• Unable to correctly route to VPN server behind PFsense firewall

    6
    0 Votes
    6 Posts
    2k Views
    Derelict
    Just the port forwards.  The other issues you will likely encounter are asymmetric routes, etc.  All that will have to be handled on the internal router/sophos. Even the list of port forwards is a Sophos issue.  Forward what they say you need to forward. According to your diagram the VPN clients will be issued addresses on the same subnet as the pfSense interface so you won't have to route any additional subnets over to Sophos and won't have to pass any source addresses other than your typical LAN Net.
  • Issue with OpenBGPD

    9
    0 Votes
    9 Posts
    3k Views
    R
    @hatimux: Hello, I'm adding a static route to the OpenBGPD process. The route is distributed correctly. When I delete the route, OpenBGPD still distributes it, even though it is no longer in the routing table (netstat -rn4); I have to restart the OpenBGPD process to delete the route. Is there any way to force OpenBGPD to delete the routes without a restart? Thanks! http://www.openbgp.org/manual.html You can trigger a reload of the config in the CLI: [2.2.4-RELEASE][root@pfSense.test]/root: bgpctl reload reload request sent. request processed
  • Reply on wrong gateway

    4
    0 Votes
    4 Posts
    1k Views
    H
    not totally clear. (i'm just not very smart) so, you bridged fiber+lan (or you basically bridged datacenter-lan & local-lan) datacenter-lan subnet = local-lan subnet  | right ? then why use a gateway at all ? you are in the same broadcast domain and packets would flow to and from the datacenter without any >=layer3 involvement ?
  • How do I speed up GW Failover times?

    3
    0 Votes
    3 Posts
    1k Views
    C
    Lower "down", leave the remainder alone. Though take care with what you're doing there. Often making it more sensitive just results in unnecessary and unwanted failover. Getting failover in less than 10 seconds is almost certainly too touchy.
  • Replicating multi-DDWRT routers into one PFSense box

    9
    0 Votes
    9 Posts
    1k Views
    R
    Okay I think I lost you guys. Tim says I can't assign separate gateway IPs for each ISP, which based on my goal of replicating my current setup will then mean I can't proceed unless I go the route of similar multi-wan setups using PFSense. Which isn't something I'm prepared to do. Yes, I'm a little stubborn. :) However, if what Frank is saying is true, then how do I proceed with that? I think if I can get that started, I can start applying what I have read so far along with the help Tim has earlier provided. Backup scenario I'm thinking of for my setup is running a VM Server with 3 DDWRT appliances. Yes, it's dirty. That's why I'm trying to get with the times and learn PFSense. I'm hopeful it could be done.
  • How can I add a route's optional modifier to a static route in pfSense

    Locked
    3
    0 Votes
    3 Posts
    510 Views
    ivorI
    @doktornotor: Please, stop. This is the third thread you started about exact same thing. https://forum.pfsense.org/index.php?topic=97875.0 https://forum.pfsense.org/index.php?topic=97824.0 Thanks!
  • 0 Votes
    2 Posts
    478 Views
    H
    tier1 –> tier 2 https://doc.pfsense.org/index.php/Multi-WAN#Tiers
  • MOVED: Static route not redistributed into RIP

    Locked
    1
    0 Votes
    1 Posts
    413 Views
    No one has replied
  • Multiwan Loadbalance High Latency Question

    2
    0 Votes
    2 Posts
    546 Views
    T
    Simply stated, no. Your torrent program can open multiple connections and sessions, which as individual connections and sessions can be opened on two separate WAN connections. Therefore it can use all available bandwidth. However, a download is a single connection or session and can only use one WAN interface at a time. Binding WAN interfaces must be done at the ISP's site and cannot be done through pfSense.
  • RIP on 2.2.X Routed missing from Rc.d

    1
    0 Votes
    1 Posts
    565 Views
    No one has replied
  • Simple way to add isolated guest ethernet port

    4
    0 Votes
    4 Posts
    544 Views
    Derelict
    The rules will go on the interface your guest users are connected to. https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting In general: Pass connections to specific local resources your users need (DNS) Reject connections to less-specific local resources (LAN, This firewall) Pass everything else (The Internet)
  • 3 years of 150 users, Multiple PPPoE problem

    4
    0 Votes
    4 Posts
    829 Views
    C
    Multiple PPPoE WANs using VLANs has been widely used for quite some time. Have you tried it recently? If not, it's worth a shot, and report back with your PPP logs if you run into any issues.
  • MOVED: Multiwan PPPoE and Squid in different Boxes - Horrible Speed

    Locked
    1
    0 Votes
    1 Posts
    401 Views
    No one has replied
  • Subnet 2 routers behind pfSense router

    3
    0 Votes
    3 Posts
    665 Views
    T
    Awesome thanks so much for your reply, Derelict. I will definitely look into purchasing the switch you have listed and will look into VLANs. Thanks again!
  • Mysterious (to me) vlan routing

    4
    0 Votes
    4 Posts
    681 Views
    Derelict
    No. Maybe look around the forum to see what information is necessary.  Look at the diagram in my sig for the information necessary. Interface addresses, netmasks, and gateways, firewall rules, etc. A diagram is always best.
  • NAT: 1:1: Edit > WAN net&WAN address

    5
    0 Votes
    5 Posts
    9k Views
    P
    LAN address is only the specific ip address you choose for your LAN interface. Example: 192.168.0.1 LAN net is the whole ip subnetwork in which your LAN address resides. Example: 192.168.0.1;192.168.0.2;192.168.0.3; and up to ;192.168.0.254 (assuming the same LAN address as above and a /24 ip subnet = mask 255.255.255.0) It's very hard to explain better when you don't tell us exactly what parts of ip networking you do understand and what you don't. Do you know what an ip subnet is? Are you familiar with the convention of describing subnets as /16 and /24 and do you understand the difference between them? If you do, please tell us what ip address and subnet you use on your LAN interface.
  • Sites that don't like Dual Wan

    5
    0 Votes
    5 Posts
    1k Views
    U
    @jackall: In load balancing, all internet connections are Tier_1 (Trigger level, High Latency) In Fail Over the fastest connection is Tier_1, the second fastest is Tier_2 and so on (Trigger Level is Member Down) Then I created an ALIAS (called no_load_balancing) with all the sites hating the connection jumps Finally in Firewall rules just before your lan to any rule, insert a new rule as follows :- Action = Pass Interface = Lan Destination : Type Single host or alias, and add No_Load_Balancing (or whatever you called your alias) In advanced features, choose the Failover group as your gateway. I do not know if this is the best way to do it, or if there is a simpler way, but it works for us J can you send screenshots of these settings please
  • Backup router access - multi-wan multi-router with IPsec VPN

    1
    0 Votes
    1 Posts
    649 Views
    No one has replied
  • Traffic Shaping from URL

    1
    0 Votes
    1 Posts
    616 Views
    No one has replied
  • Need Advice on a Certain Setup

    3
    0 Votes
    3 Posts
    691 Views
    G
    @tim.mcmanus: Why not do the whole thing with one pfSense box and VLANs?  Or a pfSense box with 5 NICs?  Or one pfSense VM? seems to be one good way, never thought of this, I'll try to formulate if this will work with my setup, thanks sir!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.