• Peculiar shaping with a simple setup

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    This is driving me mad ….

    All the different traffic flows are being sent to the proper queues based on the related rules, that is a fact.

    But beyond that, it seems that the queues' respective priority is not taken into account :(

    -> I added the following rule in order to prioritize ICMP traffic

    Proto    Source            Port Destination Port Gateway Queue
    ICMP     high_priority_pc1 *    *           *    *       qVoIP

    -> without any traffic on the line, ping requests to external IP is around 40ms.

    -> with download traffic originating from low_priority_pc2, average ping requests response time is around 150ms, despite being passed to the highest priority (7) queue.

    I'm lost ….

  • PfSense tool for traffic shaping

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    pfsense is mostly using ALTQ (check http://en.wikipedia.org/wiki/ALTQ http://www.freebsd.org/doc/handbook/firewalls-pf.html ) and to a lesser extent, dummynet.

  • Traffic Shapper for URL

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp

    It's not possible to do in any meaningful way.

    Using a hostname is possible in an alias, but for most large web sites, the IPs returned by DNS change often or are randomized. So the firewall would be tracking one IP thinking it's that site, when really it's another one entirely.

    It may be possible with squid, but I don't know for sure. Someone else may know better on that part.

  • Voip priortize IPsec vpn

    Locked
    5
    0 Votes
    5 Posts
    5k Views

    dhatz,

    Thank you much for the link you provided.
    I am in a big learning curve on the traffic shaping gig. I am trying to get my head around looking at the queues in the rrd graphs, trying to decipher what the meaning of this translates to.
    OK, you made a good point. The IP phones are in fact on a separate VLAN aside from actual PCs, so what you are suggesting sounds like a plan.
    I am going to give my generic traffic shaper setup, for ONLY voip, and as I mentioned earlier the voip tab does in fact have an entry for the Panasonic TDA phones, which are what we have at both buildings, so fingers crossed this may work out.
    In a week's time, if nothing has improved, I will go to plan B with your 'by ip range' setup.

    Take Care,
    Barry

  • 7 people in this house - solve with limiters?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Queues understanding effect

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: 'pfctl: jme0_vlan10: driver does not support altq'

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to block torrent traffic on pfSense ?

    Locked
    10
    0 Votes
    10 Posts
    55k Views

    The snort tagging would be only useful if snort is put inline.
    Furthermore the encryption of torrent will just make it impossible for snort as well to detect it.

  • QoS lowest priority

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    8 Posts
    10k Views

    Ideally you should use the traffic shaper, to ensure that business traffic gets priority over bulk downloads, instead of using a hard bandwidth cap via the CP limiters. It's also a decision between favoring best utilization of bandwidth vs consistency.

    Anyway, the biggest problem with P2P traffic is that it's quite difficult to identify (in order to proceed to the next step of limiting it).

  • Traffic shaping on bridge lan wan (queues for protocols)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 5 people in this house

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    marcelloc

    If CAP is captive portal you do not need subnets, just include your Mac on bypass list.

  • Nice video tutorial on simple usage of limiter

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    I should mention that I didn't create the video, that was somebody on DSLReports, but he did such a good job of it I had to share it here.

  • ADSL+2 Dlink500B II modem using bridge +PFsense sytem questions!!!!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit all workstations to max download\upload rate, per machine

    Locked
    6
    0 Votes
    6 Posts
    9k Views

    @clarknova:

    When you create a shaper rule on the floating interface without the quick option, the rule will apply to any matched packet and the packet will continue to be compared to your firewall rules for a match. Rules on the non-floating interface are implicitly quick, so if your packet matches a floating rule and some other firewall rule, both rules will normally apply.

    Thanks for your advice here. I keep trying to make the floating interface rules work, but it's just not showing up for me.

    I create limiters with no mask so they will apply to all traffic rather than create one queue per address, then I create a floating rule with pass or queue policy (doesn't seem to matter), setting an interface (WAN or one of the LANs), a direction, and selecting limiters in in/out in the advanced section. I reset the states to wipe out any existing connections, and look in the limiter info page. I don't see buckets getting filled in as I do for the rules on a fixed interface with a source or dest mask in the limiter.

    Any ideas what I'm doing wrong?

    Thanks,
        - Tim.

  • Battlefield 3 Floating Rules Order

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    a-a-ron

    @KurianOfBorg:

    I found it too much of hassle to define outbound rules for games. Only inbound ports are properly documented. You might as well make a pass-all exception for your IP address/MAC address since if you're playing games on the workstation, it's already been "compromised" with stuff running with administrative access.

    You really only need to have one port opened by Origin to allow full connectivity for BF3. You shouldn't need to physically open all the ports they require. The ports I have listed above do seem to work for outgoing. I have allowed 3 additional port ranges for "incoming" now so all BF3 QoS traffic is prioritized (to my best guess). Remember this is QoS, not actually physically opening ports.
    EA uPnp Port:
    3659 keep state udp xxx.xx.x.xx EA Tunnel

    Additional Incoming Ports:
    UDP * 25200 - 25300 * * * qGames
    TCP * 42127 * * * qACK/qGames
    TCP * 9988 * * * qACK/qGames

  • MOVED: IP/Port Redirect

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dynamic Shaping per IP

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    Run the traffic shaping wizard. About the third or fourth page in you will have the option to set different protocols to different priorities - high, normal, and low. Change NNTP to low.

  • Traffic shapping Wizard error Single Lan Multi Wan

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    bump

  • {possible BUG] ECN is disabled, so altq can't use it?

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    well, ever since I enabled the flag, ECN tests work.  Without this set, even with ECN enabled in traffic shaper, ECN tests fail.  Perhaps it should be force set if enabled in traffic shaper.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.