• 3 WANs 1 LAN and 1 VLAN with UniFi USG

    12
    0 Votes
    12 Posts
    2k Views
    johnpoz
    Routing??? There is ZERO routing you would be doing.. If you were adding routes in pfsense you were doing it WRONG!!! Pfsense automatically like any router if it has a directly attached knows how to get there.. As to firewall rules. Your first rule on your vlan should have been any any until you understand what you're doing.. The gateway on a device in a vlan would be pfsense IP address in that vlan - this is auto handed out by the dhcp server.. When you set up a new network in pfsense there would be NO gateway added to pfsense or you just turned it into a wan interface.
  • Multi WAN with wrong default gateway

    5
    0 Votes
    5 Posts
    2k Views
    Derelict
    No. You want to set up a gateway group for the ones that actually give you internet access. But it is usually FAR better if they are all on their own interface.
  • Source-routing and NAT port forwarding issue

    1
    0 Votes
    1 Posts
    223 Views
    No one has replied
  • How to see all traffic on all interfaces?

    7
    0 Votes
    7 Posts
    525 Views
    NogBadTheBad
    @thompsonm: Can you elaborate a little bit? You're not being very clear. I just want to know, in a setup with multiple VLANs, WANs, and multiple physical NICs, is there a way to have only instance of snort running? Run snort on each parent interface, it picks up all the vlan traffic.
  • Dedicated Management Interface Routing Conflict

    3
    0 Votes
    3 Posts
    476 Views
    P
    That's unfortunate to hear. Okay. Thanks for the clarification.
  • FpSense loop

    10
    0 Votes
    10 Posts
    1k Views
    D
    Provider equipment may reside on different switches. Probably different rooms, floors or buildings.
  • Connection Switch L3 and Firewall

    5
    0 Votes
    5 Posts
    482 Views
    R
    Thank you again, to finish my explanation… I still have a home router (no managed inter-vlan), so a long time ago I bought a Layer 3 switch to create a different subnet for each department in my office. In a few days I want to replace my router with the firewall and I thought to keep the same configuration for the switch (it's a pity to downgrade to L2) and then set up the firewall properly, but I see no sense... bye
  • Accessing one IPSec endpoint from another?

    1
    0 Votes
    1 Posts
    278 Views
    No one has replied
  • Routing between subnets.

    3
    0 Votes
    3 Posts
    668 Views
    G
    Thanks a lot. It was a firewall issue. One of the devices I tried to ping was a NAS which had the firewall enabled even though it said "off".
  • Multiple WAN to multiple LAN

    7
    0 Votes
    7 Posts
    902 Views
    M
    Why don't you use LAGG on LAN interfaces?
  • Routing working "randomly"

    5
    0 Votes
    5 Posts
    728 Views
    H
    @Derelict: If you do the ping from pfSense, the traffic is same-subnet. If you do it from another VLAN the traffic is from a remote subnet. Check the software/windows/symantec/etc firewall on the target node. How does that work? The target does not have any firewall.. And now I'm having another issue with a port forward, which seems not to be working at all…. this is weird...
  • Multi Wan and Unbound plus PfBlockerNG

    2
    0 Votes
    2 Posts
    499 Views
    R
    Okay, after reading and testing some stuff I could answer the question myself. I enabled forwarding in the unbound / DNS Resolver settings and set up some DNS servers for each gateway in general setup. Then I set my LAN IP address of the firewall as DNS server for OpenVPN and IPsec clients.
  • Multi Wan with OpenVPN Client issue

    6
    0 Votes
    6 Posts
    2k Views
    B
    It has been a while. So I'm happy to present to you my final working solution. Using Version 2.4.2-RELEASE-p1 (amd64). Have a pfSense Firewall with 2 WAN connections (Failover). Created Gateway Group [FAILOVER] with 1 x Wan Tier 1 and 1 x Wan Tier 2. Wan Tier 1 is a DSL connection. Call it WAN_Main. Wan Tier 2 is a 4G backup connection. Call it WAN_4G. On my firewall, I configured an OpenVPN client. This client should always be connected to a server in the cloud AND use WAN_Main if online. So, if WAN_Main fails, the VPN should fall back to WAN_4G. As soon as WAN_Main is back online, the VPN client reconnects with WAN_Main. To do so, create a VPN client as usual, but use Gateway Group [FAILOVER] as interface.
  • LDAP query over OpenVPN

    2
    0 Votes
    2 Posts
    525 Views
    G
    Nobody any ideas? Can't make it work sadly…
  • Dual WAN - port forwarding issue

    1
    0 Votes
    1 Posts
    268 Views
    No one has replied
  • Wan DHCP gateway showing offline

    1
    0 Votes
    1 Posts
    395 Views
    No one has replied
  • Three VLAN, unmanaged switch, one interface config questions

    11
    0 Votes
    11 Posts
    1k Views
    johnpoz
    If you're running the connection from pfsense to a vm host… Then you don't need a switch even and you can do tagging and use vswitches with port groups to accomplish what you want. But if you're going to break this out into the real world network and connect to a switch and send use multiple layer 3 networks.. Then yes you're going to want to isolate said networks at layer 2 with vlans. Don't be that guy - forgo that pizza or that case of beer and get a switch that can do tags.. I mean really it's 30 freaking $'s - shit you can drop that in after work beers on a tuesday.. Which I am sure I will prob do tonight ;) Don't be that guy. Your switch may or may not pass the tags… But that is really not the point.. It's not going to teach you anything, and all it does is promote bad habits... There is one thing when hey this needs to be up and running in 30 minutes, and all I have is this dumb switch and production is down.. Can we connect using this dumb switch and run multiple layer 3 on the same layer 2 until the replacement switch comes in. And then there is oh let's save $5 and just use this dumb switch.. You get a pat on the back for scenario 1, you get fired and ridiculed by your peers in scenario 2.. So there is knowing that it "can" be done.. And then there is being smart enough to know that nobody should do that.. You're not using duct tape to save yourself on Apollo 13 here.. What you're doing is breaking out your hack saw to cut the pizza because you're too lazy to open the drawer and pull out the pizza cutter.
  • Problem using WiFi Hotspot for Failover

    1
    0 Votes
    1 Posts
    353 Views
    No one has replied
  • Static Route Not Being Followed

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • IPSec Site-to-Site | Routing

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.