@jimbrown-dm said in Doc VPN:

@jimbrown-dm
You can use free xnxubd vpn browser vpn app to browser internet freely.

https://www.tomsguide.com/computing/vpns/dont-download-xnxubd-vpn-browser-its-dangerous

Turns out the bufferbloat limiters do not limit ACKs. How can I make it also limit ACKs?

@Gertjan thank you for your help. Of course I will upgrade... But I have to wait for the end of the season as I cannot shutdown the system even for 10 minutes with 2500 customers on it.

Have a nice time :)

@vildsvin123 said in Traffic shaping limiters per port, upload limter doesent work:

local machine 192.168.1.123 witch runs the cloud and clients connecting from outside throu wan interface

Matching can be tricky, I suggest looking at the open state for the connection. For example "downloading a file from a web server in my office" matches the inbound connection to the web server, not an outbound response. The outbound follows back out the inbound state.

As noted floating rules are outside NAT. One can match a floating rule to a source only by tagging it on the way in as the packet arrives on LAN, then a rule saying "any packet with tag X" on the way out on WAN. I've used that for prioritizing voice (upload from a phone device IP) but I don't think for a limiter.

If you haven't already, for testing, set the limiter to something low enough to be obvious in both directions, and a different number for in and out.

I have since situated my limiters and have got them working properly now. Before upgrading to 2.7.2 (which was a task due to a bug) I installed an additional fail-over wan, which didn't have rules for the limiters. My rules were set per lan/vlan to use my gateway group and it's respective limiter. I had only made limiters for upload/download. My problem seemed to situate once I put my rules into the floating ruleset, made my limiters simple tail-drop with worst-case waieghted fair queueing, then made a queue for each limiter utilizing PIE with ecn checked. The rules used default gateway rather than gateway group (pfSense gateway is set to use the gateway group rather now) and the limiters were the actual queues I set up under the limiters. Hope it helps someone out there.

@_ToXIc_
I would revert the change regarding bloat. That doesn’t impact what’s going on here and typically it’s best left alone.
There are also debug logs for the agent

I came here for the same issue. "target" and "interval" is set to empty if you leave "Queue length" unset when creating the limiter.

@Aus_Karlos

You can also try to modify your existing WAN rule:
Go to Firewall > Rules > WAN.
Edit the rule that currently handles the traffic for port 443 to your server.
In the Advanced Options section, set the "In/Out pipe" for outgoing traffic to use the Global_Limit_Out limiter.

Update:
I deleted all the limiter and Wireguard profiles and set up both of them from scratch. Now they are working together happily. No additional firewall rules needed.

@N0m0fud I link to my post, basically it's a freebsd issue max 4gb/s
https://forum.netgate.com/topic/189679/codel-not-applying-after-4gb-s/2

@Poli Oh I founded that, so BSD still didn't fix it ? https://redmine.pfsense.org/issues/12661

I guess the fix was an upgrade from 2gb/s to 4gb/s why so low? https://reviews.freebsd.org/D31582

I have the same problem.