@wmheath586 you might also want to drill down further to the MAC address tables in your router. If you are using a managed switch you should be able to telnet into your router and inspect the MAC address table. This would be relevant if you are running multiple VMs and have left the MAC addresses at their defaults.

That is what I do as well, some interfaces run multiple vlans. Others have only single interface. My high volume vlans have their own uplink. Other vlans like my wireless ones share an interface. Wireless clients not going to be able to use a full gig interface anyway - not a single device for sure.. Maybe as you move to AX.. But until that time with wifi 5, not really possible for a wireless client to use full gig. So yeah they can share an interface, and rare that any wifi vlan would ever talk to another wifi vlan, etc. This is what is nice about having multiple interfaces on your router. One of the reasons went with the 4860... Lots of discrete interfaces, gives you more options. I don't really have any use for switch ports in my router ;) That is why I have switches... heheh Now what I would love to see, would be a netgate box that has multigig interfaces - support for 802.3bz.. Love to have interfaces that can do 10/100/1000/2.5/5/10ge Multigig switch ports be great.. This could allow for say future connection of AX APs that support say 2.5ge uplink into the router, when you don't actually have a muligig switch, etc.

@gabriel-silveira Se você tem 2 provedores, os 2 estão conectados no pfsense, certo? O Gateway group permite você configurar essas saídas de Internet em failover por exemplo, caso provedor A caia, utilize o provedor B até que o A seja restabelecido. Ou caso você queria por exemplo que a VLAN20 utilize o provedor A apenas, você adiciona na regra de Firewall que permite o acesso a Internet dessa VLAN o gateway apontando para o gateway do provedor A. Você fez alguma configuração nesse sentido? Pois caso tenha feito, você precisará criar regras de Firewall, permitindo a conexão entre as VLANs, com gateway sem alteração, ou seja, em default, e essa regra deverá estar no topo. Ela precisa estar antes das regras que permitem o acesso a Internet com gateway específico, ou seja, que não seja default. Uma recomendação para que possamos te ajudar melhor, é sempre postar uma topologia do ambiente. Estou tendo que fazer suposições sobre o problema e o ambiente.

edit: on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. however I am still with the issue of some devices getting IP's and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 manageed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS ( local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

Good day, I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...

Trunk your VLANs on a single pfSense interface. The Netgear docs suck big time. https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

@Gertjan said in Trouble With CaptivePortal on Two VLANs in One Interface: You are already using multiple interfaces - a VLAN is considered as a interface. Typically, each interface has its own dedicated AP(s) - using a dedicated radio (== Wifi) setup. A user should choose the correct Wifi SSID first to use the correct network. You can't automatize this. I just wanted to make it happen. I was planning to redirect the user to the correct VLAN by using just one SSID. But I completely got that I can not do it. Thanks for your helps. @free4 I still can not find an opportunity to try PacketFence. I will write down here if I can be successful on it.

@ak-0 said in Internal routing of Vlans: @Derelict Vlan are created under physical Lan interface ig0 and parent interface for these vlan`s is ig0. Actually what i want to achieve is if traffic from Vlans goes out first it should reach Vlan gateway>>Lan gateway>> Wan port and should not do Vlan>>Wan port. Tracert should be 1.Vlan IP (192.168.100.1) 2.Lan IP (192.168.10.1) 3.Gateway IP (1.2.3.4) instead of 1.Vlan IP (192.168.100.1) 2.Gateway IP (1.2.3.4) I`m trying to double NAT for Vlans, first NAT should be internal and then gateway. @tim-mcmanus : If we simply capture the packet and on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, can send packet with header upside down to hit the server behind pfsense firewall, located on VLAN. I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.

@telescopedepth I appreciate people's goodwill. I understand you, also networking's jobs. you can learn enough, trought forum and community, as I do... If you really want, nothing is impossible! Meanwhile I'll reading some nice book like this Some page for a day, it's easy to follow and full of good pratice, for me. Regards. (Indeed pfSense book it is) Finally I need to thank so much pfsense team for this pretty nice gift, I dicovered few days ago, pfsense book for everyone is a must to have. Cool!