@Modesty How much the protocol is universally used for illegal or legal activities isn't relevant, you're making an assumption of your tenants use which unless you have data, or notices from your ISP could be incorrect. For example, you mention they use Steam, Steam uses the BitTorrent protocol to distribute data between players so they may not be doing anything illegal at all. I would say though that if the legal ramifications are a concern then you should consider having your tenants subscribe to their own service rather sharing yours. Depending on your ISP you might also be breaching your ISPs ToS by providing service to tenants not leaving you in a great defensible position should they be up to no good post gaming.

I have moved over to using QFQ (which I believe is default selected in pfSense UI) for downstream combined with Codel on the child queue. (this seems to match HFSC performance on ALTQ).

fq_codel works awesome for egress, but not so good for ingress on consumer broadband in my experience.

What i did in limiter configuration.

Pipe set the limit as documented, use droptail.
Scheduler set to QFQ
Queue set to Codel. Also on queue configure src-ip and src-ip6 masks, I used /16 for ipv4 and /56 for ipv6. I will probably change ipv6 to /48.

The idea been I dont want a flow for each individual ip, so many would be created, instead to have traffic from same providers in their own flow, /16 will usually cause that, although it will be possible you may have 2 different providers at once in the same /16, in practice this seems rare though. As an example if I used /32 for flow separation and a steam download (32 threads) was competing with a twitch stream, then it would be 32/33 bandwidth allocated to steam and 1/33 allocated to twitch, with /16 it would be 50/50.

Floating rules would be same as documentation. This still is not 100% for me but its working better for ingress than fq_codel. fq_codel I had to reduce flow limit's to 20 but that flooded my console with warnings and I still didnt have as good performance as QFQ.

Also with this system the flows are visible in the diagnostics -> limiter screen whilst fq_codel hides its internal flows. So you can see which flows have packets dropped by the shaper, to determine how well things are working.

yeah I would love cake as well, but sadly I cannot see any information on it been ported to dummynet, it looks like nothing is happening for that. :(

@luiscachog Unfortunately Zoom does not keep (https://assets.zoom.us/docs/ipranges/Zoom.txt) up to date. I have found at least 10 other IPs I had to add. Everyday there seems to be a new IP. I may see if QoS DSCP Marking can be turned on by the host.

Not an emergency, but a real issue, no one has experienced this?

The floating rule should match regardless of interface (think of a router with 5 interfaces trying to duplicate all the shaping rules). There's not a need to tie them to interfaces.

The wizard sets up a default setup. I think I would delete and run the wizard if changing types.

The queues affect outbound traffic for the interface so downloading from the Internet would be LAN outbound and ack would be WAN outbound. The rules get set up differently, for instance I think VOIP UDP traffic doesn't have an interface but has a rule for Source and another for Destination. But POP/SMTP etc. TCP gets set on WAN according to destination port by default.

@Arnaud09

Assumption:
You portforward those 3 services, each to their own isp inside lan ip ?

Then i would put the pfSense wan on your isp routers inside lan on (fixed) ip addr xxx ... Don't use DHCP , and remember to set default gw on the pfsense to your routers inside ip address.

And "portforward" the wanted ports on your isp router, to the routers inside lan on ip addr xxx (the pfSense wan ip).

Now matching (portforwarded) traffic will hit the pfSense Wan interface.

Then you need to do the same portforwarding once more on the pfSense , to portforward the interesting stuff on the WAN to the LAN.

Now you can control access to the pfSense LAN (that would be your service lan) , by putting access rules on your pfSense wan interface (preventing unwanted packages from entering the WAN .. And thereby access the Lan.

Be sure that your ISP router inside lan , and your pfSense inside lan does not have the same ip range or it will never work.

I might have given multiple VIP's a try .. Haven't used those yet.
But that might not be easy for a "Non experienced person"

If you are able to add routes to your ISP Router , things might become a lot easier.

/Bingo

@bobbenheim - I double checked and both limiter and child queue are already set to tail drop.

Here are my settings (120M in, 12M out):

target 5
interval 100
quantum 300
limit 10240
flows 20480

I think I got them from one of the posts here. It has been working ok with these since 2.4.5 came out.

I still think that I had caused a problem with the pfblockerng floating rules located before my limiter floating rules. I have reversed the order and so far the log entries have not shown again.

@DustSL - unfortunately I can't confirm if the Chelsio cards will work with ALTQ, but I can say that that they should work fine with limiters: I've setup FQ-CoDel based traffic shaping on a system that has had both T520 and T540 Chelsio cards and never experienced any issues. Hope this helps.

For others that are in a similar situation...

Turns out that with the Unifi Controller, you can change the default "User Group" to set a speed limit. Since over Wifi, I'm seeing 120/20, I set my limit to 100/20. When doing the speedtest, I'm now not seeing any bufferbloat and I'm getting an A+ from an F before, but I'm getting speeds around 80/20.

Just a tip too. For reasons unknown, in my controller, I had to specify Kbps and couldn't set it to anything over 100Mbps. I was getting some sort of weird payload error. Some say it was a bug but who knows.

For now, I'll keep it as it is and see how it works. Hopefully it will have a positive effect on zoom meetings.

@bobbenheim
What's up BOB !
/boot/loader.conf.local - final - best result ever !
if_em_load="YES"
cc_htcp_load="YES"
hw.em.eee_setting="0"
hw.em.rx_process_limit="-1"
hw.em.txd="2048"
hw.em.rxd="2048"
net.link.ifqmaxlen="4096"

4 computer downloading debian iso 4.4 gig
RTT never moved 0.6ms
RTTsd never moved 0.2ms
Lost 0.0 %

this is far the best config ever
limiter config Download
Codel
FQ_codel
queue lenght 100
ecn enable

limiter Queue Download
Mask / Destination Adresse /32
Codel

limiter config Upload
Codel
FQ_codel
queue lenght 100
ecn enable

limiter Queue Upload
Mask / Source Adresse /32
Codel

limiter on lan rules
in= upload-queue
out=download-queue

with all helps ! all people sharing knoledge ! everything's possible!
Thank you so muck