@4RR3N said in How to easily block access between multiple VLANs ?: ncluding grabbing IP via DHCP for my client You can not place a rule that blocks dhcp - because when you enable dhcp hidden rules are created that allow for dhcp before rules you place on the interface or even the floating tab are evaluated. Vs having rules block vlan x, y and z on your vlan a interface.. As mentioned yes just create an alias that contains all your networks, or for that matter just all of rfc1918 space so you can just use one rule. Keep in mind you would need to make sure you allow what you want before this rule - say dns, or ntp or icmp to pfsense IP on that interface, etc.

@pfsense555 The easy way to find out is to do packetcapture on pfsense, and see what happens to LACP control frames when you remove power from one switch.

@viragomann I have DHCP server enabled on IoT [image: 1724006881663-screenshot-from-2024-08-18-20-47-50.png] I tried the Packet Capture and it capture traffic only when I select LAN interface and it even capture traffic when I connect to IoT WLAN and on the IoT interface it does not capture anything

I got it figured out. I don't recall setting up traffic shaper, but somehow they were limited to be pretty low. Maybe I set it up previously when I had a 100/10 speed. I may just turn it off entirely and see how it goes. Thank you both for your help! I'm glad I asked before diving into setting up the second interface.

@hardingd FIXED: It turned out to be the <pvid>1</pvid> on the <swports>. Removed that and VMs started getting DHCP from the VLAN 10 interfaces.

Maybe this helps.

@ff101 Thanks! It's working now which means the issue was in the switch configuration, I'll check that up next.

Hmm, something must have changed. If nothing changed in the firewall/switch it must have been in a client somehow.

When I was setting up VMs on my TrueNAS Core (also FreeBSD based) I discovered a limitation of bridging where an interface could bridge untagged trafffic or VLAN tagged traffic, but not both. My ongoing solution has been to move all my untagged traffic onto a tagged VLAN and just assign that VLAN to the various ports on the switch. So none of the downstream devices see the the VLAN tagging, but to the pfsense and truenas everything is tagged. Without looking through your whole setup, I'd bet that's what you're running into.

@NasKar said in Using home assistant with Iot on different VLAN: I have home assistant on my main network 192.168.5.x and want to put all the wifi IoT devices on a separate VLan (IoT) 192.168.20.x for security purposes. I'm not sure that is the best approach. What is the logic behind not putting Home assistant on the IOT network so it can scan for and communicate with all your IOT devices. Then Enable Main network access to home assistant via the defined Home assistant interface. Home assistant access to the internet & port forwarding from the internet to Home assistant as required. Block any other IOT connections to other local networks (including Main) and the internet as you desire. Doing so avoids having to reverse engineer the communication protocols used between each of your IOT devices and Home assistant.

@johnpoz Thanks

@the-other There isn't any DHCP running on the AP. Yes, I have both a default (non-VLAN) and a separate VLAN network defined on the AP, each with separate SSIDs. Clients that I'm not trying to get onto the VLAN are connecting and operating fine on the default (non-VLAN) network. If I tell that one PC to connect to that SSID it works fine and it gets an IP and is good to go.

@Hoserman You were confusing layer 2 and layer 3 traffic. Be careful not to create a routing loop. STP is your friend when working with multiple networks. STP is Spanning Tree Protocol which you want to use to protect your network. There are at least 3 versions of STP that come to mind right now. Some converge faster than others.

running the following on pfsense shell ifconfig igb0 -vlanhwtag -vlanhwcsum -vlanhwfilter in shell will allow me run run suricata in inline mode, and vlan will still work....you can use the app shellcmd to automatically run the cmd at boot..

@alirx you can bridge 1 vlan.. but you have have multiple vlans on the same bridge.. I am pretty sure it doesn't work that way. You seem to have some money to setup such a network.. bite the bullet and get a switch. Or redo your vlans or add interfaces so you can run your 2.5ge on their own connection

@febu said in LAN x = VLAN x - how to setup?: @JKnott Thank you. I want to connect WAN and WAN_VPN to certain LAN ports by using VLAN configuration of SG2100. I am confused with "tagged" and "untagged" and I tried a setup VLAN, interfaces, firewall, etc. but I could not connect to the internet. What else do you need to know? Can you explain me how to do it? You can find out a bit about VLANs here. What a VLAN does is allow separate networks to be carried over the same cable. VLANs are logically separate, but not physically. When you create a VLAN, a tag is inserted into the Ethernet frame, which includes the VLAN number. Normally, Ethernet does not have that tag. On my home network, I have a VLAN for my guest WiFi, which uses the same cable and Ethernet port as my main LAN. If you don't have more than one network on a cable, you don't need a VLAN on that cable. As for that VPN, you generally use routing to send the VPN traffic where you want it, not VLANs. In fact, you can route several networks over a VPN, with routing. I don't have any experience with that SG2100 so I can't help there.

@Bambos The proper way, when bridging an interface to an existing one, is to move over the IP settings to the bridge. So the member interfaces should remain with IP setting "none".

@copz1998 Depending on your needs, eero has a guest SSID capability when in bridge mode. That would isolate those devices completely. Otherwise does your eero have the ability to host a second SSID for that VLAN?

@johnpoz Thank you for taking a look! Your explanation makes sense to me and the image helps a lot. It also explains why I didn't see firewall (deny) logs. A question I have floating around is if I could still make it work somehow by returning the laptop to vlan10 but then also have it capable of swapping to vlan100 when I want to do management. But there's probably enough explanation for that online already. Once more, thank you very much.