• How to eliminate packet drops with PRIQ traffic shaping?

    Locked
    0 Votes
    6 Posts
    5k Views
    Thanks dhatz. Here are my HFSC rules as a starting point. I have only one WAN (em3) and one LAN (em2) interface. My down/upstream are 28/4 Mbit from my ISP. I backed each down to ~97% to start. Now I wasn't quite sure how to set up my SSH rules so that SFTP traffic goes into the ssh_bulk queue and SSH interactive shell goes into the ssh_login queue. Appreciate all your guidance. Lastly, I still notice drops, but my ack is currently set to 30% on both interfaces. I've read some places that say to set it as high as 60% but I wasn't sure whether that was accurate?

        altq on em3 hfsc bandwidth 3.88Mb queue { ack, dns, ssh, bulk, usenet, backup, bittor }
        queue ack on em3 bandwidth 30% qlimit 500 hfsc ( realtime 20% )
        queue dns on em3 bandwidth 5% qlimit 500 hfsc ( realtime 5% )
        queue ssh on em3 bandwidth 20% qlimit 500 hfsc ( realtime 20% ) { ssh_login, ssh_bulk }
        queue ssh_login on em3 bandwidth 50% qlimit 500
        queue ssh_bulk on em3 bandwidth 50% qlimit 500
        queue bulk on em3 bandwidth 20% qlimit 500 hfsc ( ecn, default, realtime 20% )
        queue usenet on em3 bandwidth 5% qlimit 500 hfsc ( realtime 5% )
        queue backup on em3 bandwidth 5% qlimit 500 hfsc ( upperlimit 95% )
        queue bittor on em3 bandwidth 1% qlimit 500 hfsc ( upperlimit 95% )

        altq on em2 hfsc bandwidth 28Mb queue { ack, dns, ssh, bulk, usenet, backup, bittor }
        queue ack on em2 bandwidth 30% qlimit 500 hfsc ( realtime 20% )
        queue dns on em2 bandwidth 5% qlimit 500 hfsc ( realtime 5% )
        queue ssh on em2 bandwidth 20% qlimit 500 hfsc ( realtime 20% ) { ssh_login, ssh_bulk }
        queue ssh_login on em2 bandwidth 50% qlimit 500
        queue ssh_bulk on em2 bandwidth 50% qlimit 500
        queue bulk on em2 bandwidth 20% qlimit 500 hfsc ( ecn, default, realtime 20% )
        queue usenet on em2 bandwidth 5% qlimit 500 hfsc ( realtime 5% )
        queue backup on em2 bandwidth 5% qlimit 500 hfsc ( upperlimit 95% )
        queue bittor on em2 bandwidth 1% qlimit 500 hfsc ( upperlimit 95% )
  • Traffic Shaping for AppleTV/Xbox + bit torrent

    Locked
    0 Votes
    4 Posts
    4k Views
    I have yet to get PRIQ shaping to work even after following the Hammerweb guide. I really wish there was a solid how-to available.
  • Pf 2.0.1 - PRIQ traffic shaping and Skype?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Which cpu is sufficient for a 100Mb/s symmetric link

    Locked
    0 Votes
    7 Posts
    3k Views
    PRES, I would reconsider user-based up/down q's! Departments will do fine. And then again, it's the traffic type you're gonna shape, not the user q! Departments then again should be VLAN'd and/or subnetted (higher security) so you can wel…. If you have a network that large, most of these things are in place!
  • Monitoring my VoIP queue

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Altering wizard rules

    Locked
    0 Votes
    5 Posts
    2k Views
    @podilarius: go to Firewall -> Rules -> Floating. In there create a rule that passes port 22 either as a source or destination (you might have to create 2 rules if you want it bidirectional).

    Ah. This is what I was looking for. I found the queues, but had no idea where the matching of traffic to queues was happening. I duplicated another high-priority queue rule and just set it to port 22. One thing I don't know how to do is to differentiate interactive vs. bulk SSH traffic. For example, I want my terminal sessions to take priority over an scp or sftp bulk transfer. The ssh client deals with this (see more here: http://kerneltrap.org/node/505) by setting the ToS field differently for interactive and bulk SSH traffic. It would be kind of nice to have SSH in the wizard; there's a ton of fairly obscure stuff in there already, and I was quite surprised to not see SSH in the list of protocols.
  • Yahoo, gmail and hotmail webmails

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • FaceTime / iMessage Firewall Ports For Apple Macs/iPads/Touch 4G etc

    Locked
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Inbound traffic shaping on unpredictable ADSL - the qosmon approach

    Locked
    0 Votes
    4 Posts
    4k Views
    @ermal: Put a feature request for it in redmine.pfsense.org. Sure, I'll be doing it ASAP. Just that in pfSense it's not so easy to monitor through ping, since the ICMP packets themselves are subject to throttling as well! Yes, but they can still give an idea of the situation. Actually, it's more or less the same in Gargoyle, but the result is excellent. While it can be given a thought in general, just record it in redmine to have it always there when I find time to play with this option. Ok! I'll be doing it. Thank you for your kind attention!
  • Xfinity Xbox traffic shaping

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • QoS or bandwidth limiting stickcam and blogtv

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Time Based Content Filtering Policy

    Locked
    0 Votes
    16 Posts
    10k Views
    @turiyain: The information is given below: Version 2.0-RC3 (i386) built on Tue Jun 21 16:50:25 EDT 2011. Ask if you need any other detail. Regards, VJ

    @kalu: oh that's great. Could you please let us know your pfSense, squid and squidguard version information? Oh yes, please tell me your squid and squidguard version. Thanks
  • Layer 7 - adding regex

    Locked
    0 Votes
    9 Posts
    10k Views
    Here is a link that was quite informative to me about Layer 7 and protocols: http://l7-filter.sourceforge.net/protocols Of course, some reading about regular expressions is a must. Thanks Google!
  • HOWTO: pfSense 1.2.x Traffic Shaping with Squid Transparent Proxy

    Locked
    0 Votes
    31 Posts
    78k Views
    @argyx - This doesn't work, all HTTP traffic is still getting dumped into qlandef, which by default receives 1% bandwidth from the wizard.
  • Traffic shaping error on startup

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Lan and vpn and voip

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    As I anticipated might happen, I figured it out through trial-and-error. I have limited understanding of linux/unix/freebsd, and with the limited info I found (the definitive pfSense guide and http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter) I couldn't figure it out. Sure enough it's THIS simple: set up two limiters (as suggested), apply them to a firewall rule (I did it to LAN). I knew that; however, there are a few catches a newbie like me didn't catch: 1) you cannot set the Destination to WAN address (I believe because it will then pump it through WAN, bypassing the virtual dummynet limiters); 2) you HAVE to put the rule ABOVE the 'Default allow LAN to any' rule. Either that or simply modify that existing rule to add the in/out limiters. I was pulling my hair out. Sure enough it IS working the 3rd way I described above, where two or more people cannot reach past the set limiter. Right now I am testing the schedule-based aspect of this, crossing my fingers. I am sure some more knowledgeable people are giggling at me. If anyone wants to chime in on the best way to set up some kind of content filter (without changing our existing DNS system) through pfSense, my ears are open wide!

    Also, note to admins again: Broken link: http://files.pfsense.org/tutorials/squidguard/squidGuardQuick.htm on the main tutorial page: http://doc.pfsense.org/index.php/Tutorials

    Side note to people using the schedules: you can't use a space in the name; it took me like 5 min to figure out why it didn't like mine.
  • Hopefully easy QOS/TrafficShaper question for the masters….

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit speed of one PC when others require Internet

    Locked
    0 Votes
    5 Posts
    3k Views
    You can run the traffic shaper wizard and select PRIQ as the algorithm, and punch in your upload and download speeds (actual, not rated) accordingly. Run through everything (no need to check anything). You should have a simple PRIQ parent queue for WAN and for LAN.

    Go to Firewall -> Traffic Shaper. Click 'LAN'. Click 'Add New Queue'. Set priority to, say, 7. Name it qAck. Add a queue again. Set Priority to 5. Set as Default Queue. Name it qDefault. Add another queue. Set Priority to 1. Name it qLow. Repeat for the WAN tab.

    Now go to Firewall -> Rules. Click the LAN tab. Click the 'e' button beside the 'Default allow LAN to any' rule. Scroll down till you find 'Ackqueue/Queue'. Set to: qAck/qDefault. Click Save. Now click the '+' sign beside the rule. Go to 'Source'. Change from 'LAN subnet' to 'Single Host or Alias'. In the box below, fill in the IP address of the computer to throttle. Scroll down to 'Ackqueue/Queue'. Set to: none/qLow. Rename the Description to 'Throttle Download'. Click Save. In the LAN tab, you will now see both rules. Check the box to the right of 'Throttle Download', then click the Arrow button beside the 'Default allow LAN' rule to move the throttle rule above it. Click Save. This settles the upload throttling.

    Now for download throttling. This gets slightly trickier. Click on the 'Floating Rules' tab. Click Add new rule (+ button). Check the 'Apply the action immediately on match' box. Under interface, choose WAN only. Set direction to 'In'. Set Protocol to Any. Set Source to Any. Set Destination to Single host with the IP of the download machine. Go down and set the queues to none/qLow. Set Description to 'Download throttle'. Save the rule. Under floating rules, duplicate this rule. Change Destination to 'LAN subnet'. Go down and set the queues to qAck/qDefault. Set Description to 'Default CatchAll'. Save the rule. No re-ordering is necessary. Just click the Save at the top of the page. That should do the trick.
  • VoIP on MetroE 5U / 5D - Asterisk and pfSense 1.2.3

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.