• Traffic shaping Wizard error Single Lan Multi Wan

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    bump
  • [possible BUG] ECN is disabled, so altq can't use it?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    L
    well, ever since I enabled the flag, ECN tests work.  Without this set, even with ECN enabled in traffic shaper, ECN tests fail.  Perhaps it should be force set if enabled in traffic shaper.
  • Howto applying zph patch on LUSCA r14850

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    D
    Remember that only the traffic that comes from squid's cache will be marked. So you have to keep an eye at squid's log (tail -f /var/log/squid/access.log) to see if cache HIT are sent with appropriate tos (using tcpdump). It worked as expected when I tested it a few months ago.
  • How do I detect bandwidth hogs?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Ipfw-classifyd skype block not work

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    N
    @ermal: The skype pattern is not correct and needs to be fixed. I noted this quite late so you have to edit or create a custom pattern for it to work. Hi ermal, I do not use skype in layer 7. So is there another pattern which is not correct or is it another problem? Is there any other way to find out which pattern makes the problem instead of just select and unselect one? Thanks
  • PRIQ not working as expected

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit torrent download speed by setting fix # of connections?

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    J
    @marcelloc: Edit the firewall rule you want to set connection limit. Setting # in Maximum state entries per host would limit number of connections?
  • Traffic shaper working for outbound, not for inbound

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    Try queueing with "In" on WAN with source w.x.y.z and dest. "Lan subnet" instead for the download matching. And use rules in the LAN tab instead to do outbound shaping.
  • Rate-limit an opened traffic

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    jimpJ
    Not that I'm aware of, I think it would end up the same, only applying to new connections.
  • Limiter not work correct on second nic

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    savagoS
    Same problem reported here http://forum.pfsense.org/index.php/topic,37399.0.html
  • Limiters in Bridge mode and grouping hosts!

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E
    You are looking at limiters queues. You can actually create children on limiters as well :)
  • Priority Queue Problem - BattleField 3

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    M
    I'm trying the same without success. None of the BF3 traffic goes in the qGames. I even added just the udp ports with no success.
  • Transparent bridging and limiters

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    G
    Hello guys, I really need your help on setting up a pfSense server. I'm new on this (been using before ALLOT), I've managed to make partly the configuration of server, but yet I don't get the results I want to have. My LAN output of server connects to the "internet" and I have multiple WAN connections, which I want to limit per IP. The problem is that I want to have the WAN hosts grouped, for example: Group 1 has 20 hosts, I want to assign to this group 3 Mbps/3 Mbps and each of the hosts in the group 256 Kbps/128 Kbps. I want to configure the LAN and WAN interfaces in "bridge" mode and assign bandwidth limits to a group of hosts and to each host separately. I have managed to configure LAN and WAN in bridge mode, I have created limiters and such, but my only problem is how to assign hosts to the groups I want to and then limit their traffic as I need to. Since I mentioned I've been using before ALLOT and it was easy to create a group, assign bandwidth limits and place hosts under the group with desired bandwidth and protocol for each host. Please refer to scheme attached. As you may see, I want to group the hosts, assign bandwidth limits to the group and bandwidth limits to each host of group. I'm trying but I can't find any option to do this into pfSense GUI. Please help me on this. If you need further info, just ask :) Many thanks, Ges [image: scheme.jpg]
  • Layer 7 - Create container with action "ALLOW" and not "BLOCK" !?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N
    @ermal: Not yet implemented. Any roadmap for this?
  • Small university network security design with pfSense 2.0.1

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M
    It's Edraw Max http://www.edrawsoft.com/download.php
  • Per IP traffic Shaping

    Locked
    33
    0 Votes
    33 Posts
    52k Views
    marcellocM
    Nice :) As you are moving from Clearos to pfsense, you may need to take a look on some tutorials to understand better differences between both. doc.pfsense.org has a lot of tutorials. On Portuguese forum there are some topics on top with a lot of information that will help you. http://forum.pfsense.org/index.php/board,12.0.html
  • Block access to internet by mac address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM
    You can use captive portal mac options to filter. Or you can use ip based rules together with dhcp reservations.
  • Accelerating wan link via fast acks response

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    C
    you may be able to find some kind of proxy that can do so, I'm not aware of any though.
  • Verify VoIP Prioritization

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to upload new pattern of Layer 7

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.