Now I am really confused.  You say you agree with me, but my complaint is that I never see anything in qACK - and that makes sense as the generated rules don't reference qACK.  ???

try to look failover and loadbalance settings for your wan connection.
and look also for policybased routing

Hi,

thanx for the info. I am searching for a good solution to block skype in our network. I don´t understand how to integrade it in L7. Can you help?

Regards, Valle

Thanks Metu69salemi.
sorry i shoudn't have asked such simple issues.
Feels like i'm being spoon feeded.
thanks anyways
kalu

Hi again,

It's look to they have a problem with the wizard and the Penalty Box, actually I don't have any queue who's maid by the wizard, just one in Firewall -> Rules -> Floating who refer to a queue who don't exist.
in this rules I don't see the Alias or the Ip I put in the wizard.

Regards

Totorux

Update your snapshot.

Hi,

need this too. Do you have a solution for this problem? Need this for the captive portal.

Thanks for the input!

I agree that the shaper wizard in 2.0 should put as much as possible in terms of % of bandwidth.

And actually after reading the forums some more, it appears as though we would have to add the qLink queue to the LAN side so that internal traffic could go from lan to vlan or vice-versa without being shaped.

I've tried messing around with pf and it appears the challenge in getting this scheme to work is to be able to match a packet coming in on an interface, regardless if it is an established connection or not.  Right now it appears that PF will only match a new connection on an interface.  Maybe the pfsense folks would have some influence over the pf developers to get this feature added?

WAN
– qInternet 1.5Mbit
---- qAck
---- qDefault
---- qVoIP

OPT1
-- qInternet 256Kbit
---- qAck
---- qDefault
---- qVoIP

LAN
-- qLink
-- qInternetWan 1.5Mbit
---- qAckWan
---- qDefaultWan
---- qVoIPWan
-- qInternetOpt1 256Kbit
---- qAckOpt1
---- qDefaultOpt1
---- qVoIPOpt1

L7 rules - they don't work so well catching torrent, and particularly utorrent. Only a very small amount of packets are identified - uTorrent encrypts its protocol and that feature is on by default mostly - so you aren't really going to be able to block it.
At our site we use the bandwidthd package to find who is using torrent and add them to a penalty box type queue. The limiters are best for that because they can be set to a per individual speed.
I have had issues that if you try to filter all your traffic via the L7 rules performance can take a hit depending on your CPU power - it was maxing out my dual core ATHLON!

Anyway, I have been trying to stop it for years.
On Zentyal firewall the L7 rules seem to work slightly better, but that thing gives you very little ability to analyse your network traffic. Even then, when you force encryption in uTorrent it becomes unstoppable.

Good luck

It doesn't seem to be a DNS or Traffic Shaping problem after all.  The original machine I was noticing the problem on is a laptop (Thinkpad T43P) on a wireless connection (claiming 54Mbps speed at the time) and during playback I was only getting 1.5Mbps through the firewall.  Then I tried a different and faster machine with wired Ethernet and it was able to play back not only at 720P, but 1080P and the traffic went up to 5.5Mpbs through the firewall.  So then I tried sitting the T43P next to one of my wireless access points and wiring to it.  I was able to play back 720P, but despite having network throughput it was not able to keep up with playing back 1080P.  So then I switched back to wireless and was back down to 1.5Mpbs despite network status showing 100% signal on a 54Mbps wireless G connection.

So traffic shaping appears to be working and it's a specific client PC problem.  I'll start chasing after updated drivers.

No, because "WAN Optimization" isn't one thing - it is a number of technologies. Some of those (eg QoS) are built in to pfSense and some (eg Squid) are packages. You need to work out which will help you and then apply those.

If no queue is selected in the rule, then the traffic matching that rule will go in the "default" queue for the interface it is heading to.  There is required to be one and only one default queue for each interface that has traffic shaping enabled.

Assuming this is a simple default setup with one WAN interface which is the internet and one LAN with the local host(s), and all WAN traffic coming in blocked…

To limit download, remember that the download traffic is only allowed in from the WAN because it was initiated by a LAN host.  The firewall rule that allows the traffic and sets the traffic shaping queue can be the same rule, the one on the LAN tab that allows the traffic out.  The traffic that is allowed back in is still matched to that one rule that allowed the connection to take place, on the LAN tab.  So to limit downloaded http traffic to a host "192.168.1.50", you need a queue called, for example, "qHTTP" on the LAN interface, with the limits set how you want, and a firewall rule on the LAN tab, which says pass TCP traffic, destination any, source 192.168.42.50, port 80(http), and queue="qHTTP".

That's the general idea.  If you want to limit the http going out, just make a queue with the same name, "qHTTP" for example, on the WAN interface also.  The same firewall rule will use that queue too.

Hi,

Can I use "Limiter" feature to shape the bandwidth according to requirement?

My Requirement is

In my company there are 3 user groups existed.

1. Top Management
2. Executives
3. General Staff

According to the neediness of internet traffic I want to allocate 60 %, 30% and 10% respectively. Can I do that with pfsense traffic shaping facility?

Please upload step by step guide to Bandwidth shaping

:'( :'( :'( :'(

Okay, I think I'm cool now.  Updated to snap from August 12th.  I do think it's kinda weird that the floating rule the wizard created didn't seem to work - I had to delete it, and create one for the LAN for the voip host, then edit the existing rule for the RTP ports on the WAN to add qVoip.  Oh well…

Ye, it looks familiar to how the wizard creates queues. But nice explained though!

How I see it, the Queues are actually the ones creating bandwidth limits for ip adresses, aliases, interfaces, whatever… No need for LIMITERs as I see it.
Or what?

I have tried with limiters the past few days, but cant seem to make them work as intended :(

Rafter

in opt2 interface which is renamed, work as lan. didn't try limiter yet

You should have different subnets for each Vlans, yes?

If so, simply set 3 queues under the traffic shaper in order of priority and use PRIQ (note, this is only applicable to pfSense 2.0).

Assign all traffic to or from each Vlan (by specifying the source or destination subnet) into the individual queues using the Vlan's interface tab (for outbound) and the floating tab (for inbound).

eg.  Setup 3 queues (qVLan1, qVlan2, qVlan3 with priorities of 3, 2, 1 respectively).  Set qVlan3 queue to be the default queue since this is the lowest priority queue anyway.

Set the default rule under Vlan1 tab to pipe all traffic to qVlan1 queue; The protocol/ destination will be any and the source address will be the subnet of Vlan1.  Go to floating and set the same except that the Protocol/ Source will be any and the destination will be Vlan1's subnet.  Also, ensure that the interface is set to WAN (this will accomodate for inter-vlan routing at higher speeds with other rules)

Do the same for Vlan2 and Vlan3.