• IPSec tunnel breaks load balancer, failover

    1
    0 Votes
    1 Posts
    445 Views
    No one has replied
  • FIOS - WAN G1100 - pfSense - dd-wrt

    10
    0 Votes
    10 Posts
    2k Views
    B
    So the problem is that my networking is overkill then. I'm fine with that. I'm using an enterprise level server, albeit an old one, to manage a small home network. What isn't overkill about that already? The reason I wanted to use pfSense in the first place was to learn a little more about networking and get some more control over my network in the meantime. The current setup I have gives me the opportunity to play around with a network that is much more complex than everything plugged into a single router. If that results in me doing things "wrong" from time to time while I'm still learning, well I'll call that an acceptable loss. Thanks for the information, though.

    EDIT: This guy explains another reason to have this infrastructure set up a bit more elegantly: http://dotbalm.org/a-technical-professionals-home-network/

    The shape of the network is driven by my particular situation with my available resources in mind. I’m a fan of segmentation, which is really just an extension of the principle of least privilege as applied to networking. Thus the firewall ends up doing some internal routing and security segmentation duties which would normally be delegated to core routing infrastructure in a large organization. But since this is just a humble home network, my firewall will not be a substantial bottleneck for any traffic which will need to traverse it.
  • Can't ping outside dns server from VLAN interface

    8
    0 Votes
    8 Posts
    2k Views
    C
    What vlan interface would pfsense have setup? There is no vlan interface on pfsense. Pfsense does not give a shit about any vlans or tagging?

    I don't have any vlans or tagging on pfsense.

    Are you trying to tag your vlan 1 which is your transit network here?

    I don't tag vlan 1 on my network, vlan 1 is the untagged native vlan.

    So devices on the same transit network, this 192.168.1/24 network, can not ping pfsense??? And pfsense can not ping them?? .254, .247?? Then there is something wrong in your switching setup or firewall rules.

    Devices on the same transit network can ping pfsense, and pfsense also can ping them. .254 and .247 can ping each other, including pfsense.

    Edgeswitch 1 is what? Just a dumb switch since this is vlan 1 only (untagged traffic) L2???

    Edgeswitch1 is a Cisco 2960 series switch, I have some vlans on it and vlan 1 is the untagged vlan.

    ```
    EdgSwitchB1#show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                                                    Fa0/15 Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28,
                                                    Fa0/29, Fa0/30 Fa0/31, Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41,
                                                    Fa0/42, Fa0/43,  Fa0/47, Fa0/48
    11   ACCOUNTING                       active
    12   RD                               active
    13   MANAGE                           active
    14   TESTING                          active
    15   WIFI                             active
    51   PANTEC                           active    Fa0/20, Fa0/45, Fa0/46
    1002 fddi-default                     act/unsup
    1003 trcrf-default                    act/unsup
    1004 fddinet-default                  act/unsup
    1005 trbrf-default                    act/unsup
    ```

    I'm going to move the FreeBSD router to L2, finally change 10.1.2.0/24 to L3 and let FreeBSD just do the DHCP job. FreeBSD has a static route to 10.5.1.0/24.

    What does it mean that routing stuff to the network connected to the FreeBSD router bouncing off pfsense is wrong? Does this mean that if a packet is sent to the router it should be processed, rather than resent to pfsense? (hairpin network?) The client asking for dns is .254, and .254 has a static route to the downstream networks.

    ```
    #netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.1        UGS         em0
    10.1.1.0/24        192.168.1.247      UGS         em0
    10.1.2.0/24        192.168.1.244      UGS         em0
    10.5.1.0/24        192.168.1.247      UGS         em0
    127.0.0.1          link#2             UH          lo0
    192.168.1.0/24     link#1             U           em0
    192.168.1.254      link#1             UHS         lo0
    ```

    How should I fix the freaking HUGE transit network? What does it mean that dns is not on one of your other vlans? Does this mean 10.1.2.0/24 has to have its own dns server, for example 10.1.2.1? If this is true, then I have to create three dns servers for three different networks.

    Sorry, I forgot to say that there is a static route to 10.1.2.0/24 via 192.168.1.244 on L3. So far, I manually add static routes on all the routers. In the end I will only route on L3. Thanks for your reply and suggestion, and sorry for my bad English and grammar.

    ![LAN Rules.jpg](/public/imported_attachments/1/LAN Rules.jpg) ![outbound NAT rules.jpg](/public/imported_attachments/1/outbound NAT rules.jpg)
  • Dual setup; WAN with NAT and Bridge (modem)

    1
    0 Votes
    1 Posts
    532 Views
    No one has replied
  • Two homes connected via OpenVPN, routing/connectivity prob

    2
    0 Votes
    2 Posts
    628 Views
    H
    Ok, it seems that pfSense was dropping relevant packets because of the "Default deny rule IPv4". I thought I had entered the correct rules to let these packets pass (screenshot attached), but apparently that was not good enough. System -> Advanced -> Firewall & NAT -> Bypass firewall rules for traffic on the same interface did the trick. If someone could explain (or point me to the explanation) why my rules don't work, that'd be great! ![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
  • Small network setup

    18
    0 Votes
    18 Posts
    3k Views
    C
    If you were thinking rp3, then you can perhaps consider the ODROID XU4, linux supported, usb 3.0 supported. I personally have a Synology DS415+ (4 bay, 2 lan) and I think it's overkill for a home network of a few people and perhaps 2-3 simultaneous streams… It takes too much space, consumes easily between 15-30 watts, and the memory/cpu rarely goes high. I should have gone with a 2 bay and just put bigger drives in mirror mode and saved space under my TV cabinet... With a Synology NAS, you can access the data via SMB, NFS, Plex, DLNA/UPnP, FTP.
  • SSH broken pipe / upload issues

    3
    0 Votes
    3 Posts
    1k Views
    T
    Sorry for all the spamming. I found the culprit: pfBlockerNg. It was installed, but disabled, on firewall2. I enabled it, selected all interfaces (because it would nag me otherwise), then disabled it again. Then uninstalled it completely and reinstalled it. Voila, no more problems.
  • Dual-Wan, accessing both modem's GUI

    6
    0 Votes
    6 Posts
    1k Views
    F
    I actually have no idea if it works like I thought it might. I'd need to test it, but for that I would somehow need to replicate your setup.
  • Vlan routing LOGS

    4
    0 Votes
    4 Posts
    1k Views
    S
    Hi, A VLAN routing screenshot will be very much appreciated :) Please go throw beautiful slavic women Thanks
  • Time based WAN

    7
    0 Votes
    7 Posts
    1k Views
    H
    @McMurphy: Just had a thought… We run a mail server using the Sat static IP. With a WAN based schedule would this simply redirect outbound traffic and still allow the inflow of mail via the Sat or would the Sat WAN connection completely stop? A solution may be to run both connections during the day and prioritise the 3G over sat (if possible) then block the 3g during off peak times... just create a rule, higher up the ruleset, specifically for the mail server to use the sat ip …. mail server needs corresponding mx records to be able to receive mail
  • Major issue with QUAGGA-OSPF and VLANs (pfsense 2.3.0)

    81
    0 Votes
    81 Posts
    38k Views
    S
    Hi All, I'm having the same issue, but when I tried to revert using the following command: `pkg add -f http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/quagga-0.99.24.1_2.txz` the OSPF and ZEBRA services no longer started. If I ran the following command via SSH, I received this error: Exec format error. Anyone have an idea of what I may be doing wrong, or perhaps a configuration incompatibility that I must remove? I tried uninstalling the packages, rebooting, then reinstalling, but it didn't help. I tried removing all the interfaces from the configuration but the services still didn't start. This is a MAJOR issue for us because we rely on OSPF for redundancy; at the moment, without it working, if a link goes down we have to manually reboot the pfSense units so that the new routes are written. I've attached my ospfd.conf and zebra.conf files with some of the IPs and passwords changed. ospfd.conf.txt zebra.conf.txt
  • Pfsense VMware cisco

    6
    0 Votes
    6 Posts
    1k Views
    johnpoz
    Tone?  How exactly did you hear tone?  Do you have something reading the text to you?  You should adjust it to happy go lucky tone then.. Sounds like you have it configured wrong if you perceived anything but wanting to help you.. Adjust it more to a Bob Marley sounding, if you have it set for say Samuel L. Jackson screaming about snakes or something ;)
  • BGP failing. arpresolve: can't allocate llinfo for

    4
    0 Votes
    4 Posts
    2k Views
    H
    I get that error when cable modem goes offline. Never used bgp,  so can't help there
  • Holy molly, is this firm evidence of a MITM being done on me?

    3
    0 Votes
    3 Posts
    747 Views
    johnpoz
    what is the FQDN that is checked? Should be able to just use openssl to check the details of the cert, etc.
  • Negate Rules

    1
    0 Votes
    1 Posts
    476 Views
    No one has replied
  • Replace L3 switch/router by routing with Pfsense firewall

    19
    0 Votes
    19 Posts
    4k Views
    T
    Wow! I really appreciate this! Thank you!
  • Multiple IPv6 gateways, can't prevent asymmetric routing

    1
    0 Votes
    1 Posts
    380 Views
    No one has replied
  • Setup failover WAN, now some ipsec-destined traffic bypasses ipsec vpns?

    2
    0 Votes
    2 Posts
    441 Views
    Derelict
    When you add multi-wan, you add policy routing. You need to bypass policy routing for local destinations including remote VPN endpoints. Policy routing bypasses the firewall's routing table, including IPsec traffic selectors. https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • Sprint Netgear 341U

    2
    0 Votes
    2 Posts
    800 Views
    C
    Were you able to get it to work?
  • Two proxies simultaneously to increase bandwidth

    1
    0 Votes
    1 Posts
    415 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.