• Limiter not available while editing firewall rule

    3
    0 Votes
    3 Posts
    922 Views
    C

    Nope! :D

    Thanks, Jim!

  • Maximum HTTP inbound priority

    1
    0 Votes
    1 Posts
    712 Views
    No one has replied
  • Seeking best practice advice for bandwidth limiting/sharing

    11
    0 Votes
    11 Posts
    4k Views
    L

    thank you georgeman.

    i've attached the images to an imgur album (http://imgur.com/a/RzHJO)

    i'm pretty sure it's working now … the main thing i did was to change rules' settings to make them apply to both wan and lan, that seemed to do the trick... or perhaps it just needed a while to take (i left it overnight, when i woke up it was working)

    the only thing i notice is that previously usenet hit about 1800KB/s, now it tops out at about 1600KB/s (having nothing else going on the network).

    should i be able to hit 1800KB/s or this is due to the 95% rule of bandwidth ?

  • IPSec/Traffic Shaping Config

    2
    0 Votes
    2 Posts
    1k Views
    G

    You will need to provide more details about your setup… It would be great if you posted screen caps of the relevant sections (with sensitive info obfuscated)

  • Limit bandwidth per network

    4
    0 Votes
    4 Posts
    2k Views
    A

    /24 worked like a charm. :)

  • You can only select a layer7 container for Pass type rules.

    2
    0 Votes
    2 Posts
    2k Views
    C

    I have had challenges of my own trying to queue bittorrent with L7 rules, but my understanding is that you create your L7 rule with a block action. Then you create a firewall pass rule with the L7 filter as target. Even though you are "passing" your torrent traffic, you're just passing it to the L7 rule which should block it.

    That's my understanding. Like I said, it's untested at this point.


  • Kernel: Bump sched buckets to 256 (was 0)

    3
    0 Votes
    3 Posts
    16k Views
    R

    I got the same error on my screen. I found the reason for this problem: I had made a rule to block an IP from the internet. The IP addresses were from the DHCP server. On that client system the user was computer savvy and gave the IP address manually. When I removed that rule from the firewall, the problem was solved for me; this caused the problem. You can check on your side with this example.

  • Limit by VLAN

    2
    0 Votes
    2 Posts
    1k Views
    G

    OK.  I will try to expand on this.

    We currently have 8 clients.  Each client is assigned their own vlan 172.30.4.0/27, 172.30.4.32/27 etc.
    All 8 vlans run over a trunked interface on the firewall.
    I have created an inbound and an outbound limiter for each of the 8 interfaces.
    I have then assigned the inbound and outbound limiter to each of the rules for each of the interfaces.
    So each of them have 8 rules (they are all the same) and I have applied both the inbound and outbound limiter to each rule.

    Is there a better way to do this?  I am sure I read that if I apply the limiter (set to 8MB) to two rules, say, then each rule gets 8MB, not 8MB for the interface.

    I am trying to figure out when creating the rule, in the mask section it indicates a source and mask.  If I understand this correctly, I can select "source addresses" from the source list and then enter 27 for the mask and this would provide the desired bandwidth limiting.

    I am in the process of rebuilding one of our firewalls and would like to streamline the configuration if possible.

    Thanks

  • Traffic Shaping Bandwidth Limit Not working

    11
    0 Votes
    11 Posts
    5k Views
    S

    @georgeman:

    I would have predicted the opposite, I thought that two simultaneous Speedtests were going to also exceed the limit, when combined.

    What about two simultaneous downloads, from two different sites? Does that exceed the limit?

    I found a proper alternative to this, the Captive Portal limiter. It seems to work in a different manner than the FW-rules applied one. I'm guessing it acts as a proxy to a particular MAC-address, and those even torrent won't bother with fiddling with.

  • Traffic Shaping multi lan difficulty

    5
    0 Votes
    5 Posts
    3k Views
    G

    Forget about m1 and d for now. Take m2 as the value you want to set. HFSC works with the same structure as CBQ, so you can use the same values and structure you posted, on linkshare m2. The benefit here will be the possibility of setting realtime values as well (which is a minimum guaranteed bandwidth for the queue)

  • Why can't we get rid of "Bandwidth" in HFSC?

    3
    0 Votes
    3 Posts
    1k Views
    G

    Kind of agree, I guess.

    HFSC is not developed by the pfSense project, but the pfSense code could be tweaked to assign the linkshare m2 value to the HFSC bandwidth in all cases (and also make linkshare m2 a mandatory field)

  • Traffic prioritization based on the destination port / IP

    3
    0 Votes
    3 Posts
    2k Views
    G

    Best way is with floating rules, action match, direction out, and filtering by destination port. Then use the rules to assign queues

  • Traffic shaping and squid

    4
    0 Votes
    4 Posts
    1k Views
    E

    Try this?

    https://forum.pfsense.org/index.php/topic,62188.msg335842.html#msg335842

    Edit, add:

    As it happens, I finally gave this a try (albeit on a 2.1 system) last night, as my users had managed to offend me sufficiently (MPAA sharing violations - not only do they indicate that users have violated our policies and mean I need to find harsher controls to curb bad behavior, they also irritate the heck out of me…) and while I had some limited effect, I could not get any traffic into the proxy queue nor the http queue. It's all twisty little passages, all alike, in the dark and filled with Grues from a documentation standpoint. After no apparent effect from the linked method, I eventually tried using the layer 7 stuff to identify cache hits and misses and place them in queues, at (roughly) which point everything stopped working and I gave up and reverted to a saved configuration from before I started messing with the poorly documented Shaper. There has got to be a better way to do this, or better documentation of how to do this (that actually works).

  • Throttle down traffic with HFSC after x seconds

    3
    0 Votes
    3 Posts
    1k Views
    K

    The firewall is not connection-aware, it just filters packets.

    Squid works for HTTP traffic only, but it is connection-aware. I vaguely remember that Squid has some limiting/throttling options, but I have no idea if that would be useful for you.

  • DiffServ Code

    15
    0 Votes
    15 Posts
    6k Views
    K

    I currently have no idea what's going on the "64 bit front".

    An easy way to spot if my changes are included is to check if the DSCP list (in the WebGUI, Firewall - Rules - add new rule via the plus sign - DiffServ Code Point - Advanced) contains the VA code point.

  • Can minor queue bandwidth changes to CBQ require a state reset

    1
    0 Votes
    1 Posts
    687 Views
    No one has replied
  • Queue for ping packets for packet loss indicator

    10
    0 Votes
    10 Posts
    3k Views
    M

    Not necessarily.  It still should be checked that ICMP's are hitting the appropriate shape bucket.

  • QoS for VOIP made simple

    4
    0 Votes
    4 Posts
    10k Views
    M

    Squid is set up as a transparent proxy which I run HVAP (anti-virus).  I will need to point QoS to manage at the proxy instead.

  • Shaping SkyDrive/Google Drive and cloud backup clones

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • CoDel

    4
    0 Votes
    4 Posts
    2k Views
    S

    New release should happen soon. See https://github.com/pfsense/pfsense/commit/93a79543999602a3b71e8376a6aa6ed46e79af4d

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.