• Gateway Quality > 20ms - RRD Graphs

    2
    0 Votes
    2 Posts
    1k Views
    T

    Well, that'd be because the latency between your demarc and gateway is above 20 ms. Not much more to it than that.

    Keep a ping going for a bit and watch the latency. If you're not seeing spikes in it, then it could be an RRD issue - but I highly doubt it.

  • Monitor data traffic for a shared folder

    2
    0 Votes
    2 Posts
    999 Views
    C

    errr shared folder watch?

  • Server not found

    3
    0 Votes
    3 Posts
    1k Views
    C

    possibly check your firewall rules as well.

  • DHCP broadcasting over subnets

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz

    Dude here is the thing - broadcasts do not pass segment boundaries.

    So either you got something set up as a bridge passing traffic, a dhcp relay for example.  Or you have some crossover in your physical/virtual network that connects your networks to the same wire.

    It should be impossible for your 20.1 dhcp server to see broadcast packets from your 25.1 segment - so if 20.1 is seeing dhcp discover and sending offers then you got an issue with your physical network being connected.

    Can you post up your esxi network setup?  Impossible to point out where your issue is without understanding your network - do you have vlans set up on your vswitches?

    In a normal setup it would be impossible for 20.1 to see broadcasts or dhcp discover from devices connected to your 25.1 segment - so you have something connected together that shouldn't be.

  • Troubleshooting Connections between Subnets

    3
    0 Votes
    3 Posts
    1k Views
    P

    The rules between both OPT1 and LAN are to allow ALL between the two networks.  The LAN firewall allows all from OPT1 subnet, as long as the destination is in the LAN subnet. The OPT1 firewall allows all from LAN subnet, as long as the destination is in the OPT1 subnet.

    What you describe here in the first post is around the wrong way - if the rules were like that at first then they would not have worked.
    The way you describe doing it in the 2nd post is correct and works. That is why it works now and did not work at first.

  • Pfsense 2.1 help

    2
    0 Votes
    2 Posts
    945 Views
    johnpoz

    Dude - just send me a pm and I will set it for you again.  I got busy and forgot sorry.

    If you want someone to walk you through via the forum, you're going to have to give more detail than help me ;)

    You are running a nested Virtual setup, you have a cellular connection where you're behind a nat and cannot change anything.  Did you get that changed?

    You're going to have to go into great detail if you want someone to walk you through on a forum…  But we already tried that and it was hopeless, was just easier to do remote.

    So I am sorry I forgot about your request, but PM me and we can try and set up a time.

  • Problem with bitmask 30

    4
    0 Votes
    4 Posts
    1k Views
    M

    We're missing some details…  So, when you were on your tp-link router was your WAN set to DHCP?  Or are you paying for a static IP block?

    /2???  A mask of /2 would include almost every IPv4 address out there.... you wouldn't be using that.

  • Radius, encryption between pfsense and radius server

    2
    0 Votes
    2 Posts
    1k Views
    N

    As far as I know the MSCHAPv2 is for security between a computer and the authenticator (CP, switch, WLAN-AP, …). This can be done on CP GUI.

    For the encryption between CP and RADIUS you have to configure the shared secret. An improvement, RADSEC, is not implemented in CP - as far as I know - and not implemented in freeradius 2.x. For this you probably need freeradius 3.x or any other RADIUS which supports that.

  • PfSense as PPPoE mini-isp ?

    2
    0 Votes
    2 Posts
    3k Views
    B

    You can replace the private IP with public IP if you are using the local authentication.

    Or using radius to assign an IP address to client, this would be better than the local authentication because you can also have usage report from radius.

    One thing it can't do now is set a rate limit/speed limit by radius attribute on the PPPoE, tried a few options but all didn't work. You can achieve this by setting up a limiter on the shaper and applying a firewall rule using the limiter per client.

    You will be using the PPP radius attribute instead of the WISP.

    And don't forget to turn off the outbound NAT for the PPPoE or it will still go via your PFsense WAN IP.

  • Crash reports

    4
    0 Votes
    4 Posts
    1k Views
    C

    @jimp:

    It was a "double fault" which is unfortunately vague. In a few cases those can be software or driver related but usually that is hardware/memory.

    Well that's slightly inconvenient :)  I appreciate you looking at it

  • PHP install failed

    2
    0 Votes
    2 Posts
    2k Views
    P

    Installing the right version of php-mysql (which was needed) did the trick ;)

    pkg_add -rfiv http://ftp.uni-erlangen.de/mirrors/FreeBSD/ports/packages/databases/php53-mysql-5.3.27.tbz
    pkg_info -r http://ftp.uni-erlangen.de/mirrors/FreeBSD/ports/packages/databases/php53-mysql-5.3.27.tbz
    /etc/rc.php_ini_setup
    reboot
  • Pfsense -> Server 2012 VPN server

    3
    0 Votes
    3 Posts
    2k Views
    F

    @johnpoz:

    Well for starters I have to assume if you're behind dd-wrt that you're natting there, and then again at pfsense?  Why?  It's hard to forward protocols like ike through nat, you can use encapsulation so that IKE and ESP use udp port 4500.

    Double natting is not going to make it any easier.  Can you remove dd-wrt from the equation?  Why can you not just use pfsense as your vpn endpoint?

    Well, everything behind pfsense is lab computer. I want to be able to shut down the server, so I can sleep. :) And I prefer windows VPN. Nothing against OpenVPN. Maybe I can put it like this

    DMZ
    DD-WRT -> Pfsense -> Win svr.

  • FTP Setup

    3
    0 Votes
    3 Posts
    1k Views
    R

    Got it…some sort of problem with client, other clients work fine.

    have a good day all!

  • Draytek Vidor120 Latest Model etc

    7
    0 Votes
    7 Posts
    1k Views
    F

    A customer has a 120 plugged into a bigger draytek router which auto load balanced two adsl lines but found it sluggish as well.

    I suspect one of the reasons why the 120 is sluggish is the MTU is not 1500 but just under, I think 1496 from memory (it's back in Jan I last worked on that system), and the UK (BT) adsl uses the full MTU of 1500 unlike elsewhere like the US which uses just under.

    FWIW.

  • Delete Selective Data from RRD

    4
    0 Votes
    4 Posts
    2k Views
    C

    Bingo. Thank you, Jim.

  • Securing pfsync

    2
    0 Votes
    2 Posts
    797 Views
    jimp

    You can just use rules on the pfsync interface to only allow from the pfsync subnet as a source.

    pf is smart enough to not forward spoofed packets if they enter the "wrong" interface.

  • 2.1 Rel hostname & domain not visible after setup wizard

    1
    0 Votes
    1 Posts
    706 Views
    No one has replied
  • Ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

    2
    0 Votes
    2 Posts
    13k Views
    F

    Just to bump this as I'm also getting this error since I plugged the wan into a new router with dhcp on the router.

    AMD64 2.1 release with openvpn.

    Nov 14 04:00:22 check_reload_status: Reloading filter
    Nov 14 04:00:22 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Nov 14 04:00:22 check_reload_status: Restarting ipsec tunnels
    Nov 14 04:00:22 check_reload_status: updating dyndns WAN_DHCP
    Nov 14 04:00:03 php: rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output 2> /tmp/msk0_error_output' returned exit code '1', the output was ''
    Nov 14 04:00:03 php: rc.interfaces_wan_configure: The command '/sbin/ifconfig 'msk0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Nov 14 04:00:00 check_reload_status: Configuring interface wan
    Nov 14 00:05:59 kernel: re0: promiscuous mode enabled

    Edit:
    Should add that going into the wan interface and clicking save then apply brings the nic back up again, so a sort of workaround but not ideal for the hours it's down until it's checked and the above action carried out.

    Gonna try it without openvpn servers installed and see if that makes a difference for now as openvpn isn't essential for the next few weeks.

    Edit2
    Don't know if this is relevant
    https://groups.google.com/forum/#!msg/tunnelblick-discuss/NVJunGLxngE/EkjCRMgHfzYJ

    "2013-06-20 08:16:17 /sbin/ifconfig tun2 delete

    ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

    2013-06-20 08:16:17 NOTE: Tried to delete pre-existing tun/tap instance – No Problem if failure"

  • Backup with rancid

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Changing firewall rules on the fly

    2
    0 Votes
    2 Posts
    1k Views
    R

    Can you make the value you want to change an alias? If so, it's fairly easy to change… You can change the value of a URL alias by doing three things.
    1.) Change the file the URL points to
    2.) Change the file that is used to load the pfctl rules
    3.) Reload the pfctl rule

    You need to do both 1 and 2 because pfSense occasionally does the update via a cron job (/usr/bin/nice -n20 /etc/rc.update_urltables). If you don't do both, it will overwrite your change.

    The following shell code will do it.

    tbl_name=your_alias_name
    new_alias_file=/some_directory/some_file
    www_alias_file=/usr/local/www/some_directory/some_file
    pfctl_alias_file=/var/db/aliastables/$tbl_name.txt
    # update the file used for the URL alias
    cp $new_alias_file $www_alias_file
    # update the file used for the pfctl rule
    cp $www_alias_file $pfctl_alias_file
    # force update of the alias
    /sbin/pfctl -t $tbl_name -T replace -f $pfctl_alias_file 2>&1

    Now the more difficult option…

    You could also start hacking away at the rule edit screen and create a screen that does what you need... but it would take a little work. The two php files to look at are firewall_rules.php and firewall_rules_edit.php. Passing the correct "id" to firewall_rules_edit.php will bring up the rule for edit - you'd just need to find the rule first. The custom page can be added to pfsense by modifying fbegin.inc (all of these files are in /usr/local/www).
