AS KOM said PRIQ is pretty easy to setup and understand.  Seems like a good fit for what you want to do.  The wizard is 1 size fits some, so be aware of that.  It will get you a basic setup from which to start however. My advice is to make aliases for the different server/service/ip's.  That way if anything changes you don't have to muck with the fw rules, you only need to change the alias entries.

@lordkitsuna: @Derelict: Set bandwidth and link share (m2) to the same value. Thanks so much i now have it working and everything behaves as expected. My torrents can take up the speed when nothing is going on but as soon as i start playing games they get dialed back enough that my games ping remains unaffected. Awesome.

Unless I have something configured somewhere that I'm not seeing that is causing this, it would seem to be bug.

Yep…sounds like a plan!  8)

+karma for a fast and thorough response - thanks! I want to limit the combined download to 20 mbps and upload to 5 mbps. I'm not sure what or how many devices will be active, so I currently have an alias set for all my devices called "famUp." With your guide, I think I've got what I need. I'll know for sure when they move in tomorrow! Thanks again.

@KOM: pfSense has supported that NIC since last year, so you should be fine I would think. Everything appears to be working correctly.  Had to up the mbuf settings but that seems to be the only issue so far.

Depends on the office.  Some could get by with only HTTP/HTTPS.  Others with VoIP phones may need a whole range if ports.  You have to think about things like external time servers using NTP.  Open up a few known ports and block everything else, then wait for someone to complain that something isn't working.  Figure out what's being blocked and write a rule for it to make the broken app work again.  Rinse, repeat.

Does anyone have any guidance on this question?

Any ideas, anyone?

Yes, if VoIP is all you care about at the moment then you are done.  Your PRIQ shaper will always give priority to qVoIP.  I've also been in the game for a long time and didn't have to worry about traffic shaping until recently.  The emergence of time-critical network VoIP traffic combined with client bandwidth hogs means you're going to have to at least get your feet wet.

Yeah, will do as soon users are not on it, it's a production system, so I'm using stable config for the moment.

@sideout: I think however you are going to want to have the default queue NOT be under qInternet and be another queue under the LAN. I have a floating rule that catch all traffic between interfaces, I don't want/need to shape traffic between interfaces. Thanks for your insight! Regards

I second KOM for voip traffic PRIQ is much easier to config and use.  There are a couple of threads here on how to configure it but it is pretty straight forward.  It works great in my setup where I value voip traffic over everything else. here is my setup https://forum.pfsense.org/index.php?topic=79149.msg432062#msg432062

@RobEmery: This is pretty much what we have currently; however we (I don't really understand why) have to put a different limiter (VPN_UP, VPN_DOWN) on the IPSec interface, otherwise it looks like it gets double-shaped and we seem to be only able to pull about 4MBit (when all the limits are set to 10MBit). Ideally I'd like to just sort of go bang 1 or 2 rules that applies a 10MBit limit to the WAN in both directions; including all IPSec traffic etc hopefully the queues can do this? Did you check if you're indeed double shaping though? i.e.  You're shaping both within the tunnel and the tunnel itself (WAN traffic) because your tunnel is caught in the WAN rules and the traffic in the tunnel itself is also caught in another set of rules.

I have nothing set under advanced, thought I would start with the basic. Transferring at 200Mbps the CPU is at 36% so that should not be a problem.  Others with the same box report it doing much faster speeds than that.  I actually want the limit on as I don't want spikes to 1000Mpbs, limiting my spikes to 200Mpbs is good for my use. I actually have no complaint about the performance of the box when the limiter is on.  I just am baffled why it performs so badly when there is no limiter in place. I plan to leave the limiter enabled and send it off to the datacenter.  Odds are good that the problem is something in my lab setup and the box is fine.

did you get this to work this is what i am trying to figure out and want to do it by mac address so that things like the ps3 can sign on easily but not go over 5 gigs a day