Yeah ok bad idea...just trying to cut down on stuff but you guys are right it’s not good architecture.

@sho1sho1sho1 Only the ports you open are exposed. However, why are you using those ports. Ssh is port 22.

@JKnott I definitely need to go study up on the OSI model again. Networking class was so long ago! Thanks for offering some schooling. I will focus my efforts on trying to get a particular subnet to route over the VPN group i have set up then.

see if this helps: https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html

When the Timecapsule dies I’ll LAG the router :)

That is an odd thing to have to do using physical nodes but glad you found it.

@average_joe said in Layer 3 Switch to pfSense - What Am I Missing?: the NAT rule covers the LAN Net, but there was no NAT specified for the other VLANs in the 10.20.0.0/16 Supernet. They would be if you were on automatic nat.. Had you changed this to manual? If so why? Once you create a gateway and create routes to the downstream nats they are automatically added for your outbound nat. edit: Here you can see my auto outbound.. I then created a new downstream gateway off my dmz interface to 192.168.3.32.. I then created a route to downstream 172.16.0/24 network using that gateway and the outbound nats were auto added. [image: 1572909675450-autonat.jpg] You can see that the outbound nats now include the 172.16.0/24 network to be be natted outbound. That drawing Derelict posted - been around for many years that drawing ;) gives you all the info you would need for doing downstream networks with pfsense. But yes you would need to modify the rules on your now transit network to allow the downstream network(s) on your firewall rules.

Check Asymmetric VLAN

I'm added next rule which allowed all trafic to VLAN address. icmp to VLAN IP still don't working. [image: 1572462359628-pfsense003.png] [image: 1572462645424-pfsense004.png]

@JKnott I found an older i5 hp machine in the attic that i just set up with an 64bit pfsense! updated finally! Guess it was the smartest thing to do.

@johnpoz Yes, sorry for poor communication skills on this

@NogBadTheBad Thanks for pointing this out. I have tried setting the net.link.bridge.pfil_bridge to 1 and tested the network capture, sadly still the same result. Therefore this kernel setting doesn't seem to be related. Remember I mentioned remote capturing works properly, and that was done against "bridge0" bridge interface instead of member interfaces whilst the net.link.bridge.pfil_bridge was the default value 0. Regards.

How do you have this all physically connected? If you have a loop and preventing issues with STP does not really sound like an optimal solution.. Why would you not isolate your L2 networks via vlans on your switch? Where you wan is different L2 than your Lan..

@Rai80 Alright, I go try

WPA3 enterprise would be the new way to go ;) It is hopefully going to be viable here soon on the unifi stuff.

It sounds to me like you have all the nuts and bolts necessary to build a pretty decent segmented network. There's no mention of your WiFi gear, but regardless of vendor, as long as it supports VLANs you'll good to go with that component too. Personally, I have networks for servers, kids, media, IoT, guests, etc. I have a fairly beefy server (16-core, 96GB RAM, 12TB RAID 5) running ESXi with everything virtualized (including pfSense). Servers and printers share the same network. Parents devices have their own VLAN with DHCP (responds only to named reservations) and rules allowing access to pretty much anything. Each kids has their own VLAN with DHCP (responds only to named reservations) and rules controlling what they can access, and schedules to ensure they get some sleep! - The WiFi has one SSID to rule them all, it is integrated with AD and does per user RADIUS VLAN assignment, but that's just icing on the cake. Media devices, Roku, PS4, etc have a media VLAN again with DHCP, rules and schedules. IoT devides, fridge, thermostat, cameras, etc have their own VLAN with DHCP and rules (generally allow to Internet only) Guests have a VLAN (accessed via the WiFi) with DHCP and captive portal, and rules. (I also added a MAC filter to the WiFi to prevent the kid's devices from using the Guest WiFi and bypassing the above controls). Several LAB VLANs where I can spin up VMs to test various things Some planning will certainly be required: Figure out how many VLANs you will need. Keep in mind that while you can make it super complicated, managing it also becomes complicated as does troubleshooting. Each VLAN will need a separate non-overlapping subnet. pfSense will be the default gateway for each subnet. Each subnet will need rules to indicate what it is allowed to access (keep in mind that any other interfaces besides LAN have no default rules, so you'll need to create some). You could add VLANs to the LAN interface, or natively to the other interfaces, it makes no difference unless you are passing a lot of traffic between two different VLANs, in which case it might make sense to have them on separate ports. Configure the managed switch with the VLANs and assign them to the port(s) facing pfSense. From there move your devices into the desired VLANs (IP renumbering will be required), and create rules as needed. Lastly, test and test some more.

Hello jimp, Thank you for your useful answer. My original problem was described in another topic, here: https://forum.netgate.com/topic/146476/issue-with-failover-gateway-group-over-vti-tunnels/2 Since Gateway Groups is not working properly on VTI interface, then I decided to do the automatic failover switching on the Mikrotik router (with a script). That is why I wanted to extend the VTI tunnels from pfSense to Mikrotik router by briding them with an ether interface on pfSense. Some sort of (GIF) tunnel over VTI tunnel could have solved the problem, but to use these solutions are very limited at "Site B". I chose a different solution: I installed a second (virtual) instance of pfSense, in this case 2 VTI tunnels were enough instead of three. And because one pfSense had only one VTI tunnel, layer3 connection was enough between Mikrotik and the pfSense routers to do the automatic failover switching on the Mikrotik. So I already solved this problem... but if you have any idea/hint, I'm open to receive it for the future. Thanks, SGábor