Any help on this would be greatly appreciated.

Thanks.

Hey georgeman, I get what you're saying, trust me I'd love to do one floating rule, but I found this during my testing and research of the settings.

https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Setup_Limiters

“pfSense currently only allows setting the source address or the destination address as the mask, meaning that you can give each host behind your firewall its own set of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would give your In pipe a Source Address mask, so that each host sending packets gets it’s own dynamic pipe for uploading. You would give your Out pipe a destination address mask, so that each host receiving packets gets it’s own dynamic pipe for downloading.”

Also on the mask config in the pfSense GUI it reads:
If ‘source’ or ‘destination’ is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size given above will be created for each source/destination IP address encountered, respectively. This makes it possible to easily specify bandwidth limits per host.

My understanding of these documented statements is that the limiter can limit upload for each LAN –> WAN session (source), or download can be limited for each WAN –> LAN session (destination).
When I tried using the mask source configuration, I saw my steam client download from multiple remote sites which, broke the whole concept of limiting download bandwidth for a single LAN IP, as I need to limit the sum of all download connection sessions. It worked for single streams of traffic to single IP addresses, such as with speedtest, but not for downloads from multiple remote sites. Either that or I configured it wrong. I tested with the new limiter config using the mask for source, made new rules, and one machine still topped out the qHTTPandSteam queue. Let me know if you find testing to be different in your environment.

Interesting.  I happened to remember my pbx is set up to set diffserv/tos bits on RTP and SIP packets, so I deleted the shaper and created a new one with 'generic(lowdelay)', and the 2 floating rules were replaced by 1.  I just tried making another call, and lo and behold queueing.  This is probably one of the most frustrating things about using pfsense.  I really love the thing, but there are some aspects that are black juju, and it is more than a little frustrating.  You google for stuff like this and find literally a score of different articles, many with incomplete, wrong or contradictory advice.  Sigh…

Try and uncheck this for each queue in your traffic shaper:
Explicit Congestion Notification

Then test again.

You will probably see that you now get close to your max speed.

Aparently the "Explicit Congestion Notification" need all network equipemnt to be configured just right to work as intended. If just one piece of equipment drops packets at a lower treshold your will see significantly lower speeds.

Please try and post your findings

Turns out, I was still getting a few ACK drops on my WAN connection with bandwidth set to 30%.  I've slowly inched it up to 38% bandwidth and I no longer appear to be getting ACK drops when both my upload and download bandwidth are saturated.

Hello
I do have a similar issu
update: My setup is all IPv4. But still similar to your issue. The issue may not be specific to IPv6 at all….

First issue
First of all, there seem to be trouble with the limiters. I set a limiter for 50Mbit down and 100Mbit up.
Later changed to 55Mbit down and 50Mbit up.

In limiter info it says:
limiter 1: 55Mbit (from after I changed the speed)
limitre 2: 100Mbit (from before I changed the speed)

Now how is that possible?

Second issue
When doing a speedtest I get aprox. 50Mbit throughput in download (thats is fine with a 55Mbit limiter)
But I get an initial 40-45Mbit upload fast dropping to somewhere between 10 and 17Mbit during the test.

limiterissue.png
limiterissue.png_thumb

I have just finished configuring this option.

http://people.pharmacy.purdue.edu/~tarrh/Transparent%20Firewall-Filtering%20Bridge%20-%20pfSense%202.0.2%20By%20William%20Tarrh.pdf

Turn pfsense into bridge mode with firewall filtering turned on, this then allows all public IP's to be on the LAN side of the bridge and the limiter rules specified in the LAN firewall rules also still work.

Fantastic!

@georgeman:

Bear in mind that L7 filtering puts a heavy load on you CPU… What hardware are you running on? You might be short on CPU power

Hi, thanks for your reply.
I'm running a Quad Core Xeon. Pretty sure the CPU usage never peaks really.

Is it really that hard to do it ?
I might only need a guide I could read… Please help

Thanks

Sorry, I didn't clarify. I did mean for you to shape the VPN itself and not the traffic going into the tunnel.

Thank you for your answer.
But actually, as i have set high priority for IPSec protocol itself, everything i pass through the tunnel is automagically high priority.

Did you enable priority on both IPSec protocol itself and the ports / protocols that goes through the tunnel ? Or did you only apply queues on the inside of the tunnel ?

Thanks.

ISA server had that on every rule you specified. Loved that possibility!

Thanks very munch for the reply

I solved my own problem. I'm telling what i did and what i use for a reference for other people.

I had an ADSL connection with 830 kbit upload limit and 8 Mbit download limit (i tested with speedtest.net). I had to set traffic shapers upload limit to 450-500 kbit to prevent high packet loss. Besides of that from LAN to WAN upload bandwidth was almost getting doubled. Setting upload limit to 500 kbit was reducing my upload capability. It should be around 800-850 kbit.

Solution:
I had set pfsense's BOTH lan and wan's MTU to 1454 and MSS to 1414. I also set my Nas4Free (which is on 24/7) rig's and my main computer's MTU to same values.
These steps solved the problem, i raised my upload limit to 800 kbit, packet loss is between 0% and 4% under heavy upload and download. According to my research these values are normal.

Still problem:
From LAN to WAN upload graph is still getting doubled, for example under heavy upload i see a graph revolves around 800-900 kbit under LAN, and 1.40-1.60 Mbit graph under WAN. It doesn't affect the internet or network though but  it still remains a mystery to me

@jpalacio:

Hi all:

I am using the latest amd64 version 2.1 and I am trying to configure some limiters . I found that there is a limit of 30 limiters, when trying to add the 31st , it comes with an error  " you need at least one bw specification".

I've checked the shaper.inc code and certainly its limited to 30 limiters :

Line 3045  of shaper.inc

for ($i = 0; $i < 30; $i++) {                         if (!empty($data["bwsched{$i}"])) {                                 if ($data["bwsched{$i}"] != "none")                                         $schedule++;                                 else                                         $schedulenone++;

https://github.com/pfsense/pfsense/blob/dda9c67f7f8fdc3401a0d3c7b885630d128e2fbb/etc/inc/shaper.inc#L3045

Is this right?? Any advice on how to manage the situation when you want to use more than 30 limiters??

Thanks

No one???  :'( :'(

As far as I know, vmxnet3 via the official vmware tools doesn't support altq.

I think vmxnet2 using the open-vm-tools package might, but I can't confirm or deny it either way 100%

I wouldn't count on it being supported though.