Add a static route to DHCP clients via option 121

OpenVPN and Multi-WAN

More complicated than it seems…

Incoming NAT

To allow traffic in from the Internet, a firewall rule must be added on the associated WAN interface allowing the desired traffic, using the destination IP and port of the internal private system.

Pfsense + VMWare + VLANs

Best route is to create as much virtual interfaces as needed in VMWare, set Networks with PVIDs and connect the virtual ETHs to the virtual Networks without playing with VLANs in PFSense itself.

Gateway failover

In System/Routing/Gateways, the Default Gateway must be set to the Gateway group created for the failover (or automatic).

If a specific default Gateway is already selected, failover won’t happen…

Auth with NPS (MS RADIUS)

On Pfsense: Groups must exist locally in System/User Manager/Groups (but with Scope = remote)

On NPS: in the network policy, settings / RADIUS Attributes / add standard attribute “Class” with the groups you want to be recognized (ex: “Domain Users;VPNUsers;pfsense-admins” )