• Restrict All Bandwidth on Interface?

    Locked
    0 Votes
    2 Posts
    2k Views

    Going to be a luser and post a reply to my own question right away.

    I'm going through again, and this time I notice the "Penalty Box" section that does seem to put absolute caps on upload and download bandwidth. Seems to me that I could specify the IP range of the WiFi interface (172.16.0.0/24) for the address value, then just put in the numbers I want.

    Would that work?

    (I know, I know… just go try it out and see....)

  • Ermals shaper

    Locked
    0 Votes
    10 Posts
    5k Views

    [1] The rules produced by the wizard are latest-match ones, meaning the latest match takes the action.
    For the IP, I will take a look at all the things I am fixing in the wizards!

    [2] It is all transparent; it means that if you have load balancing active, the rules will convert to conform to it automatically when they reload.

  • Network Speed Settings for PPPoE in Traffic Shaper Wizard 1st Page

    Locked
    0 Votes
    7 Posts
    4k Views

    Hi guys! Trying to figure out the traffic shaper, does it mean that if I have 2000 kbits download I have to deduct at least 70 kbits to set the correct value?

  • [Solved] traffic not being controlled properly

    Locked
    0 Votes
    3 Posts
    3k Views

    Well, unfortunately that computer is not on the network right now, so I can't tell, but I did set a static IP to that IP address that I have in the traffic shaper and it followed the rules, so I'm hoping that when the computer comes back to the network it will do the same. I can see the traffic in the queue.

    When I said encrypted traffic I meant mainly from BitTorrent. That's the main reason why I want to put a squeeze on this computer: it's consuming the whole network, bringing it to a crawl. I set the upload to 256 kbits/sec and 2500 kbits down; that seems fair, but won't destroy the network. We have a 16/2 business Comcast setup. I set up a test computer on that IP and ran an encrypted BitTorrent download of a Linux ISO and it followed the rules, so I hope it works now. I don't know why it wasn't working before. ??? I didn't change anything. :-\

    Edit:
    I think I figured it out why it wasn't working. I turned on the traffic shaper while the computer was downloading, expecting it to start slowing all of the active connections down, but the traffic shaper needs to be in place before the computer starts downloading things again. So, I will leave the traffic shaper enabled and when the computer comes back to the network I will see if it now follows the rules.  :o ;D I figured this out by looking at the queues, some traffic was going through the shaper, and already open connections were going through the LAN/WAN queues. Thanks for pointing me in the right direction.
    BTW, I think I was expecting it to act like it did in m0n0wall, where as soon as you enabled it, it would slow open connections, not just new ones starting.

  • Help diagnosing VOIP problem

    Locked
    0 Votes
    4 Posts
    2k Views

    SIP registration usually uses UDP 5060 and not TCP, though it could be TCP… you should double-check to make sure. You should ask your provider which RTP ports they use and forward those as well.
    One-way audio in SIP calls usually has to do with RTP ports either being full (no more left to assign), or the RTP packets could get lost (improper forwarding), packet loss, etc.

  • 0 Votes
    4 Posts
    3k Views

    For the VoIP shaping.
    1- You should know that 1.2 does not do multiple interfaces.
    2- If you have activated shaping for the VoIP interface and WAN, then the changes in 3 would make it better.
    3- Change the output of the wizard in 1.2 to have realtime priority only on the qVoIP* queues and not on the others. Increase its realtime parameter to the desired value. Usually number of phones * average of 25Kb per phone should give you a nice result for the realtime parameter or just use a % parameter in there.

    This should get you up and running perfectly.

    As for the shaper contribution, there is no stated minimum, though I think people should be reasonable, because $1 does not mean much! Though that is a contribution still.

    Ermal

  • Bandwidth saturated by lowest priority queue?

    Locked
    0 Votes
    9 Posts
    21k Views

    Hi,

    I have faced your problem too, so I dug into the issue a bit.
    The core problem:
    "The question is, why doesn't my qLAN_P2P queue behave in similar fashion as my qLAN_Default queue?"

    I think the reason is: because P2P traffic usually consists of many connections, while normal HTTP or FTP has only a few. This makes a huge difference for traffic shaping.
    FreeBSD uses queues, and it can only work if there is always empty space in each queue. So, when you try to prioritize your P2P traffic by assigning the lowest priority to it, what will happen? PF will drop packets from the P2P queue first, as it has the lowest priority. And what will happen after this? One of your many, many P2P connections will be slowed down a bit, but nobody knows which one, and you still have a lot of others, which all try to use your connection. That is why you feel the traffic shaper does not limit the bandwidth. It tries, but it cannot.
    In other words: FreeBSD cannot shape traffic with overloaded queues if there are a lot of connections belonging to them, because it simply cannot know which connection uses the most bandwidth within a queue. It simply drops packets at random from the respective queue - I guess.
    You can check this by going out to the shell and typing: pfctl -vsq
    You see, the default queue size of FreeBSD is 50. This is OK for a low number of connections, but for P2P it is nothing.

    Solution:
    You have to increase the size of your P2P queues manually in order to avoid the queue saturation.
    See my post at:
    http://forum.pfsense.org/index.php/topic,9427.0.html
    It has worked perfectly for me for weeks. Now I can prioritize P2P traffic without any problem. I have a queue size for P2P of 2000! (Of course the latency is higher with such a big queue, but for P2P this is not a problem at all.)
    Unfortunately the current WebGUI does not support this setting, but with 'vi' you can modify the setting in '/tmp/rules.debug' in seconds.
    Then you reload the modified ruleset with 'pfctl -A -f /tmp/rules.debug'.
    I think it would make sense to include the queue setting in the WebGUI.
    Hope this helps.
    Viktor

  • Traffic shaping on service running on Pfsense

    Locked
    0 Votes
    2 Posts
    3k Views

    Well, that seems logical, because pf will match the packets based on which interface they came from and which interface they left from. A packet coming from WAN to your FTP server would enter through WAN, but it won't leave. It probably won't be matched to any queue and will avoid traffic shaping. Same for SMTP.
    I'm not too sure about Squid, because the packet does transit WAN->LAN or LAN->WAN, but since it's intercepted by Squid in the middle, it might not be matched by pf either for traffic shaping.
    Anyone else feel free to prove me wrong, I'm just guessing here from what I know about pf, hfsc, etc.

  • Transparent Bridge and Shaper?

    Locked
    0 Votes
    2 Posts
    2k Views

    Yes, it worked. I use this.

  • Packet drops relation to queue limit

    Locked
    0 Votes
    1 Posts
    12k Views
    No one has replied
  • Browsing

    Locked
    0 Votes
    5 Posts
    3k Views

    OK, what should I click first for HTTP traffic? Sorry, I'm new to this thing and I'd love to know more about pfSense. Thanks.

  • Shaping question, how to keep latency low

    Locked
    0 Votes
    6 Posts
    6k Views

    jerm,

    Thanks a lot on your input. My problem is mainly with incoming traffic, since I can decide what goes out or doesn't go out on this connection. That is, if my outbound bandwidth is saturated, I could easily fix it. If my inbound bandwidth is all used, I can hardly do anything on my side, since gaming traffic is already coming to me delayed. I can shape it on my side, but whatever I do will never be 100% as efficient as it would be on my ISP side.

    So as I have it right now I am more than happy. A 12ms on average ping increase while someone is updating TF2 is good enough for me, way better than with no shaping at all, when Steam was using all available bandwidth as soon as someone needed to update something (even the update of the Steam client would give everyone several seconds of lag!)

  • [SOLVED] Penalty IP works only 15 minutes?

    Locked
    0 Votes
    2 Posts
    2k Views

    I think that the problem is in UPnP… I have UPnP enabled and maybe this is the reason why Penalty IP works for 10 to 15 minutes... This is the usual time to activate a UPnP port. So UPnP traffic is not shaped at all.

    Will this be fixed in pfSense 1.3?

  • Traffic control and reporting

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Time Based Traffic Shaping

    Locked
    0 Votes
    4 Posts
    3k Views

    Adjusting queues would work. Moving already established traffic from one queue to another one won't.

  • VOIP Traffic not in correct queues

    Locked
    0 Votes
    3 Posts
    3k Views

    Yes, I have six VLAN interfaces: WAN, LAN, OPT1, OPT2, OPT3, OPT4
    (WAN,LAN,VOIP,CAPTIVE PORTAL,WLAN,VENTRILO)

  • Penalty limiting in 1.2 final

    Locked
    0 Votes
    2 Posts
    2k Views

    Did you reset states after running the shaper wizard? How did you specify the lanhosts in the penalty field? Did you set WAN and LAN as outbound and inbound interface when running the wizard?

  • Horribly slow COPY on SMB share

    Locked
    0 Votes
    8 Posts
    8k Views

    OK, I think I've resolved this problem. I've done the following steps:

    Tweaked the Windows Registry using numerous HOW-TO's found on the Internet, especially TCP Windows Size, Request Buffer Size and TCP 1323 Options.

    Rebooted the Windows server.

    This has resolved the problem, and copying a 300MB file now takes approximately 2 minutes!

    Thanks for everyone's assistance and time.

  • Shaping traffic between DMZ and WAN, but *not* DMZ and LAN?

    Locked
    0 Votes
    5 Posts
    3k Views

    I'm running 1.2 final and I may be trying to do something similar, can someone confirm?

    I have my Webserver in the DMZ and have a LAN and WAN if. Currently I am shaping the LAN and WAN with simple shaping to prioritize the VoIP data. I also want to limit all LAN -> WAN traffic to some KB limit to ensure the DMZ if gets all the bandwidth it needs.

    Since the DMZ is bridged to the WAN, is this not possible in 1.2?

    Thanks

  • PPTP shaping

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.