Me too! My curiosity has been growing since. I will restore one of the PC images on a VM this weekend and report back. Thanks… I hope this helps someone with a similar issue - self inflicted or not LOL

Just upgrading the server software.  Servers came with Windows Server 2008 32 bit. We have been upgrading them to Windows Server 2008 R2.  Once all the software is back in the servers, the servers seem more responsive. We were waiting on upgrading the pfSense boxes from 2.0.3 to the newer version until later.  We upgraded the suspected pfSense box to 2.1 but it still did not fix the issue. At this point we planned additional down time for the boxes.  For some reason the box would not take a clean install off of the live cd for version 2.1.  So we did a clean install of 2.0.3 and then upgraded to 2.1 before anything was installed.  All the configuration was put back in slowly watching to make sure only the configuration that was needed got added back in.  This fixed the Internet provider private network for losing packets. We are still losing packets on the IPsec VPN tunnel but with the speed of the tunnel and the equipment having the ability to re-request the packets, the traffic is getting through at a reasonable rate.  So we are going to hold troubleshooting this part of the link until the upgrading of the servers is complete. pfSense boxes were re-tasked Dell PowerEdge 2950s( a little old-purchased in 2006-but still should be enough power for this) Dual CPUs - Intel Xeon Processor 5050     Intel(R) Xeon(TM) CPU 3.00GHz     8 CPUs: 2 package(s) x 2 core(s) x 2 HTT threads 2 gigs of ram on-board Broadcom NICs additonal 4 port StaTech PCI express gigabit Ethernet network adapter card

When you say 'downloaded the hvap package and loaded it on the usb drive' do you mean you installed the package via the webgui? Steve

If you must have IPs with a unique MAC address, use CARP type VIPs. You cannot manually specify the MAC address, but it will get its own unique MAC. You cannot have the same gateway on multiple interfaces, but some people have setup several interfaces to the same WAN when they were required to pull IPs from DHCP. It has some quirks but can work.

If you are connecting to the PPTP server on pfSense, you would not need any NAT. Make sure the PPTP firewall rules (Firewall > Rules, PPTP tab) allow you to pass the RDP traffic, and also make sure that there isn't something local on the RDP target blocking the traffic (e.g. Windows Firewall)

Managed to solve this already so just wanted to provide feedback in case someone else also needs this. Reference: http://forum.pfsense.org/index.php?topic=64414.0 Using the command line, create a file with additional hosts, like /etc/rr-hosts: 192.168.1.11 ltsp-server 192.168.1.12 ltsp-server Back in the web GUI in DNS forwarder options, under "Advanced" add: addn-hosts=/etc/rr-hosts After settings are applied, you can ping the hostname repeatedly and notice it alternate between the IPs each time. :)

Weird. I take it you've examined every config option and made sure they're identical. Take a config backup on a working LiveCD and restore it on Installed maybe?  Compare the relevant sections in the XML files of working and non-working configs to be sure they're identical?

In trying to make this reliable again, I re-installed squid3 as it had been before all these problems started. It seemed to be better in the 24 hours since I made that change, but has now become much worse. Instead of Chrome telling me the page cannot be reached, it is a squid error "The requested url could not be retrieved". This has been killing me on eBay and walmart.com this afternoon. Any tips what I need to do to find out what is causing this? Thanks, Jason

I think the problem may have been a dying speedtouch as the connection began dropping several times a day, swapped with another in same config and so far so good.

I'm about to try the tunX solution mentioned above. I was able to repeat the installation today. General steps below: 1. Retrieve a freebsd 8.3 64bit VM and deploy it 2. update and extract portsnap on the VM 3. cd /usr/ports/security/portsnap 4. make install     go through the normal steps 5. copy these files from the VM to pfsense in the same locations ./usr ./usr/local ./usr/local/sbin ./usr/local/sbin/vpnc-script-sshd ./usr/local/sbin/vpnc-script ./usr/local/sbin/vpnc-script-ptrtd ./usr/local/sbin/openconnect ./usr/local/libdata ./usr/local/libdata/pkgconfig ./usr/local/libdata/pkgconfig/openconnect.pc ./usr/local/include ./usr/local/include/openconnect.h ./usr/local/lib ./usr/local/lib/libopenconnect.so ./usr/local/lib/libopenconnect.la ./usr/local/lib/libopenconnect.a ./usr/local/lib/libopenconnect.so.2 6. good to go 7. I'm about to remove line 713 from /etc/inc/util.inc so I can control the vpn routes from the gui

The easy simple solution is to jut buy another nic – they are not expensive unless you going for some quad port server nic..  Any ole 20$ desktop nic would get you working.

One last thing which is very important and johnpoz mentioned it, you would need to put a default route (0.0.0.0/0) on your second pfsense box pointing back to the first pfsense box that is doing the Natting. In Cisco there is a way to distribute a default route using a dynamic routing protocol like rip or ospf, I have not looked into that much with pfsense. If there is not way to distribute the default route automatically then just add it statically and you should be good to go.

So to make sure it's nothing to do with my Arris cable modem, I put a unmanaged switch between my modem and wan pfSense port.  Same problem.  Less than 24 hours my WAN interface drops its IP and fails to renew.  Like previously stated, no issues until I upgraded to 2.1 Mike

I have a couple of Alix2D13 with Atheros WiFi cards at some sites that really need to minimise power use. The WiFi card is assigned to OPT2, pass rule/s added on OPT2 and it works/routes like any other local-LAN-style interface. I guess there will be a little "blip" to find somewhere in your setup…

Thanks for following up, many don't.  :) Good to hear you sorted it. Steve

If your main firewall has monitoring, filtering and user authentication features, it should (usually) have multiple interfaces and VPN server functions (possibly SSL VPN too). Any reason not to use the existing hardware to do this work?

The VPN tunnel will need to be attached to an interface so that you can add a gateway.  Assign the gateway to your LAN firewall rules once you've done that. You're going to have issues with both of those being on the same subnet though.