• QoS/Traffic Shaping information and tips.

    Pinned Locked
    4 Votes
    3 Posts
    163k Views

    Some useful information too.

    http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained

    Be aware that the limits on the m1 parameter do not apply on pfSense, i.e. m1 can be smaller than m2.

  • Quick hfsc syntax question

    Pinned Locked
    0 Votes
    7 Posts
    35k Views

    dusan - that has definitely cleared things up for me, I really appreciate it. I was definitely getting m2 and bandwidth confused, and did not realize that they were one and the same.

    Thanks again!!

    ;D ;D ;D

  • 0 Votes
    1 Posts
    35 Views
    No one has replied
  • Traffic Shaper Firewall Rules for WANv6 traffic with globally routable IP

    0 Votes
    3 Posts
    121 Views

    @Bob-Dig

    I don't know how and why, but it does. :(
    I confirmed the unintended traffic shaping with simple iperf3 between local devices. With floating rules off there is shaping, with the floating rules off, I get gigabit speed again. The shaping is bidirectional.

    Are you saying regardless of the traffic's IPv6 address being globally routable, they should be treated as local traffic since the interface is still LAN?

  • Traffic Shaper Limiters just won't work - FQ_CoDel

    0 Votes
    11 Posts
    1k Views

    @br8bruno said in Traffic Shaper Limiters just won't work - FQ_CoDel:

    @br8bruno

    The suggested configuration did introduce a limit and as it seems, it does work consistently.
    I have set the limiters to 900/450 on a 1000/500 connection.
    However, the limit is resulting in speeds much lower than what is set. I get 525/260. This was not the case before, the results were much closer to what was set and I did not lose this much bandwidth.
    If I go up on the setting, close to the connection capability I still lose a lot of bandwidth, and get bufferbloat although not close to the limit.


    There is a bug that exists in 2.7.2 (but should be patched on 2.8 beta and latest plus) that can halve the throughput on dummynet because it's applying the shaper twice. So your speeds are potentially affected by that; it can be overcome by setting double the limit, so e.g. for 500mbit set 1000mbit. I am not convinced this is your issue though as your speeds are a bit above half, you might just be hitting process limits.

  • ICMP only from 1 host to 1 Host

    0 Votes
    1 Posts
    64 Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    GertjanG

    @rkbest said in pfsense error (s) loading the rules: /tmp/rules.debug:95: errors in queue definition - internet very choppy and unusable:

    choppy internet beyond i can use with all my IOT offline and wifi not working

    That's 3 different things.
    Afaik : the common factor might be : power ?
    If wifi (radio waves) don't work, check the AP, using 'scanning' to see if other APs are using the same channel (frequency), etc.
    IOT offline : if these are connected over radio (wifi) and not cable, then see the suggestion above.
    If the IOT are wired : to access them, you don't need pfSense **.
    Choppy Internet : the WAN interface is identical as the LAN, so you could swap their position to isolate a potential bad interface. If the interface is ok, go check the device where the pfSense WAN is connected to. Example : my WAN can't go down as I power both (ISP router and pfSense) with a double UPS, so even if my ISP goes down (like what they tested in Spain two days ago) my WAN will stay up. No Internet of course - that's logic..

    ** but pfSense will be needed to hand over an initial DHCP lease = correct IP /network info, as without this info nothing will work.

    @rkbest said in pfsense error (s) loading the rules: /tmp/rules.debug:95: errors in queue definition - internet very choppy and unusable:

    There were error(s) loading the rules: /tmp/rules.debug:95: errors in queue definition - The line in question reads [95]: queue qLink on igc1 priority 2 qlimit 500 priq ( ecn , default )
    How do i fix this?

    Start telling us how you've set up queues, limiters ?
    This file /tmp/rules.debug (the firewall rules) : line 93,95 95 and 96, what does it contain ?

    edit : no I think a bit more about this message, knowing that network queues is internal kernel stuff : if something goes bad, this will / might impact all interfaces ...

    What pfSense version ?

  • FQ_CoDel Optimizations for cable connections

    6 Votes
    6 Posts
    677 Views

    Hey everyone, I similarly have a 1000/50 HFC connection. Were any changes made to the upload limiter scheduler parameters? Thanks!

  • [BUG] Wireguard Traffic Shaping

    0 Votes
    1 Posts
    108 Views
    No one has replied
  • DSCP QOS Traffic Shaping Question

    1 Votes
    12 Posts
    1k Views

    @HLPPC

    I appreciate the responses here but I am still kind of lost on finding a solution. Please allow me to rephrase the question and scenario.

    My Switch is set to Trust DSCP, my clients properly tag DSCP values to packets like Zoom & Teams etc. On the PFSense side I have Codel Limiters in place to combat bufferbloat and those are working nicely see below.

    What I would like to achieve next is some kind of simple rule that simply tells PFSense to Trust DSCP, aka prioritize the packets accordingly if there is a DSCP value, i.e. DSCP Value 46 would get high priority. I would rather not have to create a rule for every single DSCP value, is there any way to plug and play this. Much like when one configures a CISCO switch and issues AUTO QOS and all the DSCP values and queues get populated for you. Keep in mind the solution has to also be compatible with the existing Codel limiter.


  • ISP oversold my bandwidth I need to shape VOIP

    0 Votes
    5 Posts
    335 Views

    @georgeberz said in ISP oversold my bandwidth I need to shape VOIP:

    @Mission-Ghost I live on an Island covered w trees I am surrounded by 80-100' trees no clear line of sight. thank you though I have tried. :)

    Frustrating. Maybe put up a tower? Given the difference in our lives between DSL and Starlink, I think it'd be TOTALLY worth it to put up a tower.

    For added detail, I use PRIQ shaping. Works well.

  • Easy general purpose traffic shaper config also suitable for gaming

    0 Votes
    8 Posts
    3k Views

    @ViciousXUSMC

    Thank you for your post.
    Yes, please do share. I really look forward to reading it, if you do decide to post a new thread.

  • Queues show NaN values, why?

    0 Votes
    13 Posts
    3k Views

    @Fry-kun said in Queues show NaN values, why?:

    ] || 0);

    Thanks for this! Setting up HFSC is not quick and easy on 7 WAN connections.

  • Traffic shaping of Wireguard that enters and exits on WAN

    0 Votes
    1 Posts
    174 Views
    No one has replied
  • Shaping a Tailscale client's IP traffic

    0 Votes
    1 Posts
    163 Views
    No one has replied
  • Limiters - Possible Bug +24.11-RELEASE

    0 Votes
    8 Posts
    636 Views
    provelsP

    Working fine!

  • Bufferbloat not always working

    0 Votes
    5 Posts
    622 Views

    @RN222 Okay, I know the SANS guide says to make these rules "quick" but as far as I know, they actually do not work when they're quick. I'm not sure if that was considered a bug, and/or if it still applies, but it was definitely true at one point. And my floating rules that assign traffic to limiter queues are just normal floating rules (i.e. not quick). Mine are also match rules, not pass, which I also believed was necessary at least at one point.

    So I would advise that you first make all four of these rules "normal" (i.e. non-quick) floating rules. And if that still does not work, try making them all match rules as well.

  • UDP timeout for VoIP

    0 Votes
    1 Posts
    142 Views
    No one has replied
  • TCP - UDP timeout for VoIP

    0 Votes
    3 Posts
    347 Views

    Using just the conservative setting for the firewall and giving the IP phone static ports has always worked for me. You should not have to change TCP/UDP settings specifically. Just the firewall optimization. See the pic for the details of the differences.

    Screenshot from 2025-01-07 07-22-08.png

  • 0 Votes
    2 Posts
    268 Views

    @Mission-Ghost never mind...I just found:

    https://forum.netgate.com/topic/195386/after-update-4200-to-24-11-queues-status-page-no-longer-works/7

    Apparently it's a bug that turned up in beta and has a redmine ticket. From the topic cited, there's a method to check that it's working. I'll do that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.