@johnpoz Well, I have here a scenario in it's not possible for the packets to go through the local/internal network.
I have a pfSense with a /29 public IP (one address in the WAN and others as VIPs). In the LAN side, I have a PBX IP running in a VLAN1, and a STUN/TURN Server running on another VLAN2.
For the PBX I have a VIP with NAT Port Forward Rules, and NAT Outbound Rules;
For the STUN/TURN Server, I also have a VIP with NAT Port Forward Rules, and NAT Outbound Rules;
The IP Phones/Softphones located "in the world" can access the STUN/TURN Server via VIP address.
But the PBX, can't access the VIP address of STUN/TURN Server.
And why do I need this? Because the STUN/TURN Server needs to receive/recognize the Public IP address of the PBX and send back this information to the PBX put this on the SIP packets.
If the PBX reaches the STUN/TURN Server internally, the STUN will return the internal IP to PBX, and this info will be informed in the SIP packets, and then no one on the internet can find the RTP address of PBX.

But I didn't find how to make it work here. Any idea?

BR,

@the-other

Resolved. Was the rule source...

@uquevedo said in Changing from LAN to VLAN:

So it sounds like I need to at least configure the LAN interface with an IP address.

Not really. But I hope you get it working this year. 😉

@Nyetwerk https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/configuring-the-switch-ports.html

@johnpoz yeah and you most often lock your doors at night so why not lock your network at specific time also.

@nischay sure your not running into a broadcast storm? Or bad traffic on the wire?

Are you just talking about access to the web gui of the switch? Or like the whole network or portion of it fails to work.. I have a cheap little tplink sg108e that I rarely access.. And sometime when I do go to access it the web gui doesn't come up, and yeah have to reboot it to gain access to the gui..

If the whole switch stops switching I would sniff to see if your seeing such issues. I have seen malformed packets on the wire take down a switch, same with a broadcast storm/loop can do the same thing.

Pfsense would really not have anything to do with a switch, actually switching.. Or its gui not working, If gui just doesn't work - do you have an arp entry for its IP?

@baketopher said in IoT Wifi Device Doing .MIL ARP probe then fails to connect:

an see it it authenticates for a few seconds and then gets deauthed by the AP

why would it be getting deauthed? Is it possible it just doesn't work with the security your using, wpa3 maybe? Most iot type devices have no support for wpa3 as of yet..

I would setup ssid that is just basic wpa2 (sure it would support that) but if not try wpa1 even..

But yeah once you can actually get it on yoru wireless network - you could just set that IP as a vip on the interface your wifi is connected to, and it should answer the arp.. But it never even asks for dhcp etc.. It should be able to stay authed.

Another way to test, do you have your old AP - just connect it at the same time - does it connect to that one?

@NogBadTheBad said in BOND Interfaces:

@Dobby_ The OP mentioned a LAG.

You can’t create a LAG to two different switches, you could have two different links and route.

One LAG to the switch 1 and a second one to the switch 2 would be able to realize
in my eyes

Ok, I think I figured it out. I tried another piece of hardware and that is working a lot better. I checked, the original machine used some cheap China NICs, this new one is all Intel.

At this point I'm calling it a hardware issue.

NVM. had a derp moment and forgot I configured an interface on truenas. I removed that interface and it is all working.

@viragomann that’s right, I added the 2 Mgmt interface IPs into that alias and my thought was also the same where I can access the primary when it’s in backup carp mode and that the webgui response would also be smooth. This is great!

@viragomann I honestly didn't even check internet but no. Doesn't seem to have access.

kub-master can ping the vmnic on the portgroup which means it is leaving the ESXi server, but then either the ubiquiti or the tp-link is not carrying the packets up to the pfsense.

The ubiquiti says all vlans are being forwarded on the 4 ports connected to the ESXi (all 4 are uplink ports on the port group)

f3e0c98e-da2e-4574-b57d-8d60da53de75-image.png

TP-Link has all the ports as tagged:
0543e803-2186-4ef4-9e08-83695694aef7-image.png

I even tried them as untagged just in case and no change.

I'm at a loss where to look next.

@Urbaman75 said in Intervlan communication:

solved the problem, actually adding a route on the right VLAN instead of going through the default (VLAN100)

I am not sure how you have these systems connected together or how your network is all connected.. But if you have two routers.. And you have different networks hanging off them.. To get to networks on the different router, the routers should be connected via a transit/connector network.. And the appropriate routes setup on each, with the appropriate firewall rules on the transit and your other vlans to control who can talk to who etc..

A transit network is a network that connects router that does not have hosts on it, used to transit from one router to another.

Simple drawing of such a setup.

transit.jpg

@Melim The “real” way to availability like that, is to have two switches that supports stacking.
Create a multi-chassis Link aggregation that runs LACP on the switch stack and a two interface LACP LAG in pfsense.
Connect one link to each switch and you have the best og by far fastest failover on link/switch chassis failure.

@limex
I initial thought is Lagg and LACP are different. Lagg is real basic and should work fine. Lagg just expands bandwidth not speed.

@iptvcld said in Casting Apple, Google FireTV (mDNS SSPD):

There has to be a better way without providing my guest the password for iOT.

Already went over how you can do that, create a different PSK for a different SSID that on your iot vlan. Or setup private psk (PPSK) that allows different psk for the same ssid.

Private or Personal PSK, is somewhat new and can differ in implementation for different vendors.. So simpler solution would be to just create another SSID with a guestpassword for the psk that is also attached to your iot network.

Now you can just turn that network on or off depending if you have guest djs over, and you could even change this psk between parties.. Much easier to lock that down to be honest..

What exactly are you using for your wifi? Some old wifi router, or an actual AP that supports vlans?

edit: Macgyver way to do it if your wifi APs don't support vlans would be to just use another wifi router as AP that is connected to your iot network and uses a different SSID than your normal iot psk. This could be done cheap with any old wifi router you have laying about, or just buying some 20$ wifi router off amazon. Nice thing with that, is you could just turn it off when not in use ;)

It seems like this issue was hardware related. I swapped out the 10G card and the strange behavior has gone away.