Just wanted to update my post now that I figured out the problem and solution. Turns out the reason I could not access the cable modem has to do with my recent change to a WAN failover gateway setup. My fiber provider is tier1 and comcast is tier2. Once I thought through, why can't I get packets to my cable modem, I realized, doh, It is because the cable modem is backup and rarely is the active gateway. I created a firewall lan rule allowing 192.168.100.1 with a gateway override to the comcast cable modem gateway and it now allows this page to load. It is amazing how many problems we can induce when we do not realize it.

@mikael-0 Skimming that, is 192.168.1.2 the IP set on OPT1? Then it seems like the gateway of that interface should be the IP of the 4G router. You wrote you set no gateway...? Also a /32 mask is only that IP address, usually the mask is /24. a /32 can't talk to any other IP on the network. doc on isolating a port: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

@nevolex Who is your ISP? What type of device did they provide you? It's possible that the firewall and modem had different DHCP renewal timing in mind.

I tcpdumped on the VLAN in question. With avahi off I do not see any multicast packets to port 5353 coming from the pfsense. No matter what configuration I do in PIMD. Once I enable AVAHI however I see tons. Something with pimd is not working (at least here) and I would greatly appreciate any suggestions.

This is fundamental to a decent Fw in todays world. If PfSense intend to play a part in that world, this is basic stuff that needs to be fixed asap.

@kiokoman Hi, thanks for your interesting about the question. Yes I tried several time with multiple configurations: the most obviously was create vlan 0.836 where igb0 is the main interface where is still attached vlan 0.835 for internet traffic. Telecom says 10.10.10.2/30 so I supposed gw for vlan 0.836 is 10.10.10.1, but with or without gateway the connection isn't really active. So I disabled "monitor gateway" considering it active (i have so many doubts about it as i can't see any relevant traffic on this interface), then I created firewall rules on new WAN 0.836 "any to 224.0.0.0 proto IGMP with applied "allow IP control" option and "any to 239.0.0.8 proto UDP "with applied "allow IP control" option - then on interested internal lan (called IPTV) "allowed IGMP and UDP from network IPTV to 224.0.0.0", in the end I enabled IGMP PROXY with upstream WAN 0.836 and downstream LAN IPTV, nothing to do, I'm missing something, pheraps more than something ;)

It seems that it can't be fix at the moment. Other people stumbled upon the same problem.

Using a phone hotspot doesn't work for my use case. I was really hoping there would be a way to make pfSense obey the firewall rule to route out the specified gateway.

@viragomann Finally got around to reinstalling and reconfiguring from a clean install. I am happy to say that it solved the problem.

@viragomann Hi, sorry for the late feedback. I got it running. Connected the WAN part from the NanoPi to the eth3 and gave him LAN network. And the LAN port from the NanoPi then to the switch.

@viragomann Many thanks!! That makes sense, although this is really bad :( With your keyword I found an article in the A1 forum. There they indicated that the A1 support could fix that somehow for the guy. The only thing I need is that they forward the ports, well, I will chat with them, let's keep fingers crossed. Thanks again!

@mushymiddle all good points :)

Seems the issue was with my route. I had to specify the ip and not only the dev e.g. route add 10.0.0.0/16 via 10.240.0.1

@swemattias I learned somethings from these websites: https://github.com/ahuacate/pfsense-haproxy/blob/master/README.md https://docs.deeztek.com/books/pfsense/page/pfsense-haproxy-softether-vpn https://cbonte.github.io/haproxy-dconv/2.2/configuration.html