@johnpoz

The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG

Re: There is really no reason for it
I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.

I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...

From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.

Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.

Thank you. -jeff

While captive portal could be blocking.. You clearly have issue there with only allowing tcp.. Unless your client is doing doh or dot there is now way he could get any dns.. DNS runs on UDP 53..

You can see right there in your block 53 to 8.8.8.8 was blocked.

The copy jobs will be between nas to vsphere and external. Probably it will be smb3, i did not decide yet.
After removing the whole lagg config on pfsense and switch it works!

I can work with that but i'm still interested why it did not work with lag...