I don't know a definitive answer to this since I've never tried it but I could suggest some things. First though please define the problem further. You wish to limit the available bandwidth to users connecting from a remote location via pptp or pppoe. Bandwidth on a per user basis or all pppoe users? Have you tried anything already? Steve

Yes. I now got a 150MBit line, even this is now possible. Unfortunately, creating VLANs is still not possible.

Same problem here, with pfsense 2.1, squid3 and dansguardian…

@bsd3000: Probably I need to upgrade my hardware (I read all document about tunning) So, instead of my hp DL360 server with embedded 2xBroadcom, what hardware do you recommend? Integrated Intel or PCI-E addonn card? What the best Nic? (model/chipset) AMD 16x core Proc or Intel Quad Core Xeon? You can throw some more hardware at the problem in the hope it might make a difference but you really need to get more information on what was going on in order to correctly determine the solution. For example, if you have a rogue system (or systems) issuing floods of DNS requests it is unlikely that adding more cores or "server quality" NICs or more RAM will allow you to give "good" DNS response to other systems.

Both those errors are 'normal' though they look scary.  :) The RRD tool error happens when the interface first comes up, it's not a problem. I believe it has been fixed in 2.1. The lighttpd error shows that someone tried to connect to the webgui on an http connection when it's configured for only https. That error has also always been present but lighttpd errors have only recently been added to the main logging system so you wouldn't have seen it in previous pfSense versions. It's nothing to worry about, the box redirects you to https anyway. Steve

Check the pfSense VM to make sure it sees all the connections as full duplex: Status: Interfaces: Normally the NIC negotiates with the switch and that can, very rarely, cause problems. With both those things not really existing I'm unsure how that works.  ::) Steve

Using the IGMP proxy may allow the software to 'find' the printer. I have seen that work with media servers/clients that work in a similar way. Though I've never used a VIP in that manner I can see how it might work, try it. Steve

Well, I have made a copy of the /etc/rc.backup_dhcpleases.sh and modified it to update/save my file via cron. Done.

You are doing this the wrong way around to fit into your diagram. The WAN should msk0 and LAN ath0. However that will be a problem since you will be unable to connect to the LAN until you've configured the wifi parameters. So to work around this first setup pfSense with only the WAN interface and set it to msk0. Just return past the LAN setup. With only one interface configured pfSense will allow you to connect via the WAN. You will have to do that from a PC connected to the 2wire router. You can then set a firewall rule that to allow access to the webgui from WAN side permanently. Now add the ath0 NIC as LAN. You will now be able to configure the wifi parameters from the WAN side connection and then hopefully connect via wifi. Once that is in place you can disable or remove the rule that allowed access from the WAN side. Steve

What he said ^. Short answer: No. Your secondary router is almost certainly NATing between 192.168.1.* and 10.0.0* so all connections from your downlstream clients will appear to come from the downstream router. To be able to see cleints you would need to disable NAT and have it act only as a router. Why do you have two routers in line like this? Steve

So if I have a physical port on my pfsense box and it has the IP address of 10.10.2.254/24, can I also make it talk on the network as say 10.10.100.1/24 at the same time by adding that address as a VIP on that interface ?

So whatever that modem is I would check it to see if it has a setting to allow it to respond to pings. Can you ping it from anywhere else? Alternatively you could change the monitor IP used on that connection. There is little point using the modems IP since that only monitors the connection between pfSense and the modem, not the internet connection. In the webgui go to System: Routing: Gateways: and edit the WAN gateway. Enter an alternative monitor IP that is some where on the internet. You can use 8.8.8.8, Google's DNS service, for example. Steve

It solved thank you so much.

Well - we have not reached a final conclusion yet - but…. We realized that using virtual firewalls, how ever flexible, it still would be a single point of failure, and thus effectively making CARP on main firewall pointless. Yes we would have HW failure protection, but there would still be ONE VM that could fail, and  thus essentially creation a "System Down" event. So - currently we are leaning towards option 2 - in regards to the DMZ. On the matter of using Snort or Proxy ... - welll - we are still in the dark and looking into options. Not sure that helped much...  ::) /Jannik

You are posting / asking at the wrong forum section ;) About your questin, check this:  http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter

Sorry, should have added that my pfsense boxes are version 2.1-BETA0 (amd64) built on Thu Nov 8 06:41:07 EST 2012

Using the first usable for the router allows you to subdived the IP block later if required without having to change the router IP. As an example, say you had. 192.168.1.0/27 Network  =  192.168.1.0 Broadcast =  192.168.1.31 Usable = 192.168.1.1 to 192.168.1.30 (30 Hosts). If you make 192.168.1.1 the router and allocate hosts from that IP upwards, you can always decide later to split that IP allocation between two /28s. (assuming you've not gone past 14 hosts) 192.168.1.0/28 & 192.168.1.16/28 If you'd placed the router at 192.168.1.30 and then wanted to split the subnets, you'd have to re-ip the router and all the host config that used it  This may not be so much of an issue for a /27 but scale that up to a /24 or /23 and it soon becomes a right royal pain in the …. It is for this reason that I would always set the router/Firewall/HSRP etc IPs at the start of the subnet block rather than then end.

Thats funny…    :P I guess "working" is an improvement.