• 0 Votes
    2 Posts
    775 Views
    jimp
    How are the two networks connected now? You can't send traffic through a gateway in another subnet like that. You need some kind of transit network. For example, if it's a dedicated circuit, you'd have that plugged into an additional NIC (or VLAN) on both pfSense firewalls, and then you'd have some other unrelated subnet to talk between them there. Then you use the address in that subnet as a gateway to reach the other. If you have your LANs plugged together so they're all in the same Layer 2/flat network, that is going to be a huge mess.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Internal routing of Vlans

    General pfSense Questions vlans nat routing internal
    0 Votes
    15 Posts
    2k Views
    G
    @ak-0 said in Internal routing of Vlans:
    @Derelict Vlans are created under physical Lan interface ig0 and the parent interface for these Vlans is ig0. Actually what I want to achieve is if traffic from Vlans goes out, first it should reach Vlan gateway>>Lan gateway>>Wan port and should not do Vlan>>Wan port.
    Tracert should be
    1. Vlan IP (192.168.100.1)
    2. Lan IP (192.168.10.1)
    3. Gateway IP (1.2.3.4)
    instead of
    1. Vlan IP (192.168.100.1)
    2. Gateway IP (1.2.3.4)
    I'm trying to double NAT for Vlans, first NAT should be internal and then gateway.
    @tim-mcmanus : If we simply capture the packet and on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, can send packet with header upside down to hit the server behind pfsense firewall, located on VLAN.
    I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.
  • 0 Votes
    4 Posts
    1k Views
    Derelict
    Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.
  • 0 Votes
    16 Posts
    6k Views
    F
    I had this same issue and what worked for me is creating a floating rule on the downstream pfSense to allow WAN to LAN connections. YMMV.
  • 0 Votes
    4 Posts
    3k Views
    V
    https://www.netgate.com/docs/pfsense/virtualization/virtio-driver-support.html
  • routing from staffwlan to 2 IP's in LAN1

    Firewalling routing firewall
    0 Votes
    6 Posts
    949 Views
    stephenw10
    That'll do it!
  • IPSec VPN Routing Issue

    IPsec ipsec routing
    0 Votes
    3 Posts
    716 Views
    johnpoz
    2.3.2... I just don't get this.. Why would you not be on at least 2.3.5p2? 2.3.2 is no longer supported.. And to be honest the 2.3.x line is EOL here soon.. Like tmrw ;) https://www.netgate.com/blog/pfsense-release-2-3-x-eol-reminder.html
  • 0 Votes
    4 Posts
    768 Views
    Derelict
    Yes. Just like you would with an rfc1918 network. If they routed 1.1.1.0/25 to you:
    Interface: 1.1.1.1/25
    Usable: 1.1.1.2 - 1.1.1.126
    They'd set 1.1.1.1 as the gateway. Or you could configure DHCP to hand out the addresses if you wanted. You could also just use a /26, /27, /28, /29, /30, /31 on the inside interface and use the rest of the space for other purposes.
  • openvpn clients accessing LAN2

    General pfSense Questions routing openvpn lan
    0 Votes
    4 Posts
    1k Views
    F
    @rico I had a similar issue. Thanks for your advice!!
  • 0 Votes
    21 Posts
    6k Views
    T
    @grimm-spector Exactly, it will work just fine :)