That worked! Thank you very much!

I have to use the VPN Router from our provider - so I can't move the VPN over to PFSense :-( Flemming

@GruensFroeschli: Without knowing the rb750: to me it seems as if the rb750 has an integrated switch which is not VLAN capable. You simply need a VLAN capable switch. The default configuration is one wan port, and four ports configured as a switch. RB750G can be reconfigured to have five independent LAN ports. In the following manual pages, you can see that the switch chip in RB750G supports VLAN. http://wiki.mikrotik.com/wiki/Switch_Chip_Features Additional VLAN features can be configured in MikroTik RouterOS, for example VLAN trunking (feature called service-tag in RouterOS). http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN RB750G is a very feature rich and powerfull router/switch. If you only need a VLAN aware switch, take a look at RB250GS. http://www.routerboard.com/index.php?showProduct=101

For OPT1 did you add your "allow ICMP' rule as well? Post your LAN– WAN firewall rules ,,,either copy/paste or screenshot them Does WAN work as expected? Barry

On 2.0 you can do it by either picking 'address' for the type, or just enter x.x.x.x/32 for a single IP. On 1.2.3 just do x.x.x.x/32.

thank you very much.

cirkit, Thank You for the informative response! I will give a try what solved this prob for you on our pfSense box and report back when this same problem arises. Take Care, barry

Also make sure your rule is above the Default LAN -> any rule.

Hopefully I understand your question correctly.  But here goes.  You certainly can utilize the single LAN interface for all of the subnets.  Make sure the card supports 802.1q trunking.  It will probably work even if it doesn't but you can run into some weird things. Sounds like you may be doing this already.  In this case you would have 2 physical adapters in your pfSense box.  One would be the WAN.  The other would be multiple networks…the LAN (VLANx with 10.1.1.0/24), OPT1 (VLANx with 10.1.100.0/24), OPT2 (VLANx with 192.168.106.0/24).  Simply point the dfgw of the hosts on these subnets at the pfSense box and allow them to talk to eachother as I believe you've stated you needed.  Hopefully this helps!!

Oh, that behaves different from inside the network than it does for traffic actually initiated by the firewall. Still the result is the same, that traffic isn't going out the Internet, and the ICMP redirect it's sending isn't going to hurt anything.

Yes, Firewall > Rules, LAN tab.

exactly. my main concern is that I can only get to the network via a wireless bridge.