@Derelict: I didn't see the post about the proxy. If you want to limit traffic to/from specific outside IP addresses I think your only choice is a floating match rule on WAN out to catch the connections being made to those addresses and setting the limiters. In/out will correspond to Upload/Download I think. I think I have had 3 or 4 distinct times where I thought I had a good grasp of limiters, but each time the level of confusion grows in a brand-new exciting way. Networking kryptonite or something.

Best to start your own thread, then we can help you better  :-)

New idea or temporary fix: If I map the whole WLAN traffic to a LAN interface, I could shape this LAN interface instead.

Can a single queue handle both In and Out traffic simultaneously? I think no. If you create "qArb" on both WAN and LAN, you only need to assign traffic once and the returning traffic will find the properly named queue automatically, iirc. I think the Wizard makes use of this method. As a general rule with pfSense, use precise, simple rules to ease later trouble-shooting. Broad rules with superfluous options can create an angry and frustrated admin.

Thanks for the detail - I'll give this a go after I have read it a few times…...! Appreciate your time in response.

I see, thanks for the reply.

@Derelict: The hard part is identifying the traffic.  Limiting identified traffic is pretty easy.  I think most people who go down this rabbit hole are overthinking things. (Facebook bad, google, ok, googlevideo bad, cnn ok).  Fuck it.  Just limit/shape them all and make the internet work. HAHAHA!  I like your attitude!  I am starting to really think in this direction as well!  I have set up limiters (1/2/3Mb/s).  It works, but after I implemented your solution, I am looking at making this more "smove" :) cyber7 And you, Derelict, my dear sir ARE A GENIUS!  Re-Wrote all my Limiters with your specs and WOW, soooo smove! cyber7-out

https://forum.pfsense.org/index.php?topic=96941.msg543955#msg543955 You would, of course, tweak the firewall rule to match any address on the specific ports. If you want a separate pool for each port you'll need to define a different set of limiters for each one. As far as I know if you set the same limiters on different rules they're all pooled together.

the ports I mentioned above are just examples, and yes, I have those ports already listed on the alias page. the ones that you also posted is for steam, dota 2 have these ports according to: http://dev.dota2.com/showthread.php?t=15261 What protocol and ports does Dota 2 use? Dota 2 uses the UDP protocol and communicates on ports 27015 through 28999 to our dedicated servers. By default, your client opens UDP port 27005 or your computer to connect to the game servers. and I have added them also and all is working great for dota 2…, just need some other games which does not post their port(s) on their websites :( but anyways, for my other games, I'll just add the port(s) accordingly and reboot pfsense if needed.

I don't think OP was talking LAG as in link aggregate group.  I think he was talking lag like my gaming session is lagging.

Nope. You want to forget about everything VoIP and OpenVPN and prioritize the tunnel endpoints and the VPN tunnel itself. You will have a firewall rule on the server passing inbound traffic to your OpenVPN server.  Prioritize that traffic using that rule. On the client, you will need a floating rule on WAN out UDP source WAN address dest Remote VPN Server address port OpenVPN port.  Prioritize that using a match rule.

Like any other devices, without any settings, PFSense will forward packets first come first serve at full line rate and let something else worry about congestion.

WFM… [image: 426417-vlcsnap_2011_02_27_21h02m07s131_super_zpsa82ce100.png]

Firewall > Traffic Shaper > Limiter Mask on source address for inbound and and destination address for outbound. There was a walkthrough posted on this very subject a couple days ago.  Look at the posts.

@casper001: yes my friend i configured squid + squidguard and when enable traffic shaper i cound not access anything at all. I am sorry it's may be my mistake but I have read on forum that they can't work on same machine. Same issue with mine…  As soon as shaper enabled, all connectivity is lost. Even from the localhost of the pfsense box. I am running 2.2.4 In-fact after completing the shaper wizard, I go to check the status-queues and nothing is listed.... But when I go to the firewall-traffic shaper they are all listed... Not sure whats going on or why this isnt working. So for now I troll the board and have my shaper disabled. Would love to get it going soon thou!

@KOM: Is there a particular reason you didn't address my last comment?  You're not going to make many friends here if that's the way you treat people who try to help you, and slamming ESF/pfSense because I couldn't come up with a fix for your squid problem is just unfair and unnecessary. @KOM Please see my reply on this matter in topic: https://forum.pfsense.org/index.php?topic=97108.0 … The topic in hand has nothing to do with squid cyber7-out ps - You will see that your last comment was addressed factually...

Oh it is the IP of a LAN client for testing purposes. Goal is to create an alias of several client IPs for this rule if successful.

If you want to limit wan traffic to a specific site, you can also have a look at my Definitive Guide to Limit Facebook traffic: https://aubreykloppers.wordpress.com/2015/07/22/pfsense-and-shaping-facebook-the-definitive-guide/ It really works and it works well! cyber7-out