Thanks sullrich, I did read that and I'm not getting drops on my queues.

Appologies for not responding sooner, I was locked out of the forum for a while because it was rejecting connections from behind proxies.

Does around 20-30pps for acks seem reasonable? That's with an 11kB upload speed, getting about 280kB down. 7kB/sec worth of acks. Seems about right, on an MTU of 1500. It never seems to get above 50pps, with an unlimited upload.

PS. I think this could be something to do with NTL, but I'm not sure what.

NTL gives you a 512kb upload, which I can max out uploading to NTL web space or Flickr. However, anything over 11kB seriously kills download speeds. That simply shouldn't happen. Does anyone have any ideas what could cause it? It's via a cable modem, so the overhead should be quite low compared with, say, ppoe. Yet, the exact same software on the same routers and PCs allowed me to upload at 40kB/sec on 480kb up ADSL without loss of download performance.

@jan:

my pfsense is acting a little strange, so i downloaded and installed a new pfsense iso, then i went on to configure traffic shaping but after finishing the wizard i could no longer surf, the traffic shaping does not need any rebooting, right? good thing i have a config back up w/o traffic shaping and restored it, and after a reboot, i can surf the internet again. there is definitely something wrong with my box, right?

Yep, sounds like you've got a broken clock.  Not much we can do about that I think.

–Bill

Hi sullrich and hoba,

Thanks  for your replies :)
I finally figured out what was happening.
First of all, I did a factory default, and then proceeded to run the Shaping Wizard once again.
After that, I noticed exactly the same problem, and I decided to do a tcpdump -vvv host MyTargetHost to get more info, and there I saw the problem!
My downstream was ToS=0x18 and my upstream was ToS=0x10  :o
However, I believe there's a bug in the matching rules, because look what happens below.

For example, this works fine:

lowdelay    yes    no      don't care
throughput yes    no    don't care
reliability   yes    no    don't care
congestion yes    no    don't care

But this, or any other combination that includes more than one tos value, will  bomb:

lowdelay    yes    no    don't care
throughput yes    no    don't care
reliability   yes    no    don't care
congestion yes    no    don't care

PF will complain as to the syntax and skip the rule of the offending line when trying to add tos=lowdelay,throughput, etc., on the same line.

So I just fixed the ToS on my Asterisk box to tos=0x18, selected lowdelay yes - on the "IP Type of Service (TOS)", and bingo!, upstream/downstream are now showing a nice red line while any phone is in use ;)

BUT, the question still is, shouldn't 0x10 match? Because it doesn't!  ???
Isn't 0x10 = lowdelay? or do I have it all wrong?

Thanks,
-Karl

Make sure RDP shows up in the qotherXXh queues. Then give that queue a higher percentage as well just like you did for the ack queues.

@hshh:

I am about to set SYN packet high priority,detail is in TCP Flags, SYN set, ACK cleared, others don't care.
After apply settings, I found the rules added by webui is,
pass in on rl0 proto tcp all flags S/FSRPAU keep state tag qLANacks tagged unshaped
pass out on vr0 proto tcp all flags S/FSRPAU keep state tag qWANacks tagged qLANacks

S/FSRPAU, why not S/SA ? Is it a bug?

flags <a>/ | / This rule only applies to TCP packets that have the flags</a> ****<a>set
          out of set **.  Flags not specified in **are ignored.  The flags
          are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.

flags S/S  Flag SYN is set.  The other flags are ignored.

flags S/SA  Out of SYN and ACK, exactly SYN may be set.  SYN,
                      SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST
                      do not.  This is more restrictive than the previous ex-
                      ample.

flags /SFRA
                      If the first set is not specified, it defaults to none.
                      All of SYN, FIN, RST and ACK must be unset.</a>

<a>–Bill</a>

Multiple Interface trafficshaping is not supported out of the box atm. Also a per user bandwidth sharing or a fairly sharing per active user is not yet possible in pfSense (and won't be for 1.0). Nobody can say if this will be possible in future versions at the current state.

BTW, priority doesn't really mean much in the shaper anyway.

–Bill

OK then, thanks for the fast response guys.

Cheers.

Scott.

Say what?  Priorities are in the queues.

Only two interfaces can be shaped.  Either wan/dmz or lan/dmz.

No its not something that can be worked around for 1.0.

It is not possible to dynamically and equal share the bandwidth.

This has been asked many times and there is even a faq for it on faq.pfsense.com.

Upgrade to latest RC2 with patches and rerun the shaper wizard. We changed some weightings between the queues.

You need to have squid on a different server, you can not do this with squid on the pfsense box.

Thanks, I changed it. Will wrap work at all?

I would try raising the ack bandwidth to 25% on both ack queues first.

Drop port 6889, will help cap some of the torrent users….at least from going off the lan....also, using another interface would work to bypass the filters so you could use it all at night:P

LAN/WAN will work as these interfaces are not bridged to each other.

I'm still not able to acheive the results I'm looking for. I think the problem is not about the amount of bandwidth being used but rather the priority or order in which packets get processed and sent out.
I want to have my UDP game packets have absolute priority over everything else regardless of the packet size or number of packet per second.
As any online gamer knows, it is low latency that needs to take place for a good gaming experience. So, are there some settings changes I could make that will achieve this?
The "model" or lets say level of performance I am trying to copy is that of my D-Link DGL 4100. It's Gamefuel technology works great for this purpose. The problem with it is that the router does not have much ram and the state table is too small so it's gets overwhelmed even doing a server search from Counter Strike. There are over 40000 servers to ping and it can't handle it. Especially when I am running a server myself and sending ping responces to everyone else searching for a server. So I'm using a PFSense with RC2, 1ghz Athlon, 256mb ram.
Thanks.

Hi all, may I help me to solve this problem?

Regards, Johnnguyen