@CalTommo I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.

@xyzzyz said in VLAN question for noob moving from Cisco ASA: My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port? No.

Trunk your VLANs on a single pfSense interface. The Netgear docs suck big time. https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

Bonjour, Alors moi aussi je suis en train de faire ce setup avec comme but de garder Livebox , TV et phone de coté. Donc je regarde cette doc : https://wiki.csnu.org/index.php/Fibre_orange_en_DHCP_avec_routeur_pfsense J'ai acheté un switch microtik 260gs, parce que je suis un geek et que c'est bien foutu ces switch pour pas chère :) Bref en attendant d'avancer sur ce setup j'ai ma solution intermédiaire pour la partie TV Sur un switch qui supporte les vlan je créé un vlan spécial ou je branche et j'isole du reste de mon réseau la livebox et la box tv. Bien entendu j'ai du tirer un câble de mes serveurs vers ma tv mais je suis bien content du résultat. Après je n'ai rien inventé j'ai suivi l'idée de la doc ci dessus : "Enfin, dans le cas ou vous ne pourriez pas brancher directement le port LAN de la livebox à votre décodeur, il est possible (à condition que le switch gérant votre lan soit manageable et supporte les VLANs) de brancher le port LAN de la livebox directement à votre switch de LAN et d'y taguer les paquets sur un VLAN (666 dans cet exemple). Cela impose d'avoir un second switch sur votre lan, qui sera, lui, directement connecté au décodeur et qui doit être lui aussi manageable afin de détaguer du VLAN 666 les paquets pour le décodeur. " Tous ça pour dire que je pense que virtualiser pfsense dans proxmox peut ajouter plus de complication que de solution. Mais c'est intéressant de monter ce setup Quand j’aurais le temps d’avancer sur ce setup j'ajouterais des infos. @+

@Overclock said in Non local gateway IPv6: I let you inform about OVH response. Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

Dick? Really? Calling you out on calling yourself a ccie when clearly everyone knows that is not even close to true is not being a dick... That is just calling someone out on their BS! So what was the problem, only tcp for the rule? Wrong source? Maybe you had policy route on the rule? But that wouldn't of stopped ping to pfsense IP? Only ping to other lan.. That is another common mistake.

No, no reboot required.

@Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file. mssfix1400_full_cap.pcapng

I have not been able to reproduce the problem here, but I can see how it might happen. I opened https://redmine.pfsense.org/issues/9582 to track it and committed a fix: https://github.com/pfsense/pfsense/commit/45f95753963e497b5ce14493f9cca05336d75c7b You can install the System Patches package and then create an entry for 45f95753963e497b5ce14493f9cca05336d75c7b to apply the fix. Alternately, you can use viconfig to edit the config and remove that <vlans></vlans> line, or download a backup, edit it out, then restore.

So looking at the new 5.11.10 release, looks like they have added ipv6? from 5.11.5 in the release notes? Add subnet for IPv6 networks in Networks Table. I am currently running 5.10.21 which is not viable direct upgrade.. So can not test for sure until I get on 5.11.10, but you might want to try 5.11.10 if you want ipv6 with guest policy enable. But not captive portal.

@johnpoz My drawing above is the existing config. The Netgear switch is completely unused. I would be fine using that if need be for the VLAN or port 5 or 6, although from Example 1 here, which I was going to loosely follow for the VLAN tagging, it appears to me, I should be able to remove a port from VLAN 1. https://www.tp-link.com/us/faq-788.html Tim

Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch? Post your server1.conf What are the IP's in the VLAN you're trying to access? What do the rules look like on your LAN and OpenVPN tab?

Two things that I forgot to mention are that I already have OpenVPN set up successfully for my normal network and that since I'm new to the pfSense concept, I've never worked with VLANs on it before. I do, however, understand the VLAN broad concept since I've taken a Principles of Networking class as a computer systems administration student at my university.

teşekkür ederim ilginiz için

Create a LAGG on pfsense and on the switch stack. Use the LAGG as the vlan parent.

Correct, the patches above are copies of the changes made in the repository that will be used to build pfSense 2.4.4-p1. So not "hacks" exactly. If it's all working for you now then there shouldn't be anything to worry about. When you upgrade to 2.4.4-p1 the manually edited files will be replaced with the copies from the new release, which already contain these changes.

You will neef IGMP proxy for 'discovery' to work. Unless you can use mDNS instead in which case try Avahi. Of coarse if you can enter the IP address of the NAS directly in the devices then you don't need either. But alas that's too easy for most manufacturers it seems. Steve

@johnpoz When I installed pfSense on the new router I created two interfaces... I had read on the basic firewall page that OPT interfaces have no rules and forgot that - thanks for setting me straight and waking me up. Firewall rules are scary but I'm getting there.

@dbinoj I'll try that as soon as I get home. Thanks :)

The copy jobs will be between nas to vsphere and external. Probably it will be smb3, i did not decide yet. After removing the whole lagg config on pfsense and switch it works! I can work with that but i'm still interested why it did not work with lag...