It all really boils down to being able to match traffic with rules.
In most cases you do one of three general things:
Put all traffic in the default queue and put certain traffic in priority queues.
Put all traffic in the default queue and put certain traffic in penalty queues.
A combination of both.
My advice: start simple, get familiar with how it works, then add targeted rules and queues to solve specific problems.
In your example I would suggest the first option because your mail traffic should be pretty easy to identify with floating rules and put in a priority queue. Everything else would yield to that traffic if present.
With 65 users and 2.5 Mbit/s total I would imagine your usage is pretty much maxed a lot of the time. Shaping should help but the real answer is probably a bigger pipe.
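The "everything in the default queue, mail in a priority queue" pattern from the reply above, written out as raw pf/ALTQ syntax. This is an added illustration, not the poster's configuration and not what pfSense generates from its GUI; it assumes a WAN interface named em0, the 2.5 Mbit/s uplink from the thread, and that "mail traffic" means SMTP/submission/IMAPS on the listed ports. The queue bandwidth is set a little below the link rate on purpose so that the shaper, rather than the upstream modem buffer, is the place where packets queue; otherwise the priority queue has nothing to prioritize.

```pf
# Added example (not from the original post): PRIQ shaper that leaves all
# traffic in a default queue and lifts mail into a higher-priority queue.
# Assumptions: WAN is em0, link is 2.5 Mbit/s, mail = SMTP/submission/IMAPS.
ext_if     = "em0"
mail_ports = "{ 25, 465, 587, 993 }"

# PRIQ: the highest-priority queue that has packets waiting is always served
# first. Bandwidth is set just under the real link rate so queuing happens
# here, where the priorities apply, not in the ISP's equipment.
altq on $ext_if priq bandwidth 2400Kb queue { q_mail, q_default }
queue q_mail    priority 7
queue q_default priority 1 priq(default)

# Floating-rule style match on protocol and port: mail goes to the priority queue.
pass out quick on $ext_if proto tcp to any port $mail_ports flags S/SA keep state queue q_mail

# Everything else: default queue, yields to q_mail whenever mail is waiting.
pass out on $ext_if keep state queue q_default
```

Check the assignment is actually taking effect with `pfctl -vvsq` (queue packet counters) while mail is flowing; a queue whose counters never move usually means the matching rule is ordered after a broader pass rule or the port list is incomplete.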
@Cletus:
Because it's been sent to that special IP it will go to the ff:ff:ff:ff:ff:ff and therefore it will be broadcasted to the correct subnet right?
Correct.
As for sending to x.x.x.255 rather than x.x.x.254. That may or may not work. Depends on if pfSense will route an IP broadcast between local subnets. The reason I use x.x.x.254 is that it can be NAT port forwarded through the firewall from external internet sources. Whereas x.x.x.255 cannot. At least not in previous versions of pfSense.
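To make the broadcast discussion above concrete, here is an added Python example (not code from either poster) that builds a Wake-on-LAN magic packet and computes the directed broadcast address of a subnet, so the packet can be aimed at x.x.x.255 on the target LAN as the question proposes. The MAC address, subnet and port are constructed sample values.

```python
import ipaddress
import socket


def magic_packet(mac: str) -> bytes:
    """Build a Wake-on-LAN magic packet.

    Layout: six 0xFF bytes followed by the target MAC repeated 16 times,
    102 bytes in total. The NIC matches this pattern in any UDP payload,
    which is why the frame only needs to reach the right broadcast domain.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return b"\xff" * 6 + raw * 16


def directed_broadcast(cidr: str) -> str:
    """Directed broadcast address of a subnet, e.g. 192.168.10.0/24 -> 192.168.10.255.

    strict=False lets a host address such as 192.168.10.7/24 be passed in.
    """
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def send_wol(mac: str, subnet: str, port: int = 9) -> int:
    """Send the magic packet to the subnet's directed broadcast address.

    Returns the number of bytes sent. SO_BROADCAST is required or the
    kernel refuses to send to a broadcast destination.
    """
    packet = magic_packet(mac)
    target = directed_broadcast(subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (target, port))


if __name__ == "__main__":
    # Constructed sample values; replace with the real host MAC and LAN subnet.
    print(directed_broadcast("192.168.10.0/24"))
    print(len(magic_packet("00:11:22:33:44:55")))
```

Whether the datagram actually crosses pfSense from another subnet is the open question in the reply: a directed broadcast to x.x.x.255 is only useful if the firewall forwards it, which is exactly why the responder prefers a unicast address like x.x.x.254 that can be port-forwarded.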
@jahonix:
An install of this size needs a budget in the range of US $10k to $20k EASILY.
Double or triple it for Ruckus/Aruba/Cisco. Take the apartments. 350 units, say an AP for every three if they're really small. That's 120 APs. Figure $200 each. That's $24K right there.
I would probably lean toward Ruckus for the apartments and Ubiquiti for the outdoor stuff (Houses). Ruckus really shines in high-density and pushing through walls. But their outdoor stuff is for high-density. Ubiquiti is pretty solid in the PTMP CPE realm. And the radios are cheap.
Do not think that you can put a few access points in cupboards somewhere and users will be happy.
Yeah, mine is using 128.0.0.1 locally and the root servers in unbound, so maybe that's why I'm not getting the huge delay.
At any rate, with such a big delay but without failure, I figured DNS must be involved.
Don't forget, pfSense is a stateful firewall. Best practice would be to reset states after creating rules/NAT mappings, so that states must be re-established based on your restrictions or lack thereof.