• Limit bandwidth per network

    4
    0 Votes
    4 Posts
    2k Views
    A
    /24 worked like a charm. :)
  • You can only select a layer7 container for Pass type rules.

    2
    0 Votes
    2 Posts
    2k Views
    C
    I have had challenges of my own trying to queue bittorrent with L7 rules, but my understanding is that you create your L7 rule with a block action. Then you create a firewall pass rule with the L7 filter as target. Even though you are "passing" your torrent traffic, you're just passing it to the L7 rule which should block it. That's my understanding. Like I said, it's untested at this point.
  • Kernel: Bump sched buckets to 256 (was 0)

    3
    0 Votes
    3 Posts
    16k Views
    R
    I got the same error on my screen. I found the reason for this problem: I had made a rule to block an IP from the internet. IP addresses were from the DHCP server. On that client system the user was computer savvy; he gave the IP address manually. When I removed that rule from the firewall, the problem was solved for me; this caused the problem. Check on your side with this example.
  • Limit by VLAN

    2
    0 Votes
    2 Posts
    1k Views
    G
    OK. I will try to expand on this. We currently have 8 clients. Each client is assigned their own vlan 172.30.4.0/27, 172.30.4.32/27 etc. All 8 vlans run over a trunked interface on the firewall. I have created an inbound and an outbound limiter for each of the 8 interfaces. I have then assigned the inbound and outbound limiter to each of the rules for each of the interfaces. So each of them have 8 rules (they are all the same) and I have applied both the inbound and outbound limiter to each rule. Is there a better way to do this? I am sure I read that if I apply the limiter (set to 8MB) to two rules, say, then each rule gets 8MB, not 8MB for the interface. I am trying to figure out: when creating the rule, in the mask section it indicates a source and mask. If I understand this correctly, I can select "source addresses" from the source list and then enter 27 for the mask and this would provide the desired bandwidth limiting. I am in the process of rebuilding one of our firewalls and would like to streamline the configuration if possible. Thanks
  • Traffic Shaping Bandwidth Limit Not working

    11
    0 Votes
    11 Posts
    5k Views
    S
    @georgeman: I would have predicted the opposite, I thought that two simultaneous Speedtests were going to also exceed the limit, when combined. What about two simultaneous downloads, from two different sites? Does that exceed the limit? I found a proper alternative to this, the Captive Portal limiter. It seems to work in a different manner than the FW-rules applied one. I'm guessing it acts as a proxy to a particular MAC-address, and those even torrent won't bother with fiddling with.
  • Traffic Shaping multi lan difficulty

    5
    0 Votes
    5 Posts
    3k Views
    G
    Forget about m1 and d for now. Take m2 as the value you want to set. HFSC works with the same structure as CBQ, so you can use the same values and structure you posted, on linkshare m2. The benefit here will be the possibility of setting realtime values as well (which is a minimum guaranteed bandwidth for the queue)
  • Why can't we get rid of "Bandwith" in HFSC?

    3
    0 Votes
    3 Posts
    1k Views
    G
    Kind of agree, I guess. HFSC is not developed by the pfSense project, but the pfSense code could be tweaked to assign the linkshare m2 value to the HFSC bandwidth in all cases (and also make linkshare m2 a mandatory field)
  • Traffic prioritization based on the destination port / IP

    3
    0 Votes
    3 Posts
    2k Views
    G
    Best way is with floating rules, action match, direction out, and filtering by destination port. Then use the rules to assign queues
  • Traffic shaping and squid

    4
    0 Votes
    4 Posts
    1k Views
    E
    Try this? https://forum.pfsense.org/index.php/topic,62188.msg335842.html#msg335842 Edit, add: As it happens, I finally gave this a try (albeit on a 2.1 system) last night, as my users had managed to offend me sufficiently (MPAA sharing violations - not only do they indicate that users have violated our policies and mean I need to find harsher controls to curb bad behavior, they also irritate the heck out of me…) and while I had some limited effect, I could not get any traffic into the proxy queue nor the http queue. It's all twisty little passages, all alike, in the dark and filled with Grues from a documentation standpoint. After no apparent effect from the linked method, I eventually tried using the layer 7 stuff to identify cache hits and misses and place them in queues, at (roughly) which point everything stopped working and I gave up and reverted to a saved configuration from before I started messing with the poorly documented Shaper. There has got to be a better way to do this, or better documentation of how to do this (that actually works).
  • Throttle down traffic with HFSC after x seconds

    3
    0 Votes
    3 Posts
    1k Views
    K
    The firewall is not connection-aware, it just filters packets. Squid works for HTTP traffic only, but it is connection-aware. I vaguely remember that Squid has some limiting/throttling options, but I have no idea if that would be useful for you.
  • DiffServ Code

    15
    0 Votes
    15 Posts
    6k Views
    K
    I currently have no idea what's going on the "64 bit front". An easy way to spot if my changes are included is to check if the DSCP list (in the WebGUI, Firewall - Rules - add new rule via the plus sign - DiffServ Code Point - Advanced) contains the VA code point.
  • Can minor queue bandwidth changes to CBQ require a state reset

    1
    0 Votes
    1 Posts
    687 Views
    No one has replied
  • Queue for ping packets for packet loss indicator

    10
    0 Votes
    10 Posts
    3k Views
    M
    Not necessarily.  It still should be checked that ICMP's are hitting the appropriate shape bucket.
  • QoS for VOIP made simple

    4
    0 Votes
    4 Posts
    10k Views
    M
    Squid is setup as a transparent proxy which I run HVAP (anti-virus).  I will need to point QoS to manage at the proxy instead.
  • Shaping SkyDrive/Google Drive and cloud backup clones

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • CoDel

    4
    0 Votes
    4 Posts
    2k Views
    S
    New release should happen soon. See https://github.com/pfsense/pfsense/commit/93a79543999602a3b71e8376a6aa6ed46e79af4d
  • Layer7, only option is "action" "block" (no Queue option)?

    3
    0 Votes
    3 Posts
    2k Views
    K
    In the actual firewall rule, in the "Advanced features" section, just above the place where you select your Layer 7 container, is the place to select your "ACK queue" and "regular traffic queue".
  • Limit bandwidth from websites using Limiter and CIDR?

    4
    0 Votes
    4 Posts
    2k Views
    S
    You're welcome!! Yes, using aliases makes it easier when setting up rules and things using IPs and ports. Just don't forget to back them up to your local machine so you have a copy of them and your whole pfSense config as well.
  • Block LAN-Host completely (traffic)

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    No. There isn't any long-term usage tracking that would work in that way. Not with a normal network anyhow. If it were Captive Portal-controlled and with access authenticated by RADIUS, with RADIUS set to track usage and deny access, that might work. I believe there are examples of this elsewhere here on the forum if you search a bit for terms like "captive portal radius bandwidth" you might turn up some relevant hits.
  • Per device daily data limits?

    3
    0 Votes
    3 Posts
    2k Views
    B
    Maybe I shouldn't say this on these forums but have you had a look at Gargoyle (based on OpenWRT)? It seems to be very good at the sort of quotas you're describing. http://www.gargoyle-router.com/index.php Gargoyle is Linux-based but, for future reference, pfSense is FreeBSD-based.  ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.