@GruensFroeschli:

Without knowing the rb750:
to me it seems as if the rb750 has an integrated switch which is not VLAN capable.
You simply need a VLAN capable switch.

The default configuration is one wan port, and four ports configured as a switch. RB750G can be reconfigured to have five independent LAN ports. In the following manual pages, you can see that the switch chip in RB750G supports VLAN.

http://wiki.mikrotik.com/wiki/Switch_Chip_Features

Additional VLAN features can be configured in MikroTik RouterOS, for example VLAN trunking (feature called service-tag in RouterOS).

http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

RB750G is a very feature rich and powerfull router/switch.

If you only need a VLAN aware switch, take a look at RB250GS.

http://www.routerboard.com/index.php?showProduct=101

For OPT1 did you add your "allow ICMP' rule as well?
Post your LAN– WAN firewall rules ,,,either copy/paste or screenshot them
Does WAN work as expected?

Barry

On 2.0 you can do it by either picking 'address' for the type, or just enter x.x.x.x/32 for a single IP. On 1.2.3 just do x.x.x.x/32.

thank you very much.

cirkit,

Thank You for the informative response!
I will give a try what solved this prob for you on our pfSense box and report back when this same problem arises.

Take Care,
barry

Also make sure your rule is above the Default LAN -> any rule.

Hopefully I understand your question correctly.  But here goes.  You certainly can utilize the single LAN interface for all of the subnets.  Make sure the card supports 802.1q trunking.  It will probably work even if it doesn't but you can run into some weird things. Sounds like you may be doing this already.  In this case you would have 2 physical adapters in your pfSense box.  One would be the WAN.  The other would be multiple networks…the LAN (VLANx with 10.1.1.0/24), OPT1 (VLANx with 10.1.100.0/24), OPT2 (VLANx with 192.168.106.0/24).  Simply point the dfgw of the hosts on these subnets at the pfSense box and allow them to talk to eachother as I believe you've stated you needed.  Hopefully this helps!!

Oh, that behaves different from inside the network than it does for traffic actually initiated by the firewall. Still the result is the same, that traffic isn't going out the Internet, and the ICMP redirect it's sending isn't going to hurt anything.

Yes, Firewall > Rules, LAN tab.

exactly.

my main concern is that I can only get to the network via a wireless bridge.

I've found one solution to this would be to vlan each of the buildings and trunk ports to the LAN side of the FW.  Set the priority for each building's vlan to keep the gateway local.  Anyone else have any other ideas?

4000 VLANs?! That's more than enough for me :D

Yes, this would be deployed under 2.0 anyway. Given the current good stability of 2.0, I think the extra features added (that we need) outweigh the risk. Nonetheless we have a box in testing set up yesterday. Hasn't skipped a beat yet!

And provided that the ports on the switch (or bridge ports in my case as this is a Xen setup) that connect to the servers are not VLAN aware and have a PVID of the respective VLAN they are supposed to be on, does that provide a secure solution?

I've read a lot of nasty things regarding VLANs, however they seem to be used everywhere. For exmaple, most colocation providers use VLANs for their customers.

Thanks

You must have a gateway configured on the interface for it to be a WAN, and to show up there. Set it to whatever IP info your ISP assigned.