It sounds like you do need the functionality of a managed switch. I recently went through this myself. I'm not a professional network engineer but I do understand networking reasonably well. I can help translate what the pros here are saying because I'm not one of these guys .. they know their stuff.

What might help this discussion is to understand your needs a bit more clearly.

How many VLANs do you anticipate? How many clients/ports do you need to support per VLAN? How are you running pfSense? Is it a Netgate appliance, home built, in a VM?

I can safely verify that in 2.4.3-RELEASE-p1 (current stable) works as it should
One interface is left with the dynamicly selected monitor peer and the other
pings a stable ip inside the provider (in my case the cluster ip of the main dns stack)
If the provider changes her policy and blocks ping that would be an issue, but I think I can live with that. :)

Make an alias of sites that you don't want to load balance, then put a lan rule with the destination of the alias and point it to a failover group.

I wonder if this is a more prevalent bug that other people are noticing as well. I had something similar happen and I thought it was rather weird. At least the interface still shows and recognizes the gateway.

After long time of searching i figured out, that one of the upper rules (which was for outgoing traffic) was responsible for the problem. after i set it to the bottom, everithing worked fine.

Thanks for your fast response

Kind regards
Roger

@beekay said in Pfsense and Vodafone fibrex:

So I got my router to see the internet … eventually! Don't know if it is the right way, but My WAN connection is connected through VLAN - igb1.10

Now I need to sort out VPN. I can set up various VPN clients and will finish that up tonight. What I need is the router to recognize a connection to say Netflix from any device and then direct it's traffic through the US VPN client I picked. If I want to connect to another streaming site, I want the router to direct the traffic to an alternate VPN client I set up. Any other traffic which is not geo-locked, must be sent through a general VPN client in my home country.

Please point me in the right direction as I do not know how to set this up.

BUMP

@derelict OMG you saw it so quickly, thank you for your reply ! "beginner mistake"

I don't want to pollute this forum, so you can delete this topic if you want, my problem was not really a problem in fact...

@derelict doh'

I knew it would be something as dumb as that! Jeez.

Thanks a lot to everyone for your help.

it works now :) !!

Sorry for the late reply, thank you very much for helping! In the end, it ended up being NAT reflection on the port forward being set to default instead of enabled. For whatever reason I assumed that this was on by default, I'll RTFM next time!

After enabling that, I can now connect to LAN2 properly through LAN1 using the external WAN2 IP!

@derelict

Ahh.. OK. Thank you! That was exactly what I was looking for!

/Raj

Yes, it's possible, but I would not do it like that.

I would put each pfSense on its own transit network, such as 10.1.10.0/30 for the link to the top pfSense and 10.0.10.4/30 for the link to the lower pfSense.

You can keep them on the same network like they are if you want to, say, enable an OSPF area containing all three routers so they all know where to send the traffic without relying on hairpinning, ICMP redirects and other nastiness. Or maintain static routing tables pointing everything where it needs to go.

@derelict
Yeah that was a typo.

After some digging,

https://developers.google.com/speed/public-dns/faq :
"Google Public DNS is a validating, security-aware resolver. All responses from DNSSEC signed zones are validated unless clients explicitly set the CD flag in DNS requests to disable the validation."

OpenDNS does not indeed. So I moved to some of the verisign servers that do (according to https://wiki.ipfire.org/dns/public-servers).

So far no issues.

Those are fine. The rules on LAN sourcing from ESXi and the rules on ESXi sourcing from LAN don't make any sense but shouldn't be blocking the traffic.

Based on that though you should probably take a look at these:

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

Pretty obscure checkbox to have been checked.

Glad you found it.

I would return that switch if v2, they have firmware for v3 that is supposed to fix the vlan.  But v2 model you can not remove vlan1 from every port so its no better than a dumb switch.

That is not a layer 3 switch, so you would do 2 vlans and pfsense would route between them.

your vlans are tagged on the port connected to pfsense, and untagged to your PCs.

@viragomann:

Add a second phase 2 for that site to the IPSec configuration.

On pfSense:
Local Network: 192.168.120.1/24
Remote Network: The network you want to route over the vpn

And also on the Mikrotik with inverted values.

thanks for your reply.
very unexpected sollution, but it works