• Limit on Server IP not working?

    4
    0 Votes
    4 Posts
    1k Views
    W

    I want to limit all my servers behind the DMZ.

    So I have server A, server B and server C. What is the best way to limit the inbound and outbound traffic to a max of 50MB per server?

  • Squid custom acl

    2
    0 Votes
    2 Posts
    1k Views
    KOMK

    First step would be to post this in the Packages forum where it belongs.

    Start here: https://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy

    Come back if you have questions or problems.

  • Shaper… can't do it work at all...

    2
    0 Votes
    2 Posts
    874 Views
    KOMK

    Not that I'm aware of, but if you went into more detail about your requirements and how you configured it, perhaps people can help.

  • Traffic shaper help limiter

    2
    0 Votes
    2 Posts
    967 Views
    KOMK

    I've seen this too, where the bandwidth totals seem really off.

    A traffic shaper will try to provide service for your queues.  It will only throttle a connection if it needs bandwidth for higher-priority connections.  If you want to put a hard cap in place, you need a limiter.

  • Traffic shaper does not start on virtio nic

    2
    0 Votes
    2 Posts
    747 Views
    S

    Sounds to me like you already have a fix: make the NIC E1000. I don't know what a virtio NIC is, but it seems similar to VMXNET3, so I am guessing it is a driver issue of some kind. And if it is running as a VM, you might check the other forum for some answers.

  • Is it possible to do?

    3
    0 Votes
    3 Posts
    857 Views
    I

    Thank you for the answer. I found one scenario. It shapes the traffic well, but I found that the P2P traffic is shaped with other, lower limits. The limits are 5 MB download, 2 MB upload. When I start a torrent it takes 460 kb/s for download and upload is only 0,5 kb/s. I tried several torrents and I am sure that they have a lot of peers.

    Why is that with P2P traffic? :( No other limits added.

  • Traffic shaping for lan party

    3
    0 Votes
    3 Posts
    1k Views
    S

    Here is a link to my posts on what I do for LAN Parties with PFSense:

    https://forum.pfsense.org/index.php?topic=77388.0

    Feel free to use any of the configs and tweak them as needed.

  • High ping response on lan address with traffic shaping enabled

    2
    0 Votes
    2 Posts
    2k Views
    C

    Hi abbj, I have the same problems!

    Have you resolved it?

    regards

  • 0 Votes
    3 Posts
    1k Views
    J

    Well, I enabled RTP debugging on siproxd and telnet'ed to the debug port. I tried an extension routed through siproxd. It was not routed to the qVOIP. But on the RTP debug, I noticed that the UDP port my Polycom 650 was originating with was 2224. It hit me that the Polycom default UDP port for RDP was 2222 (from past experience). So, for grins, I rolled it up to 7070 (the starting port for siproxd on my end) and tried the call again. Still nothing. But on further examination, I noticed that the destination UDP port that siproxd was using for my remote Asterisk server was 12478 (outside the siproxd specified range of 7070-7099). The originating port siproxd used was 7076 (within the range). Now, I have static ports set for outbound NAT. But siproxd is side-stepping NAT, so I guess it negotiates with the remote, and the Asterisk server's range is 10000-20000. So, on a hunch, I expanded the floating qVOIP outbound rule to cover UDP 7070-20000. Damned if that didn't do the trick! Now, my SIP and RTP routed through siproxd is being routed into qVOIP. I am going to keep investigating it further, but this must be why it was not matching the qVOIP rule. FYI!

  • Any one has a example of working CBQ?

    7
    0 Votes
    7 Posts
    3k Views
    P

    Sorry for my dyslexia. It is HFSC. :)
    I will look at PRIQ. The other methods are a little complicated, but I don't really have a problem with them.

  • Traffic shaper limiting web traffic bandwidth

    4
    0 Votes
    4 Posts
    1k Views
    KOMK

    Very strange.  Glad to hear you have it working with PRIQ.

  • Best configuration to avoid ddos/dos outgoing attack

    4
    0 Votes
    4 Posts
    1k Views
    L

    @KOM:

    If anyone is really hammering your link, it can affect ACK and DNS requests in a big way.

    You could do it with the traffic shaper several different ways.  In general, create a traffic shaper and then put the IP address of the offending VPS in a low priority queue, or create a limiter and then set that IP address to use the limiter.

    Thanks a lot! I will try this solution and return back.  ;)

    I am open for other inputs as well.

  • Traffic Shaper / Limiter / Bandwidth / Burst

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Queue setup for Multi-WAN, Multi-LAN networks

    4
    0 Votes
    4 Posts
    2k Views
    P

    Hi sideout, thank you so much for your elaborate suggestions.

    We're experimenting with different approaches and will report back here which scheme gave the best results.

  • 0 Votes
    2 Posts
    2k Views
    P

    Let me state our needs in a more simplified way:

    We have 2 WANs: WAN1 (1 mbps up/down) and WAN2 (2 mbps up/down). And we have mainly 3 requirements:

    A. Traffic will use policy-based routing: gateways will be either load-balancing or failover

    B. Regardless of which load-balancing/failover gateway group the gateway is a member of, bandwidth of each WAN will be shared evenly between the client machines that are active in the LAN at any time. This part is easily achieved by creating source/destination mask-based child queues on the main limiters as mentioned in the post.

    C. The bandwidth that gets evenly shared by the LAN clients will be determined by which actual WAN the traffic is passing out through, so that the LAN clients can utilize the maximum possible bandwidths made available by either the load-balance or failover gateway group. Otherwise, if we set a limiter with a 1 mbps limit, clients will not get the full utility of the 2 mbps WAN, and if we set 2 mbps as the limit, then if traffic is indeed going through 1 mbps, the bandwidth distribution to clients will not be even/fair. For example, if there are 2 active clients and traffic is going through 1 mbps WAN1, the limiter will let both users use 1 mbps, therefore causing congestion, and the first user will end up enjoying the 1 mbps of the WAN1.

    So, quite simply, the question is where to put the rule that'll assign the limiters and how to correlate or correspond the limiter with the specific gateway (WAN1 or WAN2) the traffic is eventually going through when policy-based routing gateway group is set as the gateway?

    Eagerly hoping for some answers/hints…

  • Voip Shaping multi lan/wan or single?

    1
    0 Votes
    1 Posts
    774 Views
    No one has replied
  • Traffic Shaper Dropping Packets even with queue at 1200

    3
    0 Votes
    3 Posts
    1k Views
    V

    Is this due to packet TTL?

  • Layer7 Skype traffic shaping

    4
    0 Votes
    4 Posts
    5k Views
    S

    Okay so I did some lab on this and here is what I found:

    1. Layer7 rule set defined on Traffic Shaper with Skypeout and SkypetoSkype with option of queue and queue called qSkype.
      a. Set qSkype to have 10% and real time 10% bandwidth on LAN and WAN.
      b. Placed Floating rule at top of rule set for TCP / Layer7 chosen.  Used WAN and LAN interfaces.
      c. Killed all session states from test PC.
      d. Tested and I can see qSkype fills up as does qHTTPSteam.  Placed Skype test call and it worked.  Ran speedtest and it worked once but then failed 2nd time and browsing was slow.

    2. Replicated above but removed Floating rule and placed on LAN rule interface.
      a. Left wildcard of any host in.
      b. Same test results as above.

    3. Replicated above but made changes on LAN rule for specific IP of machine I was using.
      a. Tested with same results as in #1.

    So it would seem that the Layer7 part of this is not working very well or is fully implemented as I would expect it to use DPI to see the packet was a skype packet and apply the rule rather than applying all the rules to it.

    Since you can define the incoming connection for Skype you would be able to shape calls coming in for it, but since Skype uses any port above 1024 TCP, it is kind of hard to shape it unless you can get PFSense to see the program calling it and recognize it via the Layer7.

    Like I said, never used Layer7 before as at LANs it is not really needed.  This is just what I have found in some early testing.

    If anyone else has any other ideas on how to shape Skype, I would be interested in hearing them.

  • Limiters bypassed [self-resolved]

    3
    0 Votes
    3 Posts
    1k Views
    P

    Hi there,

    For your WAN to LAN floating rule, did you set WAN as the interface and direction as "in"?

    Thanks!
    msu

  • Limiter and QoS issue

    4
    0 Votes
    4 Posts
    2k Views
    S

    They work fine together. I have previously documented that the limiter and QoS work fine together. I have shown screenshots of an LoL game going while downloading from Steam.

    LoL uses UDP not TCP for the game client once the game is started.  It uses port 80 during the setup of the game.

    Again if you can post screenshots of your setup so we can see it instead of blindly posting that it is not working then maybe we can help.

    Otherwise it appears you just want to troll.
