• Limiter not work correct on second nic

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    savagoS
    Same problem reported here: http://forum.pfsense.org/index.php/topic,37399.0.html

    pfctl -vsr

    scrub in on fxp0 all min-ttl 255 fragment reassemble
      [ Evaluations: 3366630   Packets: 683193    Bytes: 240344701   States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    scrub in on re0 all min-ttl 255 fragment reassemble
      [ Evaluations: 1887278   Packets: 1035091   Bytes: 496825229   States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "relayd/*" all
      [ Evaluations: 33964     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log all label "Default deny rule"
      [ Evaluations: 33964     Packets: 17161     Bytes: 1107535     States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop out log all label "Default deny rule"
      [ Evaluations: 33964     Packets: 12        Bytes: 1416        States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in quick inet6 all
      [ Evaluations: 33964     Packets: 30        Bytes: 2160        States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop out quick inet6 all
      [ Evaluations: 7376      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 33934     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto tcp from any to any port = 0
      [ Evaluations: 18322     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto udp from any port = 0 to any
      [ Evaluations: 33936     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick proto udp from any to any port = 0
      [ Evaluations: 15590     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick from <snort2c> to any label "Block snort2c hosts"
      [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop quick from any to <snort2c> label "Block snort2c hosts"
      [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick proto tcp from <sshlockout> to any port = 2299 label "sshlockout"
      [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
      [ Evaluations: 11827     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in quick from <virusprot> to any label "virusprot overload table"
      [ Evaluations: 26564     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 from <bogons> to any label "block bogon networks from WAN"
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on ! fxp0 inet from 87.120.xxx.0/24 to any
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in inet from 87.120.xxx.yyy to any
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on fxp0 inet6 from fe80::4e00:10ff:fe54:4632 to any
      [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      [ Evaluations: 19933     Packets: 2766      Bytes: 237779      States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on ! re0 inet from 192.168.0.0/24 to any
      [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in inet from 192.168.0.254 to any
      [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    block drop in on re0 inet6 from fe80::21c:c0ff:fec4:da44 to any
      [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 6630      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet proto udp from any port = bootpc to 192.168.0.254 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 1         Packets: 2         Bytes: 717         States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass out quick on re0 inet proto udp from 192.168.0.254 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 8218      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 31174     Packets: 4         Bytes: 536         States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass out on lo0 all flags S/SA keep state label "pass loopback"
      [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 31172     Packets: 266001    Bytes: 255650100   States: 79    ]
      [ Inserted: uid 0 pid 34968 ]
    pass out route-to (fxp0 87.120.xxx.y) inet from 87.120.xxx.yyy to ! 87.120.xxx.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 7376      Packets: 332423    Bytes: 246309331   States: 44    ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = http flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 31174     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = https flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 6         Packets: 443       Bytes: 189501      States: 1     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = 2299 flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "userrules/*" all
      [ Evaluations: 31171     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto icmp from any to 87.120.xxx.yyy keep state label "USER_RULE"
      [ Evaluations: 31171     Packets: 19        Bytes: 1978        States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto tcp from any to 87.120.xxx.yyy port = https flags S/SA keep state label "USER_RULE"
      [ Evaluations: 17154     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto tcp from any to 87.120.xxx.yyy port = 2299 flags S/SA keep state label "USER_RULE"
      [ Evaluations: 5999      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" dnpipe(1, 2)
      [ Evaluations: 24520     Packets: 323866    Bytes: 237555787   States: 54    ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "tftp-proxy/*" all
      [ Evaluations: 24547     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]
    anchor "miniupnpd" all
      [ Evaluations: 24547     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 34968 ]

    pfctl -vsn

    no nat proto carp all
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat-anchor "natearly/*" all
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat-anchor "natrules/*" all
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 87.120.xxx.yyy port 500
      [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 87.120.xxx.yyy port 500
      [ Evaluations: 245       Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 192.168.0.0/24 to any -> 87.120.xxx.yyy port 1024:65535
      [ Evaluations: 6838      Packets: 347150   Bytes: 259653965  States: 41   ]
      [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 127.0.0.0/8 to any -> 87.120.xxx.yyy port 1024:65535
      [ Evaluations: 245       Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    no rdr proto carp all
      [ Evaluations: 33730     Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "relayd/*" all
      [ Evaluations: 33730     Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "tftp-proxy/*" all
      [ Evaluations: 33730     Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "miniupnpd" all
      [ Evaluations: 33730     Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 34968 ]

    pfctl -a miniupnpd -vsn

    rdr pass quick on fxp0 inet proto tcp from any to any port = 51413 keep state label "Transmission at 51413" rtable 0 -> 192.168.0.10 port 51413
      [ Evaluations: 34050     Packets: 270701   Bytes: 255875228  States: 81   ]
      [ Inserted: uid 0 pid 16714 ]
  • Limiters in Bridge mode and grouping hosts!

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E
    You are looking at limiter queues. You can actually create children on limiters as well :)
  • Priority Queue Problem - BattleField 3

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    M
    I'm trying the same without success. None of the BF3 traffic goes in the qGames. I even added just the udp ports with no success.
  • Transparent bridging and limiters

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    G
    Hello guys, I really need your help on setting up a pfSense server. I'm new at this (I've been using ALLOT before); I've managed to do part of the server configuration, but I still don't get the results I want. The LAN output of the server connects to the "internet" and I have multiple WAN connections, which I want to limit per IP. The problem is that I want to have the WAN hosts grouped, for example: Group 1 has 20 hosts, and I want to assign 3 Mbps/3 Mbps to this group and 256 Kbps/128 Kbps to each of the hosts in the group. I want to configure the LAN and WAN interfaces in "bridge" mode and assign bandwidth limits to a group of hosts and to each host separately. I have managed to configure LAN and WAN in bridge mode and I have created limiters and such, but my only problem is how to assign hosts to the groups I want and then limit their traffic as I need to. As I mentioned, I've been using ALLOT before, and it was easy to create a group, assign bandwidth limits and place hosts under the group with the desired bandwidth and protocol for each host. Please refer to the attached scheme. As you may see, I want to group the hosts, assign bandwidth limits to the group and bandwidth limits to each host of the group. I'm trying, but I can't find any option to do this in the pfSense GUI. Please help me with this. If you need further info, just ask :) Many thanks, Ges [image: scheme.jpg]
  • Layer 7 - Create container with action "ALLOW" and not "BLOCK" !?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N
    @ermal: Not yet implemented. Any roadmap for this?
  • Small university network security design with pfSense 2.0.1

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M
    It's Edraw Max: http://www.edrawsoft.com/download.php
  • Per IP traffic Shaping

    Locked
    33
    0 Votes
    33 Posts
    52k Views
    marcellocM
    Nice :) As you are moving from ClearOS to pfSense, you may need to take a look at some tutorials to better understand the differences between the two. doc.pfsense.org has a lot of tutorials. On the Portuguese forum there are some pinned topics with a lot of information that will help you: http://forum.pfsense.org/index.php/board,12.0.html
  • Block access to internet by MAC address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM
    You can use the Captive Portal MAC options to filter. Or you can use IP-based rules together with DHCP reservations.
  • Accelerating wan link via fast acks response

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    C
    You may be able to find some kind of proxy that can do so; I'm not aware of any though.
  • Verify VoIP Prioritization

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to upload new pattern of Layer 7

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VoIP prioritize IPsec VPN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Cap BT

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Prioritise traffic

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Remove Traffic Shaper: Limiter

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    J
    I have clicked [delete this queue], but nothing happens. The limiter still exists.
  • Limit traffic for traffic to/from external network (on WAN side)

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    pttP
    Sorry, I don't use Squid; I can't help you with this.
  • [BUG] Traffic Shaper default queues, and priorities

    Locked
    15
    0 Votes
    15 Posts
    10k Views
    E
    It's a matter of implementation. Real time is about real time. By definition the quantum of the real time curve is the same as the interface curve; it cannot be less and cannot be more. For link share the concept of splitting the bandwidth of the parent exists because it makes sense, while real time is about real time and no queuing or anything.
  • HFSC Priority ??

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    A
    Hi. So what is recommended to use, to make queues and priority work? PRIQ / CBQ / FAIRQ?
  • Applying a traffic queue to inbound and outbound traffic

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Traffic shaping in multi-LAN with shared inbound quota

    Locked
    7
    0 Votes
    7 Posts
    14k Views
    T
    I'm not sure if it's dumb luck, a successful configuration or something else entirely, but I've been able to get the HFSC shaper to work the way I want it the two times I've used it. The second time was in an environment with three LAN interfaces, and from what I can tell, the shaper is actively prioritizing traffic among the internal interfaces in the way I anticipated. Granted, neither pfSense deployment is earth-shattering (both are home environments), but from skimming the forum posts on this subject, I thought documenting success using the shaper with multiple LAN interfaces might be of interest.

    The configuration consisted of a single WAN interface and three LAN interfaces: Verizon, Work & LAN. The firewall is actually a friend's & we both teamed up to sort out the necessary shaper configuration. The goals were simple: Verizon traffic takes precedence (he has FiOS & on-demand videos can use a portion of his "Internet" bandwidth), Work traffic trumps LAN bandwidth but not Verizon (the employer-provided VoIP phone & other equipment he uses when he works from home is connected to the Work interface; LAN is for generic home internet), any interface should be able to utilize all available idle bandwidth (but release it for high priority traffic) and no interface should be starved of bandwidth regardless of priority (the "fair service" in HFSC takes care of this).

    We first ran through the multi-LAN wizard, but didn't specify any ports or protocols to prioritize; rather, we used the wizard to stipulate upload & download bandwidth and build the various queues on the interfaces. Once that was completed, we built a VZWeb queue on the Verizon interface, a WRKWeb queue on the Work interface and a LANWeb queue on the LAN interface as children under the Internet queue on each of the interfaces. These three queues were duplicated on the WAN interface and placed directly under the root queue.

    Priority was described via a percentage in the m2 column of the Link Share row, as I've read somewhere that HFSC doesn't adhere to the numerical priority label. I believe Link Share overrides Bandwidth, but the percentage was duplicated in the Bandwidth field for the sake of completeness. VZWeb was given 30%, WRKWeb 15% and LANWeb 5%. The Link Share m2 metrics on the ACK queue were left unchanged, but we did plug in 5% for the Realtime m2 value as a safety net.

    The rules were a little trickier; we couldn't get the floating rules to properly direct traffic into the queues, but specifying queues on existing rules in the interface tabs did the trick (e.g. the allow LAN to any rule where LAN net is the source). We ran multiple non-interference tests (start with traffic on the higher priority Verizon, then Work & then LAN) and non-blocking tests (going the other way with LAN first, then Work, then Verizon) and all interfaces used the appropriate amount of traffic. LAN was the only one that dropped packets, which occurred when this interface surrendered bandwidth to the other two.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.