computers can still ping after being included in different VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-12-29 01:36:12 - last edited 2024-01-02 02:12:58
Model: TL-SG2428P  
Hardware Version: V4
Firmware Version: 4.0.6 Build 20230602 Rel.73473

switch = TLSG2428P

firmware V4.0.6 build 20230602 Rel 73473

I have 2 computers which I added to 2 different VLANs. I am still able to ping between these computers, meaning the VLANs somehow are not active.

Any idea what I could be doing wrong or forgetting?

 

I created 2 different VLANs:

L2 FEATURES | VLAN | 802.1q VLAN - VLAN Config

 

VLAN=1  (System-VLAN) Members = 1/0/1-28

VLAN=101  (VL1) Members = 1/0/1-28

VLAN=105  (VL2) Members = 1/0/1-28

 

I left all the default settings in the Port Config screen:

(ingress checking enabled, acceptable frame type=Admit all)

 

 

I added the computers based on their MAC address:

 

 L2 FEATURES | VLAN | MAC VLAN

<mac-computer-1>  VLAN=101

<mac-computer-2>  VLAN=105

 

I selected All the ports.

 

I have no ACLs defined.

 

What needs to be done to "activate" the VLAN settings?

Am I correct to assume that once the VLANs are active, I should not be able to ping between these computers anymore?

#1
Re:computers can still ping after being included in different VLAN
2023-12-29 01:41:18 - last edited 2024-01-02 02:12:36

  In addition:

Each VLAN (101 and 105) has all ports selected as untagged.

I assume I don't need tagged ports because I only have 1 switch and 1 router.

#2
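What the VLAN table in the two posts above actually does to a frame, as an added illustration (this is model code written for this thread, not TP-Link firmware logic and not the poster's configuration): an untagged port classifies an incoming frame by its MAC VLAN entry, falling back to the port's PVID, and the frame may only leave through ports that are members of that VLAN. The port numbers (3 and 7), the MAC addresses and the PVID of 1 are constructed; the membership sets mirror the post, every port untagged in VLANs 1, 101 and 105. With that table the two Pis reach each other in both directions, because every port is a member of both VLANs; restrict each VLAN to the port of its own host and the same frames have no egress port at all. The last function is the caveat a practitioner wants here: a source MAC with no MAC VLAN entry lands in the PVID, VLAN 1, which still spans all 28 ports, so isolation that rests on MAC VLAN alone is only as strong as the default VLAN's membership (and a MAC address is trivially changed on the host).

```python
"""Model of 802.1Q ingress classification and egress membership filtering on
one switch. Added example for this thread; not TP-Link firmware code and not
the poster's configuration. Port numbers, MAC addresses and the PVID of 1
are constructed; VLAN membership mirrors the post."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
PI1 = "b8:27:eb:00:00:01"   # constructed: "Raspberry #1", cabled to port 3, MAC VLAN 101
PI2 = "b8:27:eb:00:00:02"   # constructed: "Raspberry #2", cabled to port 7, MAC VLAN 105


@dataclass
class Port:
    pvid: int                                   # VLAN for untagged frames with no MAC-VLAN hit
    untagged: set = field(default_factory=set)  # member VLANs, frames leave untagged
    tagged: set = field(default_factory=set)    # member VLANs, frames leave with a tag
    ingress_check: bool = True                  # "ingress checking" in the port config screen

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


class Switch:
    def __init__(self, ports, mac_vlan):
        self.ports = ports          # {port_number: Port}
        self.mac_vlan = mac_vlan    # {source MAC: VLAN ID}, the MAC VLAN table
        self.fdb = {}               # learned {(vid, mac): port}

    def classify(self, in_port, src_mac, tag):
        """Ingress: a tagged frame keeps its VID; an untagged one takes the
        MAC-VLAN entry for its source MAC, else the port PVID. Ingress checking
        then drops a frame whose VID the receiving port is not a member of."""
        vid = tag if tag is not None else self.mac_vlan.get(src_mac, self.ports[in_port].pvid)
        port = self.ports[in_port]
        if port.ingress_check and not port.member_of(vid):
            return None
        return vid

    def forward(self, in_port, src_mac, dst_mac, tag=None):
        """Return the set of ports the frame leaves on. Unknown or broadcast
        destinations flood, but only to ports that are members of the VID."""
        vid = self.classify(in_port, src_mac, tag)
        if vid is None:
            return set()
        self.fdb[(vid, src_mac)] = in_port
        learned = self.fdb.get((vid, dst_mac))
        candidates = {learned} if learned not in (None, in_port) else set(self.ports) - {in_port}
        return {n for n in candidates if self.ports[n].member_of(vid)}


def build(all_ports_in_both, n_ports=28):
    """all_ports_in_both=True is the post's table: ports 1-28 untagged in 1, 101, 105.
    False keeps VLAN 1 on every port but puts 101 only on port 3 and 105 only on port 7."""
    ports = {}
    for n in range(1, n_ports + 1):
        members = {1}
        if all_ports_in_both or n == 3:
            members.add(101)
        if all_ports_in_both or n == 7:
            members.add(105)
        ports[n] = Port(pvid=1, untagged=members)
    return Switch(ports, mac_vlan={PI1: 101, PI2: 105})


def ping_round_trip(all_ports_in_both):
    """(ARP request from Pi#1 reaches port 7, unicast reply from Pi#2 reaches port 3)."""
    sw = build(all_ports_in_both)
    request = 7 in sw.forward(in_port=3, src_mac=PI1, dst_mac=BROADCAST)
    reply = 3 in sw.forward(in_port=7, src_mac=PI2, dst_mac=PI1)
    return request, reply


def stranger_reaches_pi2():
    """A source MAC with no MAC-VLAN entry is classified into the PVID, VLAN 1,
    which the post leaves on all 28 ports, so it still floods to Pi#2's port."""
    sw = build(all_ports_in_both=False)
    return 7 in sw.forward(in_port=3, src_mac="02:00:00:00:00:99", dst_mac=BROADCAST)


if __name__ == "__main__":
    print("all ports in both VLANs:", ping_round_trip(True))      # (True, True)
    print("one port per VLAN:      ", ping_round_trip(False))     # (False, False)
    print("unmapped MAC via VLAN 1:", stranger_reaches_pi2())      # True
```

The model deliberately keeps the FDB per VLAN, which is how a real bridge learns: the reply from Pi#2 is classified into 105 and floods within 105 only, so the two directions are decided independently and both have to be checked.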
Re:computers can still ping after being included in different VLAN
2024-01-02 07:24:25

Hi @viper91701 

Thanks for posting in our business forum.

1. Full network diagram.

2. Does your router support VLAN interface? Are you configuring 802.1Q VLAN or VLAN interface?

3. What is the VLAN ID of the PC you use to ping?

Best Regards!
#3
Re:computers can still ping after being included in different VLAN
2024-01-02 22:41:11

diagram:

 

WLAN  -->  router --> Switch 

Switch 

--> Raspberry Pi 4B #1 (VLAN 101, IP = 172.10.20.5)

--> Raspberry Pi 4B #1 (VLAN 105, IP = 172.10.20.6)

same subnet

 

Router = pfSense Community edition 2.0.0-RELEASE (amd64)

 

Switch = TL-SG2428P 4.0 (4.0.6 Build 20230602 Rel.73473)

 

Router specifies 2 interfaces: igb0 for WLAN and igb1 for LAN

all local computers are on the LAN side

 

 

 

>Does your router support VLAN interface?

See the online documentation of pfSense support for VLAN

(I am unable to post the link to the pfSense online documentation; look for "pfSense VLAN" to find out more.)

 

I have not used any VLAN configuration on the pfSense router.

I am new to VLANs and I do not understand the relationship between router and switch in relation to VLANs.

 

 

>Are you configuring 802.1Q VLAN or VLAN interface?

On the switch, I specify the VLANs in the Web GUI from menu "L2 FEATURES" | VLAN | 802.1Q VLAN in the "VLAN Config" screen.

 

 

>What is the VLAN ID of the PC you use to ping?

problem occurs in both directions (Raspberry on VLAN 101 pinging Raspberry on VLAN 105 and vice versa)

 

 

What I have done since last email:

 

On the switch, I did enable ALL the ports for both VLANs. This resulted in the Raspberry computers being able to ping each other, even when specified to be on different VLANs.

When I changed this for each VLAN to only have the port enabled that is connected to the computer assigned to that VLAN, pings were blocked.

I assume that is what I was trying to achieve.

 

Question:
Should I only enable the ports belonging to a VLAN, or should it be possible to enable all ports for all VLANs and still achieve separation?
 

Question:

Now my next problem is, how can I establish connections between specific computers across different VLANs?

Am I correct to assume this needs to be done through ACLs?

 

1) The Raspberry computers cannot see each other's traffic (I assume I achieved that by selecting only the used port for each VLAN as described above)

2) I want a 3rd computer (on VLAN 200) to access each Raspberry separately via RDP

3) I want each Raspberry to access a NAS drive on a static IP address of which the controller sits in yet another VLAN on the same switch (i.e. the Raspberry computers should NOT ping the NAS controller but should be able to access the files on the NAS drive via the static IP over CIFS).

 

All computers (Raspberry, RDP computer and NAS controller) are on the same subnet.

 

The TL-SG2428P specifies ACLs via menu "SECURITY" | ACL.

It can specify "MAC ACL", "IP ACL", "Combined ACL".

"ACL Config" can specify multiple rules for each ACL.

ACL Binding can assign a specific set of ACL rules to a specific port with direction "ingress".

 

Question:

I am not sure how to define ACLs to achieve what I want.

 

Regards

#4
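The three requirements in the post above (RDP from VLAN 200 to each Pi, CIFS from the Pis to the NAS, no ping to the NAS controller, and the two Pis kept apart) cannot be met by switch ACLs alone while everything stays in one subnet: the switch never forwards between VLANs, and hosts that believe they share a subnet ARP for each other directly instead of sending to a gateway, so nothing ever reaches a device that could apply a per-flow allow list. The usual fix is one subnet per VLAN and a layer-3 hop, i.e. pfSense VLAN interfaces on a tagged uplink from the switch, with the allow/deny list living in the pfSense firewall rules. (Separately, the thread's 172.10.20.x addresses fall outside the RFC 1918 block 172.16.0.0/12, which is worth correcting at the same time.) The following added example, written for this thread and not pfSense rule syntax, TP-Link ACL configuration or the poster's setup, models such a rule set as a first-match list with an implicit default block and evaluates exactly those requirements; the subnets, host addresses, the /24 prefix and a VLAN 210 for the NAS are constructed for illustration, while TCP 3389 (RDP) and TCP 445 (SMB/CIFS) are the standard ports.

```python
"""First-match firewall policy for router-on-a-stick between the thread's
VLANs. Added example for this thread; not pfSense rule syntax, not TP-Link ACL
configuration and not the poster's setup. Subnets, addresses, the /24 prefix
and VLAN 210 for the NAS are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# One subnet per VLAN, each a VLAN interface on the pfSense LAN trunk (constructed).
NET = {
    101: ipaddress.ip_network("10.0.101.0/24"),   # Raspberry Pi #1
    105: ipaddress.ip_network("10.0.105.0/24"),   # Raspberry Pi #2
    200: ipaddress.ip_network("10.0.200.0/24"),   # RDP client
    210: ipaddress.ip_network("10.0.210.0/24"),   # NAS controller
}
PI1, PI2, RDP_CLIENT, NAS = "10.0.101.5", "10.0.105.6", "10.0.200.10", "10.0.210.20"
ANY = ipaddress.ip_network("0.0.0.0/0")
RDP, CIFS = 3389, 445   # TCP ports for RDP and SMB/CIFS


def host(ip):
    """Single-address network for a per-host rule."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port
    note: str = ""


# Only the four flows the post asks for. Order matters: first match wins, and
# a flow that matches nothing falls through to the implicit block in evaluate().
RULES = [
    Rule("pass", "tcp", host(RDP_CLIENT), host(PI1), RDP, "RDP client -> Pi #1"),
    Rule("pass", "tcp", host(RDP_CLIENT), host(PI2), RDP, "RDP client -> Pi #2"),
    Rule("pass", "tcp", NET[101], host(NAS), CIFS, "Pi #1 -> NAS file share"),
    Rule("pass", "tcp", NET[105], host(NAS), CIFS, "Pi #2 -> NAS file share"),
]


def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Action for the first rule matching this flow's initial packet, else 'block'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


def needs_router(src_ip, dst_ip, prefixlen=24):
    """A host sends through its gateway only for destinations outside its own
    subnet. Two hosts in one subnet but different VLANs ARP for each other
    directly, the switch never forwards between VLANs, and no router rule is
    ever consulted: that is the thread's 'same subnet' layout."""
    src_net = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    return ipaddress.ip_address(dst_ip) not in src_net


def check_requirements(rules=RULES):
    """The outcomes asked for in the post: RDP in, CIFS to the NAS, no ping to
    the NAS, and the two Pis unable to reach each other."""
    return {
        "rdp_client_to_pi1": evaluate(rules, "tcp", RDP_CLIENT, PI1, RDP),
        "rdp_client_to_pi2": evaluate(rules, "tcp", RDP_CLIENT, PI2, RDP),
        "pi1_cifs_to_nas": evaluate(rules, "tcp", PI1, NAS, CIFS),
        "pi1_ping_nas": evaluate(rules, "icmp", PI1, NAS),
        "pi1_ping_pi2": evaluate(rules, "icmp", PI1, PI2),
        "pi2_rdp_to_pi1": evaluate(rules, "tcp", PI2, PI1, RDP),
    }


if __name__ == "__main__":
    for name, action in check_requirements().items():
        print(f"{name:18} {action}")
    # The ordering pitfall: one "pass any" ahead of the list lets ping reach the NAS.
    print("with pass-any first:", evaluate([Rule("pass", "any", ANY, ANY)] + RULES, "icmp", PI1, NAS))
    print("thread layout needs a router?", needs_router("172.10.20.5", "172.10.20.6"))  # False
```

Two things the model leaves implicit. A stateful firewall evaluates only the first packet of a flow and lets the replies back by state, so no reverse rules are needed for the RDP and CIFS sessions. And the switch's ingress ACLs remain useful as a second layer, for instance to drop ICMP at the access port, but they can only ever remove traffic; they cannot create a path between two VLANs.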
Re:computers can still ping after being included in different VLAN
2024-01-04 08:46:18

Hi @viper91701 

Thanks for posting in our business forum.

viper91701 wrote: (quotes reply #4 above in full)


OK. One RPI with dual NICs?

From what you described, yes, you are using 802.1Q VLAN as far as I can tell. But I don't know pfSense and don't think it relates now.

 

Can you do a test with a PC and this RPI when they both connect to the switch? Set them up and place them in different VLANs. Will they be able to ping each other?

I suspect that this is because of the dual NIC on the RPI. So let's verify the 802.1Q VLAN on the switch.

If you don't get a ping, then it means the 802.1Q works. It is the problem with the dual NIC on your RPI.

 

802.1Q, supposedly, does not require additional ACLs to block. Since you cannot tell me if it is a VLAN interface on your pfSense, simply from the different VLAN IDs but same subnet, it seems to be the 802.1Q.

 

 

Best Regards!
#5
Views: 370

Replies: 4
