This works! Thanks Steep! Now, I shape with CatchAll eanbled, limiting almost everything, but VoIP is perfect In and Out :) As it is, PfSense now respond to all my needs, and will impress my colleagues at the Christmas party :D I guess I should write a small tutorial on this. Thanks again!

you dont need a block rule. (see my sig and figure why better not ;) ) just create an allow-rule above your default allow rule with as destination port the port of your VoIP software and as default gateway your WAN you want the traffic to go out.

Your shaping difference per node can not be that different. 1. makes several aliases.. shape256256 = ip or net shape512256 = ip or net shape512512 = ip or net 2. makes several queues for said aliases.. 256-256queue-up 256-256queue-down 512-256queue-up 512-256queue-down 512-512queue-up 512-512queue-down 3. make and prioritize your shaping rules for shaped nodes/networks (put them at the top of all other shaping rules).  This leaves the node/client in charge of port/service queuing (when they saturate their allocated bandwidth it's their problem.) 4. assign static forwarded ports to each client (uPNP is a disaster IMHO) with the alias system as well. (You'll have to make the NAT rules too) ie: forward1 = 34750-34755 forward2 = 34756-34761 I don't think there is any need to put another box in the middle of things, but then again every network is just a little different - so your mileage may vary. just an idea, maybe it helps. This probably won't work if your looking to "Dedicate" bandwidth per node.

(This is from my knowledge of working with pfsense and traffic shaping rules and might not necessarily be accurate, so take it with a grain of salt.) Remember how general firewall/shaping rules work, from specific to less specific. So if the first shaper rules (the ones at the top) are PORT or SERVICE specific, net traffic will be caught in those first and never pass through the other rules. Be careful how you setup your shaping rules, as you will impose limitations if not thought out correctly. ie: If you choose to Shape just a Node (Host) or Network (and put the rule at the top), no other shaping rules will be matched for that connection with other rules your try to specify - It will be caught in the first rule it matches. With all that being said, try putting the Penalty IP shaping rule(s) above everything else, reset your states and test.

What you're likely experiencing is network jitter.  VOIP is realtime transmission so even when all traffic arrives you'll hear moments of silence (choppy sound) as codec is trying to compensate for data which is not there yet.  Some codecs handle jitter better than other so you might want to try a different codec.

Traffic from upnp is not sent to the shaper even when the ip address to which the upnp is pointing has a rule/queue associated with it.  I use pfsense miniupnpd.  I have one address on my network in the "penalty box" and when i enable upnp on utorrent for that address, it will go above my upperlimit.  When i turn off upnp on utorrent and use manual port forwarding the traffic is properly shaped. This may explain why i was having issues with traffic shaping, multiple Xbox 360s and upnp…  if the upnp traffic is not subject to the traffic shaper then all the rules and queues in the world won't prioritize my Xbox 360 gaming traffic over my other traffic!  This is good to know.

Agreed. 1.2RC3 has some issues - at least some of the versions. But since we are lacking a build no. it's hard to tell which one…

Hi all, could this be the problem? It seems it was fixed long ago, is this a regression of this problem? http://forum.pfsense.org/index.php/topic,1246.0.html Regards. Maurilio.

Traffic shaping for download (WAN->LAN) traffic for Internet connections is fairly pointless in most cases. Really, all you can control is which traffic exits your LAN interface first which, for home/SOHO use, is not typically bandwidth constrained. Since you must accept traffic from your ISP in whatever order your ISP chooses to send it to you (FIFO), there isn't much, if any, benefit to be had. A caveat for pfSense is that you must have at least one WAN->LAN rule or the traffic shaper generator script breaks. For upload (LAN->WAN) of course, traffic shaping is extremely useful. Also, instead of rebooting the entire firewall, just reset states. Diagnostics, States, then click the Reset states tab. This will interrupt all established traffic flows, and when you reconnect they should fall into the right queues. You need to do this because applying a new traffic shaper policy doesn't affect connections that have already been established, only new connections.

i use aliases in firewall,for bandwidth shaping and penalty rules, and asign dhcp static for MAC mm..  1 aliases : client1 ips: 192.168.100.50, 192.168.100.51         2 aliases: cxlient2  1p: 192.168.100.52 then  trafic shaping penaltyBox       adress:  client1                   uP 128kb/s                   Dw: 512kb/s and for each aliases create penaltydown and penaltyuP queues and configure upperlimit m2  ex 256kb/s this work fine for me sorry my english

In http://forum.pfsense.org/index.php/topic,412.msg2559.html#msg2559 billm said: ALTQ only shapes outbound on an interface, we create rules for BOTH interfaces and that's what the queues relate to.  An inbound (on the internal interface) and an outbound (on the external interface). So why is there a direction field in the shaper rules? Isn't this always going to be 'out' ?

i am searching now to see if its possible to link pf statically… the ordering needs to be PF before ipfw ? ipfw can be linked statically quite easily... edit: ok, dumb me :P pf can be linked statically... im downloading pfsense developers edition and i will give it a try... pf statically and ipfw as a module, lets see if this solves the problem... edit2: while searching for this bug i found that theres not a lot of people trying to fix this bug, at least thats what i saw on the pf-freebsd list...

per IP, up pfsense 1,2