@johnpoz Thank you so much again. Understand all.
Couple of clarifications:
Yes, understood, I was looking to be able to access pfSense and the LAN, but not the internet, in this instance. Either way, everything you said helped clarify it for me and I both understand it and got it configured and working. :))
2a. Mine is manual, but yes, great points and idea.
The allow rule you are referring to, would be an allow any and the gateway or default gateway correct?
Also, on one of the switches I am looking at (all are good, one is high-end) I noticed that VLAN 1 (under its VLAN ID tab in membership) is an untagged member on every port as well. This includes ports that already have an assigned untagged VLAN. Is that incorrect?
Should only be the vlan assigned to that port untagged, correct?
Okay, and if I add a block egress rule in floating, that would go on the WAN or other gateway as previously discussed, correct?
edit: VLAN 1 is now neither tagged nor untagged on ports that have other VLANs untagged on them. All seems to be working, so I'm thinking that is the correct config. :)
Therefore, now not all ports are members on vlan 1, but port 1 (trunk) is tagged on each vlan on other ports.
ex: VLAN ID. ** Port Member
1 ** 1 17 27 (not a member of ports with vlans assigned untagged)
10 ** 1 2 (vlan 10 U on port 2)
Port 1 tagged on every vlan
(formatting issue so had to use * to separate rather than columns)