• Custom settings for RIP (routed). Save /etc/gateways permanently

    0 Votes
    1 Posts
    277 Views
    No one has replied
  • Simultaneous pppoe not working with VLAN

    0 Votes
    4 Posts
    1k Views
    Bump, I am having the same problem, one PPPoE via VLAN works, adding two or more using VLAN fails.
  • Negate rule and policy routing

    0 Votes
    3 Posts
    1k Views
    Thanks for your reply, Lan rules image has been attached.
  • Fetch from pfsense shell with different gateway

    0 Votes
    4 Posts
    1k Views
    jimp
    Same fetch, but our pf ruleset has some tricks with route-to that make it work.
  • Changing the Gateway for one Machine not working anymore.

    0 Votes
    5 Posts
    548 Views
    I have the same issue. I think there is a bug in "policy base routing". When you add a rule to "any" destination to change the gateway, it will not work. If you set a specific destination for that rule, it will work. You can add your rule with "!1.2.4.5" destination to change your client GW till pfsense team fixes it.
  • Dual WAN + Dual OpenVPN Clients + Load Balancing (extra speed)

    0 Votes
    3 Posts
    3k Views
    Thanks for help, I just wanted extra connection to boost large multi-session downloads, Steam, torrent etc. I managed to get it all working, for anyone else who is in this position:
    1) Follow the PIA guide on how to setup Pfsense for VPN.
    2) Make a copy of the VPN so you have one for each connection (in my case two), make sure each one is set to face the corresponding WAN.
    3) Assign each VPN to an interface.
    4) Under Firewall NAT Outbound where you created rules from PIA guide, you need to duplicate all of them and set the duplicates to the second WAN (if you have more than two connections you'll need a 3rd set of duplicates etc.)
    5) Under gateways add one for each VPN interface.
    6) Under gateway groups add one with all the VPN gateways you just created with Tiers set to 1 (if you want load balancing like I do).
    7) Under Firewall Rules LAN set the IPv4 LAN any rules gateway (under Display Advanced section) to the gateway group you just created, for privacy VPNs it's recommended to disable IPv6, so I set that one to block instead, however if you need this also set it to that gateway.
    8) Reboot Pfsense and check your IP at whatismyipaddress, refresh a few times to double check.
  • Dual-WAN Gateway issues

    0 Votes
    2 Posts
    688 Views
    Changed the switch and the problem is gone.
  • Where GRE service ?

    0 Votes
    8 Posts
    1k Views
    Uh… reported/suggested moving this to Routing forum, and quickly outta here.
  • Do multiple wireless APs need to be on the same segment?

    0 Votes
    11 Posts
    882 Views
    johnpoz
    True - other than being latest kool thing to play with..  But don't have any clients anyway :(  Or I would prob get one to play with ;)
  • Best way to route VPN traffic from specified devices?

    0 Votes
    2 Posts
    430 Views
    johnpoz
    This is a simple policy route. https://doc.pfsense.org/index.php/What_is_policy_routing Make sure that you do not pull routes from your vpn client you setup on pfsense, or it most likely will set your default route out the vpn.  Then the IP of the devices you want to go out your vpn just create a firewall rule saying these IPs (could use aliases to have them all in 1 rule) use the vpn as its gateway. If these devices need access to other local segments then you would have to put a rule above this routing rule so that they could get access to those networks.
  • Mind Numbing RDP issue, 2 LANs

    0 Votes
    18 Posts
    1k Views
    johnpoz
    When you talk about a switching device you mean a L3 switch doing routing? Your transit network would be an interface on pfsense in its own network, and then another interface on your mx100 which is a firewall/router.. While it might have "switch" ports on it, it's an actual router/firewall just like pfsense. The transit network would be from an interface on your pfsense router to an interface on your mx100.  How that gets switched would be at L2.. So you could either have a connection going from pfsense directly to the mx100 or over switch (with nothing else on it dumb switch) or over a L2 switch via a vlan (smart/managed switch).
  • Am I the only one who is missing source-routing?

    0 Votes
    11 Posts
    1k Views
    @johnpoz: pfsense does PBR just fine.. you can create your specific host route to specific IP /32.. You do not need to route to the whole network, what you have is asymmetrical setup..  And no without a route it's not going to work.. or create host routes on your DMZ that you want to access via your downstream router when they have default gateway.  If you remove asymmetrical routing then you no longer have a problem, that you're trying to overcome with amounts to a hack vs doing it correctly. I think we just discuss about a question of faith already. PBR is no hack, it's designed for this. OK, if you don't use it correctly you create asymmetrical routing and screw the route, but if you know what you're doing, it fits perfectly. So PBR works not completely fine IMHO, because I can't set an other gateway on the packets that come back. That's a hard fact. And because of this it is implemented on routing level and not on a firewall level, so that the changed gateway affects all packets, not only outgoing.
  • PfSense, Cable Modems and VLANs

    0 Votes
    17 Posts
    3k Views
    @Derelict: You cannot spoof the MAC to different MAC addresses for each VLAN on an interface. The interface itself sets the MAC address and the VLANs just use that. I think the problem might be that the ISP is seeing the same MAC address on all three interfaces. It is perfectly "legal" and the expected way to behave, but cable modems/ISPs might care about that. If it worked on three physical interfaces and doesn't work now, there is not much else it could be. A call to them and an attempt to get someone who might know what you're talking about is probably in order. OK. I'll do that. I'll also try using another switch some other time.
  • How to allow/route local pfsense dns requests to vpn-interface?

    0 Votes
    1 Posts
    689 Views
    No one has replied
  • 3 VPN sessions and distributing outgoing connections

    0 Votes
    1 Posts
    299 Views
    No one has replied
  • Networking Noob needs help connecting SG300 to pfSense

    0 Votes
    17 Posts
    3k Views
    @Derelict: Remove all of the IP addresses from the VLANs on the switch. With those in place the switch will be layer 3 on those VLANs and will route traffic between them. You only need one management IP address on the switch. Done. @johnpoz: Your setup on your sg300 for the port that connects to lan (eth1) on your sg300 would be simple trunk port. Example interface gigabitethernet3 description "esxi wlan trunk" switchport trunk allowed vlan add 100,200,300,500,600 switchport trunk native vlan 20 I am not using vlan 1 to this vlan interface in pfsense.  I am using vlan 20 as the native untagged vlan in my setup.  But you can use 1 there vs the 20 I have. You also have ports unused on your pfsense, you could leverage them for vlans without having to tag.. As long as you have more ports open on your sg300 you could use for the uplinks to pfsense for those vlans/networks. What are you going to use vlan 1 for exactly?  Is this going to be the vlan you use to manage your switch?  Why do you have 10/24 stated as being management? No idea…so if I get rid of VLAN 1, what IP address will I use to connect to the switch?  10/24 isn't the preferred method?  I'm going into this pretty much dumb as a mule. How do you have yours setup?
  • Dpinger monitoring for failover issues

    0 Votes
    1 Posts
    345 Views
    No one has replied
  • Multi Lan/Wan Routing configuration

    0 Votes
    6 Posts
    842 Views
    After some googling I think I understand what you mean, I will try to set this up on the test bench today and verify!
  • Help with multi-LAN

    0 Votes
    6 Posts
    1k Views
    Lan interface is connected to a switch (mother switch) then that switch is connected to other switches then those switches are finally connected to the client computers. So it's ok to have only 1 nic for lan interface because it only communicates with the mother switch? I didn't limit the wan itself, I created an alias for a list of ports (80,8080 etc.), I then created limiter in traffic shaping for upload and download (dl - 60mbps,  ul-30mbps) and then finally created a firewall rule at lan put my limiter on in/out option at advance. The left 40mbps internet bandwidth download I split in two for wifi 1 and wifi2… 20mbps each except this time their firewall rules are not restricted to any ports...
  • Need some help with dual-wan

    0 Votes
    4 Posts
    574 Views
    Derelict
    "Sticky Connections" might help. System > Advanced, Miscellaneous, Load balancing, Use sticky connections
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.