The FreeBSD man page for ALTQ suggests that the tx driver hasn't been updated to work with ALTQ.

@alonelion: :( bad news….not working for more than 64 queues..any other way? or i just must find another distro? i realy like pfsense features except that no per user bandwidth ??? I think it's possible if you shape entire network segments, that will make "2 queues and 2 rules" for entire network. (I mean: 128up/128down for X.X.1.0 ; and 256up/256down for X.X.2.0 for example)

tried again it seems fine now

@basha: Can you please briefly describe how you plan to implement your solution? The specification for the traffic shaper project is written up rather well in the bounties section.  I recommend you read that thread and contribute.

Strange.  In my ezshaper section I have: <msnmessenger>L</msnmessenger>

Providing that there are no drops there either?

Do you have IAX or SIP trunks? Your best bet in starting off is just going through the traffic wizard. When it asks you for the IP address of the VoIP device, enter your Asterisk's IP address. If you have SIP trunks, you need to prioritize UDP ports 10000-20000 (or whatever your RTP stream is set to). You don't necessarily need to prioritize the UDP 5060 for SIP because that's just the signalling port. If you have IAX trunks, prioritize UDP port 4569. That should get you started. If you have any specific questions, post back and I'll try to help you.

Well, I'm running pfSense on a 10Mb connection with 512 MB of RAM and a 1.2 GHz CPU (Fabia FX5620) and despite having added traffic shaping and a good number of plugins (including Squid and IMspector) it's rarely more than 50% loaded (either CPU or RAM). Of course, I rarely max out that 10Mb link, if your usage profile is different then you'll have different results :)

I don't think ALTQ behave well on loopback since loopback is not treated as a real network interface. Though you might play with it but take in consideration playing with tbrsize(tbrconbfig) parameter to not have performance issues.

You're seeing a problem where one likely doesn't exist. First, your cable company probably didn't "shape" traffic. They may have, but from what you describe that doesn't seem to be the case. Your cable company was likely limiting traffic basically the same way your DSL is limited to 5000/800. On cable networks, the cable modem is where your throughput cap resides. When you're pegging your connection, queuing occurs in the modem, which causes latency to increase substantially.  500 ms with a pegged connection isn't bad at all. If I really hammer my cable modem (15/1.5 Mb) I can get gateway ping times in excess of a second. That's normal, especially if you're uploading heavily. DSL works basically the same way. The goal of traffic shaping is to move the queuing up to where it can be more controlled - your firewall. Once the traffic gets to your modem, if you reach your cap, it's too late. Things queue and they go out in FIFO (first in first out) fashion. Traffic shaping basically orders that traffic so the important traffic goes before the less important traffic. It's a lot more complex than that, but this post is long enough without a dissertation on traffic shaping.  :) Back to my point - your ping times from pfsense will suffer when your link is loaded to capacity, regardless of the type of connection (not just cable and DSL, T1's do it, fiber connections do it, wireless really does it, it's just how networks work). The only way to keep ping times from pfsense low would be to shape your traffic at a lower speed than your actual connection speed. Then you'll ensure at least relatively good response times. But what's the point? All you're doing is making your graphs pretty and keeping yourself from using your full Internet connection speed. I'm not familiar with the pfsense traffic shaper as I don't use it, so I won't offer any specific recommendations on configuration.

@sullrich: The wizard instructs you to enter the "phone ip".    That is the reason you reversed them. Oops, sorry, must have mis-read that. That makes sense now. Ben

Disable the userland FTP-Proxy application.

@The: Any more ideas on this one? Many commercial router vendors said that it's impossible to bandwidth limit encrypted P2P traffic. Only one router vendor claims that they can limit encrypted Bittorrent & Obfuscated eMule traffic (don't remember the company name). I've been using MikroTik RouterOS from the beginning, and since some P2P clients implemented encryption, it's now only possible to block the encrypted traffic. I asked the MikroTik vendor and they said that it's impossible to bandwidth limit encrypted P2P traffic. This problem forced me to add rules for all normal traffic, and one for the rest (unknown traffic).