Netgate Discussion Forum

    question about VLANS and rebooting Pfsense

    General pfSense Questions
    19 Posts 4 Posters 714 Views
    • comet424 @comet424

      @johnpoz
      so I should have explained better: on my sister's side I don't have cameras, I only made VLANs for the future when I expand, so I don't have to do it later
      on the TP-Link
      it has Wi-Fi for LAN, IoT,

      ah ok so ya it's messed up on her side... I was thinking of just removing and re-adding the AP.. or I gave her a 2nd outdoor TP-Link AP I had, to test to see if maybe the round AP is just faulty.. as the AP works when pfSense is up but as soon as you reboot.. she just loses access.. it's like it got gremlins.. so I gave her one to plug in when she is home to test before I have to go over and physically test everything.. it's just a strange thing it does...

      sorry, my dyslexia
      so I guess I misexplained myself when I said VLAN and LAN go through pfSense.. no I didn't mean LAN to LAN traffic.. I meant like VLAN10 to LAN, VLAN20 to LAN, VLAN10 to VLAN20
      does the traffic go through pfSense or does it stay at the network switch level

      as I know LAN to LAN networking works without pfSense. I meant from LAN to VLANs: if you're accessing cameras, say, does it go LAN -->> pfSense --> Cameras VLAN10 or does it go LAN --> Network switch --> VLAN10 Cameras

      so like if you were copying 20 gigs of files from LAN 192.168.0.x to VLAN 50 192.168.50.x, does the copying go through pfSense or are the routes in the switch.. but once you reboot pfSense you can no longer copy since the VLANs are gone till pfSense is back up and running

      and I wanted to know, for the VLAN for the camera network, if the Shinobi is buried a few network switches deep, can it still talk to the cameras.. as it talks to the cameras on the switch that's unmanaged through the MikroTik.. I realize LAN to LAN IPs work but I dunno about VLAN to LAN, or whether a VLAN that's buried down a few network switches can talk to the cameras while pfSense reboots, is what I meant.. sorry, dyslexia, it sounds easy for me.. but for me not so easily

      at the time of burying it 25-26 years ago when I had 100Mbps network cards.. it could be the cables degraded, I can't seem to get faster unless I pull 2 new cables, but I plan to bury a fiber cable instead since I can't get it in the 1/2" or 3/4" piping buried years ago.. might just pull a new cable, 300 feet of Cat 6, I just kept putting things off but was thinking of going fiber and not worrying about cable length

      so on the managed switch I tell it VLAN10 for example on Port 1, and the unmanaged switch is plugged into port 1, and everything on the unmanaged switch gets 192.168.10.x for VLAN 10, this way all the ports under the unmanaged switch get VLAN10

      oh and here is my network cable that I buried 25-26 years ago
      a piece of the cable; back then they didn't even stamp the cable.. you just buy a 1000 foot box from Home Depot and take what you got lol. I think it's degrading from the sun etc as I used to get full duplex, now I run like half duplex to work. so the reason I was thinking of going fiber, since both switches in my house and shop are the same MikroTik and have a 10gig SFP+ slot, this way no issues running 300+ feet, and I bury it with 1 1/4" tubing I have kicking around so plenty of room; I remember running the 2 network cables in that 1/2" or 3/4" was tight
      (image: 20250630_142417[1].jpg)

      • johnpoz LAYER 8 Global Moderator @comet424

        @comet424 so you have to run 100 half to get a connection? Yeah that cable is degraded for sure. Even if wires were broken that allowed for gig you should still be able to get full duplex 100 with just 2 pairs..

        if you are redoing the run and it's 20+ years old, and especially since it's degraded and can no longer do gig.. Did you try re-terminating the ends? Then yeah for sure I would run new wire.. Would be good practice if connecting buildings to use fiber vs copper.

        Oh so the VLANs are created on your sister's, just not in use.. Ok - again that has zero to do with anything.. if your sister can not even set an IP on her phone and talk to something else connected to the switch that has an IP on that network, that screams something wrong with the AP or switch.. You should be able to unplug the connection from pfSense to that switch - and everything should still be able to talk to each other via IP. Internet wouldn't work, DNS wouldn't work for local resources if pfSense (unbound/dnsmasq/bind) running on pfSense was providing the DNS for your local resources.

        but I dunno about VLAN to LAN

        No those wouldn't work, because those have to be routed.. How would those work if your router is offline? But LAN to LAN would work, VLAN X to VLAN X would work, VLAN Y to VLAN Y would work.. But no, if your router is offline how would you route? You could route via some L3 switch on your network - but then pfSense would be useless as a firewall since it wouldn't see inter-VLAN traffic. And pfSense could not be your DHCP server because for DHCP to work on pfSense it has to be attached at L2. And if you were routing on a downstream L3 switch then it would just be a transit network to pfSense.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • stephenw10 Netgate Administrator

          I've never used those Omada controlled APs myself but I would check what their behaviour is when they lose their upstream gateway. Quite a few managed APs like that will helpfully stop being an AP (broadcasting an SSID) if they think they have lost upstream connectivity.

          • johnpoz LAYER 8 Global Moderator @stephenw10

            @stephenw10 while that is possible sure - that would be moronic.. An AP IP is just management, it has nothing to do with providing services to clients using the AP for a wireless connection. Why should it stop providing wifi if the gateway goes away for its management IP, or for that matter even the wireless networks it's providing - but it has no way to even know the gateway is down since it would need an IP on some VLAN to be able to check from.

            The Omadas are pretty much a copy of the UniFi stuff - I mean like duplication copy.. They have some differences in their controller - but last time I looked it was pretty much a duplicate of the UniFi controller - other than the branding on it.. The UniFi controllers can be offline forever and the APs still function.

            So why would it shut down its wifi if its management network can not talk to its gateway or the controller even? That would be horrible design.. But yeah I guess it's possible. But his drawing doesn't even have any APs listed.. And is that TP-Link on his sister's network Omada or just your typical TP-Link AP, is it really an AP or a wifi router being used as an AP? For all we know it's doing NAT and routing, and maybe if it loses access to its gateway (pfSense) it shuts down routing from its LAN to its WAN? Since it can not get to its WAN.. It could maybe even have 192.168.1 on both sides? Which shouldn't even work - but I have seen some wifi routers pass traffic even when their WAN and LANs are the same network.


            • stephenw10 Netgate Administrator

              Mmm, indeed. My UniFi AP did that though. Until I put OpenWRT on it. 😉

              I didn't even have anything complex enabled on it that might have required access to the controller. Like the captive portal.

              • johnpoz LAYER 8 Global Moderator @stephenw10

                @stephenw10 Well when I get a chance I will pull the cable for my wifi networks from pfSense.. I have a native network and then some VLANs: one where my IoT stuff is, another one where my Rokus/TVs are on, etc..

                There is no way APs should shut down their wifi because they can not talk to the management gateway. And I will shut down my controller VM.. But that goes down all the time and all my wifi still works.

                But I would bet a large sum of money it has no effect. Wife is leaving in like 15 minutes - I will do it then and report back.

                My main trusted wifi network (management as well for the AP and controller) is on my native 192.168.2.0/24 network.. Then I have a guest wifi, trusted and EAP wifi (this should fail) because it uses RADIUS for EAP-TLS auth. And it won't be able to talk to pfSense where FreeRADIUS runs to do the auth. But my trust, Roku and IoT networks, which I have both wired and wireless devices on, 192.168.2.0/24, 192.168.4.0/24, 192.168.7.0/24, should all continue to function.

                oh my Roku network is on its own uplink - will pull that cable too.

                (image: wifi.jpg)


                • stephenw10 Netgate Administrator

                  It's been a while. But I remember being really confused by it the first time I saw it. Looks like it was the Uplink Connectivity Monitor though. It pings the management gateway and if it fails it stops broadcasting the SSID. Fun.

                  • johnpoz LAYER 8 Global Moderator @stephenw10

                    @stephenw10 ok back - I shut down my interfaces on pfSense..

                    I had to set manual IPs on the networks I wasn't already on.. So the 192.168.2 I was already on when I shut down the controller and interfaces on pfSense.. Pings just fine - that IP is one of my APs

                    The 7 address is my Roku Ultra, and the 4 is one of my smart lightbulbs.

                    Other than the phone not wanting to connect to the different networks when DHCP wasn't there - I was able to get it to connect if I changed the profile to manual IP..

                    (image: access.jpg)

                    You can see my phone says there is no internet on my Roku network - the 192.168.7 network.. And still pinging devices on that network just fine.

                    Oh I don't run that monitor - you're limited in the number of SSIDs you can run when that is on.. So it's off.. I had to switch back to the legacy interface to find it - I don't even see it listed in the new UI.

                    (image: uplink.jpg)


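As an added example (not code from this thread, from Netgate or from UniFi/Omada), here is a small Python model of the rule johnpoz lays out in his routing reply and then confirms with the interface-shutdown test above: flows whose two ends already hold an address and sit in the same subnet and VLAN keep working during a pfSense reboot because the switches forward them at layer 2, while anything that needs routing or a fresh DHCP lease does not. The host names, addresses and VLAN numbers are constructed from the examples in the thread, and the "subject to firewall rules" caveat for the pfSense-up case is an assumption.

```python
# Added example (not from the thread): a small model of johnpoz's rule for
# which flows survive a pfSense reboot. Hosts, addresses and VLAN numbers are
# constructed from the thread's examples; nothing here touches a real network.
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class Host:
    name: str
    addr: str            # IP with prefix length, e.g. "192.168.10.20/24"
    vlan: int            # 802.1Q tag carried on the trunk (0 = untagged LAN)
    has_ip: bool = True  # False = still waiting on a DHCP lease from pfSense


def can_reach(src: Host, dst: Host, pfsense_up: bool) -> tuple[bool, str]:
    """Return (reachable, reason) for an IP flow src -> dst.

    With pfSense down, only hosts that already hold an address and sit in the
    same subnet and VLAN can talk: the switches forward that at layer 2 and
    the frames never reach pfSense. Different subnets need a router.
    """
    if pfsense_up:
        return True, "pfSense routes between VLANs (subject to firewall rules)"
    for h in (src, dst):
        if not h.has_ip:
            return False, f"{h.name} has no address: DHCP lives on pfSense"
    s, d = ip_interface(src.addr).network, ip_interface(dst.addr).network
    if s != d:
        return False, f"{s} -> {d} must be routed and the router is down"
    if src.vlan != dst.vlan:
        return False, "same subnet but different VLAN tags: no layer 2 path"
    return True, f"same subnet {s} on VLAN {src.vlan}: switched at layer 2"


def thread_scenarios(pfsense_up: bool) -> dict[str, bool]:
    """The flows discussed in the thread, evaluated for one pfSense state."""
    lan_pc = Host("LAN PC", "192.168.0.10/24", 0)
    nas50 = Host("VLAN50 NAS", "192.168.50.10/24", 50)
    shinobi = Host("Shinobi", "192.168.10.20/24", 10)
    camera = Host("camera behind unmanaged switch", "192.168.10.50/24", 10)
    phone = Host("phone with manual IP", "192.168.2.50/24", 0)
    ap = Host("AP", "192.168.2.20/24", 0)
    dhcp_phone = Host("phone waiting on DHCP", "0.0.0.0/0", 7, has_ip=False)
    roku = Host("Roku Ultra", "192.168.7.30/24", 7)
    return {
        "LAN -> VLAN50 file copy": can_reach(lan_pc, nas50, pfsense_up)[0],
        "Shinobi -> camera, both VLAN10": can_reach(shinobi, camera, pfsense_up)[0],
        "phone -> AP on 192.168.2.0/24": can_reach(phone, ap, pfsense_up)[0],
        "DHCP phone -> Roku on VLAN7": can_reach(dhcp_phone, roku, pfsense_up)[0],
    }
```

Calling `thread_scenarios(False)` reproduces the thread's conclusions: the LAN to VLAN50 copy and the lease-less phone fail, while the VLAN10 camera path and the manual-IP phone to the AP keep working.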
                    • stephenw10 Netgate Administrator

                      Mmm, as I say it's been a while and the UniFi docs didn't show anything current. So maybe they removed it or at least disabled it by default.

                      • johnpoz LAYER 8 Global Moderator @stephenw10

                        @stephenw10 take a look at my edit - took a while to find it, had to switch back to the legacy UI to find it.. But you can see if you run more than 4 SSIDs you can't run it. I had turned it off a long time ago.. Since I run 5 SSIDs.


                        • stephenw10 Netgate Administrator

                          Nice. Yeah I'm pretty sure it was on by default back when I was using it. I spent a while trying to diagnose a power failure in the AP because it didn't occur to me that it would stop being an AP for any other reason.

                          Anyway be aware that such a thing exists and maybe Omada copied it.

                          • comet424 @stephenw10

                            @stephenw10 @johnpoz
                            as for the VLAN names on my sister's, I guess I could have just left out saying I made the same on her network since it's not in use.. guess I make more confusion adding in stuff

                            I'm going to get my sister to test her network tomorrow with the extra TP-Link antenna and remove the round disc version to see if it's just a faulty AP maybe

                            as for my cable.. ya I've re-terminated both ends, still get 100Mbps at half speed, but since I've been around a while I remember and still have my BNC coaxial network cable and cards for 10Mbps from when I used to host BBS LAN parties in the 80s/90s, and 1200 baud and 33k modems, even the modem for the Texas Instruments TI-99 I still have kicking around, take your phone and jam it on the suction cups.. 40+ years of networking of just standard LAN, I only started using VLANs the last couple years as my LAN was getting too cluttered...

                            so ya about the VLANs I was curious, ya so VLAN 10, even though it's embedded on 2 networks a few switches apart, will still be able to access even with pfSense down.. as I figured it might go down too, as I was going to move the Shinobi recording computer to the same switch as the cameras, but then it wouldn't solve for the 2nd switch of cameras at the 2nd location..

                            I'm still playing around with pfSense high availability and had those questions about it above.. but I'm going to play around with it more.. pfSense is pretty stable as long as the hardware is good, had it running on my sister's computer, a Dell from 15-20 years ago, but it just started to glitch now so I built a newer version as I thought maybe the glitching computer was also the cause of the AP issues.. but it didn't solve it.. but I do love the versatile use of any computer pfSense will install on..

                            I appreciate the help so far
                            oh and I still have my 1 server that's still plugged into my network from 26-27 years ago running Windows 98, and I ran Microsoft WinGate, that's how we supplied DHCP/internet for a LAN party on a 28.8k modem for 10 guys in a basement for a week at a time.. memories lol and that comp still works to this date but I don't miss dip switch networking

                            I'm just hoping I can test out what 1Gb internet speed is before I'm dead.. as 3Mbps speed is like dial up from the 80s/90s all over again nowadays lol

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.