  • Transparent bridging and limiters

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    G

    Hello guys,

    I really need your help setting up a pfSense server. I'm new to this (I have been using ALLOT before). I've managed to partly configure the server, but I don't yet get the results I want.
    The LAN output of my server connects to the "internet" and I have multiple WAN connections, which I want to limit per IP. The problem is that I want to have the WAN hosts grouped, for example:
    Group 1 has 20 hosts, I want to assign to this group 3 Mbps/3 Mbps and each of the hosts in the group 256 Kbps/128 Kbps. I want to configure the LAN and WAN interfaces in "bridge" mode and assign bandwidth limits to a group of hosts and to each host separately.
    I have managed to configure LAN and WAN in bridge mode, I have created limiters and such, but my only problem is how to assign hosts to the groups I want to and then limit their traffic as I need to.
    As I mentioned, I've been using ALLOT before, and it was easy to create a group, assign bandwidth limits and place hosts under the group with the desired bandwidth and protocol for each host.
    Please refer to the attached scheme. As you can see, I want to group the hosts, assign bandwidth limits to the group and bandwidth limits to each host of the group. I'm trying, but I can't find any option to do this in the pfSense GUI.
    Please help me with this. If you need further info, just ask :)
    Many thanks,

    Ges

    scheme.jpg

  • Layer 7 - Create container with action "ALLOW" and not "BLOCK" !?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N

    @ermal:

    Not yet implemented.

    Any roadmap for this?

  • Small university network security design with pfSense 2.0.1

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M

    It's Edraw Max: http://www.edrawsoft.com/download.php

  • Per IP traffic Shaping

    Locked
    33
    0 Votes
    33 Posts
    52k Views
    marcellocM

    Nice  :)

    As you are moving from ClearOS to pfSense, you may need to take a look at some tutorials to better understand the differences between the two.

    doc.pfsense.org has a lot of tutorials.

    On the Portuguese forum there are some topics at the top with a lot of information that will help you.

    http://forum.pfsense.org/index.php/board,12.0.html

  • Block access to internet by MAC address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM

    You can use the captive portal MAC options to filter.

    Or you can use IP-based rules together with DHCP reservations.

  • Accelerating wan link via fast acks response

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    C

    You may be able to find some kind of proxy that can do so; I'm not aware of any, though.

  • Verify VoIP Prioritization

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to upload new pattern of Layer 7

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VoIP prioritize IPsec VPN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Cap BT

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Prioritise traffic

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Remove Traffic Shaper: Limiter

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    J

    I have clicked [delete this queue], but nothing happens. The limiter still exists.

  • Limit traffic for traffic to/from external network (on WAN side)

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    pttP

    Sorry, I don't use Squid, so I can't help you with this.

  • [BUG] Traffic Shaper default queues, and priorities

    Locked
    15
    0 Votes
    15 Posts
    10k Views
    E

    It's a matter of implementation.
    Real time is about real time. By definition the quantum of the real-time curve is the same as the interface curve; it cannot be less and cannot be more.

    For link share, the concept of splitting the bandwidth of the parent exists because it makes sense, while real time is about real time and no queuing or anything.

  • HFSC Priority ??

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    A

    Hi

    So what is recommended to use for working with queues and priority? PRIQ / CBQ / FairQ?

  • Applying a traffic queue to inbound and outbound traffic

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Traffic shaping in multi-LAN with shared inbound quota

    Locked
    7
    0 Votes
    7 Posts
    14k Views
    T

    I'm not sure if it's dumb luck, a successful configuration or something else entirely, but I've been able to get the HFSC shaper to work the way I want it the two times I've used it.  The second time was in an environment with three LAN interfaces, and from what I can tell, the shaper is actively prioritizing traffic among the internal interfaces in the way I anticipated.  Granted neither pfSense deployment is earth-shattering (both are home environments), but from skimming the forum posts on this subject, I thought documenting success using the shaper with multiple LAN interfaces might be of interest.

    The configuration consisted of a single WAN interface and three LAN interfaces: Verizon, Work & LAN.  The firewall is actually a friend's & we both teamed to sort out the necessary shaper configuration.  The goals were simple: Verizon traffic takes precedence (he has FiOS & on-demand videos can use a portion of his "Internet" bandwidth), Work traffic trumps LAN bandwidth but not Verizon (employer-provided VoIP phone & other equipment when he works from home is connected to the Work interface; LAN is for generic home internet), any interface should be able to utilize all available idle bandwidth (but release it for high priority traffic) and no interface should be starved of bandwidth regardless of priority (the "fair service" in HFSC takes care of this).

    We first ran through the multi-LAN wizard, but didn't specify any ports or protocols to prioritize; rather, we used the wizard to stipulate upload & download bandwidth and build the various queues on the interfaces.  Once that was completed, we built a VZWeb queue on the Verizon interface, a WRKWeb queue on the Work interface and a LANWeb queue on the LAN interface as children under the Internet queue on each of the interfaces.  These three queues were duplicated on the WAN interface and placed directly under the root queue.

    Priority was described via a percentage in the m2 column of the Link Share row, as I've read somewhere HFSC doesn't adhere to the numerical priority label.  I believe Link Share overrides Bandwidth, but the percentage was duplicated in the Bandwidth field for the sake of completeness.  VZWeb was given 30%, WRKWeb 15% and LANWeb 5%.  The Link Share m2 metrics on the ACK queue were left unchanged, but we did plug in 5% for the Realtime m2 value as a safety net.

    The rules were a little trickier; we couldn't get the floating rules to properly direct traffic into the queues, but specifying queues on existing rules in the interface tabs did the trick (e.g. allow LAN to any rule where LAN net is the source).  We ran multiple non-interference (start with traffic on higher priority Verizon, then Work & then LAN) and non-blocking tests (going the other way with LAN first, then Work, then Verizon) and all interfaces used the appropriate amount of traffic.  LAN was the only one that dropped packets, which occurred when this interface surrendered bandwidth to the other two.

  • Limit to 80/80 kbps for specific IP on LAN

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    J

    Thanks, it seems to be working :-)

  • L7 block not working

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    B

    Same issues here. L7 torrent doesn't work for non-encrypted torrent traffic, but we can stop HTTP with the L7 containers.

  • VoIP and Traffic Shaping - Echos, Static on the phones

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    F

    Okay, I know you manage the router at each end but what about all the routers in between? I'm assuming this VPN is over the public Internet. Do a trace route between the public IPs of both routers that you control and you'll see how many other routers the VPN traffic is flowing across. These routers will not shape traffic according to your QoS tags even if they could see them. They can't even see them because your traffic is encrypted by OpenVPN.

    All you are controlling with traffic shaping on your pfSense boxes is which packets have priority leaving your pfSense box. Once they leave it you have no control over what packets get dropped first. If you have an MPLS circuit or a dedicated T1 between your office and the customer site then you could get the ISP to use the QoS you put on the packets, but I don't think that's the type of link you have.

    Here is a link that may explain it a little better (even though they are trying to sell their product at the end): http://netequalizernews.com/2010/08/29/qos-over-the-internet-is-it-possible-five-must-know-facts/

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.