Also make sure your rule is above the Default LAN -> any rule.

Hopefully I understand your question correctly.  But here goes.  You certainly can utilize the single LAN interface for all of the subnets.  Make sure the card supports 802.1q trunking.  It will probably work even if it doesn't but you can run into some weird things. Sounds like you may be doing this already.  In this case you would have 2 physical adapters in your pfSense box.  One would be the WAN.  The other would be multiple networks…the LAN (VLANx with 10.1.1.0/24), OPT1 (VLANx with 10.1.100.0/24), OPT2 (VLANx with 192.168.106.0/24).  Simply point the dfgw of the hosts on these subnets at the pfSense box and allow them to talk to eachother as I believe you've stated you needed.  Hopefully this helps!!

Oh, that behaves different from inside the network than it does for traffic actually initiated by the firewall. Still the result is the same, that traffic isn't going out the Internet, and the ICMP redirect it's sending isn't going to hurt anything.

Yes, Firewall > Rules, LAN tab.

exactly. my main concern is that I can only get to the network via a wireless bridge.

I've found one solution to this would be to vlan each of the buildings and trunk ports to the LAN side of the FW.  Set the priority for each building's vlan to keep the gateway local.  Anyone else have any other ideas?

4000 VLANs?! That's more than enough for me :D Yes, this would be deployed under 2.0 anyway. Given the current good stability of 2.0, I think the extra features added (that we need) outweigh the risk. Nonetheless we have a box in testing set up yesterday. Hasn't skipped a beat yet! And provided that the ports on the switch (or bridge ports in my case as this is a Xen setup) that connect to the servers are not VLAN aware and have a PVID of the respective VLAN they are supposed to be on, does that provide a secure solution? I've read a lot of nasty things regarding VLANs, however they seem to be used everywhere. For exmaple, most colocation providers use VLANs for their customers. Thanks

You must have a gateway configured on the interface for it to be a WAN, and to show up there. Set it to whatever IP info your ISP assigned.

One issue I can see is one I've had myself, which is with trackers.  Some will not record information from two IPs as the same user for ratio information.  Also, as a thought, it might be best to limit BT to one WAN, so you won't have issues with both connections being throttled by BT traffic.

Another thought, not sure if this would help but I saw that you said that the ISP manages the pirelli box.  You could just tell them to open ALL ports and forward them, and have pfSense manage it from there.  That would essentially be akin to putting the pirelli in bridge mode, aside from really being in bridge mode. It would be similar to some routers' "DMZ" mode.

I'm not a guru by far, but I think you may need to set a static route in pfSense, and possibly sonicwall as well.  Not sure exactly how to go about that, but maybe one of the people that know what they're doing can give further input?

Many ISPs would block outgoing traffic if the IP is spoofed in that way. There is no way to really tell an "upload" from a "download" if the traffic is all HTTP, FTP, SCP, etc in both directions, but if your uploads vary by protocol, you could just craft some policy-based routing rules to direct out certain WANs based on the port number.

Just to keep you updated: In my case, disabling the scrubbing function did the trick.

Great! I reconnected my router and I got a new IP and Gateway with 255.255.255.255 subnet mask. Thank you very much jimp for taking the time for me and my question. No I can enjoy my vacation ;-)

@lsoltero: I have uploaded a version of the patch apinger for pfSense 1.2.3 to here… THANK YOU!!!

"Block private networks" Is only available to be selected and is turned on, on the WAN interface. "Automatic outbound NAT rule generation (IPsec passthrough)" is selected. The only other firewall rules are for the port forwards  from the WAN to specific PCs

Do both OpenVPN servers know how to route to the remote network, and are they both configured as the default gateway for their networks?