• A good PRIQ Howto?

    20
    0 Votes
    20 Posts
    11k Views
    M
    @sideout:
    1.) The config files you provided. Shaper config appears to be the shaper queues, filter config appears to be the supporting firewall rules, but what is aliases? Seriously you don't know what aliases are after reading the tab in PFSense?
    2.) When setting up HFSC you need to tell it how much bandwidth you have up and down to make sure that prioritization occurs locally, rather than remotely. I can't seem to find where this setting is in your PRIQ example. Is it not required for PRIQ? Only one of your queues has a "Queue limit" of 500, and it is qLink, which doesn't appear to be assigned to anything in rules. Multiple forums post on this - HFSC does not use the priority setting but the wizard puts it in there. Also if you look at all the check marks on qLink you would see it is the default queue on the LAN interface so you would know that typically if there is not a rule allowing or disallowing something then it goes to the default rule.
    3.) I'm gathering from your rules that traffic rules should be floating rules? What is a floating rule? Again - you don't know what a floating rule is after reading the tab in PFSense? Plus if you went here https://doc.pfsense.org/index.php/Category:Firewall_Rules then you will see the very same question you asked answered already.
    4.) Some of your queues are assigned to WAN and some to LAN. Does this correspond to incoming and outgoing traffic? Which is which? If I had to wager a guess upstream would be on the LAN side and downstream on the WAN side. Is this correct? All the queues on the floating rules tab should be assigned to the WAN interface only. There are specific rules that get assigned to the LAN for things like the limiter.
    5.) Clicking through all of your queues, I can't seem to find where I tell the queue if it is HFSC or PRIQ? How do I define this? Again you can only have HFSC or PRIQ not both. That is defined on the interface so if you go under Traffic Shaping and read what the drop down box says, you know what you have set.
    6.) Do you recommend starting with the wizard and modifying the queues as needed from there, or creating them manually? I recommend creating them manually unless you don't know what you are doing then start with the wizard and choose a very basic simple setup and modify it from there.
    7.) I can see how I can assign hosts to each queue using rules. How do I tell the system to send all other clients that have not been manually assigned to a "Default client" queue? Is it just like other firewall rules, where I create an ALL rule at the bottom, that assigns everything that hasn't been otherwise specified to my "default" queue? https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    8.) In your example, you have specified UDP or TCP for all of your rules. Is there any reason I can't just tell it to apply to all protocols for the specific host? In my experience I have found that using a combo rule for TCP/UDP with HFSC shaping does not work that well in high packet situations. I prefer to separate them as when using floating rules with TCP you need to define qACK but with UDP you do not need qACK.
    9.) It would seem all of your rules are associated with the WAN interface. Some specify the source and some the destination. I'd imagine that this is to create rules for upstream and downstream for each. Is that accurate? I would have expected based on the observation in #4 above, that downstream would need to be assigned to WAN, and upstream to LAN. Is this not the case? https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    Thank you. I do appreciate you taking the time, and having a little patience with me. I think part of my problem is a terminology gap. Been doing a lot of googling and browsing around the pfsense documentation, but obviously not for the right terms! This - hopefully - should point me to the right reading to understand all of this. Thanks!
  • Graphs from latest LAN party

    6
    0 Votes
    6 Posts
    5k Views
    S
    Final Graphs.
  • How to prioritize non-p2p when required

    2
    0 Votes
    2 Posts
    1k Views
    M
    The greatest difficulty lies in properly identifying p2p traffic, by which I assume you mean bittorrent. It will just move to any allowed port. The fact you have it on only one PC does make shaping/prioritizing possible though. The two ways you can go about it are: use the Traffic Shaper Wizard and create a PRIQ shaper, then make a floating rule to place all traffic for that p2p PC's IP in the p2p or low priority queue. If it is the only PC using the internet it would be using all your bandwidth. As other PCs started surfing etc. their traffic would get priority over the p2p PC. Alternatively, set up a limiter to evenly share the bandwidth among each PC actively using the internet. Only one PC on? It gets all of it. Two? Each gets 1/2 etc. Follow this thread to set it up: https://forum.pfsense.org/index.php?topic=63531.msg364520#msg364520 You can also combine both methods as well, which would grant even more control and likely a better experience for those surfing when a p2p download was occurring.
  • Rule to assign all traffic based on ip address?

    2
    0 Votes
    2 Posts
    761 Views
    jimpJ
    Your rule is on WAN – NAT happens before firewall rules, including outbound NAT. The private IP you referenced is not visible in outbound WAN rules since it has been translated by the time the rule is processed. To match that you would need to do so inbound on the LAN interface and not outbound on WAN.
  • PRIQ QoS on HTTP/HTTPS with squid transparent proxy enabled

    2
    0 Votes
    2 Posts
    971 Views
    X
    Anyone?
  • Simple Traffic priorisation

    1
    0 Votes
    1 Posts
    902 Views
    No one has replied
  • How to limit total bandwidth per interface AND limit by individual IP ?

    9
    0 Votes
    9 Posts
    17k Views
    Z
    Hello all. I want to ask you something. I have this scenario: I want to set up a pfSense box only for QoS purposes with 2 NICs, WAN & LAN, but these 2 are bridged in br0, so WAN & LAN don't have an IP, only br0. I'm trying to limit my hosts' download & upload speed with queues, and every host has a different speed limit. I make the first queue on br0 with my ISP speed limit and then 1 child for download and another for upload, and in these 2 I make children for every host, down and up. But where do I have to create the rules, in br0 or where? Sorry for my English. Thanks
  • 0 Votes
    8 Posts
    3k Views
    DerelictD
    When you leave the bandwidth empty on the interface, the shaper gets the bandwidth from the link speed (10/100/1000Mbit). If you were to take a gig-e interface and, say, define qLink as 20% and qInternet as 850Mbit, you would have a total of 1050Mbit which is greater than 1000Mbit and would generate the error. As qInternet approaches link speed, the wizard is going to start making mistakes. At least that's how I understand it.
  • Trafice shaping if it working

    1
    0 Votes
    1 Posts
    667 Views
    No one has replied
  • 0 Votes
    6 Posts
    1k Views
    B
    Ok. I've removed the bridge. Same issue. :( According to the docs it should only rate-limit if the queue is congested/contested, right? Like it says I should have 60M for my "high" priority/bandwidth queue. Yet, it seems to be limited around 170M. :(
  • Traffic shaping and causing bandwidth loss?

    2
    0 Votes
    2 Posts
    759 Views
    B
    Strangely I tried this on another piece of hardware at my office it SEEMS to work as expected (15 meg there = 15 meg). Currently tested my home setup again and set it to 300/20.  Speedtest reports 128 down and 17 up.  Remove the traffic shaper and get 300 down. I'm using a bridged lan interface. Could this have something to do with it? I'm setting all of my rules on the bridge.
  • Media Streaming Bypasses Limiter

    1
    0 Votes
    1 Posts
    991 Views
    No one has replied
  • Active congestion control

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How traffic shapping affects squid cashing

    2
    0 Votes
    2 Posts
    901 Views
    E
    You seem to have multiple different questions. To answer the one in your title, traffic shaping basically kills the benefit of squid caching, as it likes to shape the cache hits, which is exactly NOT the desired behavior (at my site, anyway) for items in cache. I've tried shaping and had that happen, so I turned it back off. I've tried a byzantine and poorly documented procedure to try and make cache hits appear to be ACK packets and then give the incoming ACK queue loads of bandwidth (on the assumption that most actual ACK packets are going the other way, so you can get away with that) which sounds nice in theory, but in practice either from being byzantine, or poorly documented, or "darned if I know" it simply blew up and killed all traffic until I rolled the configuration back to a previous save point (be sure to make one before messing with the shaper - you may need it.) It seems like a common enough combination (we cache to improve performance, we also want to Shape/QoS to improve performance) that there ought to be a more functional way to get there - but I haven't found it yet.
  • Add a set of ports/IPs to lowest priority (QoS)

    7
    0 Votes
    7 Posts
    1k Views
    W
    Is it possible to shape traffic of different MAC addresses in the LAN? I find it quite disturbing using IPs as I like to keep DHCP working.
  • TrafficShaping per interface

    1
    0 Votes
    1 Posts
    740 Views
    No one has replied
  • Limiting a single LAN IP's WAN traffic [Solved]

    8
    0 Votes
    8 Posts
    2k Views
    DerelictD
    Sorry for the error.  Glad it's working.
  • Limiter and Captive Portal BW Limit

    1
    0 Votes
    1 Posts
    760 Views
    No one has replied
  • Traffic Shaper - On the fly

    7
    0 Votes
    7 Posts
    1k Views
    DerelictD
    The rule that assigns the queue needs to be placed somewhere where it catches state generation. To shape connections started by LAN clients out to WAN, the best place is probably a floating match rule on WAN out. To shape connections inbound to servers, the best place is usually in the pass rule on WAN that allows the traffic in the first place.
  • Untangle 10.0

    1
    0 Votes
    1 Posts
    783 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.