• VOIP Provider field - really have to be an IP address?

    3
    0 Votes
    3 Posts
    900 Views
    C
    Yep…sounds like a plan!  8)
  • Traffic Shaping by WAP or for a group pool?

    3
    0 Votes
    3 Posts
    852 Views
    C
    +karma for a fast and thorough response - thanks! I want to limit the combined download to 20 mbps and upload to 5 mbps. I'm not sure what or how many devices will be active, so I currently have an alias set for all my devices called "famUp." With your guide, I think I've got what I need. I'll know for sure when they move in tomorrow! Thanks again.
  • Traffic Shaping and Squid

    1
    0 Votes
    1 Posts
    799 Views
    No one has replied
  • Is the thread on ACK queues on asymmetric link obsolete?

    1
    0 Votes
    1 Posts
    729 Views
    No one has replied
  • 0 Votes
    1 Posts
    738 Views
    No one has replied
  • Traffic shaping with the intel i354 working?

    3
    0 Votes
    3 Posts
    1k Views
    B
    @KOM: pfSense has supported that NIC since last year, so you should be fine I would think. Everything appears to be working correctly.  Had to up the mbuf settings but that seems to be the only issue so far.
  • Peer to peer apps blocking

    10
    0 Votes
    10 Posts
    2k Views
    KOMK
    Depends on the office.  Some could get by with only HTTP/HTTPS.  Others with VoIP phones may need a whole range of ports.  You have to think about things like external time servers using NTP.  Open up a few known ports and block everything else, then wait for someone to complain that something isn't working.  Figure out what's being blocked and write a rule for it to make the broken app work again.  Rinse, repeat.
  • Need help setting priorities for different Vlans

    2
    0 Votes
    2 Posts
    914 Views
    B
    Does anyone have any guidance on this question?
  • Why is bandwidth limited on LAN

    3
    0 Votes
    3 Posts
    1k Views
    J
    Any ideas, anyone?
  • QAck Queue Not Seeing any Traffic?

    6
    0 Votes
    6 Posts
    1k Views
    KOMK
    Yes, if VoIP is all you care about at the moment then you are done.  Your PRIQ shaper will always give priority to qVoIP.  I've also been in the game for a long time and didn't have to worry about traffic shaping until recently.  The emergence of time-critical network VoIP traffic combined with client bandwidth hogs means you're going to have to at least get your feet wet.
  • [BUG?] Problem when creating queue groups in LAN interface

    3
    0 Votes
    3 Posts
    810 Views
    O
    Yeah, will do as soon as users are not on it, it's a production system, so I'm using stable config for the moment.
  • HFSC Shape Between Interfaces

    8
    0 Votes
    8 Posts
    2k Views
    M
    @sideout: I think however you are going to want to have the default queue NOT be under qInternet and be another queue under the LAN. I have a floating rule that catches all traffic between interfaces, I don't want/need to shape traffic between interfaces. Thanks for your insight! Regards
  • There were error(s) loading the rules

    1
    0 Votes
    1 Posts
    685 Views
    No one has replied
  • VoIP, Traffic Shaper, QoS, HFSC (my head is spinning)

    3
    0 Votes
    3 Posts
    3k Views
    B
    I second KOM: for VoIP traffic, PRIQ is much easier to config and use.  There are a couple of threads here on how to configure it but it is pretty straightforward.  It works great in my setup where I value VoIP traffic over everything else. Here is my setup: https://forum.pfsense.org/index.php?topic=79149.msg432062#msg432062
  • IPSec + WAN Limiters

    8
    0 Votes
    8 Posts
    4k Views
    D
    @RobEmery: This is pretty much what we have currently; however we (I don't really understand why) have to put a different limiter (VPN_UP, VPN_DOWN) on the IPSec interface, otherwise it looks like it gets double-shaped and we seem to be only able to pull about 4MBit (when all the limits are set to 10MBit). Ideally I'd like to just sort of go bang 1 or 2 rules that applies a 10MBit limit to the WAN in both directions; including all IPSec traffic etc hopefully the queues can do this? Did you check if you're indeed double shaping though? i.e.  You're shaping both within the tunnel and the tunnel itself (WAN traffic) because your tunnel is caught in the WAN rules and the traffic in the tunnel itself is also caught in another set of rules.
  • Traffic Limit Speeds Up Transfer Rates!

    7
    0 Votes
    7 Posts
    2k Views
    G
    I have nothing set under advanced, thought I would start with the basic. Transferring at 200Mbps the CPU is at 36% so that should not be a problem.  Others with the same box report it doing much faster speeds than that.  I actually want the limit on as I don't want spikes to 1000Mbps, limiting my spikes to 200Mbps is good for my use. I actually have no complaint about the performance of the box when the limiter is on.  I just am baffled why it performs so badly when there is no limiter in place. I plan to leave the limiter enabled and send it off to the datacenter.  Odds are good that the problem is something in my lab setup and the box is fine.
  • Limit 'Amount of Download and Upload Traffic' in freeradius

    4
    0 Votes
    4 Posts
    3k Views
    G
    Did you get this to work? This is what I am trying to figure out, and I want to do it by MAC address so that things like the PS3 can sign on easily but not go over 5 gigs a day.
  • Bandwidth Control (Limiters) on Port-Forwarded Traffic

    2
    0 Votes
    2 Posts
    2k Views
    L
    --- LONGER VERSION --- I thought it would not be that hard and tried to implement it using limiters, but that did not work. Right now I have a server on my LAN side listening on a specific port. I have a NAT port-forward rule to redirect traffic with that specific port from the WAN interface, to the server on the LAN interface. Everything works perfectly fine except that I have a home internet package in which the upload speed is a lot lower compared to the download speed, and just a few clients connecting to the server could easily fill up the upload bandwidth. Ideally I want to limit connections to 500 kbps (both download and upload) PER CLIENT connecting to the server. I went ahead with using limiters because I am also using limiters to control bandwidth for LAN to internet traffic, and they work without any problem. For the LAN to internet bandwidth control, I have an UploadPipe (mask the source address), and a DownloadPipe (mask the destination address). The firewall rule that allows traffic from LAN to the internet has advanced features set for the In/Out queue with UploadPipe/DownloadPipe. This allows each device on the LAN network to have its own bandwidth control. I thought the same effect where each client connecting from the internet to the local server having their own bandwidth control could be achieved easily using the same idea, but applying it on the WAN interface. I set up 2 pipes – ServerInbound (mask source address), and ServerOutbound (mask destination address). And on the auto-generated NAT port-forward rule, I set the In/Out queue to ServerInbound/ServerOutbound. It did not work. I tried to connect to the server from outside and there was no response. I set the In/Out back to none/none, and I was able to connect to the server successfully like before. Setting the In/Out to ServerInbound/none also worked, but this only limited the server’s download speed (client’s upload), which would not solve my initial problem.
I set the In/Out back to ServerInbound/ServerOutbound and did packet dumping on the server. When I tried to connect to the server from my computer on the internet, SYN packets from the computer appeared in the dump, and SYN ACK packets from the server to the computer also appeared. I checked the firewall log, the traffic was passed to the server, but the packets going back out were dropped. What I don’t understand is that for the incoming traffic, the source and destination is shown as: Source Destination [Internet-Device-IP]:[Random-Port] [Server-LAN-Address]:[Server-Port] However, the dropped traffic shows Source Destination [pfSense-WAN-Address]:[Server-Port] [Internet-Device-IP]:[Random-Port] I don’t know if this is normal or has anything to do with it being dropped, but I was expecting the source to be [Server-LAN-Address]:[Server-Port] so I thought that was strange and could be something to consider. Also, according to pfSense, the rules that triggered the drop were: @4 scrub on pppoe0 all fragment reassemble @4 block drop out log inet all label “Default deny rule IPv4” If I understand how pfSense firewall works correctly, the second line means that the traffic did not match any rule so it got denied by the default policy – but this did not happen without the limiters set, so why would having limiters change how rules are applied? I checked the state table and there were 2 states with status CLOSED:SYN_SENT and ESTABLISHED:SYN_SENT for the internet device to the server with that port, so there could not have been a problem with states either. Does it have anything to do with the nature of the limiters – a limit of the limiter maybe? Or am I doing anything wrong? Basically I couldn’t connect to the server because the request was sent but the reply got dropped by the pfSense. What is going on? If anyone knows an answer to this and could clear up my understanding of how this whole thing works I would appreciate it very much.
If my initial problem of limiting clients’ connections to the server could be implemented in any other ways (a more correct way perhaps?) please tell me! The --- LONGER VERSION --- section is just me being curious why my method did not work and trying to understand how pfSense works. Thank you in advance!
  • Limit single hosts bandwidth through IPSEC tunnel 2.1.4

    5
    0 Votes
    5 Posts
    2k Views
    KOMK
    Usually you open it up to allow initial synchronization, and then throttle it back for incrementals.  He needs to determine the size of the dataset he's sending per day and then break it down to see how much bandwidth he has to play with, how much he can dedicate to the backup job, and how long it will take at that rate.  Then he can craft a limiter that gives it just enough bandwidth to complete the daily job in the allotted time.
  • Firewall rules, Traffic shaping, LAN vs WAN & In vs Out

    19
    0 Votes
    19 Posts
    8k Views
    G
    @vindenesen: @georgeman: … shaping multi-LAN does not work as you expect. For reasons and an explanation on how the shaper works, check this post I have just written. Regards! Sorry if this is considered hijacking a thread, but just one small question: Does this apply to all shaping disciplines? I'm considering using the PRIQ shaper in a LAN party (which will have multiple subnets/VLANs) to prioritize gaming and other important traffic to/from the Internet. The Internet connection speed will be 1Gbps, if that makes any difference. Yes, it is the same for any scheduler since this is originated from the fact that you cannot have the same queue applying to multiple interfaces simultaneously. Since download is "shaped" (and I put it in between quotes because you cannot really shape download, but do some TCP based tricks) on the LAN side, you are actually having multiple download pipes not communicating with each other
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.