pfSense
https://docs.netgate.com/pfsense/en/latest/index.html
Add a static route to DHCP clients via option 121
https://forum.netgate.com/topic/67684/explained-example-dhcp-option-121-249
https://tools.ietf.org/html/rfc3442
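The option 121 payload is compact binary: for each route, one byte of prefix length, then only the significant octets of the destination, then the 4-byte router. The encoder and decoder below are an added example, not taken from the linked forum post or from pfSense. The function names and sample addresses are made up for illustration, and the colon-separated hex output is an assumed input form to check against what your DHCP server's custom option field expects.

```python
import ipaddress

def encode_option_121(routes):
    """Encode (destination CIDR, router) pairs as an RFC 3442 option 121 payload."""
    out = bytearray()
    for cidr, router in routes:
        # strict=True rejects destinations with host bits set (e.g. 10.0.0.1/8)
        net = ipaddress.IPv4Network(cidr, strict=True)
        significant = (net.prefixlen + 7) // 8  # only these octets are sent
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:  # a single DHCP option carries at most 255 bytes
        raise ValueError("payload too long for one DHCP option")
    return bytes(out)

def decode_option_121(data):
    """Parse an option 121 payload back into (destination CIDR, router) pairs."""
    routes, i = [], 0
    while i < len(data):
        prefix = data[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix} at offset {i}")
        significant = (prefix + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError(f"truncated route at offset {i}")
        dest = data[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = ipaddress.IPv4Address(data[end - 4:end])
        routes.append((f"{ipaddress.IPv4Address(dest)}/{prefix}", str(router)))
        i = end
    return routes

def to_hex(data):
    """Render the payload as colon-separated hex octets."""
    return ":".join(f"{b:02x}" for b in data)

# Constructed sample. The default route is included because RFC 3442 clients
# that accept option 121 ignore the Router option (option 3).
SAMPLE_ROUTES = [("10.0.0.0/8", "192.168.1.1"), ("0.0.0.0/0", "192.168.1.254")]

if __name__ == "__main__":
    payload = encode_option_121(SAMPLE_ROUTES)
    print(to_hex(payload))
    print(decode_option_121(payload))
```

Decoding the value you are about to deploy is a quick way to catch a wrong prefix byte or a missing octet before clients install a route you did not intend.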
OpenVPN and Multi-WAN
More complicated than it seems…
https://docs.netgate.com/pfsense/en/latest/book/openvpn/openvpn-and-multi-wan.html
Incoming NAT
To allow traffic in from the Internet, a firewall rule must be added on the associated WAN interface allowing the desired traffic, using the destination IP and port of the internal private system.
pfSense + VMware + VLANs
The best approach is to create as many virtual interfaces as needed in VMware, set up the networks with PVIDs and connect the virtual Ethernet interfaces to those virtual networks, without configuring VLANs in pfSense itself.
Gateway failover
In System/Routing/Gateways, the Default Gateway must be set to the Gateway group created for the failover (or automatic).
If a specific default Gateway is already selected, failover won’t happen…
Auth with NPS (MS RADIUS)
On pfSense: groups must exist locally in System/User Manager/Groups (but with Scope = remote).
On NPS: in the network policy, under Settings / RADIUS Attributes, add the standard attribute “Class” with the groups you want to be recognized (e.g. “Domain Users;VPNUsers;pfsense-admins”).