I assume you only have one NIC in that device?

You can still leave LAN assigned as the parent interface directly and assign VLAN99 as an OPT interface.

Steve

@johnpoz Can DNS be an issue? My LAN interface has private 10.160.15.1/24 and IoT 11.160.30.1/24.

By any ways can these conflicting with anything?
I am also running pfblocker

@johnpoz : Linksys EA7300 - You said it would work, but it doesn't!!! 😆 🤣

Not listed as supported on the DD-WRT web site. 😞

But it is supported on OpenWRT with vLan! Yay!

So, cool beans! I can (probably) take it from here.
Thanks for your, and everyone's, help!!!

No worries, glad you're up and running. 👍

@gertjan The suggested system patch fixed the issue. Thank you!

@viragomann said in Multiple VLANs in HA config:

So ensure the VLAN is also properly configured on the switch.

omg , so stupid :)

Thx it all works now

@waldy327 said in FTTH (AON): Fritz!Box 5530 works, pfSense not:

Or is it enough to disable
"Hardware TCP Segmentation Offloading"
"Hardware Large Receive Offloading"

Those should be disabled anyway, they are disabled by default so definitely disabled them if you have set them enabled.

Hardware offloading requires the driver and hardware to work correctly together. Something that works on an igb NIC might work on ix. It might not even work on a different NIC that also uses the igb driver.
They usually do though because those Intels are the best supported. Intel contributes their own driver code to FreeBSD.

To disable that as a test you can run at the command line:

ifconfig ix0 -vlanhwfilter -vlanmtu -vlanhwtag -vlanhwcsum

I had assumed your igb NICs are not SFP?

Steve

Yes you could use pools in one subnet and filter them differently using aliases but you can't filter traffic between the clients on one subnet that way. Traffic would just go between them directly without passing through pfSense. Only one interface.
Really you need to use VLANs in there to separate the traffic at layer 2.

Steve

@autourdupc said in VLAN to LAN ping always possible despite rules:

Next time, i will ask community before spending soo much time !

What we are here for.. If there is some issue you have question on - or not sure if your understanding something correctly.. Yup just stop on by, here to help.

@johnpoz

Yap! You are right... Some times we don’t think as it should be. It’s exactly the same situation that I’ve with the printer – just an IP assign and everything is working.

As far as I know, TrueNAS (before FreeNAS) has not any internal firewall. At least configurable with the GUI. I’ll investigate deeper.

Maybe it’s the gateway (I’ve some doubts that is wrong), so I’ve to confirm.

For testing, I’ll also change the NAS to the LAN (same net where I’ve also the pfSense) and check if anything changes.

Nevermind. It was traffic shaper mucking me up.

OK i got it! when i block UDP traffic from LAN see rule (or image below) to the IPcam ipaddress it works as it should. what i think happened is that default UDP doesn't work, still don't know why btw, then the camera is forced to use TCP. Its just a guess.

alt text

@andyrh said in New 7100 setup:

I moved the WAN by changing the parent interface for the default WAN VLAN.

The VLAN on WAN, 4090 by default, only applies to the internal switch. So simply moving the VLAN parent to ix0 or igb3 would only work if VLAN 4090 is defined correctly on the external switch they are connected to.
If that's not the case the new WAN interface would be directly ix0 or igb3 without a VLAN.

Steve

@djohnson
This is a late reply but it may assist someone else in future.
The VOIP audio traffic (RTP) require separate UDP ports to be open. The exact range will vary depending on your VoIP system.

Hence, if the RTP ports are not open, you can experience a "working" system, but with a complete lack of audio.

@johnpoz

The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG

Re: There is really no reason for it
I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.

I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...

From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.

Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.

Thank you. -jeff

You can only choose a switch port on one interface as you found. If you leave unset it will use the actual VLAN status which takes it's state from the parent interface. In this case though that's the in internal port which is always UP.

No, there's no private VLAN type function. That would need to be on a switch where hosts are connected directly.

Steve

@marvosa said in Some VLANS Route and some don't:

but the IP Range for the MGMT VLAN is incorrect.

Yeah 10.0.12/22 or 255.255.252 would be 10.0.12.0 - 10.0.15.255

What are the rules you put on these vlans?

And yes a drawing would be most helpful.. Your saying the devices pull the correct info via dhcp.. If so that would point to connectivity being good, so first thing that comes to mind is wrong rules or lack of rules on the vlan interfaces.

Use Captive Portal along with FreeRadius. Create a user and restrict no of simultaneous devices to 3. Share the username and password with all the users.... at a time only 3 will be able to connect.

Regards,
Ashima

@gsemet
In Interfaces > Bridges you can define a new bridge and add interfaces to it. The go to Interface Assignments, assing an interface to the new bridge and enable it. No further settings are needed on the bridge interface.
But befor you have to ensure that there is no configuration on the vlan 10 interface. It has only to be enabled.

However, with this setting results in the vlan 10 going down, when WAN goes down. To avoid that you can move the IP settings from the WAN interface to the bridge.

Thank you both for your suggestions, I've been away so I didn't have time to test. I'll try both approaches (believe the one suggested by @fireodo will do the trick).

@godhead83

Start simple. Get the main LAN going first, including DHCP. Once that is done, you can do the same with the VLANs, including a DHCP server for each one. By doing things one step at a time, it's easier to resolve problems. Also, you should get handy with Wireshark, to see what's actually happening on the wire. You can also enable a column in it to display VLAN ID.

I solved the issue a while ago and forgot to answer here.
After entering the IP in Captive Portal / Allowed IP Addresses, everything was perfect.
As my CP is authenticated, so I believe that the question was precisely at that point. The other end had no way to authenticate itself to be able to pass and from the moment I released the IP there, he started to communicate. I even thought about doing a test of this type, taking the CP's authentication to see if it worked directly, but I ended up not having time.

Anyway ... it's resolved.
Thanks to everyone who was willing to try to help.

@gabriel-silveira Se você tem 2 provedores, os 2 estão conectados no pfsense, certo?
O Gateway group permite você configurar essas saídas de Internet em failover por exemplo, caso provedor A caia, utilize o provedor B até que o A seja restabelecido.

Ou caso você queria por exemplo que a VLAN20 utilize o provedor A apenas, você adiciona na regra de Firewall que permite o acesso a Internet dessa VLAN o gateway apontando para o gateway do provedor A.

Você fez alguma configuração nesse sentido?

Pois caso tenha feito, você precisará criar regras de Firewall, permitindo a conexão entre as VLANs, com gateway sem alteração, ou seja, em default, e essa regra deverá estar no topo.

Ela precisa estar antes das regras que permitem o acesso a Internet com gateway específico, ou seja, que não seja default.

Uma recomendação para que possamos te ajudar melhor, é sempre postar uma topologia do ambiente. Estou tendo que fazer suposições sobre o problema e o ambiente.

Good day,
I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...

I have now added a VLAN to the LAN port in proxmox and created a bridge from that. This I have added to pfSense with the first address of the ip subnet which will act as gateway for the /29 addresses from the guests/hosts on the network.

So far so good.

@johnpoz

Luckily i'm in a controlled environment where only PC's and Desktop Phones approved by (me) are allowed to have access via WiFi.

No phones or personal devices are allowed on that segment.

/Bingo

@charles_moody said in Trunk/LAGG problem / pfSense UniFi 24-250W PoE Switch and VLANs:

Can anyone tell me how to get the switch to adopt

So this is crux of your issue?

That has nothing to do with pfsense.. Your controller and switch need to be on the same L2 network for adoption... Or you need to use L3 adoption.. This has everything to do with unifi, and not related to pfsense at all.

https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

behind that about 10 smart-managed Netgear switches

This seems nuts - are they all in closets somewhere.. How big is this house? If you were running cable - why would all your cables not just home run back to your core switching area? Curious where exactly all these switches are?

want LAN just for troubleshooting and because it’s often stated that LAN will strip of the VLAN tags from the traffic

Huh? You can run vlans on lan just like any other interface.. So not sure what your thinking with this statement... Sure you can use lan interface as your management interface.. But it can run vlans on it as well if you want.

@JKnott

I tend to heir on the side of caution when it comes to using terminology I'm not 100% familiar with, but I have the basics down that's for sure.

Regardless, after some extensive troubleshooting I got rid of the Aruba switch and swapped it out with a Ubiquiti.
Had my network infrastructure team troubleshoot the Aruba... nobody could get it working. They let me know about how others have not been able to use Aruba equipment in the past, so i chalked it up to the switch.

While captive portal could be blocking.. You clearly have issue there with only allowing tcp.. Unless your client is doing doh or dot there is now way he could get any dns.. DNS runs on UDP 53..

You can see right there in your block 53 to 8.8.8.8 was blocked.

@j24 I added a NAT rule that redirects the DNS requests from the VLAN to a known DNS e.g. 8.8.8.8. It's not the best solution I hope someone can help us separate pfBlocker from the other VLANs.

@CalTommo

I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.