The added NIC is a Intel  EXPI9301CTBLK.

let's put it this way. If you remove all the copyrights, you violate the license. If you build a binary and call it pfSense, you violate our trademark. Otherwise, yeah, perhaps you need an attorney.

The FiOS router currently handles NAT, but I am pretty unhappy with it's performance overall. It's prone to crashing and needed hard restarts, its throughput seems pretty poor, and the user interface is a pain. Hence my idea to essentially bridge it so that the pfSense box servers as the DHCP server and is the "first line of defense."

Well, that'd be because the latency between your demarc and gateway is above 20 ms. Not much more to it than that. Keep a ping going for a bit and watch the latency. If you're not seeing spikes in it, then it could be an RRD issue - but I highly doubt it.

errr shared folder watch?

possibly check your firewall rules as well.

Dude here is the thing - broadcasts do not pass segment boundaries. So either you got something setup as a bridge passing traffic, a dhcp relay example.  Or you have some cross over in your physical/virtual network that connects your networks to the same wire. It should be impossible for your 20.1 dhcp server to see broadcast packets from your 25.1 segment - so if 20.1 is seeing dhcp discover and sending offers then you got a issue with your physical network being connected. can you post up your esxi network setup?  Impossible to point out where your issue is without understanding your network - do you have vlans setup on your vswitches? In a normal setup it would be impossible for 20.1 to see broadcasts or dhcp discover from devices connected to your 25.1 segment - so you have something connected together that shouldn't be.

The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet. What you describe here in the first post is around the wrong way - if the rules were like that at first then they would not have worked. The way you describe doing it in the 2nd post is correct and works. That is why it works now and did not work at first.

Dude - just send me a pm and I will set it for you again.  I got busy and forgot sorry. If you want someone to walk you through via the forum, your going to have to give more detail then hep me ;) You are running a nested Virtual setup, you have a cellular connection where your behind a nat and can not change anything.  Did you get that changed? Your going to have to go in to great detail if you want someone to walk you though on a forum…  But we already tried that and it was hopeless, was just easier to do remote. So I am sorry I forgot about your request, but PM me and we can try and setup a time.

We're missing some details…  So, when you were on your tp-link router was your WAN set to DHCP?  Or are you paying for a static IP block? /2???  A mask of /2 would include almost every IPv4 address out there.... you wouldn't be using that.

As far as I know the MSCHAPv2 is for security between a computer and the authenticator (CP, switch, WLAN-AP, …). This can be done on CP GUI. For the encryption between CP and RADIUS you have to configure the shared secret. An improvement RADSEC is not implemented in CP - as far as I know - and not implemented in freeradius 2.x. For this you probably need freeradius 3.x or any other RADIUS which supports that.