Must the second company's firewall connect to yours? If it's two IP addresses in the same WAN subnet, don't bother chaining them. Put a switch on WAN and let them keep their firewall entirely separate.

Was the openVPN client connection established when this screenshot was taken?

Awesome thanks I will give that a shot!!!

Very strange.  Glad you got it working.

Two WANs to the same ISP are a problem on its own. Usually you get the same gateway from you ISP for both connections which makes it hard for your router to route different way.
And two WANs will NOT sum up to double speed, e.g. you will not be able to download a singe file with 20MBit/s. With load-balancing you can get 2x 10MBit for pulling different data.
A single 20MBit/s line can use the whole pipe with a single download or such.

Still not possible, and unlikely to ever be possible with IPsec.

pf is required for Multi-WAN the way most people use it – using gateway group and policy routing with gateway groups.

Multi-WAN without pf could still be possible in some cases. Specifically: Default gateway switching or having routing protocol to make the decision of which WAN to use.

Seems I may be making this more complicated than it needs to be, I'm going to attempt to use SNAT to match traffic for certain protocols and re-write the source IP to a new dummy range only used by my connection to the VPN provider.

Probably best to ignore my waffle for now :)

Weird - the unit says it is on the latest release… not sure why it isn't updating.
Sorry about that - I thought it was running the current stable!
I just checked again - the auto update url is set, and it checks and says it's:

Downloading new version information...done Obtaining current version information...done You are on the latest version.

Ok - now I see what happened… this unit has a 1GB CF. I guess when the updates switched to 2GB instead of reporting that it could NOT do an upgrade, it started reporting that it was already current. I'll look at a "forklift" upgrade to a new CF.

In my defense, my first port included the version number - which I stupidly thought was current:
Selfquoting "Using the latest release 2.2.6"  :'(

I'll try a current release.  :-X

Thanks!
m

"its not just 'boom' done in pfSense as there is no web interface for stunnel. "

So you seem to be able to do iptables via config file - but stunnel is too hard??

Working as a asymmetrical hairpinning nightmare.. Have fun with that mess!!  WTF..

Simple search and here looks to be instructions on bringing up stunnel on pfsense inbound
https://forum.pfsense.org/index.php?topic=109873.0

I show newer version here http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/stunnel-5.37,1.txz vs the one in that thread.

Tell you for sure the time need to create this sort of connection would of be a fraction of the mess you have!!

Any suggestion would be helpful.

8.8.8.8 gives us a bit of packet loss.
Any other suggestion on something to use for monitoring.

@johnpoz:

If your pfsense is on hyper-v what would be the point of creating multiple interfaces on pfsense that your just going to bridge??  Makes zero sense!

Then how would you do it? I'm open to suggestions, so if you know a better way to do it, then please share it with me.

For some reason Windows's interface bridges refuse to work with virtual adapters, and they don't really want to work with physical interfaces either, (can't copy files from shared folders) so that's why I want to do it in pfSense.

I've the same situation on a pfSense, two /29 and one /28, non adjacent and not routed. Each subnet has its gateway.
Each unique utilizable address of the ranges is added as VIP to the WAN interface and there is only one upstream gateway set in pfSense and any response is routed to it.

Why want you route packets back to the proper subnet gateway while they are also accepted by the first GW?