Thanks, it seems to be working :-)

Same issues here. L7 torrent doesnt work for non encrypted torrent traffic but we can stop http with the L7 containers

Okay, I know you manage the router at each end but what about all the routers in between? I'm assuming this VPN is over the public Internet. Do a trace route between the public IPs of both routers that you control and you'll see how many other routers the VPN traffic is flowing across. These routers will not shape traffic according to your QoS tags even if they could see them. They can't even see them because your traffic is encrypted by OpenVPN. All you are controlling with traffic shaping on your pfSense boxes is which packets have priority leaving your pfSense box. Once they leave it you have no control over what packets get dropped first. If you have an MPLS circuit or a dedicated T1 between your office and the customer site then you could get the ISP to use the QoS you put on the packets but I don't think that's they type of link you have. Here is a link that may explain it a little better (even though they are trying to sell their product at the end) http://netequalizernews.com/2010/08/29/qos-over-the-internet-is-it-possible-five-must-know-facts/

Thanks - I will try this :-)

The limit is in BIT per second. Make sure that you enter the correct value. For limiting with freeradius2 as backend you have to restart CP when changing the limits and the user needs to reconnect. So in both cases try to reconnect the user on CP so that the limits can take effect.

You are correct sir.  thank you very much!

Is there some "best practices guide" in choosing between the various traffic shaping algorithms offered in ALTQ? I understand that HFSC is supposed to be the most flexible, yet also more complex to configure correctly.

I'm currently using priq i just want to limit the bandwidth going to a single ip so that it doesn't slow down the entire office when someone is uploading a video to our company server.

Delete your "Floating" rule, and create on LAN Action: pass Source: your "particular LAN IP" Dest: any and in advanced features –> In/Out  choose your limiters Put this rule "on top" of any other "pass" rule.

@cmb: Alternatively if you have a proxy server or can set one up, you can set TOS based on URL and then shape on TOS. Talking about setting TOS in Squid, there is an interesting feature called ZPH (Zero Penalty Hit) included in recent Squid versions, which can be used to set TOS of already cached content (cache "HIT") so it can be delivered to local users at full speed, i.e. only shape un-cached traffic. Is anyone using such a setup with pfsense? I just started to configure it (added zph_local to squid.conf, checked with tcpdump that squid cache HIT entries sent out packets with correct TOS set etc) and will probably complete the setup tomorrow.

Sorry for being a newbie, but can you give me step-by-step examples to your #1 and #2 answers please. It will be greatly appreciated! Thanks!