I also posted a blog on creating a firewall rule to place traffic into a specific queue; not sure if this will help:

http://pfsensesetup.com/traffic-shaping-rules-in-pfsense-2-1/

Hi LiquidSmoke

Can the clients ping to the wan ?

We had a smiliar issue already. Check out this thread

http://forum.pfsense.org/index.php/topic,67012.0.html

regards

supermega

I have the same problem! :(

I am just starting to try to configure the traffic shaping properly.  This is a question I would be interested to find out more about as well.  Finding it more difficult than I expected to get things into the correct queue.

I'm mostly concerned with getting voip higher priority than other traffic, and making sure that torrents don't clobber anything else, this is just a home connection.

A quick update…

I've had this enabled for a few weeks now, with a couple of hundred users a day, over a dozen sites - no complaints received so far.

Final parameters used were 1Kbit/s source address, 50ms delay.

I'll stress again though - this will not prevent DNS tunnelling, it will only slow it, hopefully to the point where abusers will move on and find another target.

FYI, the above is correct, it's only that changes are applied to new connections, ie if you have an endless ping running you don't see the changes (in latency for example) in realtime.
Stop the ping, wait a few seconds and restart the ping  :-[

Floating rules are an area generally used to MATCH traffic.  The LAN, WAN and VPN tabs are where PASS or BLOCK rules are kept.  PASS rules are one way.  If you want your rule to pass traffic from LAN > WAN then put your PASS "allow all" rule in the LAN tab rather than the FLOATING tab.

Any traffic not matching a rule will automatically go to the default queue.  Change the default rule "checkbox" from qP2P to qDefault is step #1.  Can only have one default queue.  Step #2 is reviewing your rules that they are getting hits rather than going to the default queue.

@markn62:

I don't believe you can shape across a bridge.  You likely need to remove the bridge and re-run the shaping wizard.

You certainly can shape on a bridge. In fact, that's the only way I know to propely handle a multi-LAN scenario

EDIT: I mean, you can shape on a bridge composed by two LANs, towards a WAN. I don't know, but I don't think you can shape if you have LAN and WAN as a bridge

Multi-LAN does not really play well with the shaper, currently. The only way (as far as I know) to handle multi-LAN properly would be to create a bridge with all the interfaces and apply the shaper to it. If you do that, although all LANs will be on the same subnet, you can still somewhat filter traffic between them (by activating the proper system tunables).

Anyway, bridging sounds exactly like you want. And "guaranteeing bandwith" makes me think of HFSC  ;)

Thank you.

Thank you all supermega, shinzo and kejianshi for your kind suggestions, but I haven't solved the problem.

I looked at the tuning cards link but it didn't have the cards I'm using (re and msk cards).

I also tried shinzo's suggestions but it wasn't able to limit. It went wide open to 20Mbps/6Mbps. (I tried both net.link.bridge.pfil_bridge=1 and 0). I've tried different permutations of putting limiters on LAN/WAN/OPT1 or pairs of child queues on both LAN/WAN to no avail.

I also changed cables and added another brand new NIC card and tried different permutations of interface assignments to no avail.

If I disable all the rules (pfctl -d), the upload speed becomes normal (6Mbps), so I think it might a problem with my rules/settings/pfSense (probably not hardware).

I'm open to more suggestions, thank you all again, much appreciated!!

You should be able to do it with a HFSC scheduler

Great, that's what I hoped it meant from looking at the raw rules

Without shaping the entire traffic from everyone, you cannot shape a subset of the LAN. Shaping works by dropping / queueing packets. This can't work unless all traffic is classified. Once you have basic rules in place, you can create further rules for specific IP addresses.

Either way you need to completely understand HFSC and how the queues work or you'll fail to get it working.

@shawniverson:

Most definitely!  I am using both and it is working great.  No special/unusual configuration needed (in some cases)

Here's a sticky post that may help:

http://forum.pfsense.org/index.php/topic,14436.msg76415.html#msg76415

Do you know if that sticky is still relevant with pfSense 2.1 ?

–---------
The easy way Traffic Shaping with Squid Transparent Proxy
Add under Firewall Rules

Action = Pass
Interface= LAN
Source= LAN subnet
Protocol = TCP
Source = LAN
Destination = any
Destination port range = (Squid Proxy port) eg. 3128