Just add the shaping to port 21 and it will apply the same to the data channels.

I need exactly the same thing. I am very interested to know. Last I had an issue with Traffic Shaper no one was able to help and seemed to me that TS is broken in version 1.2.3. I am hoping someone answer this. If not possible to traffic shape based on the NIC port then is it possible to traffic shape based on the destination IP? (*sorry don't mean to hijake the question and I am hoping someone answere something….) Thanks

In pftop, Queue View (#8) shows actual traffic amount in individual queues and Rule View (#6) shows traffic amount by individual rules so that they should tell you whether the shaping takes its effect and also how accurate it is.

Thanks for the replies.. very interesting.. I will definately give this a shot and see how it goes.. As a small WISP starting up, bandwidth here is so expensive that i must oversell to cover costs, so i need all the help i can get so that a few users dont take all the bandwidth.. Obviously in time and the more bandwidth i purchase gets cheaper, i can do this less and less, but for now i have to.

Sooo I guess that is my answer…. From what I have read inbound shaping doesn't work and can cause more congestion. The way to go would be restrict all net from HQ, upgrade Internet bandwidth or get anothe 1.5Mbps DSL and route all VPN down one of the pipes, dedicated. Am I right?

first of all l7 filtering isn't working with rc1, try rc3, and check this site for explanation of each filter: http://l7-filter.sourceforge.net/protocols your best bet to limit videos over http is to use squid transparently with delay pools for .swf, .flv .avi … etc

Did you ever use the shaper before? If you have never used the shaper, you have no shaper config, so it's safe to proceed. Also you should be on at least 1.2.3. 1.2.2 is quite old and no longer supported.

To elaborate, when limiting downloads you are effectively just dumping packets that are coming your way and hoping that the applications involved actually notice that there are issues and throttle back on the speed when negotiating with the host. So setting a 5Mb hard limit won't result in 5Mb heading your way on the WAN side.  It's actually higher than that because the applications involved will request a re-transmit of the data that is dumped until the speed throttles back to an acceptable level. In the worst case where the application or the host does not care, the result is actually a snowball effect where you get the transmitted packets and a duplicate of the packets that were dumped heading your way.  This ends up saturating your line even further.

It's a real time tool but it does have a lot of options. I'm not convinced speedtest.net is the best tool. It is able to combine feeds from several wans though if you are testing a loadbalancing setup. I don't know how many clients you have or how much profit you are hoping to make (if any) but it might be worth getting some assistance from bsdperimeter. It's all good learning experience!  :) Steve

@zephxiii: I'm still wondering on what tweaks that can be done to prioritize NNTP lower than other traffic when other traffic is happening (like Netflix) but yet still have NNTP max out the connect when it isn't in use. Was wondering if the priority level set has any affect on that etc. If you're using HSFC, put NNTP ino qOthersLow and HTTP in qOtherDefault should do it. Priority is almost irrelevant for HFSC. Try playing with bandwidth instead. The bandwidth setting depends on what traffics go there. Normally qOthersDefault should be reserved primarily for Web and qOthersLow for NNTP, mails and other bulk downloads. Then the suitable bandwidth for qOthersLow and qOthersDefault would be around 10% and 20% respectively.

You can do that with the squidGuard package on top of squid. It lets you setup ACLs to match groups of IPs, and lists of sites can be set to pass/block based on the members of those groups. There are several tutorials here on the forum and wiki for setting up squidGuard.

I see, my intention was to run everything on that box (a firewall, gateway and seedbox) and my idea was to catch all the traffic from the seedbox using an alias IP and then set it to go to the P2P traffic shaping queue but the filter can't catch the traffic going out the WAN on the box itself, wether its an alias IP or the real lan IP, just any upload or traffic going out the WAN iface initiated from the pfsense box itself is bypassing the traffic shaper according to my tests. It does works with incoming traffic, i can see the incoming packets to the alias IP being caught and queued into the P2P queue, but unfortunately it seems it doesn't work the other way for outgoing packets. So, i guess i'll have to think on doing this in some other way, perhaps deploying pfsense using vmware ESX or some other virtualization technology so i'd run pfsense + a separate OS on the same box to get the seedbox traffic shaped. Thanks again for clearing up this :)

It does not seem like your traffic shaper is even initialized properly. Have you tried re-running the shaper wizard? If all else fails, you can set the queues and rules manually.