What ip(s) are port 80 and 22 being forwarded to? You would need to setup a superseding rule to make the gateway of that IP address be pfsense's default gateway. I suspect the IP address is pfsense's LAN IP so just make the rule and the mask would be /32 and move it ahead of the rule that directs all the other traffic over the VPN. By the way if I'm right about the LAN IP I suggest you use https.

I did the same. All kind of interesting questions come up and resolve themselves by the passing of time.

Configure Sophos in bridge mode ? It is weird at start, but it grows on you.

Wouldn't it be simpler to just create the vpn client connection on pfsense directly… Vs what is a hairpin and asymmetrical routing mess that you have to bypass rules on your interface, etc.. Other solution is to put this vpn endpoint on transit network connected to pfsense, so you remove the asymmetrical routing..  You could still have hairpins depending on where you put the transit vlan or its own physical interface and what other vlans are using the transit to get to this downstream machine.

Sure that works.. Another solution would not to multi home you boxes like that.. Seems kind of pointless if you ask me.. Also such a setup doesn't stop them from talking to each other on their other network..  Why would you not just put the clients behind pfsense for everything? What is the point of the multihomed setup?  That you want/need to firewall?

no it appears peplink can balance or aggregate with added service and pfsense works fine with unequal speeds

have to have unique gateways but pppoe works but have been told its not supported

They still need to know to route that network to you.

Just an indication that such a configuration is possible with pfsense would be extremely helpful.  Thanks

179.142.X.X = 179.142.0.0/16 179.142.15.X = 179.142.15.0/24 If you're unsure use a CIDR calculator like http://www.subnet-calculator.com/cidr.php.

Got this working now. Dns was not.set by pfsense without a static mapping. Once that was sorted it worked. @johnpoz thanks for pointing me in the right direction and confirming the basic vlan config was somewhat.ok. /d

It should be possible. But how to do depends on the stated routes. If pfSensebox1 is the default gateway in the LAN and you push the default route or the route to LAN network to vpn clients (redirect gateway), it should work without adding routes. If that is not given you need to add routes… @finadmin: Should this be possible when client1 has a route to 10.80.0.0/16 via 192.168.1.245 + pfSensebox1 has a static route from 192.168.1.245 to 10.80.0.0/16 ? The client route is fine. It is only necessary if pfSense is not the default gateway in LAN. The second route on pfSense does nothing. You need a route on the vpn client for 192.168.1.0/24 pointing to the vpn server. This can be set by entering 192.168.1.0/24 in the "Local Network/s" box in the server settings. If you use the wizard for setting up the vpn server, this is set by default. Consider that the vpn clients firewall will block such access by default. So you have to open some ports.

@dmjar: Effectively the main issue is getting the traffic from a port forward (incoming from WAN) to actually go further than the PFSense box as currently it is not hitting the device in LAN2. So this should be solution for that already: @dmjar: I am assuming it is a Routing issue however I have tried adding the downstream router as a gateway and creating a static route for both the whole 192.168.2.0/24 range and alternatively just the 192.168.2.200/32 range in this example. Maybe you have done something wrong?

"My anti-virus connects to the database server using a public address" So its hardcoded IP or it uses a FQDN to access.  Hard coding IPs BAD… FQDN good! If you use FQDN its a simple host dns configuration to have that fqdn resolve to the rfc1918 address of your database server while inside.. And while outside you hit the public IP.

Hi johnpoz Thanks for your reply. Yes on the Network 10.0.x are hosts. But this are two different customers and I don't can change the Subnet 10.200.201.0/24. I have draw another picture. I think, we need a policy based routing with the possibility to define Gataways on the IPSec Interface.