Port tagging on APU2?

bingo600

I suppose JKnott is taking over here
He's repeating most of what i suggested

JKnott

No, just making sure he's not missing anything.

bingo600

Since you don't get the pfSense box as DNS servers on your WiFi clients , you must have changed the default DHCP Server settings.

You haven't changed the DHCP Server Gateway option , have you ?

orangehand

@bingo600 No - Screenshot 2020-11-28 at 19.05.29.png

And to follow your checklist, I can ping the VLAN gateway when on the VLAN SSID. I cannot get any further than that.

bingo600

Did you try to remove/disable the LAN block rule on the Guest Vlan ?
Can you then ping the Lan IF , and/or a Lan device ?

Something is fishy ....
Smells of missing or wrong def-gw.

But if you havent touched Anything besides what you have posted in the ~~dhcp screenshot.~~ PfSense should hand out the interface address as def-gw.

And that you can ping.

Hey ...

That screenshot is not DHCP Server , that's the IF
~~You haven't set any upstream gw on the if ... have you~~
Dooh missed it was set to none

orangehand

@bingo600 I removed the custom DNS addresses from the DHCP server and that made no difference. What I am wondering is why the SG-1100 has a switch submenu in Interfaces to enable port tagging, and this APU2 does not. Might that be the crux of this?

bingo600

@orangehand said in Port tagging on APU2?:

@bingo600 I removed the custom DNS addresses from the DHCP server and that made no difference.

I expected that , as your DNS servers are on the INET , and INET can't be reached.

What I am wondering is why the SG-1100 has a switch submenu in Interfaces to enable port tagging, and this APU2 does not. Might that be the crux of this?

Nope .. I'm running a Unifi on a pfSense wo. switch menu , and JKnott does the same (see further up).

Your tagging is working , since you get a Guest Ip address (in Vlan 20)

Post a picture of your DHCP Server settings for Guest

You don't have any group or floating rules , do you ?

orangehand

@bingo600 Screenshot 2020-11-28 at 19.28.17.png Anything not shown is default

bingo600

@orangehand

Then something is fishy ....

Did you remove the Lan block rule , and tried to ping lan IF and maybe a lan device.

Edit:

Now that you have removed the 9.9.9.9 & 1.1.1.1 as DNS , can you resolve DNS now?

I mean what does ie. ping dns.google.com show ?

Does it resolve like here , where it resolves to 8.8.4.4

$ ping dns.google.com
PING dns.google.com (8.8.4.4) 56(84) bytes of data.

orangehand

@bingo600 Yes. I can ping devices on both subnets from the guest subnet when that rule is disabled

orangehand

@bingo600 and @JKnott You are stars for trying; thanks so much. I need to go out to dinner now. Any further thoughts much appreciated!

bingo600

@orangehand
Then def-gw ought to be set correct.

Can you ping the WAN IF ?

How is your outbound NAT set ?

Do you have "Auto created XXX to wan" for all the interfaces ?

Especially look at Guest , if it's missing there

Maybe post a screenshot

bingo600

@orangehand

Did you get this solved ?

orangehand

@bingo600 No. Here is the Outbound NAT screenshot: Screenshot 2020-11-29 at 10.02.19.png

JKnott

@orangehand said in Port tagging on APU2?:

I need to go out to dinner now. Any further thoughts much appreciated!

I like pizza.

JeGr

@orangehand said in Port tagging on APU2?:

On the Sg-1100 I set up yesterday there was a switch submenu in Interfaces where you added the tags. On my APU2 box there isn't a switch submenu so where do I do the tagging?

Just for anyone else wondering: SG1100, 2100, 3100 and 7100 have built in Switch chipsets! Those ports are actually switched internally that's why they have a special pfsense version from Netgate to include the config of said switch chip. You don't have that on any other hardware!

Other than that @JKnott and @bingo600 seem to have things under control, wouldn't want to intrude and confuse everyone :)

orangehand

@JeGr Thanks for that! So in the absence of that switch config, how does one tag the lan interface so that VLAN traffic flows through it?

JKnott

@orangehand

If you don't have a managed switch, you tag not only the LAN interface on pfsense, but also on every device you want to use the VLAN. This is easy enough to do with computers, but many other devices don't support VLANs.

These days, go with managed switches. They're cheap, but avoid TP-Link.

orangehand

@JKnott all my switches are Unifi

JKnott

@orangehand

I have a Unifi AP and a Cisco switch.