@charles_moody said in Trunk/LAGG problem / pfSense UniFi 24-250W PoE Switch and VLANs:

Can anyone tell me how to get the switch to adopt

So this is crux of your issue?

That has nothing to do with pfsense.. Your controller and switch need to be on the same L2 network for adoption... Or you need to use L3 adoption.. This has everything to do with unifi, and not related to pfsense at all.

https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

behind that about 10 smart-managed Netgear switches

This seems nuts - are they all in closets somewhere.. How big is this house? If you were running cable - why would all your cables not just home run back to your core switching area? Curious where exactly all these switches are?

want LAN just for troubleshooting and because it’s often stated that LAN will strip of the VLAN tags from the traffic

Huh? You can run vlans on lan just like any other interface.. So not sure what your thinking with this statement... Sure you can use lan interface as your management interface.. But it can run vlans on it as well if you want.

@JKnott

I tend to heir on the side of caution when it comes to using terminology I'm not 100% familiar with, but I have the basics down that's for sure.

Regardless, after some extensive troubleshooting I got rid of the Aruba switch and swapped it out with a Ubiquiti.
Had my network infrastructure team troubleshoot the Aruba... nobody could get it working. They let me know about how others have not been able to use Aruba equipment in the past, so i chalked it up to the switch.

While captive portal could be blocking.. You clearly have issue there with only allowing tcp.. Unless your client is doing doh or dot there is now way he could get any dns.. DNS runs on UDP 53..

You can see right there in your block 53 to 8.8.8.8 was blocked.

@j24 I added a NAT rule that redirects the DNS requests from the VLAN to a known DNS e.g. 8.8.8.8. It's not the best solution I hope someone can help us separate pfBlocker from the other VLANs.

@CalTommo

I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.

@xyzzyz said in VLAN question for noob moving from Cisco ASA:

My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?

No.

Trunk your VLANs on a single pfSense interface.

The Netgear docs suck big time.

https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

Bonjour,

Alors moi aussi je suis en train de faire ce setup avec comme but de garder Livebox , TV et phone de coté.
Donc je regarde cette doc :
https://wiki.csnu.org/index.php/Fibre_orange_en_DHCP_avec_routeur_pfsense
J'ai acheté un switch microtik 260gs, parce que je suis un geek et que c'est bien foutu ces switch pour pas chère :)

Bref en attendant d'avancer sur ce setup j'ai ma solution intermédiaire pour la partie TV
Sur un switch qui supporte les vlan je créé un vlan spécial ou je branche et j'isole du reste de mon réseau la livebox et la box tv. Bien entendu j'ai du tirer un câble de mes serveurs vers ma tv mais je suis bien content du résultat.
Après je n'ai rien inventé j'ai suivi l'idée de la doc ci dessus :
"Enfin, dans le cas ou vous ne pourriez pas brancher directement le port LAN de la livebox à votre décodeur, il est possible (à condition que le switch gérant votre lan soit manageable et supporte les VLANs) de brancher le port LAN de la livebox directement à votre switch de LAN et d'y taguer les paquets sur un VLAN (666 dans cet exemple). Cela impose d'avoir un second switch sur votre lan, qui sera, lui, directement connecté au décodeur et qui doit être lui aussi manageable afin de détaguer du VLAN 666 les paquets pour le décodeur. "

Tous ça pour dire que je pense que virtualiser pfsense dans proxmox peut ajouter plus de complication que de solution. Mais c'est intéressant de monter ce setup

Quand j’aurais le temps d’avancer sur ce setup j'ajouterais des infos.

@+

@Overclock said in Non local gateway IPv6:

I let you inform about OVH response.

Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

Dick? Really? Calling you out on calling yourself a ccie when clearly everyone knows that is not even close to true is not being a dick... That is just calling someone out on their BS!

So what was the problem, only tcp for the rule? Wrong source?
Maybe you had policy route on the rule? But that wouldn't of stopped ping to pfsense IP? Only ping to other lan.. That is another common mistake.

No, no reboot required.

@Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file.

Untitled.png

mssfix1400_full_cap.pcapng

I have not been able to reproduce the problem here, but I can see how it might happen. I opened https://redmine.pfsense.org/issues/9582 to track it and committed a fix: https://github.com/pfsense/pfsense/commit/45f95753963e497b5ce14493f9cca05336d75c7b

You can install the System Patches package and then create an entry for 45f95753963e497b5ce14493f9cca05336d75c7b to apply the fix.

Alternately, you can use viconfig to edit the config and remove that <vlans></vlans> line, or download a backup, edit it out, then restore.

For anyone finding this in 2024, I had to enable "Multicast Enhancement" for the Unifi Wifi network AND I had to disable Hotspot 2.0. Only then did the Router Advertisements flow down to wifi clients. I was sitting in wireshark on a MacOS 14.6 laptop client and suddenly there was a flurry of traffic.

Pro-tip: You may have to wait for the RA interval for the Unifi change to make a difference. Default is 200 seconds, you can change this in the RA Server settings. I set mine to 10 seconds then clicked the button to restart the RA server.

This worked!

Screenshot 2024-11-06 084436.png

Screenshot 2024-11-06 084835.png

@johnpoz
My drawing above is the existing config. The Netgear switch is completely unused. I would be fine using that if need be for the VLAN or port 5 or 6, although from Example 1 here, which I was going to loosely follow for the VLAN tagging, it appears to me, I should be able to remove a port from VLAN 1.

https://www.tp-link.com/us/faq-788.html

Tim

Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch?

Post your server1.conf

What are the IP's in the VLAN you're trying to access?

What do the rules look like on your LAN and OpenVPN tab?