• Routing problem between LAN and DMZ net

    3
    0 Votes
    3 Posts
    1k Views
    A
    @johnpoz: "MultiWAN with Gateway Groups, Tier 1 WAN 1 and Tier 2 WAN 2" "When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN .. " Well yeah.. If you're forcing traffic out a gateway how would it get to your other local network "dmz" Just create a rule above the rule that is forcing your lan out the gateway to allow the access you want into the dmz. Thanks for the tip! Now it works with a new rule to allow traffic from LAN to DMZ, without forcing dual wan gateway, on top of default rule to internet. BR, Adrian
  • Multi-WAN via VLAN

    1
    0 Votes
    1 Posts
    538 Views
    No one has replied
  • Need Help with getting my clients to communicate over LAN (Plex, RDP, etc.)

    27
    0 Votes
    27 Posts
    2k Views
    K
    Pfsense 2 vcore… A small share, 2vcore... plex - 4vcores It can take it. It's fast. Assuming it's just 1 or 2 people on the plex at a time. You bought a fast machine.
  • WAN, LAN + OPT1 - CORRECT WAY OF SETUP

    12
    0 Votes
    12 Posts
    9k Views
    johnpoz
    So let's repeat, since clearly you're not grasping this "IPv4 *  OPT1 net  *  WAN net  *  *  none" No that is NOT correct.. wan net is just that! The wan net.. That would explain why it works via proxy.. Wan net is not the internet… It's just the network your wan is on.. Create an ANY ANY rule on opt1, just like your lan.. but use opt1 net as source network. Let's say your wan is 1.2.3.4/24… Wan net means you could only talk to devices with IP 1.2.3.1-254... That is the WAN net, this is NOT the internet... The internet is ANY!!! Since pretty much the internet could be ANY public IP address.. You have no rule listed that would allow you to say googledns 8.8.8.8 or say forums.pfsense.org forum.pfsense.org [208.123.73.18] Your internet is only working via proxy because pfsense itself can get to the internet, and with proxy you're just asking pfsense - hey go to this place for me.. If you want to get there direct then you have to allow that on the firewall. How hard is it to put up a screenshot? From those can not tell if those are blocked or allowed.. You can see here I allow ping to wlan guest address, ipv4 and ipv6 I allow access to my ntp servers that are on different vlans ipv4 and ipv6 I allow the guest to go to public DNS, I hand out google in the dhcp server for this guest wifi network. Via rule that is allow for anything NOT rfc1918 (see alias created) I then block (reject actually with logging) any other access to any other firewall IP, be it lan, wan, or any other vlan IP. I then allow guests to go anywhere else as long as not rfc1918, or my local IPv6 networks. Where in your rules top down, first rule to trigger wins - no other rules allowed would your clients be able to go to any IP on the internet.. This is why the rules out of the box on pfsense are ANY ANY on the lan… [image: examplerules.png]
  • How do I set up my WAN for an ISP that uses L2TP?

    2
    0 Votes
    2 Posts
    323 Views
    K
    They're using weird lingo. I have a subnet of IPs routed to me as well. How many ports do you have on your pfSense box? Also, I don't think anything is coming in over L2TP.
  • Gif interface MTU stuck on 1280

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • Tunneling select IP's over VPN

    4
    0 Votes
    4 Posts
    475 Views
    W
    Port were used enough, provide VPN. IP check before.
  • Wan to Lan Printing

    1
    0 Votes
    1 Posts
    359 Views
    No one has replied
  • "centerless" virtual network

    1
    0 Votes
    1 Posts
    307 Views
    No one has replied
  • MOVED: Internet Access Redirection

    Locked
    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • Port Forwarding not working while routing traffic over OpenVPN interface

    2
    0 Votes
    2 Posts
    382 Views
    M
    What ip(s) are port 80 and 22 being forwarded to? You would need to setup a superseding rule to make the gateway of that IP address be pfsense's default gateway. I suspect the IP address is pfsense's LAN IP so just make the rule and the mask would be /32 and move it ahead of the rule that directs all the other traffic over the VPN. By the way if I'm right about the LAN IP I suggest you use https.
  • Multi VPN client/device bypass

    7
    0 Votes
    7 Posts
    822 Views
    K
    I did the same. All kind of interesting questions come up and resolve themselves by the passing of time.
  • Gateways for openvpn connections using wrong gateway/monitoring IP

    1
    0 Votes
    1 Posts
    427 Views
    No one has replied
  • 0 Votes
    3 Posts
    1k Views
    K
    Configure Sophos in bridge mode ? It is weird at start, but it grows on you.
  • Simple Problem: Static route not working

    5
    0 Votes
    5 Posts
    5k Views
    johnpoz
    Wouldn't it be simpler to just create the vpn client connection on pfsense directly… Vs what is a hairpin and asymmetrical routing mess that you have to bypass rules on your interface, etc.. Other solution is to put this vpn endpoint on transit network connected to pfsense, so you remove the asymmetrical routing..  You could still have hairpins depending on where you put the transit vlan or its own physical interface and what other vlans are using the transit to get to this downstream machine.
  • [Solved] Can not route between Multi-Homed Clients Behind pfSense

    4
    0 Votes
    4 Posts
    629 Views
    johnpoz
    Sure that works.. Another solution would be not to multi-home your boxes like that.. Seems kind of pointless if you ask me.. Also such a setup doesn't stop them from talking to each other on their other network.. Why would you not just put the clients behind pfsense for everything? What is the point of the multihomed setup? That you want/need to firewall?
  • WAN Load Balancing - Peplink - Pfsense

    9
    0 Votes
    9 Posts
    1k Views
    G
    no it appears peplink can balance or aggregate with added service and pfsense works fine with unequal speeds
  • Multi-WAN with two ADSL connections with same Next-Hop Router

    3
    0 Votes
    3 Posts
    417 Views
    G
    have to have unique gateways but pppoe works but have been told its not supported
  • Direct routing from WAN to IpSec not working

    1
    0 Votes
    1 Posts
    261 Views
    No one has replied
  • Failover some vlans using default gateway switching

    1
    0 Votes
    1 Posts
    274 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.