Well. Glad you found a solution. Even though not the preferred one.

I am playing with limiters at the moment. I need to limit users to max 50Mbitps. PF can do this dynamically. But when testing I can get no more than 16-18Mbitps through a limiter… I start with 1Mbit, 5Mbit, 10Mbit, 15Mbit and it works great. Then 20Mbit, 30Mbit, 40Mbit etc. all stay on same 15Mbit download 18Mbit upload ffor the user... If I remove the limiter then 60Mbit or more. Aparently there are small issues like this based on configuration, hardware etc. It is not easy.

@vlassic:

Why do I see traffic in the default queues that the wizard creates before I create any firewall rules to put traffic in them?

Traffic needs to go somewhere. Uncategorized traffic (traffic which is not directed somewhere else by a rule) falls within the default queue for that interface. There must be 1 default queue for each interface.

Which scheduler are your trying to configure? (PRIQ, CBQ, HFSC)

In your case, "Single Lan multi Wan" would be the right choice.

jimp,

Thanks for your time to explain all these fundamentals.

So, it seems to me that there are 4 cases here:
1. LAN user initiates an upload to an external server
2. LAN user initiates a download from an external server
3. WAN user initiates an upload to an internal server (download from the perspective of the firewall)
4. WAN user initiates a download from an internal server (upload from the perspective of the firewall)

For cases 1 & 2, the states created are IN on LAN & OUT on WAN.
For cases 3 & 4, the states created are IN on WAN & OUT on LAN.

So far, I think this is OK.

Now, the objective is to shape all uploads and all downloads, whatever the origin of the connection.

Let's take an example for each of the 4 cases:
1. local user at IP address 10.0.0.100 on LAN initiates an HTTP upload to external server 100.101.102.103
2. local user at IP address 10.0.0.100 on LAN initiates an HTTP download from external server 100.101.102.103
3. external user at IP address 200.210.220.230 on Internet initiates an HTTP upload to internal server 10.0.0.200 (download from the perspective of the firewall)
4. external user at IP address 200.210.220.230 on Internet initiates an HTTP download from internal server 10.0.0.200 (upload from the perspective of the firewall)

Firewall rules on pfSense (Cisco-style):
On LAN tab:
permit ip host 10.0.0.100 host 100.101.102.103 (this rules caters for cases 1 & 2)
On WAN tab:
permit ip host 200.210.220.230 host 10.0.0.200 (this rules caters for cases 3 & 4)

Return traffic is dealt with by stateful pf.

Do I need to create the queues as follows for each of the 4 cases above?
1. qLAN-Upload (applied on LAN interface)
2. qLAN-Download (applied on LAN interface)
3. qWAN-Download (applied on WAN interface)
4. qWAN-Upload (applied on WAN interface)

How should I apply these queues to the rules (LAN, WAN, floating)?

LAN tab:
A. permit ip host 10.0.0.100 host 100.101.102.103 => Queue: qLAN-Upload/qLAN-Download ???

WAN tab:
B. permit ip host 200.210.220.230 host 10.0.0.200 => Queue: qWAN-Upload/qWAN-Download ???

Floating tab:
src 10.0.0.100 => dst 100.101.102.103: Action: Queue, Direction: Out, Interface: WAN, Queue: qLAN-Upload

Please help clear the confusion…

Thanks

This is what I mean - I've currently got this setup so that anything to and from 38.0.0.0/8 gets put into the qCrashplan queue (i've now renamed my crashplanout queue to qCrashplan)

I've attached what I see, why is only the incoming Crashplan queue dealing with packets and not the outgoing?

Does anyone have any ideas? Could anyone share what they see in their queues?

Thanks


Floating rules can apply to traffic in both directions. It depends on what you have set for source and destination.
They are NOT quick rules. This means that last matching and not first matching rule wins.

Yes I did read the article.  Doesn't have much on CBQ though which I was looking at for an option.  Just need to know how it works with multiple LAN connections.

Thanks for the response.

in the operation system.
you can use "netstat -an" or "netstat -anb",to see which port is used.
if bt go the voip port, what you see is very correct.

in my env ,I use white list,
for example,put 80 port in other queue.
then set a low bandwidth and low priority in the default queue.
any undefine port and traffice will go default queue.

@spartan7:

anyone selling a premade 1U for 2 WAN/1LAN running pfsense?

or link to a build.

http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack.html

For some reason ports will NOT show in any rules I create. Not sure what to do to get them to work correctly.

It happened again this morning.

It looks like the problem was one of our lines - despite the modem saying it was connected at 3700 kb/s, throughput to the ISP's speed tester was more like 500kb/s. The ISP has done something, and it is better.

The situation is complicated by the fact that my access to the system is through a wireless network to where the router is, a mile or two away, and the router load balancing means the problem comes and goes, depending on which line a given connection gets.

However, to help diagnose, I put a temporary firewall rule to direct all traffic from my IP through a particular modem, and, by editing the rule, was able to pin down which modem it was. I have kept the rule (disabled) for future use if it happens again.

I am still mystified as to what I might be doing wrong with the traffic limiting wizard, that it would halve the bandwidth, so any suggestions gratefully received.