I am just starting to try to configure the traffic shaping properly.  This is a question I would be interested to find out more about as well.  Finding it more difficult than I expected to get things into the correct queue. I'm mostly concerned with getting voip higher priority than other traffic, and making sure that torrents don't clobber anything else, this is just a home connection.

A quick update… I've had this enabled for a few weeks now, with a couple of hundred users a day, over a dozen sites - no complaints received so far. Final parameters used were 1Kbit/s source address, 50ms delay. I'll stress again though - this will not prevent DNS tunnelling, it will only slow it, hopefully to the point where abusers will move on and find another target.

FYI, the above is correct, it's only that changes are applied to new connections, ie if you have an endless ping running you don't see the changes (in latency for example) in realtime. Stop the ping, wait a few seconds and restart the ping  :-[

Floating rules are an area generally used to MATCH traffic.  The LAN, WAN and VPN tabs are where PASS or BLOCK rules are kept.  PASS rules are one way.  If you want your rule to pass traffic from LAN > WAN then put your PASS "allow all" rule in the LAN tab rather than the FLOATING tab.

Any traffic not matching a rule will automatically go to the default queue.  Change the default rule "checkbox" from qP2P to qDefault is step #1.  Can only have one default queue.  Step #2 is reviewing your rules that they are getting hits rather than going to the default queue.

@markn62: I don't believe you can shape across a bridge.  You likely need to remove the bridge and re-run the shaping wizard. You certainly can shape on a bridge. In fact, that's the only way I know to propely handle a multi-LAN scenario EDIT: I mean, you can shape on a bridge composed by two LANs, towards a WAN. I don't know, but I don't think you can shape if you have LAN and WAN as a bridge

Multi-LAN does not really play well with the shaper, currently. The only way (as far as I know) to handle multi-LAN properly would be to create a bridge with all the interfaces and apply the shaper to it. If you do that, although all LANs will be on the same subnet, you can still somewhat filter traffic between them (by activating the proper system tunables). Anyway, bridging sounds exactly like you want. And "guaranteeing bandwith" makes me think of HFSC  ;)

Thank you.

Thank you all supermega, shinzo and kejianshi for your kind suggestions, but I haven't solved the problem. I looked at the tuning cards link but it didn't have the cards I'm using (re and msk cards). I also tried shinzo's suggestions but it wasn't able to limit. It went wide open to 20Mbps/6Mbps. (I tried both net.link.bridge.pfil_bridge=1 and 0). I've tried different permutations of putting limiters on LAN/WAN/OPT1 or pairs of child queues on both LAN/WAN to no avail. I also changed cables and added another brand new NIC card and tried different permutations of interface assignments to no avail. If I disable all the rules (pfctl -d), the upload speed becomes normal (6Mbps), so I think it might a problem with my rules/settings/pfSense (probably not hardware). I'm open to more suggestions, thank you all again, much appreciated!!

You should be able to do it with a HFSC scheduler

Great, that's what I hoped it meant from looking at the raw rules

Without shaping the entire traffic from everyone, you cannot shape a subset of the LAN. Shaping works by dropping / queueing packets. This can't work unless all traffic is classified. Once you have basic rules in place, you can create further rules for specific IP addresses. Either way you need to completely understand HFSC and how the queues work or you'll fail to get it working.

@shawniverson: Most definitely!  I am using both and it is working great.  No special/unusual configuration needed (in some cases) Here's a sticky post that may help: http://forum.pfsense.org/index.php/topic,14436.msg76415.html#msg76415 Do you know if that sticky is still relevant with pfSense 2.1 ? –--------- The easy way Traffic Shaping with Squid Transparent Proxy Add under Firewall Rules Action = Pass Interface= LAN Source= LAN subnet Protocol = TCP Source = LAN Destination = any Destination port range = (Squid Proxy port) eg. 3128

Just an update, go this working by moving the rule to the LAN tab used the ack queue for SSH interactive and used the main queue for SCP $ cat /tmp/rules.debug <snip>pass  in  quick  on $LAN  proto { tcp udp }  from any to any port 22  keep state  queue (qP2P,qOthersHigh)  dnpipe ( 4, 3)  label "USER_RULE: Prioritise SSH not SCP traffic"</snip>

Burst speed after being idle perhaps? In 2.1 theres an option to state normal speed and a burst speed when its been idle which might be what you are seeing, hence the above.

Yeah, ever since I have upgraded to 2.1-Rel my PRIQ queues just don't make sense. They show crazy numbers, sometimes in the Gb range, they take a minute or two to stabilize to real numbers. Like a VOIP queue should show roughly 50pps/64Kbits + 10% overhead or so per call. It used to show that pretty much instantly when a call was started in 2.0.X. Now it takes a minute for it to even crawl up to 64kbits.

Hi CSBS Please post a bug report. I have tried but could not back my findings up with fact so it was rejected. Sounds like you have good evidence. Else 2.1 final is out… you can try to upgrade if you dare upgrade your production router. Interesting to head if bug exist in 2.1 or if it is solved.