@ak-0 said in Internal routing of Vlans:
@Derelict
VLANs are created under the physical LAN interface ig0, and the parent interface for these VLANs is ig0.
Actually, what I want to achieve is: if traffic from the VLANs goes out, it should first reach
VLAN gateway >> LAN gateway >> WAN port, and should not go VLAN >> WAN port.
Traceroute should be:
1. VLAN IP (192.168.100.1)
2. LAN IP (192.168.10.1)
3. Gateway IP (1.2.3.4)
instead of
1. VLAN IP (192.168.100.1)
2. Gateway IP (1.2.3.4)
I'm trying to double NAT for the VLANs: the first NAT should be internal, and then the gateway.
@tim-mcmanus: If we simply capture the packet, on inspection it can show the source device and then the route the packet came from. So someone with that much information and hacking knowledge can easily walk into your network. Also, they can send a packet with the header upside down to hit the server behind the pfSense firewall, located on a VLAN.
I've worked in environments that required double NAT, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.