@gsemet
In Interfaces > Bridges you can define a new bridge and add interfaces to it. The go to Interface Assignments, assing an interface to the new bridge and enable it. No further settings are needed on the bridge interface.
But befor you have to ensure that there is no configuration on the vlan 10 interface. It has only to be enabled.

However, with this setting results in the vlan 10 going down, when WAN goes down. To avoid that you can move the IP settings from the WAN interface to the bridge.

Thank you both for your suggestions, I've been away so I didn't have time to test. I'll try both approaches (believe the one suggested by @fireodo will do the trick).

@godhead83

Start simple. Get the main LAN going first, including DHCP. Once that is done, you can do the same with the VLANs, including a DHCP server for each one. By doing things one step at a time, it's easier to resolve problems. Also, you should get handy with Wireshark, to see what's actually happening on the wire. You can also enable a column in it to display VLAN ID.

I solved the issue a while ago and forgot to answer here.
After entering the IP in Captive Portal / Allowed IP Addresses, everything was perfect.
As my CP is authenticated, so I believe that the question was precisely at that point. The other end had no way to authenticate itself to be able to pass and from the moment I released the IP there, he started to communicate. I even thought about doing a test of this type, taking the CP's authentication to see if it worked directly, but I ended up not having time.

Anyway ... it's resolved.
Thanks to everyone who was willing to try to help.

@gabriel-silveira Se você tem 2 provedores, os 2 estão conectados no pfsense, certo?
O Gateway group permite você configurar essas saídas de Internet em failover por exemplo, caso provedor A caia, utilize o provedor B até que o A seja restabelecido.

Ou caso você queria por exemplo que a VLAN20 utilize o provedor A apenas, você adiciona na regra de Firewall que permite o acesso a Internet dessa VLAN o gateway apontando para o gateway do provedor A.

Você fez alguma configuração nesse sentido?

Pois caso tenha feito, você precisará criar regras de Firewall, permitindo a conexão entre as VLANs, com gateway sem alteração, ou seja, em default, e essa regra deverá estar no topo.

Ela precisa estar antes das regras que permitem o acesso a Internet com gateway específico, ou seja, que não seja default.

Uma recomendação para que possamos te ajudar melhor, é sempre postar uma topologia do ambiente. Estou tendo que fazer suposições sobre o problema e o ambiente.

Good day,
I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...

I have now added a VLAN to the LAN port in proxmox and created a bridge from that. This I have added to pfSense with the first address of the ip subnet which will act as gateway for the /29 addresses from the guests/hosts on the network.

So far so good.

@johnpoz

Luckily i'm in a controlled environment where only PC's and Desktop Phones approved by (me) are allowed to have access via WiFi.

No phones or personal devices are allowed on that segment.

/Bingo

@charles_moody said in Trunk/LAGG problem / pfSense UniFi 24-250W PoE Switch and VLANs:

Can anyone tell me how to get the switch to adopt

So this is crux of your issue?

That has nothing to do with pfsense.. Your controller and switch need to be on the same L2 network for adoption... Or you need to use L3 adoption.. This has everything to do with unifi, and not related to pfsense at all.

https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

behind that about 10 smart-managed Netgear switches

This seems nuts - are they all in closets somewhere.. How big is this house? If you were running cable - why would all your cables not just home run back to your core switching area? Curious where exactly all these switches are?

want LAN just for troubleshooting and because it’s often stated that LAN will strip of the VLAN tags from the traffic

Huh? You can run vlans on lan just like any other interface.. So not sure what your thinking with this statement... Sure you can use lan interface as your management interface.. But it can run vlans on it as well if you want.

@JKnott

I tend to heir on the side of caution when it comes to using terminology I'm not 100% familiar with, but I have the basics down that's for sure.

Regardless, after some extensive troubleshooting I got rid of the Aruba switch and swapped it out with a Ubiquiti.
Had my network infrastructure team troubleshoot the Aruba... nobody could get it working. They let me know about how others have not been able to use Aruba equipment in the past, so i chalked it up to the switch.

While captive portal could be blocking.. You clearly have issue there with only allowing tcp.. Unless your client is doing doh or dot there is now way he could get any dns.. DNS runs on UDP 53..

You can see right there in your block 53 to 8.8.8.8 was blocked.

@j24 I added a NAT rule that redirects the DNS requests from the VLAN to a known DNS e.g. 8.8.8.8. It's not the best solution I hope someone can help us separate pfBlocker from the other VLANs.

@CalTommo

I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.

@xyzzyz said in VLAN question for noob moving from Cisco ASA:

My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?

No.

Trunk your VLANs on a single pfSense interface.

The Netgear docs suck big time.

https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

Bonjour,

Alors moi aussi je suis en train de faire ce setup avec comme but de garder Livebox , TV et phone de coté.
Donc je regarde cette doc :
https://wiki.csnu.org/index.php/Fibre_orange_en_DHCP_avec_routeur_pfsense
J'ai acheté un switch microtik 260gs, parce que je suis un geek et que c'est bien foutu ces switch pour pas chère :)

Bref en attendant d'avancer sur ce setup j'ai ma solution intermédiaire pour la partie TV
Sur un switch qui supporte les vlan je créé un vlan spécial ou je branche et j'isole du reste de mon réseau la livebox et la box tv. Bien entendu j'ai du tirer un câble de mes serveurs vers ma tv mais je suis bien content du résultat.
Après je n'ai rien inventé j'ai suivi l'idée de la doc ci dessus :
"Enfin, dans le cas ou vous ne pourriez pas brancher directement le port LAN de la livebox à votre décodeur, il est possible (à condition que le switch gérant votre lan soit manageable et supporte les VLANs) de brancher le port LAN de la livebox directement à votre switch de LAN et d'y taguer les paquets sur un VLAN (666 dans cet exemple). Cela impose d'avoir un second switch sur votre lan, qui sera, lui, directement connecté au décodeur et qui doit être lui aussi manageable afin de détaguer du VLAN 666 les paquets pour le décodeur. "

Tous ça pour dire que je pense que virtualiser pfsense dans proxmox peut ajouter plus de complication que de solution. Mais c'est intéressant de monter ce setup

Quand j’aurais le temps d’avancer sur ce setup j'ajouterais des infos.

@+

@Overclock said in Non local gateway IPv6:

I let you inform about OVH response.

Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

Dick? Really? Calling you out on calling yourself a ccie when clearly everyone knows that is not even close to true is not being a dick... That is just calling someone out on their BS!

So what was the problem, only tcp for the rule? Wrong source?
Maybe you had policy route on the rule? But that wouldn't of stopped ping to pfsense IP? Only ping to other lan.. That is another common mistake.

No, no reboot required.

@Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file.

Untitled.png

mssfix1400_full_cap.pcapng

I have not been able to reproduce the problem here, but I can see how it might happen. I opened https://redmine.pfsense.org/issues/9582 to track it and committed a fix: https://github.com/pfsense/pfsense/commit/45f95753963e497b5ce14493f9cca05336d75c7b

You can install the System Patches package and then create an entry for 45f95753963e497b5ce14493f9cca05336d75c7b to apply the fix.

Alternately, you can use viconfig to edit the config and remove that <vlans></vlans> line, or download a backup, edit it out, then restore.

So looking at the new 5.11.10 release, looks like they have added ipv6?

from 5.11.5 in the release notes?
Add subnet for IPv6 networks in Networks Table.

I am currently running 5.10.21 which is not viable direct upgrade.. So can not test for sure until I get on 5.11.10, but you might want to try 5.11.10 if you want ipv6 with guest policy enable. But not captive portal.

@johnpoz
My drawing above is the existing config. The Netgear switch is completely unused. I would be fine using that if need be for the VLAN or port 5 or 6, although from Example 1 here, which I was going to loosely follow for the VLAN tagging, it appears to me, I should be able to remove a port from VLAN 1.

https://www.tp-link.com/us/faq-788.html

Tim

Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch?

Post your server1.conf

What are the IP's in the VLAN you're trying to access?

What do the rules look like on your LAN and OpenVPN tab?

Two things that I forgot to mention are that I already have OpenVPN set up successfully for my normal network and that since I'm new to the pfSense concept, I've never worked with VLANs on it before. I do, however, understand the VLAN broad concept since I've taken a Principles of Networking class as a computer systems administration student at my university.

teşekkür ederim ilginiz için

Create a LAGG on pfsense and on the switch stack. Use the LAGG as the vlan parent.

Correct, the patches above are copies of the changes made in the repository that will be used to build pfSense 2.4.4-p1. So not "hacks" exactly.

If it's all working for you now then there shouldn't be anything to worry about. When you upgrade to 2.4.4-p1 the manually edited files will be replaced with the copies from the new release, which already contain these changes.

You will neef IGMP proxy for 'discovery' to work. Unless you can use mDNS instead in which case try Avahi.

Of coarse if you can enter the IP address of the NAS directly in the devices then you don't need either. But alas that's too easy for most manufacturers it seems.

Steve

@johnpoz When I installed pfSense on the new router I created two interfaces... I had read on the basic firewall page that OPT interfaces have no rules and forgot that - thanks for setting me straight and waking me up. Firewall rules are scary but I'm getting there.

@dbinoj I'll try that as soon as I get home. Thanks :)

The copy jobs will be between nas to vsphere and external. Probably it will be smb3, i did not decide yet.
After removing the whole lagg config on pfsense and switch it works!

I can work with that but i'm still interested why it did not work with lag...