The added NIC is a Intel  EXPI9301CTBLK.

let's put it this way. If you remove all the copyrights, you violate the license. If you build a binary and call it pfSense, you violate our trademark. Otherwise, yeah, perhaps you need an attorney.

The FiOS router currently handles NAT, but I am pretty unhappy with it's performance overall. It's prone to crashing and needed hard restarts, its throughput seems pretty poor, and the user interface is a pain. Hence my idea to essentially bridge it so that the pfSense box servers as the DHCP server and is the "first line of defense."

Well, that'd be because the latency between your demarc and gateway is above 20 ms. Not much more to it than that. Keep a ping going for a bit and watch the latency. If you're not seeing spikes in it, then it could be an RRD issue - but I highly doubt it.

errr shared folder watch?

possibly check your firewall rules as well.

Dude here is the thing - broadcasts do not pass segment boundaries. So either you got something setup as a bridge passing traffic, a dhcp relay example.  Or you have some cross over in your physical/virtual network that connects your networks to the same wire. It should be impossible for your 20.1 dhcp server to see broadcast packets from your 25.1 segment - so if 20.1 is seeing dhcp discover and sending offers then you got a issue with your physical network being connected. can you post up your esxi network setup?  Impossible to point out where your issue is without understanding your network - do you have vlans setup on your vswitches? In a normal setup it would be impossible for 20.1 to see broadcasts or dhcp discover from devices connected to your 25.1 segment - so you have something connected together that shouldn't be.

The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet. What you describe here in the first post is around the wrong way - if the rules were like that at first then they would not have worked. The way you describe doing it in the 2nd post is correct and works. That is why it works now and did not work at first.

Dude - just send me a pm and I will set it for you again.  I got busy and forgot sorry. If you want someone to walk you through via the forum, your going to have to give more detail then hep me ;) You are running a nested Virtual setup, you have a cellular connection where your behind a nat and can not change anything.  Did you get that changed? Your going to have to go in to great detail if you want someone to walk you though on a forum…  But we already tried that and it was hopeless, was just easier to do remote. So I am sorry I forgot about your request, but PM me and we can try and setup a time.

We're missing some details…  So, when you were on your tp-link router was your WAN set to DHCP?  Or are you paying for a static IP block? /2???  A mask of /2 would include almost every IPv4 address out there.... you wouldn't be using that.

As far as I know the MSCHAPv2 is for security between a computer and the authenticator (CP, switch, WLAN-AP, …). This can be done on CP GUI. For the encryption between CP and RADIUS you have to configure the shared secret. An improvement RADSEC is not implemented in CP - as far as I know - and not implemented in freeradius 2.x. For this you probably need freeradius 3.x or any other RADIUS which supports that.

You can replace the private IP with public IP if you are using the local authentication. Or using radius to assign an IP address to client, this would be better than the local authentication because you can also have usage report from radius. One think it cant do now is set a rate limit/speed limit by radius attribute on the PPPoE, tried a few option but all didn't work. You can achieve this by setting up a limiter on the shaper and apply a firewall rule using the limiter per client. You will be using the PPP radius attribute instead of the WISP. And dont forgot to turn off the outbound NAT for the PPPoE or it will still go via your PFsense WAN IP.

@jimp: It was a "double fault" which is unfortunately vague. In a few cases those can be software or driver related but usually that is hardware/memory. Well that's slightly inconvenient :)  I appreciate you looking at it

Installing the right version of php-mysql (which was needed) did the trick ;) pkg_add -rfiv http://ftp.uni-erlangen.de/mirrors/FreeBSD/ports/packages/databases/php53-mysql-5.3.27.tbz pkg_info -r http://ftp.uni-erlangen.de/mirrors/FreeBSD/ports/packages/databases/php53-mysql-5.3.27.tbz /etc/rc.php_ini_setup reboot

@johnpoz: Well for starters I have to assume if your behind dd-wrt that your natting there, and then again at pfsense?  Why?  its hard to forward protocols like ike through nat, you can use encapsulation so that IKE and ESP use udp port 4500. Double natting is not going to make it any easier.  Can you remove dd-wrt from the equation.  Why can not just use pfsense as your vpn endpoint? Well, everything behind pfsense is lab computer. I want to  be able to shut down the server, so I can sleep. :) And I prefer windows VPN. Nothing against OpenVPN. Maybe I can put it like this DMZ DD-WRT -> Pfense -> Win svr.

Got it…some sort of problem with client, other clients work fine. have a good day all!