@algo7 said in Another vlan w/o network access issue:

It's always Netgear. Their VLAN configuration is always a PITA. Ran into almost the exact issue today.

What issue? There was nothing wrong with Netgear, just the port assignments...

@Stp well if you can ping 8.8.8.8 then internet is working.. Your problem is prob dns related.

It might have a DMZ pass-through option that simply forwards traffic to pfSense. But that may not be useful if you want to use the public IPs separately.

First, configure mvneta1 interface with an IP address in a MGMT network that you choose (not vlan). And use this same network in the switch and AP for management purposes.

Checking your screenshots, everything seems to be correct at the pfSense side.
Check your netgear, make sure the MGMT network is correct (untagged) and in the same network as mvneta1 in pfsense, check if this same port is configured to receive vlan20 and vlan30 tagged, and the downlink has the same configuration.

The port connecting pfSense to Netgear switch should be like this:
VLAN 1 Untagged (MGMT of the switch)
VLAN 20 Tagged
VLAN 30 Tagged

Netgear Switch to AP:
VLAN 1 Untagged (MGMT of the AP)
VLAN 20 Tagged
VLAN 30 tagged

Then, assign the wifi networks to use VLAN 20 and VLAN 30 respectively.

go to the proxmox forum

@Jarhead
Thank you man!
I wasted a lot of time without trying the most banal thing.

Thank you again!

@nfaheem said in Trying to Access Home Assistant from outside network:

but recently tried to migrate to Home Asisstant and using their cloud service, I still cannot using certain services because my network blocks traffic.

If Home Assistant has a cloud service then I wouldn't expect any of this to be necessary. Everything would be accessed via the cloud. I could be misreading that though.

@ChrisJenk What he meant was of course it's tagged. The parent (or trunk port if you're more familiar) will carry the untagged traffic. Any vlan on it will have to be tagged.

So I installed the pimd package

Added the two VLANs to the PIMD interfaces list and enabled them Add one pfsense interface as RP address for PIMd (192.168.12.1) left all other pimd configuration options at defaults

In addition, I add on each of the interfaces a firewall rule to pass everything, also checked the "Allow IP options" on those rules. Logging enabled.
In addition, I add on each interface at the very end a "catch all" blocking rule, also with logging enabled. This is so that I can see if my "pass" rule misses anything.

Then I started VLC multicast streaming server on 192.168.12.101 (vlan12):

cvlc BigBuckBunny_320x180.mp4 --sout "#rtp{dst=239.255.1.2,port=5004,ttl=10,mux=ts,sap,name=Bunny}" --no-sout-all --sout-keep --loop

PIMD status shows the server in its routing table:

Virtual Interface Table ====================================================== Vif Local Address Subnet Thresh Flags Neighbors --- --------------- ------------------ ------ --------- ----------------- 0 192.168.1.1 192.168.1 1 DR NO-NBR 1 192.168.2.1 192.168.2 1 DR NO-NBR 2 192.168.10.1 192.168.10 1 DISABLED 3 192.168.12.1 192.168.12 1 DR NO-NBR 4 79.239.182.225 79.239.182.225/32 1 DISABLED 5 192.168.1.1 register_vif0 1 Vif SSM Group Sources Multicast Routing Table ====================================================== ----------------------------------- (S,G) ------------------------------------ Source Group RP Address Flags --------------- --------------- --------------- --------------------------- 192.168.12.101 239.255.1.2 192.168.12.1 CACHE SG Joined oifs: .....j Pruned oifs: ...... Leaves oifs: ...... Asserted oifs: ...... Outgoing oifs: .....o Incoming : ...I.. TIMERS: Entry JP RS Assert VIFS: 0 1 2 3 4 5 205 60 0 0 0 0 0 0 0 0 ----------------------------------- (S,G) ------------------------------------ Source Group RP Address Flags --------------- --------------- --------------- --------------------------- 192.168.12.101 239.255.255.255 192.168.12.1 CACHE SG Joined oifs: .....j Pruned oifs: ...... Leaves oifs: ...... Asserted oifs: ...... Outgoing oifs: .....o Incoming : ...I.. TIMERS: Entry JP RS Assert VIFS: 0 1 2 3 4 5 205 60 0 0 0 0 0 0 0 0 --------------------------------- (*,*,G) ------------------------------------ Number of Groups: 4 Number of Cache MIRRORs: 8 ------------------------------------------------------------------------------

Then I start client on 192.168.1.196 (vlan1):

vlc rtp://239.255.1.2:5004

but dont get a video. This works fine, if client and server are on the same VLAN.

Packet capture on pfsense vlan1 interface shows that the client is trying to join the group:

22:31:55.963481 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_in { }] 22:31:56.735594 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_in { }] 22:31:57.327523 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_ex { }] 22:31:57.827784 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 48, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 239.255.1.2 is_ex { }] [gaddr 224.0.0.251 is_ex { }] 22:31:57.955683 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_ex { }] 22:32:11.647572 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 48, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 239.255.1.2 is_ex { }] [gaddr 224.0.0.251 is_ex { }]

But I can't see anything in the firewall logs, though logging is enabled (see above).

Any ideas how to further debug this problem?

Wireless client isolation is a layer 2 function on the access point itself.

@root1ng said in Can someone explain to me how i can do this ?:

the network card of the motherboard is disabled in the bios

Most of us who use Proxmox reserve that port for Proxmox...makes it a lot easy, and once you passthrough the PCIe NIC in your setup, Proxmox won't have a gateway. Please visit here: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

Edit3: Finally the things have worked. What I did based on @jasonlitka post on another thread. I open up the cli to check the running config file on the ports 3 and 36. I have cleaned all the configurations on each port. So the configurations are below:

Switch01 Core(config)#do show running-config interface GigabitEthernet1/0/03 interface gigabitethernet1/0/3 description "Live Esquerda" switchport access vlan 10 ! Switch01 Core(config)#do show running-config interface GigabitEthernet1/0/36 interface gigabitethernet1/0/36 switchport mode general switchport general allowed vlan add 10 tagged switchport general allowed vlan add 1 untagged !

And bang! Machine is addressed and working.

@p2ranger @michmoor gave the link where it is explained for pfSense but it is not timebased:

server: access-control-view: 192.168.1.69/32 blocksites view: name: "blocksites" local-zone: "youtube.com" static

I don't think that there is a more integrated solution for youtube.com in pfBlocker. You can force save search for youtube though.

If it'll help, some further details about my setup, everything is connected by Unifi switches that are vlan capable, but not all of the ports are specifically configured to be on a vlan.

I've been doing fping tests just to see what can be seen through a few different systems, and below is my findings.

From a system that is connected to a port designated with vlan 3220 [10.32.2.0 network]:

uquevedo@ubence-air-wired ~ % fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10

From the VM itself that is configured with the bridge interface to vlan 3240:

uquevedo@kea-testing:~$ fping -qga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10

From a system that is connected to a port designated with vlan 3230 [10.32.3.0 network]:

[uquevedo@fedora-system ~]$ fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10

From the actual RHEL9.2 host system, which of course can ping the IP address:

[uquevedo@rh-vm01 ~]$ fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.9 10.32.40.10

There are many bridged interfaces on the host system connecting to various vlan tagged interfaces:
Screenshot 2023-05-17 at 7.13.36 AM.png

The bridge0 interface is a non-vlan tagged interface [vlan1?] and is accessible to all systems on the network.

I was under the assumption that if a network interface was tagged with vlan information that it would be accessible to other systems that are part of that same vlan?

Another thing about my setup is that these vlans are configured on a pfSense box for lab purposes, they are not configured on my main pfSense box [which I don't think matters]. So even though the opt ports of this system are technically on their own network, they are connecting to my main network.

@chrisjx Hi,
I also have a location with two ISPs, one is the primary and the second is a Starlink.
So I know how to setup the LAN4 as a OPT and assigned VLAN 40 to it. But how do I make sure the Starlink is on VLAN 40 then?

Did you managed to get this working?

BR
Nick

@hudri said in Assigning Clients to VLANs:

where they just manually switched back and forth between the VLANs,

You can - where you set the pc to understand the tag, but again that is not a vlan... That is some user without a clue to networking thinking they have setup a vlan and all they did is run multiple IP schemes on the same network. There is no actual security there, anything can talk to anything, be it you setup a firewall rule or not - broadcast and multicast traffic is going to be seen by every device.

That is not a vlan. A vlan actually isolates traffic at layer 2..

You could move your pc into another vlan that is on that port, by changing the pvid on trunk port so the untagged traffic is now in X vs Y, etc. But just changing on the IP on the pc isn't going to work if you actually have vlans setup.

@onepiece said in Creating VLANs and subnets (and SSIDs) using pfSense:

Do most modern APs allow multiple SSID transmissions using separate subnets simultaneously?

Proper APs usually do, but using a router as an AP won't. Just read the specs to see what an AP can do.

I have a Unifi AC-Lite AP, which supports multiple SSIDs and VLANs, as did a TP-Link AP I used before.

BTW, some people here like the Unifi APs.