My recent post covers the basics of this: Works! Limiting multiple LAN users, thru single external proxy http://forum.pfsense.org/index.php/topic,60861.0.html In general, to create different speed groups, you need to do some coordination of your network addresses, and you can't just use automatic address assignment by DHCP for the entire building LAN. You'll probably want to inventory all the MAC addresses of the public machines so that they can be assigned addresses within the same common block, via DHCP MAC reservations . (You can also manually assign addresses directly to each machine without DHCP reservations, though this can be a maintenance hassle if the machines are wiped and reimaged occasionally.) The collective address range is then restricted by the limiter. Anything outside the range would be permitted full speed. A more thorough option is to group all the wired public machines into a single network switch or a VLAN, and then applying a subnet and automatic DHCP to that entire group through an optional interface on your pfSense router. This requires lots of fiddly crawling around under tables, locating of ports on walls and who is what port number, and then moving cables around in closets to put all the wires into a common group on a single switch or to make a VLAN range of ports. (You can also create a freeform VLAN for scattered ports across the switch without moving cables on the switches, but this is more management hassle later if there's a problem, IMO.) This would allow the computers to all be limited without needing to do DHCP reservations, and also allows for an open public wifi service for patron laptops and mobile devices to join the subnet and be limited also.

This can only be done properly on 2.1, where each limiter can have multiple bandwidth entries and you select the schedules there in the limiter config.

Here are the screenshots for you: [image: PFSenseConfig1_zps1fc7cd2f.jpg] [image: PFSenseconfig2_zpsc8161dd3.jpg] [image: PFSenseConfig3_zps283679de.jpg] [image: PFSenseConfig4_zps248be6d9.jpg] [image: PFSenseConfig5_zps6ee5b90c.jpg] [image: PFSenseconfig6_zps71609932.jpg] [image: PFSenseConfig7_zps40f4ba3c.jpg] [image: PFSenseConfig8_zps1d502d42.jpg] [image: PFSenseConfig9_zps70c4a6a7.jpg] [image: PFSenseConfigAlias_zps827add90.jpg] [image: PFSenseConfigLANFW_zpsf811e188.jpg] [image: PFSenseConfigFloatFWRules_zps3808c272.jpg] [image: PFSenseConfigGW_zpsedbe2bc0.jpg] [image: PFSenseConfigSitcky_zps87af146d.jpg] [image: PFSenseConfigDNS_zpse977e9b4.jpg] [image: PFSenseConfigNAT_zpsa48e73d9.jpg]

It should balance the load when full, since all traffic will have equal priority.

Boy that is weird. The ISP says we are 23 * 1000 * 1000 or 23,000,000. So apparently I gotta convert from 1000 to 1024 for the shaper wizard? 23,000,000 / 1024 = 22460.9375 I paste that in: [image: shaperkbitconfig.png] And the resulting config is different. [image: shaperkbitresult.png] What's going on here?

@ttblum: I see. What I put into the Wizard's 'Connection upload speed' shows up afterwards in the WAN 'Bandwidth' field. Is it possible I have upstream and downstream mixed up? Shaping happens outbound on an interface. Uploads go out WAN. So it's correct.

Hi. I will listen here as I would like to know to. I do not know what the bandwith is for. I would like to know to. Both with and with out limits in the service curve Regarding the link share I guess it is the quaranteed bandwith share if the connection is congested. If there is free capacity then more traffic can be given to the queue. To avoid a queue to use all your bandwith you can add an "upperlimit" along with your linkshare. Say 5% linkshare and 15% upperlimit. Then the queue will have minimum 5% when line is congested and a max of 15% even if there is a lot of free capacity. Why you do math I do not understand. 3x10% What are you trying to ask? I you have a queue with 50% and a subqueue with 50% the last will get 50% of 50% = 25% of the bandwith. But I guess that is not your question.

Thanks. That works for me too.

Yes, you have to define the traffic shaping like that. Regarding the rules, what I am currently doing is to specify on tab LAN (for download shaping) and on tab "Floating" (for upload shaping). But, I think I read somewhere that it may be sufficient to only specify them on the "Floating" tab (you then set "Direction" to "any"). I haven't tested that. Maybe someone else can confirm that.

OK. Thanks a lot for your reply.

It can be done in squid+squidGuard, I believe. It's been asked and answered many times on the forum. Search and you'll find better answers.

Have you tried limiters?

Hi, I haven't used limiters, but maybe you could do it as follows: 1. Create a firewall rule for the IP range to exclude as follows: Pass Source: $ALIAS_EXCLUDED_IPs Destination: any In/Out: None 2. Create a second firewall rule for the remaining IP range as follows: Pass Source: $ALIAS_OTHER_IPs Destination: any In/Out: UploadLimiter/DownloadLimiter I'm not 100% sure, but do tell me if this works.

Thanks, I will retry asap. EDIT: did a cross check while I was using another ALIX with ipfire on it … there the backup went through fine and much quicker. I don't have a clue what to look for in the iptables there ... Just as a reference. I will re-check things when I plugged in the pfsense-box again.

In theory this would be possible with freeradius2 package and captive portal. I say "in theory" because there is still some bug on accounting on CP. You should at least use pfsense 2.1. Search the forum for more information or take a look here: http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

Hi You should create two limiters and set one for mask destination (download to LAN) and one for mask source (upload from LAN). Then add a FW rule above your default rule on the LAN and add the limiters to this. IN = upload from LAN (with source mask) OUT = download to LAN (with destination mask) This way all clients will get there own sets of limiters You can read it in the link from ptt under "Dynamic queue creation"