This is in 2.1 snapshots.

Just don't match them in the rule.

Either:

pass from !(those users in an alias) to * with a limit
pass from (that subnet) to * without a limit

or

pass from (those users) without a limit
pass from (the whole subnet) with a limit

@markluhde
thanks for the reply ,,, btw can you give an example on how to use it, it is my first time to use limiters with schedule. thanks again.  ;)

@abdurrahman:

For example, I created a limiter as below
Name : download_limit
Mask : Source
Bandwitdh: 512K

I created a schedule as below
after-work: 17:30-23:59

I want this limiter to be scheduled at after-work.. this limiter will be active only between 17:30-23:59…is it possible?
if it is possible, I will apply it to a firewall rule...

Just as noted by @mark, downlink limiter will go with DESTINATION MASK while uplink limiter will go with SOURCE MASK.

Then on schedule, apply the schedule on the firewall rule you will create to push traffic to the limiters. I'v done this and is working perfectly.

I haven't made any progress on this one.

I can say that Spotify traffic does NOT drop into the standard/bulk p2p queue.

Sigh.

1.  No, unless your default rule is to pass traffic.  Match rules have no effect on whether traffic is passed or blocked.

2.  Yes.  Remember, a match rule is not a filter rule.

3.  Since the pass rule does not specify a queue, it does not get overridden.  The packet and future stateful traffic for this packet will be placed in Q1.

Another function of the traffic shaper is the delaying of ACK packets when traffic reaches 100%.  This moderates the flow of traffic through your firewall and attempts to keep it from backlogging.

Under normal conditions, backlogging should occur during severe spikes in network traffic, in which case your queuing will kick in.  This can literally happen in millisecond time frames and be difficult to observe.

Your traffic shaper is most likely performing as it should.

Fix is now committed and will be available on next snapshots. You will need to run wizard again to fix the rule.

You can enable logging temporarily on your queue match rules to see what is happening, and then turn your attention to the firewall logs for more information.

Nice write up.
i've already created "reversed" torrent shaper.. So I do allow torrent to be used, but if you can use it with ~10kbps connection  ;D

@iservices:

you're giving very little information.

It should work if the config is like this:

client –>squid -->pfsense-->Internet

if you've got a config

client -->pfsense-->squid-->internet it'll never work,

as the pfsense can't distinguish if the traffic is cached by the proxy!

For better help give better information!

Hi there! Pardon me for the incomplete info. I am installing Lusca Squid package on my PfSense. Squid and Pfsense are in one machine.

So are you saying that it will work if squid is on a separate machine?

Thanks.

Sorry. First see your answer now.

Thanks a lot. I will experience with a LAN/WAN rule and see if I can get same result.

BR. Anders

@fil23:

The problem starts when in the settings of the SQUID transparent mode switch on the server. The Internet very slow loading web.

The core of Freebsd 8.1
More than 200 users

You haven't given much helpful info, but my guess would be that you've either configured Squid with too little memory, you're using disks that are too slow for your cache, or your Internet connection is very fast.

In my case I use Squid to only cache large files because small ones can usually be fetched from remote servers faster than they can be grabbed from cache, even with it backed by SLC flash.

Thanks for the clarification.

Given that I don't do NAT on my pfSense, so the rule should match on a private source IP.

:) Thanks Podilarius… in doc.pfsense.orf there is a paper how to do it, but the version of pfsense they use is 1.0 BREBETA2-BUGVALIDATION-EDITION5 and the newest one doesn't have the pages they show. even the webconfigurator of newest version of pfsense, doesn't have anythinhg about bridge mode. That's why I entered the foroum and made this request. But I'f i get the information I'll post it here for all the people in the foroum...

Thanks for your time...

thanks! I think most of us are waiting with joy!

Yes could potentially use PFSense to throttle his speed.  I know for a fact that WoW has parental controls that you can enable.  I dont think the other games do.

You would have to throttle the connection to the point that is super super slow.  I would hazard that you try other methods to limit his gaming time though and perhaps if you would game with him or show an interest , even if faked on your part , in his activity , you might have better luck at limiting his time?

You would have several options in PFSense to do this from using a schedule to traffic shaping to actually using the limiter.

Also how technically inclined is he as well?  If he is pretty tech savvy then it will make the job that much harder.  Most Xbox's and PS3's have WiFi so if your in a densely populated residential area , there would potentially an unprotected WiFi he could jump on and avoid your throttling altogether.

As a father myself , I find that by gaming with the kids and showing interest in their hobbies , it makes it easier and they are willing to live with limits on game time and have reached the point that for the most part they do it themselves without me having to tell them.

Good luck to you.

My recent post covers the basics of this:
Works! Limiting multiple LAN users, thru single external proxy
http://forum.pfsense.org/index.php/topic,60861.0.html

In general, to create different speed groups, you need to do some coordination of your network addresses, and you can't just use automatic address assignment by DHCP for the entire building LAN.

You'll probably want to inventory all the MAC addresses of the public machines so that they can be assigned addresses within the same common block, via DHCP MAC reservations . (You can also manually assign addresses directly to each machine without DHCP reservations, though this can be a maintenance hassle if the machines are wiped and reimaged occasionally.)

The collective address range is then restricted by the limiter. Anything outside the range would be permitted full speed.

A more thorough option is to group all the wired public machines into a single network switch or a VLAN, and then applying a subnet and automatic DHCP to that entire group through an optional interface on your pfSense router.

This requires lots of fiddly crawling around under tables, locating of ports on walls and who is what port number, and then moving cables around in closets to put all the wires into a common group on a single switch or to make a VLAN range of ports.

(You can also create a freeform VLAN for scattered ports across the switch without moving cables on the switches, but this is more management hassle later if there's a problem, IMO.)

This would allow the computers to all be limited without needing to do DHCP reservations, and also allows for an open public wifi service for patron laptops and mobile devices to join the subnet and be limited also.