What ip(s) are port 80 and 22 being forwarded to? You would need to setup a superseding rule to make the gateway of that IP address be pfsense's default gateway. I suspect the IP address is pfsense's LAN IP so just make the rule and the mask would be /32 and move it ahead of the rule that directs all the other traffic over the VPN.

By the way if I'm right about the LAN IP I suggest you use https.

I did the same. All kind of interesting questions come up and resolve themselves by the passing of time. 🙂

Configure Sophos in bridge mode ? It is weird at start, but it grows on you.

Wouldn't it be simpler to just create the vpn client connection on pfsense directly… Vs what is a hairpin and asymmetrical routing mess that you have to bypass rules on your interface, etc..

Other solution is to put this vpn endpoint on transit network connected to pfsense, so you remove the asymmetrical routing..  You could still have hairpins depending on where you put the transit vlan or its own physical interface and what other vlans are using the transit to get to this downstream machine.

Sure that works.. Another solution would not to multi home you boxes like that.. Seems kind of pointless if you ask me..

Also such a setup doesn't stop them from talking to each other on their other network..  Why would you not just put the clients behind pfsense for everything?

What is the point of the multihomed setup?  That you want/need to firewall?

no it appears peplink can balance or aggregate with added service
and pfsense works fine with unequal speeds

have to have unique gateways but pppoe works but have been told its not supported

Ok, I've found the solution (thanks @pruiz)

I've read in many messages that it was not possible, and following all the guides I found it didn't work. Maybe all I found only applied to old versions.

This is how it worked:

Define the gateway for each wan interface in the interface configuration Define the rules on each WAN interface. It can also be a floating rule, but in that case it has to be defined as a IN direction rule and applied ONLY ON ONE WAN INTERFACE. So, you will have to define a rule for each WAN, what makes useless using floating rules… DO NOT go to advanced options and define the gateway, the reply-to will be correctly defined based on that WAN's gateway

They still need to know to route that network to you.

Just an indication that such a configuration is possible with pfsense would be extremely helpful.  Thanks

179.142.X.X = 179.142.0.0/16
179.142.15.X = 179.142.15.0/24

If you're unsure use a CIDR calculator like http://www.subnet-calculator.com/cidr.php.

Got this working now. Dns was not.set by pfsense without a static mapping. Once that was sorted it worked.

@johnpoz thanks for pointing me in the right direction and confirming the basic vlan config was somewhat.ok.

/d

It should be possible. But how to do depends on the stated routes.

If pfSensebox1 is the default gateway in the LAN and you push the default route or the route to LAN network to vpn clients (redirect gateway), it should work without adding routes.

If that is not given you need to add routes…

@finadmin:

Should this be possible when client1 has a route to 10.80.0.0/16 via 192.168.1.245 + pfSensebox1 has a static route from 192.168.1.245 to 10.80.0.0/16 ?

The client route is fine. It is only necessary if pfSense is not the default gateway in LAN.

The second route on pfSense does nothing.
You need a route on the vpn client for 192.168.1.0/24 pointing to the vpn server. This can be set by entering 192.168.1.0/24 in the "Local Network/s" box in the server settings.
If you use the wizard for setting up the vpn server, this is set by default.

Consider that the vpn clients firewall will block such access by default. So you have to open some ports.

@dmjar:

Effectively the main issue is getting the traffic from a port forward (incoming from WAN) to actually go further than the PFSense box as currently it is not hitting the device in LAN2.

So this should be solution for that already:
@dmjar:

I am assuming it is a Routing issue however I have tried adding the downstream router as a gateway and creating a static route for both the whole 192.168.2.0/24 range and alternatively just the 192.168.2.200/32 range in this example.

Maybe you have done something wrong?