No it doesn't. Of course we can play in the game "provide more details" for example fro #1, here: https://forum.pfsense.org/index.php?topic=142162.0

You have also created an asymmetric routing scenario.

https://forum.pfsense.org/index.php?topic=142090.msg775011#msg775011

MTNLfiberconnectionGW  Tier 1
CABLENET_PPPOE Tier 2
DVOISINTERNETGW Tier 3

No you do not need it.. Why do you need it?  If your going to put pfsense on that network, and the clients use a different gateway to get to get to other networks then that network becomes a transit.. Hosts on transit networks that need to use multiple gateways to get to other networks need to have host routing.. To tell them which gateway to use, if not then you end up with asymmetrical routing..

Why can pfsense not use the new transit network you create from the isa router to pfsense to get to the 192.168.100 network.

If you want to run it the way your running it then you will have to create routes on every host in the 192.168.100 telling them which gateway to use - or you have asymmetrical mess.

Yes, you should be able to do that.

You have to be connected to an address on the same VLAN.

You can add a VLAN to a physical interface you are connected to on another VLAN.

Its confirmed its not working correctly.

Recommendation is to use FRR instead of OpengBGP package.

Now how to configure FRR?
Its a bit intimidating…

It might work if you use policy-based routing for the 192.168.1.0/24 destination on the LAN interface, bypassing IPsec.

It's a big might.

It sounds like you tried that though. You might want to post what you've tried because, at a minimum, that should at least send the traffic out the correct gateway instead of IPsec.

That's why it is not recommended you configure large swaths of space like 192.168.0.0/16 anywhere. Running into conflicts with other sites is pretty much inevitable when you do that.

:D why do i complicating things, you're perfectly right.

It's now working. \o/

Thank you very much.

Kevin

Sorry for opening an old topic.  Basically my problem was solved by disabling hardware checksum offloading, see:
https://forum.pfsense.org/index.php?topic=87856.0

OK, so lets try some more specific questions,

should the pfsense instance be in one of those subnets, and I just write routing rules to give it access to the other subnets. Or do I create a fourth subnet (maybe public?) to give it access. Presumably I need to set up an interface in pfsense for each subnet? How do I do that in AWS - I'm a bit lost with their strange way of doing things. How do I limit access to certain subnets / machines on a user by user basis. Would I do that in pfsense or in AWS.

What makes sense here. I'm guessing someone must have struggled with this environment before.

You can always subnet a network down..  so that is a /23 so logical break would be /24, since your at 10.2.5 the break to /24 would create 10.2.4.0/24 and 10.2.5.0/24

Here is the thing.. What exactly are you going to do to subnet it down.. They are not routing that traffic to a routers of yours are they?  You are directly attached would be my assumption..  So unless you have some router in your classroom and they route that network to you via some other transit..

Then while sure its easy to subnet any network into smaller networks - your problem is more involved… And without more info its impossible to advice you what direction to go into.

But if all you want is an isolated wifi network you could control - this would be as simple as connecting your typical wifi router which would nat the wifi clients to whatever IP it gets from your 10.2.5/23 network when you plug its wan in.

Better would sure being this with pfsense box and some APs..  But any 20$ soho router you pick up at the computer store would be able to create an isolated wifi network on your current network.

Doh! That's exactly what it was, thank you Derelict. Didn't even think about that.

It's working great now.

Thanks again!
Brooks

Yes. Number that interface as 192.168.2.1/24, create the necessary firewall rules on that interface, and connect another switch to it.

Then your problem is upstream. pfSense cannot control which interface reply traffic arrives on. It can only control which interface is used for sending.

Based on the information given so far….

You will need to provide a lot more details to make a real diagnosis.