Thanks again for the info.  I'll see what I can do.

Yes, that's it. Thank you!

I also just found out that if I enable/disable a queue Interface (e.g. WAN), saving in between and apply, the stats (drops, etc.) reset.

yakupm

I have a similar pfsense box with the features you ask. Please see my post.

http://forum.pfsense.org/index.php/topic,42927.0.html

Hope this helps.

The devices are iPads and we dont wish to use a proxy. iPad apps dont all work nicely with proxies, especially if that proxy requires authentication. So we have a seperate web filter that operates as a transparent bridge which does web filter, but not SSL intercepting. Then we have pfSense box on the other end of that as our main WAN router. One single subnet for our whole internal network, so pfSense is just being used for pure firewall and NAT type stuff.

Had hoped the L7 stuff was the answer, as there doesnt appear to be any other way to do it.

Guess we just have to live with iMessage and FaceTime on our net :(

you'll have to tell that it uses vlan's.. pfsense cant look from crystal ball if vlans are needed or not ;)

hi again.

I changed the cron entry a little bit so it suits my setup.

Perhaps for future pfsense relases this could be realized that there aren't so many (unneccessary) filter reloads.
In a scheduler I have to define a start time and an end time. every time needs an "hour" and a "minute". per haps it can be realized that the minutes and the hours could be entered in the cron job.

So lets say:
Start:
[hour1]: 6
[minute1]: 0

End:
[hour2]: 17
[minute2]: 30

out of these times we can create a cron job like that:

[minute1],[minute2] [hour1],[hour2]  *  *  *  root  /etc/rc.filter_configure_sync 

I am no coding expert and I do not know what is behind the scenes but it is an idea :)

You can manually add the queues yourself.

Go to traffic shaper ->  Wizard -> Single-LAN, Multi-WAN.

Key in '1' for number of WAN connections.

Select HFSC for both LAN and WAN.  Choose 10Gbit/s for bandwidth.

Don't select anything in the wizard, just click next all the way.

When you're done, you should have:
WAN:  qACK, qDefault
LAN:  qLink, qInternet, qACK, qDefault

Now select LAN.  Delete all the queues.  Then add qACK and qDefault.

For qACK, set the bandwidth to 10%, Priority 7, Realtime M2 10%.
For qDefault, set Default, ECN, Bandwidth to 1%, Priority 3, Realtime M2 1%.

Go to queues tab, clone both qACK and qDefault onto WAN.

Now go to Firewall Rules,

under LAN tab, you will see a "Default allow LAN to any rule".
Click edit ('e' button), scroll down till you find the section that says Ackqueue/ Queue.  Click the 'Advanced' button.  Then select 'qAck' in the left box and 'qDefault' in the right side box.

Go to the Floating Rules tab now,
Click the '+' button to add a new rule.

For Action, select 'Queue'.
Check the box under 'Quick' section.
Under Interface, highlight 'WAN'.
Direction set to 'In'.
Protocol as 'Any'.
Source as ANY.
Destination as 'Lan Subnet'.
Set Description as:  "CatchAll Inbound".
Set Ackqueue/ Queue as qACK/ qDefault.

That should be all you need to do.

Well, since i have no patience i did not wait for an answer to that, and cleared everything then reran the wizard.

The OPT1 interface is not a "real" interface, and will not be allowed it seems. I could only choose 1 WAN interface in the wizard.

So, my next question would be: How do i shape any traffic <-> OPT1 interface (my IPV6 traffic)?

C

In other threads there were discussions about only allowing ports which are in general only used for legal traffic (http,https,pop3,…) and the same for traffic shaper.
Giving high priority to "legal" traffic and only low priority for "unknown" traffic.

This will not block torrent at all but perhaps slow down it.

For blocking other downloads I am using squid and squidguard and blocking torrent in URL and the well known filehoster as rapidshare, uploaded.to and so on.

There are some (free) blacklists for squidguard but they are blocking oftem more than I just want to.
You can give it a try of course!

http://www.shallalist.de/
http://urlblacklist.com/

Generally, it would be instructive to know if/how one can shape traffic that originates on pfSense and is just not passing through from interface to interface.

No help from me either im afraid, but the idea is awesome imo..

Debugging queues and general traffic management with such a tool would indeed make things a LOT easier :)

C

Good point. Thanks.