I just need some clarification here:

On topic:
Should it be like this?

IN/OUT Limiters:
IN = Use "Source Address" if you're going to limit bandwidth per user.
OUT = Use "Destination Address" if you're going to limit bandwidth for the whole users.
Current I am using "Destination Address" Mask only for limiting bandwidth.

Question:
Do this method will work if I combined the two Mask? TIA!

Setting up Limiters or Queues is VERY tricky without perfect understanding of what every setting does. You've most likely configured it wrong.

manually create a queue via the web interface? or edit configuration files? which files so as not to spoil the configuration?

No, because none of this is necessary. Everything can already be done with the normal queue functionality. A user who doesn't understand how to create queues will screw it up anyway.

I am just now starting to need QoS for a cluster with 4 different security zones where I need to find a solution without bridging.  I am still experimenting with Limiters to see if I can get by using them but I am afraid they might have big performance issues (based on reading the forum not from experience) and I know they don't have all the features that I want to use with the normal queues.

I have been using 2.1 on a few non critical systems and I haven't dound anything that would make it better for this.  I think it might be a limitation of the QoS implementation on FreeBSD.

In order to shape download traffic you need rules on the LAN interface, no matter if the traffic is coming from WAN, OpenVPN or whatever. In this case, you need a rule on your LAN tab with source: LAN subnet and destination: your OpenVPN subnet (not the server public IP), and specify what queue you want that traffic in (you previously saw the traffic on qLink because it is was catched by the default rule that sends traffic to qLink)

That's why it is a good idea to have queues with the same names on both LAN and WAN ;)

Firewall rules are evaluated from top to bottom, so create another rule above the other ones that catches the traffic from that PC, and send it to the appropriate queue (one with more priority, or with more bandwith, or without limiters, depending on how you configured your shaper).

Regards!

@jimp:

FYI- the masking is incorrect on the example given by cheonne earlier in this thread.

For the upload limiter, you want a source mask
For the download limiter, you want a destination mask

The same pair of limiters would be used for both LAN and WAN rules (LAN - In=Upload, Out=Download, WAN - In=Download, Out=Upload)

thanks for the correction.. ;)
i mislook his thread ttle "…per ip"

What is described here is a known bug in pfsense, provide more detail here: https://redmine.pfsense.org/issues/3096

@falbertopl:

Using firewall rules an limiter. create an alias with facebook domain and apply a limiter to a firewall to contain that alias

facebook domain can be added through alias?
coz i did this but i got an error

As I have understood, each limiter acts as a channel with a bandwidth allocated, if within it are created queues, each queue share that bandwidth based on the percentage allocated to each queue or letting pfsense be responsible for rolling, i attached a sample image. if there is only one traffic queues, the entire bandwidth of the limiter is assigned to that queue, if there is traffic in another queue so that traffic is shared among those queues according percent of the queue or you can leave depending on the amount of traffic on queue pfsense decides , that is achieved by letting the percent white. If you think what I said is wrong, please correct me.

Symetric.jpg
Symetric.jpg_thumb

I had made a queue named 'qProxy' as your setting and then setting up firewall rules as you recommended. But why there are no activity in in queue status for 'qProxy'. I also had inserted your code in custom field for proxy server settings.

That's correct. Unmasked limiters are global for any traffic in the limiter. Masks define how to group them into per-group limits (on 2.1 you can mask by IP or by subnet)

@phil.davis:

In my cases in Nepal, on a quiet connection, the ping time to anywhere except the direct ISP device at the other end of the ADSL copper phone wire, is completely variable.

I assume that's why the Gargoyle solution defaults to pinging the gateway on your WAN connection, to which pfSense's RRD WAN quality graphs also refer.