In the actual firewall rule, in the "Advanced features" section, just above the place where you select your Layer 7 container, is the place to select your "ACK queue" and "regular traffic queue".

Your welcome!!  yes using Alias's make it easier when setting up rules and things using IP's and ports.  just dont forget to back them up to your local machine so you have a copy of them and your whole PFSense config as well.

No. There isn't any long-term usage tracking that would work in that way. Not with a normal network anyhow. If it were Captive Portal-controlled and with access authenticated by RADIUS, with RADIUS set to track usage and deny access, that might work. I believe there are examples of this elsewhere here on the forum if you search a bit for terms like "captive portal radius bandwidth" you might turn up some relevant hits.

Maybe I shouldn't say this on these forums but have you had a look at Gargoyle (based on OpenWRT)?

It seems to be very good at the sort of quotas you're describing.

http://www.gargoyle-router.com/index.php

Gargoyle is Linux-based but, for future reference, pfSense is FreeBSD-based.  ;)

LAN Rule

LANRules.jpg
LANRules.jpg_thumb

"Non-floating" rules are just specialized "floating" rules in which the interface is pre-set and "quick" is used for all of the rules (this is done by pfSense for quick and easy every day per-interface rule creation). When pfSense is applying the rules, the rules from the floating table will be put before the non-floating rules.

@senser:

Outgoing traffic that was put into queue X of the WAN interface will result in related incoming traffic being put into queue X of the LAN interface (if it exists) and vice versa. Thats why I told you to give queues the same name on both interfaces.

Ah, learned something new. Wish this was in the guides. I watched a YouTube video about setting things up for optimum bandwidth usage, and the guy split all the queues by suffixing them with U or D depending on interface. I see now that this isn't the best way to do it. I'll go ahead and fix all my other queues accordingly… lol

Thanks again for everything.

Is there something funky with the queue bandwidth limitations? (Ie, set the bandwidth for an interface to 50 Mb) ?

I've been playing with downstream's queue options (my lan interface's queue options)  If I set it to 50Mb/s it hits around 37 Mbs. if I set it to 56 it gets around 47mbs. If I set it for 58 and 59 respectively ,It caps out further without killing my connection (latency etc) (best result so far is 51mbs)

If I set to 60.. it somehow spikes to 56+ mbs and i begin to have latency due to filling my pipe.  It's a bit curious how small increments prior to 60mbs settings didn't change it much, but setting it to 60 and the entire thing blows up. haha.

Just being a PASS rule doesn't explain why Diablo saw all traffic honor the L7.  This says that all packets matched the L7. Doubtful.

I have the same problem trying to use the L7's.  I add the FTP L7 to my floating FTP Wan out dst port 21 rule and all web traffic comes to a screeching halt.  What an FTP rule has to do with HTTP traffic is beyond me.  I have yet to find one explaination of how to use L7 Pass to Match.  I set a tag (match) word on the pass rule and followed this rule with a "match to" and queue but doesn't work.  With or without the dst port 21 in the second rule, same result.

While I'm just as lost as most when it comes to pfSense and HFSC, something I read seemed to indicate that, on a realtime service curve, d is the maximum time elapsed before it gets its m1 or m2 rate fulfilled.  For example, if you had a game that required 500Kb bandwidth with a good ping of 30ms or lower, you would specify m1 = 500Kb, d = 30ms, m2 = 500Kb.  I don't even know if you need to specify m1 in the rt case where burst is not a requirement.

Please bear in kind that I don't know what I'm talking about, and the above could be complete nonsense.

Anybody help me?…

Any hint on how to go about the "transparent bridge" to be able to shape?

I put my 3 LAN connections all in VLANs now, so that they all connect to the pfSense box on one physical NIC.

                                            /====VLAN2 = Internal LAN pfSense-NIC=== VLAN2+3+4 =Managed Switch  ====VLAN3 = Client LAN                                             \====VLAN4 = WiFi LAN

So now I would need to bridge that NIC to another interface and then shape on that interface?
What do I have to do to get that Bridge working?

Need to create match rule on floating tab and not on lan tab.

This thread solved my problems
http://forum.pfsense.org/index.php?topic=61315.0

Please explain in more detail. Is the pfsense the LAN router and gateway for the other two computers? If LAN-LAN is allowed through your switches (no source port filter, no vlan) then I cannot see how a third router or server on LAN should be able to influence on that.