I've read that, it looks like pretty cool stuff but it's not answering my questions.
I need the exact mechanisums how HFSC works so i can make my conklusions. Or some tips how to make shaper when i have different limits for different networks without knowing the exact limits.

when I update from 2.0.1 to 2.0.2，I can find the wizard rule in firewall:rules:floating
I think I get more understand.

now,when edit some rule,I can see "Ackqueue/queue"
why some rule Ackqueue chose "none"? why some rule chose "qack" or other

can someone tell me ?thanks

I vaguely remember reading somewhere that the L7 filter blocks traffic by checking only some packets in the beginning of the session and once state has been established it is beyond the reach of L7 filter. If that's the case then maybe the reason why blocking these SUBSCRIBE messages doesn't work is that they are considered as being "in the middle" of existing session and aren't seen by ipfw-classifyd. I sure can't see what else could be wrong in my setup…

Or will the following be good enough?

Floating rule on LAN interface with IN direction and Quick enabled. With limiter on in / out. The speed seems to be limited correctly when testing on speedtest.net. I'm not limiting other traffic than WAN with this rule?

@g.sara:

Hi,
Thank you for your answer!

Into  which tab I have to create the rule (Floating or Interface rules)?

Which rules are executed first? The floating or the Interface rules?

Regards,
George

Interface Rules have a higher weight as the floating ones.
That means, if there is an interface rule and an floating rule, the interface rule is executed.

I solved the problem of everything going into the P2P catch-all queue by not selecting to set up a catch-all queue in the first place during the wizard, as suggested by this guide:

http://skear.hubpages.com/hub/How-to-Configure-Deep-Packet-Inspection-Using-pfSense

Traffic shaping seems to be working well now, and all shaping rules are indeed in the Floating tab.

Todd

@sgatto:

It seems that HFSC queue acts only on the defined interface.

Defining a queue for interface X and then apply that queue on traffic egress from interface Y does not work.

Can you give me another solution ?

Use the floating rules and mark the direction as 'IN'.  Select the appropriate interfaces (148 Vlan interfaces?) then direct to the WAN interface queue.

You may want to re-create the queues with different names for the WAN and the other interfaces.  That will allow you to better differentiate between the queues.

doing this with freeradius, sqlcounter module and a sql database is possible as long you have a NAS which does the accounting properly.
You can define different groups and limit their speed.

But please don't ask me for a tutorial or something like this. I do not have one ;)
I just read this "here and there" in the net.

see video on youtube. try this link (phone) or search

http://m.youtube.com/#/watch?v=Usi195rK35I&desktop_uri=%2Fwatch%3Fv%3DUsi195rK35I

Alternatively, make use of Aliases and 'Not'.

Create an Alias with the subnets of LAN A, B & C.

Call this alias:  LocalSubnets

In your firewall rule(s) applying the limiter(s), just set the destination as "Not" (checkbox) Alias "LocalSubnets".

Depending on how many rules you have applying limiters and all, either of the methods would be simpler to apply.

That's an alternative. BT traffic is not a big issue for me, I just wanted to prioritize regular traffic over BT when needed more than setting a hard limit to it. I was mostly trying to figure what I did wrong with the traffic shaping because as far as I can tell I set it up correctly, but for some reason the rules are not being applied correctly and the bulk of BT traffic still goes to the default queues.

You can't easily apply it as a per-interface limit, but you can setup a pair of limiters and direct all traffic to/from the subnet on that interface into the limiter (basically edit any rule passing traffic from/to that subnet and use the limiters on it), and get that effect.

Deagle, that is a really awesome feature.  I doubt that pfSense can do this though since all the matching happens when a connection is first setup, and then applies to the state record, so that the system doesn't need to process any more of the packets.  But the layer7 stuff must be able to look at enough of the traffic to try and match the contents and then change the queue, so maybe there is a way.

If you look at pftop, it does track the bytes transferred for each state, so the info is there.  So it is probably possible for some sort of daemon to run every so often and to associate a state with a new shaper queue.

I would suggest you ask on the freebsd networking list to see if freebsd supports it, and then you could open a bug/feature request to have the ability added to pfsense.

I've noticed that youtube opens a new connection for each chunk of a movie though, so it would somewhat lessen the impact depending on how big the chunks are.
Josh

Sorry but this isn't currently possible, I wish it was.  The traffic shapers on different interfaces/vlans cannot communicate with each other, so there is no way to allow one interface to use bandwidth until another interface needs it.

You can easily setup each vlan to only allow a certain amount of download bandwidth with the wizards.  So you can setup each vlan to only allow 7Mbit/s

Dividing up the upload bandwidth is harder since that all has to happen on the wan interface queues.  You can only shape traffic that is being transmitted. You will need to manually create queues, and then create rules that assign traffic to those queues based on which vlan the traffic is coming from.

Josh

Good!

;)

Kostas