• Mind Numbing RDP issue, 2 LANs

    0 Votes
    18 Posts
    1k Views
    johnpoz

    When you talk about a switching device you mean a L3 switch doing routing?

    Your transit network would be an interface on pfsense in its own network, and then another interface on your mx100 which is a firewall/router.. While it might have "switch" ports on it, it's an actual router/firewall just like pfsense.

    The transit network would be from an interface on your pfsense router to an interface on your mx100.  How that gets switched would be at L2.. So you could either have a connection going from pfsense directly to the mx100, or over a switch (a dumb switch with nothing else on it), or over a L2 switch via a vlan (smart/managed switch).

  • Am I the only one who is missing source-routing?

    0 Votes
    11 Posts
    984 Views

    @johnpoz:

    pfsense does PBR just fine.. you can create your specific host route to a specific IP /32.. You do not need to route to the whole network; what you have is an asymmetrical setup..  And no, without a route it's not going to work..

    or create host routes on your DMZ that you want to access via your downstream router when they have a default gateway.  If you remove asymmetrical routing then you no longer have a problem; what you're trying to overcome this with amounts to a hack vs doing it correctly.

    I think we're already just discussing a question of faith. PBR is no hack, it's designed for this. OK, if you don't use it correctly you create asymmetrical routing and screw the route, but if you know what you're doing, it fits perfectly. So PBR does not work completely fine IMHO, because I can't set another gateway on the packets that come back. That's a hard fact. And because of this it is implemented on the routing level and not on the firewall level, so that the changed gateway affects all packets, not only outgoing.

  • PfSense, Cable Modems and VLANs

    0 Votes
    17 Posts
    3k Views

    @Derelict:

    You cannot spoof the MAC to different MAC addresses for each VLAN on an interface. The interface itself sets the MAC address and the VLANs just use that. I think the problem might be that the ISP is seeing the same MAC address on all three interfaces. It is perfectly "legal" and the expected way to behave, but cable modems/ISPs might care about that.

    If it worked on three physical interfaces and doesn't work now, there is not much else it could be.

    A call to them and an attempt to get someone who might know what you're talking about is probably in order.

    OK. I'll do that. I'll also try using another switch some other time.

  • How to allow/route local pfsense dns requests to vpn-interface?

    0 Votes
    1 Posts
    688 Views
    No one has replied
  • 3 VPN sessions and distributing outgoing connections

    0 Votes
    1 Posts
    299 Views
    No one has replied
  • Networking Noob needs help connecting SG300 to pfSense

    0 Votes
    17 Posts
    3k Views

    @Derelict:

    Remove all of the IP addresses from the VLANs on the switch. With those in place the switch will be layer 3 on those VLANs and will route traffic between them. You only need one management IP address on the switch.

    Done.

    @johnpoz:

    Your setup on your sg300 for the port that connects to lan (eth1) on your sg300 would be a simple trunk port.

    Example
    interface gigabitethernet3
    description "esxi wlan trunk"
    switchport trunk allowed vlan add 100,200,300,500,600
    switchport trunk native vlan 20

    I am not using vlan 1 to this vlan interface in pfsense.  I am using vlan 20 as the native untagged vlan in my setup.  But you can use 1 there vs the 20 I have.

    You also have ports unused on your pfsense, you could leverage them for vlans without having to tag.. As long as you have more ports open on your sg300 you could use for the uplinks to pfsense for those vlans/networks.

    What are you going to use vlan 1 for exactly?  Is this going to be the vlan you use to manage your switch?  Why do you have 10/24 stated as being management?

    No idea…so if I get rid of VLAN 1, what IP address will I use to connect to the switch?  10/24 isn't the preferred method?  I'm going into this pretty much dumb as a mule. How do you have yours set up?

  • Dpinger monitoring for failover issues

    0 Votes
    1 Posts
    345 Views
    No one has replied
  • Multi Lan/Wan Routing configuration

    0 Votes
    6 Posts
    840 Views

    After some Googling I think I understand what you mean. I will try to set this up on the test bench today and verify!

  • Help with multi-LAN

    0 Votes
    6 Posts
    1k Views

    The LAN interface is connected to a switch (mother switch), then that switch is connected to other switches, then those switches are finally connected to the client computers. So it's ok to have only 1 NIC for the LAN interface because it only communicates with the mother switch?

    I didn't limit the WAN itself. I created an alias for a list of ports (80, 8080 etc.), I then created a limiter in traffic shaping for upload and download (dl - 60mbps,  ul - 30mbps), and then finally created a firewall rule at LAN with my limiter set on the in/out option under advanced.

    The remaining 40mbps internet download bandwidth I split in two for wifi 1 and wifi 2… 20mbps each, except this time their firewall rules are not restricted to any ports...

  • Need some help with dual-wan

    0 Votes
    4 Posts
    574 Views
    Derelict

    "Sticky Connections" might help.

    System > Advanced, Miscellaneous, Load balancing, Use sticky connections

  • Map IP on LAN 1 to WAN 2?

    0 Votes
    3 Posts
    370 Views

    I wasn't finding the advanced options on the firewall rules to override the default gateway. Works great. Thank you.

  • Multi WAN and incoming connections

    0 Votes
    1 Posts
    421 Views
    No one has replied
  • Routable ipsec vpn traffic

    0 Votes
    2 Posts
    447 Views

    Are these difficult questions?

    With Microsoft PPTP VPN the client is put directly in the local subnet, and can use the remote gateway, and can access other subnets.

    I have followed this article
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    There is no gateway, the first client gets the .1 address. I have tried to add firewall rules to allow the traffic, but it does not seem to help.

    Again, is vpn traffic routable?

  • Connection between sites

    0 Votes
    6 Posts
    776 Views
    Derelict

    No. They are different broadcast domains.

    You might be able to bridge them to the LAN side but not WAN to LAN.

    That setup is kind of funky.

  • Failover behavior

    0 Votes
    7 Posts
    932 Views

    I forgot to say: Thank you very much for the info.  I will put it to good use.

  • Default gateway not preferred after going down and coming up

    0 Votes
    4 Posts
    446 Views
    Derelict

    Status > Gateways

    Diagnostics > Routes

  • Only redundancy, no balance

    0 Votes
    2 Posts
    454 Views

    Different tiers provide failover

  • One way audio on another subnet

    0 Votes
    2 Posts
    366 Views

    Please see packet capture and Diagnostics > States

    Attachments: 4.png, 5.png

  • WAN Gateway Packet Loss

    0 Votes
    3 Posts
    4k Views

    Are you using Google 8.8.8.8 or 8.8.4.4 as your gateway monitoring destination?  If so, change it.  Google will drop packets thereby creating a false positive packet loss.

  • Multi-WAN Policy Based Routing not working

    0 Votes
    3 Posts
    1k Views

    Manual reset of the states is a good idea when you change your rules in any significant way: Diagnostics > States > Reset States.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.