In trying to make this reliable again, I re-installed squid3 as it had been before all these problems started. It seemed to be better in the 24 hours since I made that change, but has now become much worse. Instead of Chrome telling me the page cannot be reached, it is a squid error "The requested url could not be retrieved". This has been killing me on eBay and walmart.com this afternoon. Any tips what I need to do to find out what is causing this? Thanks, Jason

I think the problem may have been a dying speedtouch as the connection began dropping several times a day, swapped with another in same config and so far so good.

I'm about to try the tunX solution mentioned above. I was able to repeat the installation today. General steps below: 1. Retrieve a freebsd 8.3 64bit VM and deploy it 2. update and extract portsnap on the VM 3. cd /usr/ports/security/portsnap 4. make install     go through the normal steps 5. copy these files from the VM to pfsense in the same locations ./usr ./usr/local ./usr/local/sbin ./usr/local/sbin/vpnc-script-sshd ./usr/local/sbin/vpnc-script ./usr/local/sbin/vpnc-script-ptrtd ./usr/local/sbin/openconnect ./usr/local/libdata ./usr/local/libdata/pkgconfig ./usr/local/libdata/pkgconfig/openconnect.pc ./usr/local/include ./usr/local/include/openconnect.h ./usr/local/lib ./usr/local/lib/libopenconnect.so ./usr/local/lib/libopenconnect.la ./usr/local/lib/libopenconnect.a ./usr/local/lib/libopenconnect.so.2 6. good to go 7. I'm about to remove line 713 from /etc/inc/util.inc so I can control the vpn routes from the gui

The easy simple solution is to jut buy another nic – they are not expensive unless you going for some quad port server nic..  Any ole 20$ desktop nic would get you working.

One last thing which is very important and johnpoz mentioned it, you would need to put a default route (0.0.0.0/0) on your second pfsense box pointing back to the first pfsense box that is doing the Natting. In Cisco there is a way to distribute a default route using a dynamic routing protocol like rip or ospf, I have not looked into that much with pfsense. If there is not way to distribute the default route automatically then just add it statically and you should be good to go.

So to make sure it's nothing to do with my Arris cable modem, I put a unmanaged switch between my modem and wan pfSense port.  Same problem.  Less than 24 hours my WAN interface drops its IP and fails to renew.  Like previously stated, no issues until I upgraded to 2.1 Mike

I have a couple of Alix2D13 with Atheros WiFi cards at some sites that really need to minimise power use. The WiFi card is assigned to OPT2, pass rule/s added on OPT2 and it works/routes like any other local-LAN-style interface. I guess there will be a little "blip" to find somewhere in your setup…

Thanks for following up, many don't.  :) Good to hear you sorted it. Steve

If your main firewall has monitoring, filtering and user authentication features, it should (usually) have multiple interfaces and VPN server functions (possibly SSL VPN too). Any reason not to use the existing hardware to do this work?

The VPN tunnel will need to be attached to an interface so that you can add a gateway.  Assign the gateway to your LAN firewall rules once you've done that. You're going to have issues with both of those being on the same subnet though.

Aaand another update: Looks like increasing Probe Interval to 30 and Down to 300 fixed the problem.

I would check your firewall logs shortly after trying to connect.  Likely the specific ports being used by Lync 2013 are being blocked on the firewall level. http://technet.microsoft.com/en-us/library/gg398798.aspx Looking though that, looks like it would be 43 or 5061, or possibly both.

Nothing wrong with that. You don't need managed switches I just like them because they let you have more control of your network. I would just make sure that you only send untagged traffic to your unmanaged switches. Although there are some unmanaged switches that can deal with tagged traffic. Typically unmanaged switches will not support LAGG and may not have spanning tree too so be careful when running extra links between switches for redundancy.

Just to confirm. The netgear modem was causing issues. Seems it doesnt really go into full bridge mode. Have replaced modem and all is well.

I couldn't try actual physical disconnection because I needed to be there in person to do that! Now I tried it, unplugged the main WAN and waited. The ordinary internet access using a gateway group failed over to WAN2 and the Dynamic DNS names that are tied to a gateway group changed. But none of the OpenVPN servers (site-to-site and 1 road warrior) switched to listen on WAN2 and the 1 OpenVPN site-to-site client going out to another office did not switch to going out WAN2. None /var/etc/openvpn*.conf got rewritten - which they should to in response to gateway group status change. I will have a look at that code, I guess it doesn't implement the same failover processing as when a gateway just stops responding to ping. Added: On a test system, it activates all the processing, but my test hardware only has 1 real WAN, and thus a gateway group with only 1 WAN in it. But it does rewrite the server.conf file. I will have to try a real WAN unplug again and investigate why it didn't seem to work for me early this morning.

I do most of what you're asking for using squid and squidguard. Squid appears under "Proxy server" in the menu system, I forget which top-level menu but about 4th from the left. Squidguard appears under "Proxy filter", just above squid's entry. I use access control lists in squidguard filtered by IPs. I set up static IPs for kids' devices in the DHCP server for the wifi interface. It's a steep learning curve, but powerful once configured.