The snort tagging would be only useful if snort is put inline. Furthermore the encryption of torrent will just make it impossible for snort as well to detect it.

Ideally you should use the traffic shaper, to ensure that business traffic gets priority over bulk downloads, instead of using a hard bandwidth cap via the CP limiters. It's also a decision between favoring best utilization of bandwidth vs consistency. Anyway, the biggest problem with P2P traffic is that it's quite difficult to identify (in order proceed to the next step of limiting it).

If CAP is captive portal you do not need subnets, just include your Mac on bypass list.

I should mention that I didn't create the video, that was somebody on DSLReports, but he did such a good job of it I had to share it here.

@clarknova: When you create a shaper rule on the floating interface without the quick option, the rule will apply to any matched packet and the packet will continue to be compared to your firewall rules for a match. Rules on the non-floating interface are implicitly quick, so if your packet matches a floating rule and some other firewall rule, both rules will normally apply. Thanks for your advice here. I keep trying to make the floating interface rules work, but it's just not showing up for me. I create limited with no mask so they will apply to all traffic rather than create one queue per address, then I create a floating rule with pass or queue policy (doesn't seem to matter), setting an interface (WAN or one of the LANs), a direction, and selecting limiters in in/out in the advanced section. I reset the states to wipe out any existing connections, and look in the limiter info page. I don't see buckets getting filled in as I do for the rules on a fixed interface with a source or dest mask in the limiter. Any ideas what I'm doing wrong? Thanks,     - Tim.

@KurianOfBorg: I found it too much of hassle to define outbound rules for games. Only inbound ports are properly documented. You might as well make a pass-all exception for your IP address/MAC address since if you're playing games on the workstation, it's already been "compromised" with stuff running with administrative access. You really only need to have one port opened by Origin to allow full connectivity for BF3. You shouldn't need to physically open all the ports they require. The ports I have listed above do seem to work for outgoing. I have allowed 3 additional port ranges for "incoming" now so all BF3 QoS traffic is prioritized (to my best guess). Remember this is QoS, not actually physically opening ports. EA uPnp Port: 3659 keep state udp xxx.xx.x.xx EA Tunnel Additional Incoming Ports: UDP * 25200 - 25300 * * * qGames TCP * 42127 * * * qACK/qGames TCP * 9988 * * * qACK/qGames

Run the traffic shaping wizard. About the third or forth page in you will have the option to set different protocols to different priorities - high, normal, and low. Change NNTP to low.

bump

well, ever since I enabled the flag, ECN tests work.  Without this set, even with ECN enabled in traffic shaper, ECN tests fail.  Perhaps it should be force set if enabled in traffic shaper.

Remember that only the traffic that comes from squid's cache will be marked. So you have to keep an eye at squid's log (tail -f /var/log/squid/access.log) to see if cache HIT are sent with appropriate tos (using tcpdump). It worked as expected when I tested it a few months ago.

@ermal: The skype pattern is not correct and needs to be fixed. I noted this quite late so you have to edit or create a custom pattern for it to work. Hi ermal, I do not use skype in layer 7. So is there another pattern which is not correct or is it another problem ? Is there any other way to find out which pattern makes the problem instead of just select and unselect one ? Thanks