question about VLANS and rebooting Pfsense
-
hi
my question is is there a way when Pfsense Reboots Vlans stay intact or no or do you need special switchs?i find if pfsense reboots ill loose dhcp on access points to phones or tablet which is weird.. or if i have Static IPs on LAN and CAMERAS network when i reboot pfsense i loose access to those cameras even though they static IP
i use mikrotek switchs and a tplink 10g and i think the mikrotek is a layer 2 or 3 whatever that all really means... but i thought when i reboot pfsense since pfsense is just a single cable to the switch the switch would do all the routing even when pfsense reboots.. but i guess i wrong...
i guess thats normal? and is that why people have High avaialibty a 2nd router duplicated so when the first reboots the 2nd takes over? just curious if i can do anything...
-
when Pfsense Reboots Vlans stay intact or no or
The VLANs stay up and VLANs are layer 2. Access within the same VLAN can be handled by the switch itself (when host A and host B are on the same VLAN), it won't need to go through pfSense.
i find if pfsense reboots ill loose dhcp on access points to phones or tablet which is weird.. or if i have Static IPs on LAN and CAMERAS network when i reboot pfsense i loose access to those cameras even though they static IP
What DHCP lease times do you have set? And what access points you got?
The clients don't usually loose their IP. DHCP is only used to acquire the IP and once the client gets an IP it won't 'need' the DHCP server until half the lease time has passed.
You should not loose access to your cameras after a reboot of the pfSense. While you are rebooting pfSense, you will not be able to access the cameras from a not-camera VLAN. But after that it should be back to normal.
Can you show a diagram of your network? What VLAN are defined on the pfSense and how are the switches placed and configured?
-
@patient0
so i have 2 setups my house and my sisters house
she and i use TP-Link AP devices and use the omada software.. when her pfsense reboots her phone drops the ip goes to 169.x.x.x even though i set the TP-link with all Static IPs so she looses access to Home assistant.. even though HA is static ip and her phone and HA are on the same lan so its not using the vlan but this issue happens every reboot.. as i have IoT vlan for her too... and i changed to static ips to try to resolve the 169.x.x.x after pfsense reboots its like when pfsense reboots it causes her phone to dump.. but i dunno why.. it shouldnt happen and maybe she got a glitcchy AP is all i can think ofso for my setup i got the cameras.
i have Vlan Cameras with Reolink cameras.. they are on 192.168.10.x static ips my desktop is 192.168.0.151 static ip... i hav a reolink app on my desktop and when i reboot pfsense they loose all connection to the cameras till pfsense boots backup.. but i thought if i give static ips and since the cameras poe unmanaged switch that plugs into mikrotek switch and that microtek switch plugs into my 10g switch that my desktop is on.. and i loosse the cameras so i figured when i go to static it would still work as they got static ips and on the mirotek says vlan10 (cameras) is the port that goes toe unmanaged camera poe switch so i figured all of that it wouldnt loose connectionand also i have a shinobi box thats on the 192.168.10.x network but its not connected to the camera unmanaged switch.. its connected to a vlan on another switch as its not in the same rack.. when pfsense reboots does the shinobi loose connection to the cameras while pfsense reboots as its not part of the same switch but on a same vlan but not on the same switch
and how do i get the program that like te pfseense tutorial people do with the pics of internet and switchs and arrows and text... be probably easier then me trying to do it in windows paint.. but i dont know the program they use or if its free?
-
@comet424 said in question about VLANS and rebooting Pfsense:
use TP-Link AP devices and use the omada software
Maybe someone has more knowledge in that area (Omada), in my view that should not happen if the AP is not a DHCP server.
What DHCP lease times have you set in pfSense?Of course if the phone looses it's IP address, nothing works anymore.
169.254.xxx/16 are link-local IPs a device assigns itself if it doesn't find an DHCP, Wikipedia Link-local addressi have Vlan Cameras with Reolink cameras.. they are on 192.168.10.x static ips my desktop is 192.168.0.151 static ip... i ... they loose all connection to the cameras till pfsense boots backup
Your desktop: 192.168.0.x & cameras: 192.168.10.x => That is inter-VLAN traffic which is routed through the pfSense. Hence that routing will not be possible until the pfSense is up again.
and also i have a shinobi box thats on the 192.168.10.x network but its not connected to the camera unmanaged switch.. its connected to a vlan on another switch as its not in the same rack.. when pfsense reboots does the shinobi loose connection to the cameras while pfsense reboots as its not part of the same switch but on a same vlan but not on the same switch
Depends how the unmanaged switch is connected to the other switch and/or pfSense. Here a diagram (can be hand-drawn) would help.
how do i get the program that like te pfseense tutorial people do with the pics of internet and switchs and arrows and text
https://app.diagrams.net/ is free to use. Web GUI or applications available
-
@comet424 said in question about VLANS and rebooting Pfsense:
when her pfsense reboots her phone drops the ip goes to 169.x.x.x
For that to happen your dhcp lease must be insanely low.. Dhcp has a lease time, common default is 2 hours - this is what pfsense defaults too.. A lease is renewed around the 50% mark - so like every hour on a 2 hour lease.
So in a worse case scenario, if the dhcp server went down just before a client was going to renew you should have min 1 hour before the lease expires the client gives up the IP it had in the lease and dropped to apipa address, ie the 169.254 address.
The only other could be if the client lost its connection and gave up its lease.. But that shouldn't happen - and if your on wifi pfsense being on or off should have zero to do with the client maintaining its connection to your AP wifi.
So I can think of couple of scenarios where your issue could be seen.. Your dhcp lease is insanely low - like minutes only. Or your client is loosing its connection to wifi and giving up its lease.. Maybe moving to a different AP and or ssid you are using? Where the client gives up its lease even though their is time left on it.
I would check what your dhcp server is set for lease time.. You can easy tell on a windows client via ipconfig /all
Ethernet adapter Local: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Killer E2600 Gigabit Ethernet Controller Physical Address. . . . . . . . . : B0-4F-13-0B-FD-16 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Friday, June 27, 2025 8:51:52 AM Lease Expires . . . . . . . . . . : Saturday, July 5, 2025 8:51:52 AM Default Gateway . . . . . . . . . : 192.168.9.253 DHCP Server . . . . . . . . . . . : 192.168.9.253 DNS Servers . . . . . . . . . . . : 192.168.3.10 NetBIOS over Tcpip. . . . . . . . : EnabledI run a really long lease - but you can see date and time got the lease, and when that lease expires.. Client will not give up this lease until it expires.. If it can not renew the lease after July 5 then it would do a discover trying to obtain a new lease. If it can not then it would drop to a 169.254 address.
If pfsense rebooting causes your client to loose its lease either you have a lease time set so freaking low that it expires before pfsense comes back online and can provide dhcp. Or you have something else going on in your network where the client thinks it has to get a new lease - and gives its lease up early and sends discover, but since no dhcp server available it drops to 169.254 address.
edit: thought of another scenario that guess could cause the problem - if the client is loosing access to its gateway, and then drops its lease to get another one and since pfsense is currently down due to the reboot can not renew or get a new lease and drops to 169.254 - but a sane client that would do such a thing should continue to look for dhcp on a very short cycle. So the client should recover on its own in a few minutes.
Maybe this is case with phone and your just not waiting long enough for it to recover after pfsense is back up.. I could see this being problematic if you were middle of streaming something locally on the same network as the phone and it couldn't ping its gateway so it does dhcp discover and drops its lease.. I have not tested such a thing with either phone or tablet, etc. since only time my pfsense reboots is on an upgrade or extended power outage. And by time I go to test that everything is working - my pfsense does radius auth for my one wifi network secured devices are on - my mobile phone and tablet, etc so I test this after the upgrade and they are working so if they had dropped their ip because of gateway loss they recover really quick.
-
@johnpoz @patient0
ok so i used the program to make a drawingthe left side is my sisters network 192.168.1.1 and it has all the same vlans as in the diagram i made for my network
and then the other is my home network i have 2 locations one is my house and 1 is my shop on my property so i have like 3 racks but the different location my house
so basiclly that is my setup i like this program better then windows paint as i always struggle if i wanna move stuff.. i appreciate that.
so
for my sisters network dropping
like her iphone she cant even set a static ip or when she does it will not access the network.. it wont even access Home assistant even when her phone is 192.168.1.x and her HA is 192.168.1.12 and i set the tplink omada for the AP to be a static ip a 255.255.255.0 a gateway and a dns of 192.168.1.1 for her pfsense and it wont work... but when she uses dhcp works fine until she reboots pfsense and for whatever god ole reason the phone drops .. i thinking either bad AP and its dropping the signal but shes like 5 feet from it... i gave her a 2nd one for outside to expand her wifi so going to have her test it too to see if its a flaky AP thats dropping the signal..dchp release time is the default 7200
so for my network
so i have a few questions then about the vlan
-
so even though i have static ips and pfsense reboots.. i can not access the camera network cameras on the LAN network right? unless it was on the same network...
-
does the shinobi camera recording server when pfsense reboots does it loose connection where it is on the network
-
does all the traffic from Vlan and LANs all go through pfsense? so so it doesnt stay within the switchs and the pfsense just gives out hte ips... cuz if thats the case do i need then to upgrade the pfsense network card to 10gig to the 10g uplink switch on the mikrotek? to also maximize the speed? as i plan to upgrade a 10g cable from house to shop 10 gig cable since both switchs have 10gig networking..
and since you guys are smarter i was looking at hte High availiablity
i had questions about it
1.. when you make a 2nd server 192.168.0.2 and you do the sync setup it doesnt clone adapters interfaces or vlans you gotta enter them in on the 2nd server so it doesnt replicate it..
2.. can you just import the config xml file on the 2nd server and then change the adapter interfaces just for the intital setup?
3.. i saw a partial video they do virtual IP but how do you set that up if main pfsense is 192.168.0.1 backup i playing with is 192.168.0.2 and i want it to point to 192.168.0.1 as a virtual ip too as i dont wanna mess up all the setups i already done..4.. is there a good video to learn from it as i a visual learner.. but for me i also leave pfsense up like a month or so at a time.. but i reboot alot at times due to my 3mbps internet connection i pay 100 bucks a month for but here in ontario canada we finally getting high speed fiber so for 100 bucks ill get 1000mbps i guess that 1gbs speed so maybe i also wont have to reboot pfsense so much where my modem i guess gets conjested doing stuff and it stalls out i get warning on the wan connection instead of a green online.. so i hoping sometime by end of the year it be faster waited 20 years for this crap lol.
and here is that image and that cisco switch is like a 20 year old 1gb network switch
-
-
@comet424 said in question about VLANS and rebooting Pfsense:
the left side is my sisters network 192.168.1.1 and it has all the same vlans as in the diagram i made for my network
no it doesn't - you list a unmanaged switch.. How would you be doing vlans? Are all your devices doing tags? And your just running tags over a dumb switch.?
like her iphone she cant even set a static ip or when she does it will not access the network.
Well that screams something wrong with your AP then - if you set a static IP on your phone and can not access something else on the same network (that has an IP) your AP is broken.. The AP ip is meaningless and is only needed for management of the AP.. If you can not access another IP on the same network pfsense is not involved.. So either you have something wrong with the AP or it is doing client/ap isolation. Wouldn't matter if pfsense is rebooting or just off - it is not involved with devices talking to each other on the same network - be it a wire or wireless. Unless your pfsense was setup as bridge and then devices wouldn't be able to talk to other device that was on the other side of the bridge. But you drawing shows no such bridge.
And if your devices have static IPs then dhcp couldn't be the issue.. The only thing that pfsense could be involved with would be if you were pointing to it for dns, and you were trying to access the other device via a fqdn that since your dns is off is not resolving.
does all the traffic from Vlan and LANs all go through pfsense?
Traffic on the same vlan has zero to do with pfsense - your router could be turned off or unplugged it has zero to do with devices on the same network talking to each other..
I find it odd that people that would run something like pfsense have no clue how basic tcp/ip works.. Why would you think that traffic on the same network goes through your router?
And you got me curious to your 100mbps cable.. What it only has 2 pairs? cat 5 from like 35 years ago can run gig.. Shoot it can do 2.5ge even..
Here is a really old 25' patch cable I had laying about - shoot the clips on the ends of the connectors even busted off, and does 2.5ge just fine.
I had this cable in the bottom drawer of my old desk.. Prob sat in there for 20+ years ;)
You could unplug the cable from pfsense that goes to your microtek switch and all devices on the same network would still be able to talk to each other via IP no matter where they are connected.. Now if pfsense is doing dns than yeah you would have an issue trying to do dns to resolve an IP. And I see nothing in that drawing that should force a dhcp client to try and get an IP from dhcp if pfsense was rebooted or off.. So at min you should be able to talk to stuff on the same network for 50% of your lease time... Unless you have some clients that don't renew and loose their IP while pfsense (dhcp server) is off.. But the odds of that would be pretty slim that you run into such a coincidence
If you unplug the connection from pfsense to your microtek and devices on the same network can not talk to each other - then you have something else going on.. The only thing pfsense being off or rebooting would break is intervlan routing, ability to get a dhcp address or dns resolution of your local resources that dns is being provided by pfsense.
-
@johnpoz
so i should exampled better on my sisters side i dont have cameras i only Made Vlans for future when i expand and i dont have to do it later
on the TP Link
it has Wifi for LAN, IoT,ah ok so ya its messed on her side... i was thinking of just removing and re adding the ap.. or i gave her a 2nd outdoor tplink AP i had to test to see if maybe the round AP is just faulty.. as it the AP works when pfsense is up but as soon as you reboot.. she just looses access.. its like it got gremlins.. so i gave her one to plug in when she is home to test before i have to go over and physically test everything.. its just a strange thing it does...
sorry my dyslexia
so i guess i miss explained myself when i said Vlan and LAN go through pfsense.. no i didnt mean LAN to LAN traffic.. i ment like VLAN10 to LAN VLan20 to LAN VLAN10 to VLAN20
if the traffic goes through pfsense or does it stay at the network switch levelas i know LAN to LAN networking works without pfsense i ment from LAN to Vlans if your accessing Cameras say does it go LAN -->> Pfsense --> Cameras Vlan10 or does it go LAN --> Network switch --> Vlan10 Cameras
so like if you were copying a 20 gigs of files from LAN 192.168.0.x to VLAN 50 192.168.50.x does the copying go through pfsense or are the routes in the switch.. but once you reboot pfsense you can no longer copy since vlans are gone till pfsense is backup and running
and i wanted to know if the VLAN for the camera network if the shinobi is burried a few network switchs deep can still talk to the cameras.. as it talks to the cameras on the switch thats unmaged through the mirotek.. i relize LAN to LAN ips work but i i dunno about VLAN to LAN or a VLAN thats burried down a few network switchs can talk to the cameras while a pfsense reboots is what i ment.. sorry dyslexia it sounds easy for me.. but for me not so easily
at the time of burring 25 26 years ago when i had 100mbp network cards it could be the cables degraded i cant seem to get faster unless i pull a new 2 cables but plan to burry a fiber cable instead since i cant get it in the 1/2" or 3/4" piping burried years ago might just pull a a new cable 300 feet of cat 6 just kept putting things off but was thinking going fiber and not worry about cable lenght
so on the managed switch i tell it Vlan10 for example Port 1 and the unmanaged switch is pluged into port 1 and everything on the unmanaged switch gets 192.168.10.x for Vlan 10 this way all the ports under unmanaged switch get Vlan10
oh and here is my network cable that i burried 25 26 years ago
piece of the cable back then they didnt even stamp the cable.. you just buy a 1000 foot box from home depot and take what you got lol i think its degrading from the sun etc as i used to get full duplex now i run like half duplex to work. so reason i was thinking going fiber since both switchs in my house and shop are the same miroktek and have a 10gig sftp slot this way no issues running 300+ feet and i burry it with 1 1/4" tubing i have kicking around so plently or room i remember running the 2 network cables in that 1/2" or 3/4" was tight
![20250630_142417[1].jpg](/assets/uploads/files/1751307998979-20250630_142417-1.jpg)
-
@comet424 so you have to run 100 half to get a connection? Yeah that cable is degraded for sure. Even if wires were broken that allowed for get you should still be able to get full duplex 100 with just 2 pairs..
if you are redoing the run and its 20+ years old and especially since degraded and can no longer do gig.. Did you try re-terminating the ends? Then yeah for sure would run new wire.. Would be good practice if connecting buildings to use fiber vs copper.
Oh so the vlans are created on your sisters, just not in use.. Ok - again that has zero to do with anything.. if your sister can not even set a IP on her phone and talk to something else connected to switch that has an IP on that network that screams something wrong with the AP or switch.. You should be able to unplug the connection from pfsense to that switch - and everything should still be able to talk to each other via IP. Internet wouldn't work, dns wouldn't work for local resources if pfsense (unbound/dnsmasq/bind) running on pfsense was providing the dns for your local resources.
but i i dunno about VLAN to LAN
No those wouldn't work, because those have to be routed.. How would those work if your router is offline? But lan to lan would work, vlan X to vlan X would work, vlan y to vlan y would work.. But no if your router is offline how would you route? You could route via some L3 switch on your network - but then pfsense would be useless as firewall since it wouldn't see intervlan traffic. And pfsense could not be your dhcp server because for dhcp to work on pfsense it has to be attached at L2. And if you were routing on downstream L3 switch then it would just be a transit network to pfsense.
-
I've never used those Omada controlled APs myself but I would check what their behaviour is when they lose their upstream gateway. Quite a few managed APs like that will helpfully stop being an AP (broadcasting an SSID) if they think they have lost upstream connectivity.
-
@stephenw10 while that is possible sure - that would be moronic.. An AP ip is just management it has nothing to do with providing services to clients using the AP for a wireless connection. Why should it stop providing wifi if the gateway goes away for its management IP, or for that matter even the wireless networks its providing - but it has no way to even know the gateway is done since it would even have an IP on some vlan to be able to check from.
The omadas are pretty much a copy of the unifi stuff - I mean like duplication copy.. They have some differences in their controller - but last time I looked it was pretty much a duplicate of the unifi controller - other than the branding on it.. The unifi controllers can be offline forever and the AP still function.
So why would it shut down its wifi if its management network can not talk to its gateway or the controller even? That would be horrible design.. But yeah guess its possible. But his drawing doesn't even have any APs listed.. And is that tplink on his sisters network omada or just your typical tplink AP, is it really an AP or a wifi router being used as an AP? For all we know its doing nat and routing, and maybe if it looses access to its gateway (pfsense) it shuts down routing? from its lan to its wan? Since it can not get to its wan.. It could be maybe even have 192.168.1 on both sides? Which shouldn't even work - but I have seen some wifi routers pass traffic even when their wan and lans are the same network.
-
Mmm, indeed. My Unifi AP did that though. Until I put OpenWRT on it.
I didn't even have anything complex enabled on it that might have required access to the controller. Like the captive portal.
-
@stephenw10 Well when I get a chance I will pull the cable for for my wifi networks from pfsense.. I have native network and then some vlans where my iot stuff, is another one where my rokus/tvs are on, etc..
There is no way AP should shut down their wifi because they can not talk to the management gateway. And I will shut down my controller vm.. But that goes down all the time and all my wifi still works.
But I would bet a large sum of money it has no effect. Wife is leaving in like 15 minutes - I will do it then and report back.
My main trusted wifi network (management as well for the AP and controller are on my native 192.168.2.0/24 network.. Then I have a guest wifi, trusted and eap wifi (this should fail) because it uses radius for eap-tls auth. And it won't be able to talk to pfsense where freeradius runs to do the auth. But my trust, roku and iot networks which I have both wired and wireless devices on 192.168.2.0/24, 192.168.4.0/24, 192.168.7.0/24 should all continue to function.
oh my roku network is on its own uplink - will pull that cable to.
-
It's been a while. But I remember being really confused by it the first time I saw it. Looks like it was the Uplink Connectivity Monitor though. It ping the management gateway and if it fails it stops broadcasting the SSID. Fun*.
-
@stephenw10 ok back - I shutdown my interfaces on pfsense..
I had to set manual IPs on the network I wasn't already on.. So the 192.168.2 I was already on when I shut down the controller and interfaces on pfsense.. Pings just fine - that IP is one of my APs
The 7 address my my roku ultra, and the 4 is one of my smart lightbulbs.
Other than phone not wanting to connect to the different networks when dhcp wasn't there - I was able to get it to connect if changed the profile to manual IP..
You can see my phone says there is no internet on my roku network - 192.168.7 netweork.. And still pinging devices on that network just fine.
Oh I don't run that monitor - your limited to number of ssids you can run when that is on.. So its off.. I had to switch back to legacy interface to find it - I don't even see it listed in new ui.
-
Mmm, as I say it's been a while and the unifi docs didn't show anything current. So maybe they removed it or at least disabled it by default.
-
@stephenw10 take a look at my edit - took a while to find it, had to switch back to legacy ui to find it.. But you can see if you run more than 4 ssids you can't run it. I had turned it off long time ago.. Since I run 5 ssids.
-
Nice. Yeah I'm pretty sure it was on by default back when I was using it. I spent a while trying to diagnose power failure in the AP because it didn't occur to me that it would stop being an AP for any other reason.
Anyway be aware that such a thing exists and maybe Omada copied it.
-
@stephenw10 @johnpoz
as for the vlan names on my sisters i guess i could just left out saying i made the same on her network since its not in use.. guess i make more confusion adding in stuffi going to get my sister to test her network tommorow with the extra TP link antenna and remove the round disc version to see if its just a faulty AP maybe
as for my cable.. ya ive re terminated both ends still get 100mbp at half speed but since i been around a while i remember and still have my BNC coaxal network cable and cards for 10mbp when i used to host BBS Lan partys 80s 90s and 1200 baud and 33k modem even the modem for the Texas Instrument I99 i still have kicking around take ur phone and jam it on the suction cups.. 40+ years of networking of just standard LAN i only started using Vlans last couple years as my LAN was getting too cluttered...
so ya about the VLANs i was curious ya so VLAN 10 even though its embedded on 2 networks a few switchs apart will still be able to access even with pfsense down.. as i figured might go down too as i was going to move then the shinobi recording computer to the same switch as the cameras but then wouldnt solve for the 2nd switch of cameras at 2nd location..
i still playing around with pfsense high availability and had those questions about it above.. but i going to play around with it more.. pfsense pretty stable as long as hardware is good had it running on my sisters computer a dell from 15-20 years ago but it just started glitch now so i built a newer version as i thought also maybe the glitching computer for the AP issues .. but didnt solve it.. but i do love the verstile use of any computer pfsense will install on..
i appreciate the help so far
oh and i still have my 1 server thats still plugged in my network from 26 27 years ago running windows 98 and i ran Microsoft Wingate thats how we supplied dhcp internet for a lan party on 28.8k modem for 10 guys in a basement for a week at a time.. memories lol and that comp still works to this date but i dont miss dip switch networkingim just hoping i can test out what 1gb internet speed is before i dead.. as 3mbps speed is like dial up for the 80s 90s all over again now a days lol
