Thanks for your comments! It turned out to be my mistake because I tried to install the nanoBSD on a hdd and use a second partition for squid cache. I'm going to save the config and reinstall from scratch.

@jlepthien: Well all I can say is that no one should be doing it the way you did…I as an admin ALWAYS test such scenarios before I'd do a remote update on a production environment... Me too. But living where I live and dealing with what I have to deal with I didn't have an option this time :)

Just to let you know, i solved it. I'm no expert, but since trying to setup a VPN connection I have learnt a few things about routing tables, so it just struck me that the VPN connection pushed a new default route, so when i disabled the Open VPN client, I can ping and traceroute again.

I cannot get the loadbalance to work so I go to policy routing with squid in transparent. Although I am disappointed with my setup since I cannot fully utilize all my ISPs but I have to be contented with it. I manually balance the load to the 3 different ISPs. GroupA(high priority) - ISP1 GroupB(medium priority) - ISP2 GroupC(low priority) - ISP3 I just add the following in my custom options of squid to make it work (IPs are just for example): acl GroupA src 192.168.100.1/24; acl GroupB src 192.168.101.0/24; acl GroupC src 192.168.102.0/24; tcp_outgoing_address 10.10.10.1 GroupA; tcp_outgoing_address 10.10.10.2 GroupB; tcp_outgoing_address 10.10.10.3 GroupC;

I presume you have added a firewall rule(s) on OPT1 to allow OPT1 to access the internet. Do you need to add a rule to allow OPT1 to access the PPTP server on the LAN? Do the VPN clients access the server by IP address or hostname?  If you are using DNS forwarder on pfSense it might help to add an "override" entry for the server host name so that internally (on your local network) the server name maps to a different IP address than it does externally (on the internet).

Thanks Ermal.  I will test it as soon as I can. Patiently waiting on the official release. ;D

They're: Mars 1U Server Celeron-M pfSense Appliance CPU Speed: 1Ghz Celeron-M Ethernet: 4xIntel Gigabit LAN Memory: 1GB DDR RAM Storage: 4GB CF Mini-PCI: None The packages are the default, nothing extra has been installed - it's showing AutoConfigBackup and siproxd. It should be vanilla 1.2.3 as far as I can tell. 1.2.3-RELEASE built on Mon Jan 4 10:56:15 PST 2010

I have version 2.0 RC3 (built on Sun Sep 11 21:36:53 EDT 2011), but it is also not working. The patch does not work either. Patches manually. Is it possible in a short time to wait for a bug fix?

Viscosity works nicely and has the config export. It doesn't pre-package it into a dmg but it's easy to get the dmg + export to the user.

ok looks like I found out what was going on, seems it was a rule left over from captive portal that I was playing with, and then uncheck to enable, so setting were still there but not enabled. Seems this portion of filter.inc was creating the rules. /* if captive portal is enabled, ensure that access to this port         * is allowed on a locked down interface         */         if(is_array($config['captiveportal'])) {                 foreach ($config['captiveportal'] as $cpcfg) {                         $cpinterfaces = explode(",", $cpcfg['interface']);                         $cpiflist = array();                         $cpiplist = array();                         foreach ($cpinterfaces as $cpifgrp) {                                 if(!isset($FilterIflist[$cpifgrp]))                                         continue;                                 $tmpif = get_real_interface($cpifgrp);                                 if(!empty($tmpif)) {                                         $cpiflist[] = "{$tmpif}";                                         $cpipm = get_interface_ip($cpifgrp);                                         if(is_ipaddr($cpipm)) {                                                 $carpif = link_ip_to_carp_interface($cpipm);                                                 if (!empty($carpif)) {                                                         $cpiflist[] = $carpif;                                                         $carpsif = explode(" ", $carpif);                                                         foreach ($carpsif as $cpcarp) {                                                                 $carpip = find_interface_ip($cpcarp);                                                                 if (is_ipaddr($carpip))                                                                 $cpiplist[] = $carpip;                                                         }                                                 }                                                 $cpiplist[] = $cpipm;                                         }                                 }                         }                         if (count($cpiplist) > 0 && count($cpiflist) > 0) {                                 $cpinterface = implode(" ", $cpiflist);                                 $cpaddresses = implode(" ", $cpiplist);                                 $portalias = $cpcfg['zoneid'] + 1;                                 $portalias .= " {$cpcfg['zoneid']}";                                 $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { {$portalias} } keep state(sloppy)\n";                                 $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";                         }                 }         } this was the rule that was setup $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n"; But I did not have captive portal enabled – I had create it in the passed and then unchecked it from being enabled..  But seems the rules were not deleted? I removed it, and then rebooted and how that rule is no longer there and not logging that traffic ;) I can try and duplicate it to see if can regenerate the issue.

Nice tip for the split DNS feature. Darkk

Thanks for your answer. Finally after updating pfSense to the latest release, the failover gateway group seems to be stable. One odd remains: If I configure the gateways to use a monitor ip, both gateways are switched to offline again. If I try to ping from within my LAN, the ping goes through, but gets cut-off after a while (The gateway responds that the ping is blocked (never seen this ICMP error before)). With the monitor ip disabled, everything works out fine, except for the transparent proxy. But this might be the odd, that we're a onlinegaming company with ~150 active users and only those two PPPoE lines… ;-) We'll try to install a transparent squid on another box and re-route the webtraffic to this box. Regards, Tim

Thank you Ermal for taking the time to answer me questions :-)

Just wanted to note that there is built in support for running commands at boot time.  You have to download the config, then edit it, then reload the modified config.  http://doc.pfsense.org/index.php/Executing_commands_at_boot_time But it looks like from the following post, that it won't work for this function. http://forum.pfsense.org/index.php?topic=27359.0;prev_next=next Just thought I would post in case anyone else has the same thought. Josh

If this turns out to "solve" the problem, you probably want to fire your ISP.  There's no way apinger will saturate a 100mbit connection.

No one could help me? I must add rule to firewall for connect to pptp?