@markn62: I know servers don't typically initate which is true in this case. If it requires a floating rule on Wan out do you have a suggested rule example? First rule here: https://forum.pfsense.org/index.php?topic=88311.msg487589#msg487589 I know the Ack requirements for tcp/udp.  You earlier suggested a Wan out rule and here you say both directions.  Which is it? Yeah, that was a mistake. Maybe not in your example, but I have an OpenVpn nat rule matching every Lan nat rule so my client remote connection can connect to all forwarded Lan devices, not just connect to the Lan device GUI itself.  It's essential, to match Lan rules or I can't remote connect to anything but PfSense itself. To keep the discussion simple we can ignore this fact. Why are you natting?  Yes, you need firewall rules to pass traffic, but unless you're dealing with conflicting subnets there's usually no reason to NAT traffic across a VPN. What do you mean "create an assigned interface on the server"?  What interface on what server?  A virtual interface on the PfSense server? I mean create an interface in Interfaces > Assign and assign it to the OpenVPN instance. I wouldn't have hosts and the remote side of the tunnel, only clients. Hosts != Servers.  Hosts means a host on the network. I tried a rule on the OpenVpn virtual interface and it only shaped traffic from the OpenVpn interface to the Lan adapter. Does me no good.  I'm trying to read between the lines on what you are trying to convey.  Are you suggesting if I rule match to a Wan In and assign to a queue name that connection will retain the queue name thru the Wan, onto the Lan, onto OpenVpn, then migrate around to some of the assigned lan gateways, then return in the opposite direction and transverse these three adapters and out the Wan still retaining the same queue as the packet goes out the Wan back to the remote client?  Seems far fetched.  Currently I don't have any Lan queues, only Wan queues because I don't shape the Lan I only dynamic limit per ip on Lan out (downstream). I'm not clear what your suggesting here. @Derelict: Now you will have THREE layers of QoS WAN/LAN, The OpenVPN tunnel, and traffic within the tunnel.  It'll be quite a juggling act. I never said it was easy or perfect. It shouldn't be this complicated. But it is.  Sorry. What, exactly, do you want to shape?  The tunnel itself or traffic inside the tunnel? I was under the impression you wanted to shape the tunnel itself. To do this you need a floating rule on WAN out on the OpenVPN client as illustrated above.  That will allow you to put the traffic from the OpenVPN client to the OpenVPN server into a queue. You will also need to create a queue on the OpenVPN server.  You will apply this queue to the rule allowing connections to the OpenVPN server.  This will allow you to put the traffic from the OpenVPN server to the OpenVPN Client into a queue. When dealing with the tunnel, no interfaces except the two WANs see the traffic.  Ever.  It's a service hosted on pfSense itself.  There's nothing else you can do.

Glad it is working.  I am hoping that the developers will implement fg-codel.  That brings dynamic queue separation for the flows with codel working on each queue individually.

This is my understanding as well.  You do NOT want to let your ACKs sit in the default queue.  You want them most definitely in your highest queue.

No waste.  Interesting find.

I filled in the bandwidth for the wan interface. Not sure if it was that or the reset state but things are working better now. Thanks for your help.

Thanks for the info, I will have to try this out.

I did not, but I made the changes prior loading BitTorrent and I find that when I make make changes to the traffic shaping queues, like bandwidth limits, the changes are immediate. I can be in the middle of a single transfer, say a file download, and changing the upper limit happen the instant I click apply.

I got a bit of NTPD info [image: NTPD-RRD.png]

I just realized something, I forgot about pause frames. The modem can tell your WAN NIC to back off, which will give time for packets to buffer in your firewall. This will give some decent benefit, but it will not stop the buffer bloat issue. Personally, I disabled pause frames because of these issues they can cause, but they're fine for point-to-point interfaces, like your WAN into your modem. In my case, pause frames makes pretty much no difference because my ISP recently changed our ONTs to run at full 1Gb, then they traffic shape upstream. I used to get a hard stop at my max rate, but now it has a slight burst to it. Unless I attempt to transfer 1Gb/s, I won't get pause frames.

But I'm asking about PRIQ.  Hence the title of this thread.  :) Sorry about that, chief.  Between my real job and trying to help out in a dozen or more threads, sometimes a slip of the brain occurs.

Add me to the list that can't get this to work. Anyone have any ideas? If I use PRIQ, it appears to work, but I need a little more control.

I wonder if I should have asked this in the firewall forum. Bump?

Correct. I was just using the wizard's terminology. The wizard tries to be one size, fits all GUI, and that's why you see references to priority when creating an HFSC shaper.  HFSC doesn't deal in priority levels, only bandwidth allocation.

Thanks jahonix, just tried turning strict off via that link and no change. Might have to retreat back to 2.1.5 anyways, openvpn is proving too flacky with my devices. Edit: Due to time constraints I have gone back to 2.1.5, I have not given up on 2.2 but will tackle this and my openvpn issues at a later day. Thanks you developers for your awesome backup and restore utility this was fun adventure, so no complaints from me. Thanks again for all who read and tried to help me figure it out.

Thank you Harvy66, we will try this and let you know.

Working again…. Re-installed pfsense 2.1.5 and restored the backup. All fine now. I think the upgrade from 2.1.4 to 2.1.5 broke the limiter somehow.

Tell him you have figured out how to limit it to no more than 10,000,000 or some number you estimate you wont exceed. Lie - They do it all the time.

I've just went thru the wizard using CBQ and input my allworx servers public IP in the SIP ip box, and these are the shapes it created, however it seems I'm missing the IP address from the voip floating firewall rule. Any idea why? [image: blah.jpg] [image: blah.jpg_thumb] [image: Untitled-4.jpg] [image: Untitled-4.jpg_thumb]