I think that is what I am going to do.  I read this post and learned quite a bit more.  The rest of that thread is good too.

@fsSnowboard: Here is the google help page on how to find the current Google IPs.  Shaping this way though, as mentioned above, will probably cause issues, because these IPs also are for google.com, gmail.com, etc. Like i said,I suspect there is no absolute ip cidr for a specific service but you can furher distinguish a service (like mail.google.com) by defining an alias for it too and creating a new rule before the "google" rule. As for today gmail uses 173.194.0.0/16 if anyone interested in checking that in following weeks or months.

AS KOM said PRIQ is pretty easy to setup and understand.  Seems like a good fit for what you want to do.  The wizard is 1 size fits some, so be aware of that.  It will get you a basic setup from which to start however. My advice is to make aliases for the different server/service/ip's.  That way if anything changes you don't have to muck with the fw rules, you only need to change the alias entries.

@lordkitsuna: @Derelict: Set bandwidth and link share (m2) to the same value. Thanks so much i now have it working and everything behaves as expected. My torrents can take up the speed when nothing is going on but as soon as i start playing games they get dialed back enough that my games ping remains unaffected. Awesome.

Unless I have something configured somewhere that I'm not seeing that is causing this, it would seem to be bug.

Yep…sounds like a plan!  8)

+karma for a fast and thorough response - thanks! I want to limit the combined download to 20 mbps and upload to 5 mbps. I'm not sure what or how many devices will be active, so I currently have an alias set for all my devices called "famUp." With your guide, I think I've got what I need. I'll know for sure when they move in tomorrow! Thanks again.

@KOM: pfSense has supported that NIC since last year, so you should be fine I would think. Everything appears to be working correctly.  Had to up the mbuf settings but that seems to be the only issue so far.

Depends on the office.  Some could get by with only HTTP/HTTPS.  Others with VoIP phones may need a whole range if ports.  You have to think about things like external time servers using NTP.  Open up a few known ports and block everything else, then wait for someone to complain that something isn't working.  Figure out what's being blocked and write a rule for it to make the broken app work again.  Rinse, repeat.

Does anyone have any guidance on this question?

Any ideas, anyone?

Yes, if VoIP is all you care about at the moment then you are done.  Your PRIQ shaper will always give priority to qVoIP.  I've also been in the game for a long time and didn't have to worry about traffic shaping until recently.  The emergence of time-critical network VoIP traffic combined with client bandwidth hogs means you're going to have to at least get your feet wet.

Yeah, will do as soon users are not on it, it's a production system, so I'm using stable config for the moment.

@sideout: I think however you are going to want to have the default queue NOT be under qInternet and be another queue under the LAN. I have a floating rule that catch all traffic between interfaces, I don't want/need to shape traffic between interfaces. Thanks for your insight! Regards

I second KOM for voip traffic PRIQ is much easier to config and use.  There are a couple of threads here on how to configure it but it is pretty straight forward.  It works great in my setup where I value voip traffic over everything else. here is my setup https://forum.pfsense.org/index.php?topic=79149.msg432062#msg432062

@RobEmery: This is pretty much what we have currently; however we (I don't really understand why) have to put a different limiter (VPN_UP, VPN_DOWN) on the IPSec interface, otherwise it looks like it gets double-shaped and we seem to be only able to pull about 4MBit (when all the limits are set to 10MBit). Ideally I'd like to just sort of go bang 1 or 2 rules that applies a 10MBit limit to the WAN in both directions; including all IPSec traffic etc hopefully the queues can do this? Did you check if you're indeed double shaping though? i.e.  You're shaping both within the tunnel and the tunnel itself (WAN traffic) because your tunnel is caught in the WAN rules and the traffic in the tunnel itself is also caught in another set of rules.