Go to firewall –> rules --> edit a rule scroll down to the advanced options and click on "Advanced options". There you will find some options about connections and states. Not sure if there is also something which will help you.

@kyu: @redflag237: Sorry but is there noone who could geve me a hint? If your HFSC is working, you could fiddle with m1 and d perimeter. Say the queue responsible for downloading will get m1 = 20Mbit (bypass all other limit) for d=30seconds, and after that it's given a lower bandwidth m2=2Mbit. I believe this will automatically throttle any file bigger than 20Mbit x 30 / 8 = 75MByte. Works fine, thank you very much!

@kyu: @drwebster93: @podilarius: In the floating rules there is a source and a destination. Just specify the IP range of the phone as the source for outgoing connections and the destination for inbound queue. That would work for one phone, but how would I do this with five IP phones? Thanks! Create an Alias, and input the IPs of the phones inside the Alias. In the floating rule, specify the alias instead of IP. kyu, thanks for the tip on the Alias! So I made an alias, and put that in for the VOIP adapter in the traffic shaping wizard.  I have been monitoring my queues though, and it doesn't seem to be doing much.  If I monitor my queues on the pfsense box on the side with our phone system, I see around 50 kb/s per call in the qVoIP on WAN queue.  But at the same time, on the pfsense box on the side with the 5 IP phones, I am only seeing around 900 b/s per call.  The only difference in configuration is that I used the IP address of our phone system for the VOIP adapter in the wizard on the side with the phone system, and an alias with the IP addresses of the 5 IP phones on the side with the IP phones.  Any ideas? Thanks!

@sofakng: EDIT:  What concerns me is that I can only prioritize the packets I'm sending to my ISP.  I can't prioritize the incoming packets (i.e. if I'm downloading at full speed while trying to make a VOIP call, etc) The shaper does prioritize incoming packets too. It's true that particular packet has already used your Internet bandwidth at that point, but TCP's congestion control will kick in and quickly slow the download as needed by queuing once it gets to you.

I enclose the problem. This user like so many others, I can not limit the bandwidth they entered it in the output. It comes in at 3.5 Mb and upload inbound up to 7 Mb. I enclose also its configuration. If anybody has any idea thanks in advance. [image: 202.png] [image: 202.png_thumb] [image: Immag_161.jpg] [image: Immag_161.jpg_thumb]

@tupm: Hello! Very cute pfsense … Now, this was not something simple??? limited but simple? debian is easy for me, that I do not understand the truth .. anyway ... I have this problem: -2 Wan (dhcp) cable modem -1 Lan domestic stupid! -set group in routing ok -set firewall rule (grup gateway) for lan ok -set tier2 and tier2 for both wan (wan and opt1_gw) -set diferent DNS for each interface ok (opendns) ok but alll of load and balance (connection) disaster, what is wrong? Status is DISASTER (conextion not show multiple graph :(  ) anyway, the problem is that I see for 1 WAN generates 98% of the traffic, why? see down page log… Thank you very much, please help! THIS IS MY INTERFACE STATUS, SEE THE OUT PACKETS (sorry for my english ) Status up DHCP up    MAC address 00:08:54:46:4d:be - Netronix IP address 192.168.0.x   Subnet mask 255.255.255.0 Gateway 192.168.0.1 ISP DNS servers 127.0.0.1 208.67.222.222 208.67.220.220 Media 100baseTX <full-duplex>In/out packets 209901/209866 (226.79 MB/46.86 MB) In/out packets (pass) 209831/235947 (226.76 MB/46.85 MB) In/out packets (block) 70/35 (36 KB/2 KB) In/out errors 0/0 Collisions 0 LAN interface (nfe0) Status up MAC address 00:15:f2:ad:05:b1 - Asustek Computer IP address 192.168.1.1   Subnet mask 255.255.255.0 Media 1000baseT <full-duplex,flag0,flag1>In/out packets 312714/312333 (134.50 MB/246.18 MB) In/out packets (pass) 312320/279144 (134.41 MB/246.16 MB) In/out packets (block) 394/13 (91 KB/18 KB) In/out errors 0/0 Collisions 0 GW_OPT1 interface (re1) Status up DHCP up    MAC address 00:06:4f:4a:93:f1 - Pro-nets Technology IP address 190.113.134.x   Subnet mask 255.255.255.0 Gateway 190.113.134.x Media 100baseTX <full-duplex>In/out packets 88412/87800 (17.32 MB/90.63 MB) In/out packets (pass) 87800/125651 (17.28 MB/90.63 MB) In/out packets (block) 612/0 (42 KB/0 bytes) In/out errors 0/0 Collisions 0</full-duplex></full-duplex,flag0,flag1></full-duplex> HELP PLEASEEEEE

How about testing it out by transfering a large RAR file over to someone and see which Queue gets clogged up.

I use the wizard to setup my initial settings, then I manually adjust any fine tuning. The wizard has a place to limit P2P. I make sure to use that and then adjust it higher manually. I have not used limiters so I cannot help you there.

@leecallen: I then created a single Rule  for the WAN interface:     Action: Pass     Interface: WAN     Protocol: any (I have also tried TCP/UDP)     Source, Destination: defaults - "not", type any, no address     In/Out: in=WANin, out=WANout "Not" "Any" means the rule does not match any traffic.  It will not direct traffic through the queues defined. What you need is a rule that catches everything, meaning you uncheck "Not". Secondly, check the direction of the rule.  It matches traffic based on whether it is leaving the WAN or entering the WAN port.

I've read that, it looks like pretty cool stuff but it's not answering my questions. I need the exact mechanisums how HFSC works so i can make my conklusions. Or some tips how to make shaper when i have different limits for different networks without knowing the exact limits.

when I update from 2.0.1 to 2.0.2，I can find the wizard rule in firewall:rules:floating I think I get more understand. now,when edit some rule,I can see "Ackqueue/queue" why some rule Ackqueue chose "none"? why some rule chose "qack" or other can someone tell me ?thanks

I vaguely remember reading somewhere that the L7 filter blocks traffic by checking only some packets in the beginning of the session and once state has been established it is beyond the reach of L7 filter. If that's the case then maybe the reason why blocking these SUBSCRIBE messages doesn't work is that they are considered as being "in the middle" of existing session and aren't seen by ipfw-classifyd. I sure can't see what else could be wrong in my setup…

Or will the following be good enough? Floating rule on LAN interface with IN direction and Quick enabled. With limiter on in / out. The speed seems to be limited correctly when testing on speedtest.net. I'm not limiting other traffic than WAN with this rule?

@g.sara: Hi, Thank you for your answer! Into  which tab I have to create the rule (Floating or Interface rules)? Which rules are executed first? The floating or the Interface rules? Regards, George Interface Rules have a higher weight as the floating ones. That means, if there is an interface rule and an floating rule, the interface rule is executed.

I solved the problem of everything going into the P2P catch-all queue by not selecting to set up a catch-all queue in the first place during the wizard, as suggested by this guide: http://skear.hubpages.com/hub/How-to-Configure-Deep-Packet-Inspection-Using-pfSense Traffic shaping seems to be working well now, and all shaping rules are indeed in the Floating tab. Todd

@sgatto: It seems that HFSC queue acts only on the defined interface. Defining a queue for interface X and then apply that queue on traffic egress from interface Y does not work. Can you give me another solution ? Use the floating rules and mark the direction as 'IN'.  Select the appropriate interfaces (148 Vlan interfaces?) then direct to the WAN interface queue. You may want to re-create the queues with different names for the WAN and the other interfaces.  That will allow you to better differentiate between the queues.

doing this with freeradius, sqlcounter module and a sql database is possible as long you have a NAS which does the accounting properly. You can define different groups and limit their speed. But please don't ask me for a tutorial or something like this. I do not have one ;) I just read this "here and there" in the net.

see video on youtube. try this link (phone) or search http://m.youtube.com/#/watch?v=Usi195rK35I&desktop_uri=%2Fwatch%3Fv%3DUsi195rK35I