As far as i know, in PFsense u can only set speed limits with either captive portal or limiters. However if u need quota management, pfsense can't do it therefore u shall get something like daloradius and map it to pfsense to handle user and quota management. (server farm in ur house) :D

update 1 to be sure it is not related to squid . i used uTorrent to download some files which off-course will not go thoruth the squid  and yet the limiter didnot work. by the way the rule created in firewall is for any for source/dest/ports/TCP-UDP

This is driving me mad …. All the different traffic flows are being sent to the proper queues based on the related rules, that is a fact. But beyond that, it seems that the queues respective priority is not taken in account  :( -> I added the following rule in order to prioritize ICMP traffic Proto    Source            Port Destination Port Gateway Queue ICMP     high_priority_pc1 *    *           *    *       qVoIP -> without any traffic on the line, ping requests to external IP is around 40ms. -> with download traffic originating from low_priority_pc2, average ping requests response time is around 150ms , despite being passed to the highest priority (7) queue. I'm lost ….

pfsense is mostly using ALTQ (check http://en.wikipedia.org/wiki/ALTQ http://www.freebsd.org/doc/handbook/firewalls-pf.html ) and to a lesser extent, dummynet.

It's not possible to do in any meaningful way. Using a hostname is possible in an alias, but for most large web sites, the IPs returned by DNS change often or are randomized. So the firewall would be tracking one IP thinking it's that site, when really it's another one entirely. It may be possible with squid, but I don't know for sure. Someone else may know better on that part.

dhatz, Thank You much for the link you provided. I am in a  big learning curve on the traffic shaping gig. I am trying to get my head around looking at the queues in the rrd graphs,trying to decypher what the meaning of this translates to. OK, You made a good point. The ip phones are in fact on a seperate vlan aside from actual PC's so what you are suggesting sounds like a plan. I am going to give my generic traffic shaper setup,,,for ONLY voip,and as I mentioned earlier the voip tab does in fact have an entry for the Panasonic TDA phones,which are what we have at both building,so fingers crossed this may work out. In a weeks time if nothing has improved I will go to plan b with your 'by ip range' setup Take Care, Barry

The snort tagging would be only useful if snort is put inline. Furthermore the encryption of torrent will just make it impossible for snort as well to detect it.

Ideally you should use the traffic shaper, to ensure that business traffic gets priority over bulk downloads, instead of using a hard bandwidth cap via the CP limiters. It's also a decision between favoring best utilization of bandwidth vs consistency. Anyway, the biggest problem with P2P traffic is that it's quite difficult to identify (in order proceed to the next step of limiting it).

If CAP is captive portal you do not need subnets, just include your Mac on bypass list.

I should mention that I didn't create the video, that was somebody on DSLReports, but he did such a good job of it I had to share it here.