I'm not sure about the hardware, I think the're full blown PCs. The'll be provided by the client. Would be nice to have a demo config of this kind of setup in the book  ;D I still didn't try to route connection from site1 to site3 as i'm still having some connectivity issues with one direction of one of the tunnels… Ref: http://forum.pfsense.org/index.php/topic,23854.0.html

Look at the available packages. I think bandwidthd should help you.

The Nexgate guys chimed in and helped me figure this out. There's a backup running at 1pm, and that generates a tremendous amount of traffic between the LAN/DMZ interfaces. It's all 100BaseT equipment, so it must be 100Mbs into one interface, and 100Mbs out of the other. The biggest problem is DNS – pfSense is running the network's DNS server, and of course when the box is totally loaded, it stops responding. I changed the backup schedule (to late at night) and enabled network polling on the "advanced" tab... despite the admonitions. DNS is a pretty critical service!

Set the netmask to /30.

Excellent - thanks for the tip! The "false alarm" could be prevented by recording the first successful confirmed boot so that the process is not triggered again until "armed". Again - thinking out loud - not coding yet. My issue is that users on sites are not nessecarily capable or trusted with access to the routers. And a 60 minute drive is a high price to pay for a 2 minute change. A pipe dream at the moment, but I'll think on it - thanks again!

Works fine. I would use OpenVPN rather than IPsec, it handles flaky network connections a bit better.

You can get the config off the CF just fine with another BSD box. This doc wiki article has some info about mounting the device. http://doc.pfsense.org/index.php/Modifying_Embedded

Sounds like something very wrong is going on, possibly a corrupt install. Have you tried an upgrade to 1.2.3?

Depending on your location there might be other things to consider as well (I can't tell from your profile). If you're offering internet access publicly in Germany, you must log traffic and store it for 6 months together with the username. Offering it for free is not an option then. Apart from this, wireless internet throughout a hotel complex might be challenging as well. Client security might be another concern. May users see each other's computers or do you have to block this? At least you have to talk to your client about this!

@skysurf76: Just wanted to update you wallaby. Thanks for the update. Regarding the wireless issue: Maybe you have some interference on some channels. There are some pieces of software (e.g. kismet at http://www.kismetwireless.net and wavemon at http://eden-feed.erg.abdn.ac.uk/wavemon) that can give you much more information about our wireless environment and these might help identify why you are seeing what your are seeing. For example, perhaps there is significant interference on one or more channels.

ssh log messages just go into the main system log, in /var/log/system.log - but that is a binary circular log, not a plain text log, so you need to use the 'clog' program at a shell prompt to access it, like so: clog /var/log/system.log | grep sshd http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29

Some options for getting more NICs on a system with small number of PCI slots: You can probably pick up a couple of reasonable quality 10/100 multi-port NICs on eBay. (These would have two or more ports per PCI slot). If you are looking for something "new", some possibilities include NICS described on http://www.soekris.com/lan16x1.htm and various Intel multiport NICs. You can use a VLAN capable switch to multiplex many switch ports onto a single LAN connection to a pfSense box. FreeBSD supports  some USB NICs.

Perry, Thanks for the hints. It was the traffic shaper causing the issues. I disabled it and immediately I got much more reasonable speeds.  :) I guess I need to re-run the shaper wizard to get it to work properly. Thanks again for the super-quick response.

Look in the BIOS - check all CPU power saving modes are disabled.  How you do that depends on your BIOS but the manual should help you.

That's normal for the ALIX boards (and WRAP too, I believe)