I've found one solution to this would be to vlan each of the buildings and trunk ports to the LAN side of the FW.  Set the priority for each building's vlan to keep the gateway local.  Anyone else have any other ideas?

4000 VLANs?! That's more than enough for me :D Yes, this would be deployed under 2.0 anyway. Given the current good stability of 2.0, I think the extra features added (that we need) outweigh the risk. Nonetheless we have a box in testing set up yesterday. Hasn't skipped a beat yet! And provided that the ports on the switch (or bridge ports in my case as this is a Xen setup) that connect to the servers are not VLAN aware and have a PVID of the respective VLAN they are supposed to be on, does that provide a secure solution? I've read a lot of nasty things regarding VLANs, however they seem to be used everywhere. For exmaple, most colocation providers use VLANs for their customers. Thanks

You must have a gateway configured on the interface for it to be a WAN, and to show up there. Set it to whatever IP info your ISP assigned.

One issue I can see is one I've had myself, which is with trackers.  Some will not record information from two IPs as the same user for ratio information.  Also, as a thought, it might be best to limit BT to one WAN, so you won't have issues with both connections being throttled by BT traffic.

Another thought, not sure if this would help but I saw that you said that the ISP manages the pirelli box.  You could just tell them to open ALL ports and forward them, and have pfSense manage it from there.  That would essentially be akin to putting the pirelli in bridge mode, aside from really being in bridge mode. It would be similar to some routers' "DMZ" mode.

I'm not a guru by far, but I think you may need to set a static route in pfSense, and possibly sonicwall as well.  Not sure exactly how to go about that, but maybe one of the people that know what they're doing can give further input?

Many ISPs would block outgoing traffic if the IP is spoofed in that way. There is no way to really tell an "upload" from a "download" if the traffic is all HTTP, FTP, SCP, etc in both directions, but if your uploads vary by protocol, you could just craft some policy-based routing rules to direct out certain WANs based on the port number.

Just to keep you updated: In my case, disabling the scrubbing function did the trick.

Great! I reconnected my router and I got a new IP and Gateway with 255.255.255.255 subnet mask. Thank you very much jimp for taking the time for me and my question. No I can enjoy my vacation ;-)

@lsoltero: I have uploaded a version of the patch apinger for pfSense 1.2.3 to here… THANK YOU!!!

"Block private networks" Is only available to be selected and is turned on, on the WAN interface. "Automatic outbound NAT rule generation (IPsec passthrough)" is selected. The only other firewall rules are for the port forwards  from the WAN to specific PCs

Do both OpenVPN servers know how to route to the remote network, and are they both configured as the default gateway for their networks?

I am sorry for confusion. This case is resolved. The problem is with crappy IE whatever version. In FF and Chrome all messahes on PFSENCE are OK. Just did a cron job according http://forum.pfsense.org/index.php/topic,25732.45.html and all is done well. Thank You Pfsence forum for a great job. This is one of the best forum site with OPEN source ever used. Thank You guys. Regards, MST

I don't see anything in your original post that would suggest that you want to bridge interfaces. Unbridge them and make firewall rules as follows: LAN interface TCP  LAN net  *  Server  80  *  * *      LAN net  *  !OPT1 net * *  * OPT1 interface TCP  OPT1 net  *  Printer  9100 * * *      OPT1 net  *  !LAN net  *  *  * The above rules assume that your server is listening on port 80 and the printer on port 9100; you'll have to adapt them to your situation. Use automatic outbound NAT.

Your hosts don't need any vlan configuration. If you have hosts plugged into ports 11-15 on the switch and you want them to be on vlan 15, you simply set 'switchport access vlan 15' on fa0/11 – fa0/15 in the 3500.