• Downloading causing OpenVPN Tunnel Saturation

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Sooo I guess that is my answer… From what I have read, inbound shaping doesn't work and can cause more congestion. The way to go would be to restrict all net from HQ, upgrade Internet bandwidth or get another 1.5Mbps DSL and route all VPN down one of the pipes, dedicated.

    Am I right?

  • Please help with layer 7 filtering !!!

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    nesense

    First of all, l7 filtering isn't working with rc1; try rc3, and check this site for an explanation of each filter: http://l7-filter.sourceforge.net/protocols

    Your best bet to limit videos over http is to use squid transparently with delay pools for .swf, .flv, .avi … etc

  • Traffic Shaper Warning. Is it safe?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Did you ever use the shaper before? If you have never used the shaper, you have no shaper config, so it's safe to proceed.

    Also you should be on at least 1.2.3. 1.2.2 is quite old and no longer supported.

  • DNS Blacklist in version 2

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Shapper questio

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • "Simply" traffic chaping

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Priority for one host

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Does the Traffic Shaper work in Pfsense 2.0-RC1?

    Locked
    11
    0 Votes
    11 Posts
    6k Views

    To elaborate, when limiting downloads you are effectively just dumping packets that are coming your way and hoping that the applications involved actually notice that there are issues and throttle back on the speed when negotiating with the host.

    So setting a 5Mb hard limit won't result in 5Mb heading your way on the WAN side.  It's actually higher than that because the applications involved will request a re-transmit of the data that is dumped until the speed throttles back to an acceptable level.

    In the worst case where the application or the host does not care, the result is actually a snowball effect where you get the transmitted packets and a duplicate of the packets that were dumped heading your way.  This ends up saturating your line even further.

  • Assistance with bandwidth limiting please?

    Locked
    16
    0 Votes
    16 Posts
    8k Views
    stephenw10

    It's a real time tool but it does have a lot of options.
    I'm not convinced speedtest.net is the best tool. It is able to combine feeds from several wans though if you are testing a loadbalancing setup.
    I don't know how many clients you have or how much profit you are hoping to make (if any) but it might be worth getting some assistance from bsdperimeter.

    It's all good learning experience!  :)

    Steve

  • Traffic Shaping..Does it really work?

    Locked
    4
    0 Votes
    4 Posts
    3k Views

    @zephxiii:

    I'm still wondering what tweaks can be done to prioritize NNTP lower than other traffic when other traffic is happening (like Netflix) but yet still have NNTP max out the connection when it isn't in use. Was wondering if the priority level set has any effect on that etc.

    If you're using HFSC, putting NNTP into qOthersLow and HTTP in qOthersDefault should do it.

    Priority is almost irrelevant for HFSC. Try playing with bandwidth instead. The bandwidth setting depends on what traffic goes there. Normally qOthersDefault should be reserved primarily for Web and qOthersLow for NNTP, mails and other bulk downloads. Then the suitable bandwidth for qOthersLow and qOthersDefault would be around 10% and 20% respectively.

  • Different filter for different ips via squid

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    You can do that with the squidGuard package on top of squid.

    It lets you set up ACLs to match groups of IPs, and lists of sites can be set to pass/block based on the members of those groups.

    There are several tutorials here on the forum and wiki for setting up squidGuard.

  • Transparent shaper: Is this setup possible?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Catch traffic from alias ip?

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    I see. My intention was to run everything on that box (a firewall, gateway and seedbox), and my idea was to catch all the traffic from the seedbox using an alias IP and then set it to go to the P2P traffic shaping queue, but the filter can't catch the traffic going out the WAN on the box itself, whether it's an alias IP or the real LAN IP. Any upload or traffic going out the WAN iface initiated from the pfsense box itself is bypassing the traffic shaper according to my tests.

    It does work with incoming traffic; I can see the incoming packets to the alias IP being caught and queued into the P2P queue, but unfortunately it seems it doesn't work the other way for outgoing packets. So, I guess I'll have to think about doing this in some other way, perhaps deploying pfsense using vmware ESX or some other virtualization technology so I'd run pfsense + a separate OS on the same box to get the seedbox traffic shaped.

    Thanks again for clearing up this :)

  • Traffic shaping to penelize single IP

    Locked
    5
    0 Votes
    5 Posts
    4k Views

    It does not seem like your traffic shaper is even initialized properly.

    Have you tried re-running the shaper wizard?

    If all else fails, you can set the queues and rules manually.

  • Re: Limiting bandwith for interface

    Locked
    2
    0 Votes
    2 Posts
    1k Views

    So, experts?

    I tried to do it by first configuring a limiter and then using http video in the layer 7 section of the traffic shaper and choosing the limiter I created for this protocol, but it didn't work.

    I even tried on the lan interface to activate the limiter at the bottom of the pic, in front of the 'l-7' advanced option (I think), but also no result. Help please!

    PS: I have 2 interfaces: 1 wan and 1 lan

  • How to traffic shape an OpenVPN connection to an Asterisk server?

    Locked
    4
    0 Votes
    4 Posts
    3k Views

    I've not used that.  I just prioritize RTP traffic, so I have no info on your issue, sorry…

  • Traffic Shaping for single IP range

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Graph interpretation

    Locked
    5
    0 Votes
    5 Posts
    2k Views

    @kirlox_kitoy:

    It is the wizard configuration that set the values of 1 and 25 percent

    I thought in 1.x the wizard sets default queues = 10% and ack queues = 10% (and 1% to the real-time bandwidth).

    Anyway qwandef=1% is too small to suppress qP2P (unless you don't want to) and qwanack=25% is much larger than necessary for a symmetric link. I would prefer something like 5%-20% and 5%-10%, respectively.

    Graphs tell you nothing about accuracy of the shaper. Queue loads should be calculated from systematic measurements with pftop.

  • Shaping IPSec tunnel terminated on pfSense box

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Explanation of general definitions

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    TCP traffic needs to acknowledge that it received a packet. That is what the qAcks is for. UDP traffic doesn't acknowledge that it received a packet. If you look at the rules you will see that TCP traffic uses qACKs/qGames while the UDP traffic only uses the qGames queue.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.