@Spottedfezzit There are far bigger brains on this forum than mine! I suggest you post to the forum than relying on my singularly small brain, but, yes, of course, I am happy to help if I can.

David.

Edit3: Finally the things have worked. What I did based on @jasonlitka post on another thread. I open up the cli to check the running config file on the ports 3 and 36. I have cleaned all the configurations on each port. So the configurations are below:

Switch01 Core(config)#do show running-config interface GigabitEthernet1/0/03 interface gigabitethernet1/0/3 description "Live Esquerda" switchport access vlan 10 ! Switch01 Core(config)#do show running-config interface GigabitEthernet1/0/36 interface gigabitethernet1/0/36 switchport mode general switchport general allowed vlan add 10 tagged switchport general allowed vlan add 1 untagged !

And bang! Machine is addressed and working.

@p2ranger @michmoor gave the link where it is explained for pfSense but it is not timebased:

server: access-control-view: 192.168.1.69/32 blocksites view: name: "blocksites" local-zone: "youtube.com" static

I don't think that there is a more integrated solution for youtube.com in pfBlocker. You can force save search for youtube though.

If it'll help, some further details about my setup, everything is connected by Unifi switches that are vlan capable, but not all of the ports are specifically configured to be on a vlan.

I've been doing fping tests just to see what can be seen through a few different systems, and below is my findings.

From a system that is connected to a port designated with vlan 3220 [10.32.2.0 network]:

uquevedo@ubence-air-wired ~ % fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10

From the VM itself that is configured with the bridge interface to vlan 3240:

uquevedo@kea-testing:~$ fping -qga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10

From a system that is connected to a port designated with vlan 3230 [10.32.3.0 network]:

[uquevedo@fedora-system ~]$ fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10

From the actual RHEL9.2 host system, which of course can ping the IP address:

[uquevedo@rh-vm01 ~]$ fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.9 10.32.40.10

There are many bridged interfaces on the host system connecting to various vlan tagged interfaces:
Screenshot 2023-05-17 at 7.13.36 AM.png

The bridge0 interface is a non-vlan tagged interface [vlan1?] and is accessible to all systems on the network.

I was under the assumption that if a network interface was tagged with vlan information that it would be accessible to other systems that are part of that same vlan?

Another thing about my setup is that these vlans are configured on a pfSense box for lab purposes, they are not configured on my main pfSense box [which I don't think matters]. So even though the opt ports of this system are technically on their own network, they are connecting to my main network.

@gertjan I think I've discovered the answer for my problem...

I came across a note about comcast blocking traffic which pings and the answer was to turn off monitoring on the gateway. Voila. That worked.

I tested it by turning monitoring back on and it still worked. That seems a little flaky to me and I suspect it will come back to haunt me... but for now i'm clad it's framed up pretty well.

I did create the 4084 vlan and assigned it to a default Interface OPT1. Then in the Interface settings I renamed the OPT1 to WAN2.

I also created a gateway for WAN2 manually and had to set a NAT in outbound for WAN2.

Thank you for your help.

@hudri said in Assigning Clients to VLANs:

where they just manually switched back and forth between the VLANs,

You can - where you set the pc to understand the tag, but again that is not a vlan... That is some user without a clue to networking thinking they have setup a vlan and all they did is run multiple IP schemes on the same network. There is no actual security there, anything can talk to anything, be it you setup a firewall rule or not - broadcast and multicast traffic is going to be seen by every device.

That is not a vlan. A vlan actually isolates traffic at layer 2..

You could move your pc into another vlan that is on that port, by changing the pvid on trunk port so the untagged traffic is now in X vs Y, etc. But just changing on the IP on the pc isn't going to work if you actually have vlans setup.

@onepiece said in Creating VLANs and subnets (and SSIDs) using pfSense:

Do most modern APs allow multiple SSID transmissions using separate subnets simultaneously?

Proper APs usually do, but using a router as an AP won't. Just read the specs to see what an AP can do.

I have a Unifi AC-Lite AP, which supports multiple SSIDs and VLANs, as did a TP-Link AP I used before.

BTW, some people here like the Unifi APs.

@stephenw10 I guess there is VLAN configured because I didn't need to set it on the pfsense

I would verify with a packet capture that the traffic is crossing into the pfSense side properly.
What's the LAN interface VLAN in the that list? 4084? 4083? 4082?

And logins to other more remote sites will be encrypted with https or similar.

@msid

Voici la configuration du switch (HP) :

PORT 13-14-15-16 -> Agrégat des 4 liens Mode TRUNK -> Untagg le VLAN défault (1) -> TAGG sur les autres TRUNK dont le 160 (LIEN VERS LE NETGATE)
PORT 20 -> untagg sur le VLAN 160

e6a46564-1765-4613-91ee-c3ba37fed005.jpg

@adminproconer said in Firewall rule problems. (Client-to-client forward):

Where should I start troubleshooting the issue?

With the network settings and firewall config of the concerned device.

Ensure that all devices in both subnets use pfSense as gateway.

If you can access a device from within it's own subnet, but not from another network segment check its firewall and ensure that it allows access from outside.

@adminproconer And how about you remove the link aggregation..

If still slow then I would sniff - but if you have full speed, and ping is 1ms - your issue is not network related, but most likely server or performance related.

Sniff to see what is slow, nothing the network the router can do if server answers slowly.

@bob-dig
yes destination is internet.

So this is why I get the NAT3 on the ps4 right?
in short, because the vlan's gateway is not exposed to internet but is behind the wan.. right?

sorry what you mean with If the destination is at your place then number 3
another vlan or the lan?

thanks again

Are you sure hyper-v is passing the tagged traffic? Can you test running baremetal on something?

Steve

I assume you only have one NIC in that device?

You can still leave LAN assigned as the parent interface directly and assign VLAN99 as an OPT interface.

Steve

@johnpoz Since both my phone and desktop are on LAN and the phone can see the chromecast and cast to it and the desktop cannot.

doesn't that mean something is wrong somewhere?

@johnpoz : Linksys EA7300 - You said it would work, but it doesn't!!! 😆 🤣

Not listed as supported on the DD-WRT web site. 😞

But it is supported on OpenWRT with vLan! Yay!

So, cool beans! I can (probably) take it from here.
Thanks for your, and everyone's, help!!!

No worries, glad you're up and running. 👍

@gertjan The suggested system patch fixed the issue. Thank you!

@g-luke said in Configurazione OpenFiber WAN - PPPoE VLAN:

@wifi75 non mancava nulla.
Avevo fatto tutto esattamente come hai suggerito tu, ma non c'era login.
Ho chiamato il provider il quale ha inizialmente detto che poteva essere un problema del mio router, così mi sono procurato un altro router ma neanche con questo c'era login.
Di conseguenza hanno aperto un ticket con OpenFiber, e alla fine è venuto fuori che quando hanno fatto l'allacciamento si sono dimenticati di attivare qualcosa, per cui non c'era possibilità di connettersi.
Io avevo dato per scontato che fosse un problema di configurazione perché dopo che OpenFiber ha fatto l'allacciamento ho chiesto espressamente se la linea dovesse essere attivata dal provider, ma mi hanno assicurato che "potevo già navigare!"

Che provider?

@viragomann said in Multiple VLANs in HA config:

So ensure the VLAN is also properly configured on the switch.

omg , so stupid :)

Thx it all works now

@waldy327 said in FTTH (AON): Fritz!Box 5530 works, pfSense not:

Or is it enough to disable
"Hardware TCP Segmentation Offloading"
"Hardware Large Receive Offloading"

Those should be disabled anyway, they are disabled by default so definitely disabled them if you have set them enabled.

Hardware offloading requires the driver and hardware to work correctly together. Something that works on an igb NIC might work on ix. It might not even work on a different NIC that also uses the igb driver.
They usually do though because those Intels are the best supported. Intel contributes their own driver code to FreeBSD.

To disable that as a test you can run at the command line:

ifconfig ix0 -vlanhwfilter -vlanmtu -vlanhwtag -vlanhwcsum

I had assumed your igb NICs are not SFP?

Steve

Yes you could use pools in one subnet and filter them differently using aliases but you can't filter traffic between the clients on one subnet that way. Traffic would just go between them directly without passing through pfSense. Only one interface.
Really you need to use VLANs in there to separate the traffic at layer 2.

Steve

@autourdupc said in VLAN to LAN ping always possible despite rules:

Next time, i will ask community before spending soo much time !

What we are here for.. If there is some issue you have question on - or not sure if your understanding something correctly.. Yup just stop on by, here to help.

@johnpoz

Yap! You are right... Some times we don’t think as it should be. It’s exactly the same situation that I’ve with the printer – just an IP assign and everything is working.

As far as I know, TrueNAS (before FreeNAS) has not any internal firewall. At least configurable with the GUI. I’ll investigate deeper.

Maybe it’s the gateway (I’ve some doubts that is wrong), so I’ve to confirm.

For testing, I’ll also change the NAS to the LAN (same net where I’ve also the pfSense) and check if anything changes.

Nevermind. It was traffic shaper mucking me up.

OK i got it! when i block UDP traffic from LAN see rule (or image below) to the IPcam ipaddress it works as it should. what i think happened is that default UDP doesn't work, still don't know why btw, then the camera is forced to use TCP. Its just a guess.

alt text

@andyrh said in New 7100 setup:

I moved the WAN by changing the parent interface for the default WAN VLAN.

The VLAN on WAN, 4090 by default, only applies to the internal switch. So simply moving the VLAN parent to ix0 or igb3 would only work if VLAN 4090 is defined correctly on the external switch they are connected to.
If that's not the case the new WAN interface would be directly ix0 or igb3 without a VLAN.

Steve

@djohnson
This is a late reply but it may assist someone else in future.
The VOIP audio traffic (RTP) require separate UDP ports to be open. The exact range will vary depending on your VoIP system.

Hence, if the RTP ports are not open, you can experience a "working" system, but with a complete lack of audio.

@johnpoz

The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG

Re: There is really no reason for it
I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.

I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...

From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.

Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.

Thank you. -jeff

You can only choose a switch port on one interface as you found. If you leave unset it will use the actual VLAN status which takes it's state from the parent interface. In this case though that's the in internal port which is always UP.

No, there's no private VLAN type function. That would need to be on a switch where hosts are connected directly.

Steve

@marvosa said in Some VLANS Route and some don't:

but the IP Range for the MGMT VLAN is incorrect.

Yeah 10.0.12/22 or 255.255.252 would be 10.0.12.0 - 10.0.15.255

What are the rules you put on these vlans?

And yes a drawing would be most helpful.. Your saying the devices pull the correct info via dhcp.. If so that would point to connectivity being good, so first thing that comes to mind is wrong rules or lack of rules on the vlan interfaces.

Use Captive Portal along with FreeRadius. Create a user and restrict no of simultaneous devices to 3. Share the username and password with all the users.... at a time only 3 will be able to connect.

Regards,
Ashima

@gsemet
In Interfaces > Bridges you can define a new bridge and add interfaces to it. The go to Interface Assignments, assing an interface to the new bridge and enable it. No further settings are needed on the bridge interface.
But befor you have to ensure that there is no configuration on the vlan 10 interface. It has only to be enabled.

However, with this setting results in the vlan 10 going down, when WAN goes down. To avoid that you can move the IP settings from the WAN interface to the bridge.