I got it to work. It had to do with not setting mtu of 1400. I can now do dns lookup and it works! Thank you for your suggestions.

@HHUBS and where is the simple packet capture I told you to do? We already knew your device didn't answer.. I just want to show you its not pfsense problem..

If your tagging out of pfsense?

tag.jpg

Which port on the er605 is connected to pfsense - that port would have to be tagged for 40. The port connected from the er605 to your kvm wouldn't be tagged.

I don't show any ports tagged with 40 on your er605.. I show port 3,4 and 5 untagged 40.. So then your setup on pfsense that port should be just a native network and not a vlan.

if you connect pfsense igb1 to port 3 on your er605 and your tagging on pfsense (ie a vlan) then port 3 should be tagged 40 in your er605,f and then if port 5 is connected to your kvm - that would untagged 40.

If your going to set the er605 up with 3 ports in vlan 40 as untagged then pfsense interface needs to be just native untagged network.

@scottlindner if the goal is leverage 2.5ge connection - yeah a small 2.5ge seems like a good solution.

You could then if enough ports on this new switch - leverage lacp from the 1 gig switch to provide for more bandwidth to the router.

This wont help with a single connection, but it would provide for more bandwidth for multiple devices on the 48 port to the router interface through the 2.5ge switch.

Yeah a 48 port 2.5ge managed is prob not all that cheap ;)

You could then also move a vlan or both off your current lan interface onto their own 2.5ge interface. Maybe a 16 port 2.5ge switch price is more budget friendly? This would give you plenty of ports to work with - you could have 3 different uplinks for your networks, and then 2 or more as lacp to your 1 ge switch, and leave plenty of ports for 2.5ge APs into the new switch. Or maybe 8 port is enough?

@Gblenn
I would have followed up earlier but have been busy with both the network and other stuff.
I still appreciate your advice. And I have been reading more about the concept of VLANs.
The old D-Link is still in the rack and I use it for a "backup" so I can go back to this if the Unifi switch does not work.
Theres is another problem that I haven't been able to solve.
The Unifi controller holds all the configured wired and wireless networks even if I use hardware reset on the switch. But no matter what I do, the switch appears to be offline after a few moments.
And even if it still handles the traffic according to the configuration, it is offline in the sense that I can't ping it or log in with ssh.
When I use the old switch and just connect the new one through a single cable, the switch can be adopted and configured.
I have read a lot of post about similar issues at the Ubiquiti Forum. Some suggests to manually change the inform host like this set-inform http://ip-of-controller:8080/inform. This seems not to change anything.
Other suggestions are to add an 43 option to the DHCP server (pfSense) or make a host override at the same place.
Do you have any suggestions?

@dj_jc_jase glad to hear sorted.. Possible something got messed up with during the double change at same time? I don't have anything on poe switch from unifi - so not sure if AP might reboot on switch IP change because of loss of poe? And then possible loss of talking to the controller to get info.. Something was not right.

But from a actual network pov - the management IP of the switch and ck has zero to do with anything.

@Antonio1971 if you setup a bridge - then your firewall rules would have to allow the traffic over your bridge..

While bridging can "some what" simulate the actions of a switch - it is not a switch.. A 20$ gig switch would solve your issue ;) shoot if your only after 3 connections a 10$ 5 port gig switch solve your problem

The time you have spent on this clearly exceeds the cost of a switch - I can tell you for sure if I charged for my time in answering you could of gotten multiple smart switches, and I have spent only a couple of minutes - hehehe

A bridge does have specific uses cases.. Trying to turn 2 discrete interfaces into a switch is not one of them. The only time I would even think of doing it would be if production was down and it needed to be up NOW.. And the switch won't be here til tmrw..

Got it sorted. For anyone reading, the main issue was I have manual outbound NAT rules setup. I had to set up a NAT rule for the VLAN IP address range and the WAN as the interface (thanks ChatGPT for correcting my mistake of putting the VLAN assignment as the interface). All is now working and bypassing NordVPN

@patient0

Thank you very much for your help.

@louis2 These are the only 2 machines talking to each other at the same time? Then it isn't a problem, your acks are going to go on the same wire as well now.. So you would never be able to see full throughput. be it that small.

Your talking about a optimization of jumbo, but then are not caring about your overall bandwidth being reduced.

What if you have machines C and D talking to each other on a completely different vlans - but they share the same wire now. Or could be.

If your happy with your setup.. Have at it.

All of that aside - you still haven't shown that your disks can read/write at the extra throughput jumbo could bring.. If the disks can not write/read even bandwidth X (standard 1500).. Does it make any sense to complex up the network with jumbo to gain that extra speed jumbo could provide?

There is no freaking way jumbo gives you this sort of boost

speed.jpg

You have something else going on there.. If you are only seeing 3.2 on 1500, and 9.4 on jumbo.

@mythos1357 said in The Dreaded PFSense as a Switch (Temporarily):

Stress is always self induced and a silly thing to do

Wise words for sure..

Life throws things at you - but yeah stressing about anything for sure is always self induced ;)

@froussy if you're local.. Sure just change the ip on the lan and your good to go.. Since you would be able to touch anything that is not dhcp, etc.

And you can always console into pfsense, etc

@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:

You have port 4 on the router going to port 1 on the switch, correct?

correct

@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:

PVID 1 on port 1 is not a problem, that would just carry your untagged traffic on igc3.

check

@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:

Turn on the DHCP server on all the vlans and then plug in to switchport 5, do you get an address?

I don't understand what just happened. I have switched on DHCP for all VLANs and have received a correct IP on the corresponding ports and was also able to call up the interface and reach the gateway via ping.

I then switched the DHCP servers off again, manually set IP addresses on all ports again for the client to match the port and tested... Still works.

Apart from that, I have not made any other changes.

So yes, it works now - so I seem to have understood the principle correctly after all. Shall we blame the switch? :D

BIG THANKS TO YOU! You rarely experience such patience with a newbie these days!

@Gazza77

do not include downstream interfaces (WAN)
in dhcp-relay

for doing this task ,
you'd better buy hardware with multiple network cards for the NUC

Mini PC Windows Intel N100, Celeron J6412, HDMI, DP, RS232, COM, RJ45, LAN, PCIE, Wi-Fi, fanless,

@DominikHoffmann, it looks like multiple things may need to be addressed.

As @patient0 mentioned, it appears the VLAN table on Interfaces -> Switch -> VLANs needs to be adjusted. You'll want to remove members 1-4 from group 0, e.g similar to this.:
6f784608-ba67-4579-be78-1a05c24888af-image.png

It looks like the switchports on the Netgate are misconfigured. From the vids and articles I've seen, your Interfaces -> Switch -> Ports section should look something like this:
6a1b6a6a-981b-4688-b7b2-2af698f7a9f6-image.png

Another discrepancy I noticed, unless done by design for your use case, is on the Interfaces -> VLANs section. VLAN 4084 was created on the WAN interface instead of the LAN:
74a76525-9e9d-4a73-82e7-197f9974ae1a-image.png

This is unrelated to the main issue, but regarding your "InternalNetworks" alias, I would modify the line items for Guest, IOT, and OpenVPN to reflect the actual network addresses. It's possible that what's listed may be accomplishing the same thing, depending on how the alias interprets it, but ideally, you'd want to list the network address if the intent is to block the network. I.e.:
192.168.39.0/24 - Guest Wi-Fi LAN
192.168.40.0/24 - IoT Wi-Fi LAN
192.168.41.0/24 - OpenVPN network

I also have a curious streamlining question for your firewall rules... at a glance, it would appear blocking management ports on the first line is redundant:
a10319ce-858d-4af0-91ce-d2b27d69fb6d-image.png
If we're already blocking all traffic to the firewall here:
064c73c6-103d-4e2e-9f49-4557319f28bd-image.png
You likely have your reasons, just curious about your thoughts.