I finally solved this problem - so thought I'd update this topic just in case it helps someone else !

The unstable WAN MTU problem persisted through a number of pfSense upgrades, and was still an issue on version 2.7.2-RELEASE.

The thing that fixed it was to install the Realtek drivers using -

pkg install -y realtek-re-kmod

which installed -

realtek-re-kmod-198.00_3 Kernel driver for Realtek PCIe Ethernet Controllers

and then setting the WAN MTU to 1508 (including +8 bytes for PPP overhead).

After a day of experimenting, the system seems stable, and the WAN interface MTU is 1500

It could just be the modem crapping out, yes.

Can you try a different port at the pfSense end?

Can you test putting a switch in between the pfSense WAN and the modem? That would prove which end is dropping the link.

@naiw the instructions from Vultr sound like targeted at Linux systems (ip a, /etc/sysconfig/ -> RedHat). You may ask them for FreeBSD instructions or better for pfSense.. But I don't think automatic config will work with pfSense at all.

They assign the second IP to your instance and you have to manually create an alias, as @stephenw10 mentioned.

More infos (although old, 2016): On this forum: Two totally separate IP's on WAN - how to configure on VULTR. The result was the same, create an alias.

Thank you both for the responses. This makes sense. I had not thought that ping might be disabled on the gateway. I took @JKnott suggestion to find the first upstream server using tracert. All is well again!

Any alerts/errors shown in the gui when you logged back in?

Anything in the system logs?

You don't need a leading dot for that.

@patient0
Hi,

Thanks for the your information.

Now we tested with intel NIC. Its working now.

@KenCapital said in Constant WAN Drop:

but was getting packet loss on my router

The very first low bud 25 $ (?) router (ok : give it a name : TP-Link or comparable) you can find in "wallmart" (example of a well know store in the US, others, with other names, exist elsewhere) will handle a gentle 1 Gbit/sec just fine.
Install pfSense on very mediocre hardware, and it won't do any better.

You have a "Starlink" as a possible and only uplink ? Don't stay ignorant, it's s easy to find out. Do a tracert to microsoft.com, note down all the IPs you've linked trough, and then discover who manages these routers. If Starlink used, you'll find them.
Your first mission : determine what can Starlink really offer.
Then : same question again and this time : go Youtube, and look at one or more of these many thousands of hands on honest comparisons video's to discover the hidden advantages and real day to day usage story.

Imho : A Starlink connection , if nothing else is possible, it will do just fine, even with package loss and all that.
It's after all : that - or nothing else.
But sharing a starlink over several (many) homes... serious ?

Yup the 8200 does not have eMMC.

Mmm, almost certainly a link negotiation issue then. On igc NICs the options there are limited because it can only link using auto-negotiation. You can set the available speeds it negotiates at which is what the speed setting in the gui does.

You may need to reboot twice to seen that set since it only gets; applied at boot.

However, yes, there is a bug on some systems where the default values are always used. It only happens on some filesystems where a race condition occurs. It's fixed in 25.03-Beta.

When using RAM Disks I usually start out at double the default values. 1G + 2G is very large. If you have hungry packages though you may need large drives, but not that big!

Yes, you can set it as a gateway. You don't have to route anything to it if there's no subnet behind that peer to route to,.

@Zeldar We believe one of our users is also experiencing the same behavior with their laptop reaching out to the FW and I just verified that the "Killer Performance Driver Suite UWD (3.1222.7103)" and "RivetNetworks.KillerControlCenter (3.1624.1026.0)" applications are installed. In your case, did you keep the driver and remove the intelligence center? or was there only the single app.

@Laxarus You show an IPv6 address on your WAN. You'd use that for the VPN. Also, it doesn't have to a OpenVPN. I assume Wireguard will work over IPv6. The question is whether VPN.AC supports it at the other end.

L2TP can only use Radius or local auth as far as I know. So you need to use NPS to interface it with AD (LDAP).

Unless you redeployed the VM it should not have changed. Simply changing the upstream device would not affect it.

Nice 👍