@Arnaud09 Assumption: You portforward those 3 services, each to their own isp inside lan ip ? Then i would put the pfSense wan on your isp routers inside lan on (fixed) ip addr xxx ... Don't use DHCP , and remember to set default gw on the pfsense to your routers inside ip address. And "portforward" the wanted ports on your isp router, to the routers inside lan on ip addr xxx (the pfSense wan ip). Now matching (portforwarded) traffic will hit the pfSense Wan interface. Then you need to do the same portforwarding once more on the pfSense , to portforward the interesting stuff on the WAN to the LAN. Now you can control access to the pfSense LAN (that would be your service lan) , by putting access rules on your pfSense wan interface (preventing unwanted packages from entering the WAN .. And thereby access the Lan. Be sure that your ISP router inside lan , and your pfSense inside lan does not have the same ip range or it will never work. I might have given multiple VIP's a try .. Haven't used those yet. But that might not be easy for a "Non experienced person" If you are able to add routes to your ISP Router , things might become a lot easier. /Bingo

@bobbenheim - I double checked and both limiter and child queue are already set to tail drop. Here are my settings (120M in, 12M out): target 5 interval 100 quantum 300 limit 10240 flows 20480 I think I got them from one of the posts here. It has been working ok with these since 2.4.5 came out. I still think that I had caused a problem with the pfblockerng floating rules located before my limiter floating rules. I have reversed the order and so far the log entries have not shown again.

@DustSL - unfortunately I can't confirm if the Chelsio cards will work with ALTQ, but I can say that that they should work fine with limiters: I've setup FQ-CoDel based traffic shaping on a system that has had both T520 and T540 Chelsio cards and never experienced any issues. Hope this helps.

For others that are in a similar situation... Turns out that with the Unifi Controller, you can change the default "User Group" to set a speed limit. Since over Wifi, I'm seeing 120/20, I set my limit to 100/20. When doing the speedtest, I'm now not seeing any bufferbloat and I'm getting an A+ from an F before, but I'm getting speeds around 80/20. Just a tip too. For reasons unknown, in my controller, I had to specify Kbps and couldn't set it to anything over 100Mbps. I was getting some sort of weird payload error. Some say it was a bug but who knows. For now, I'll keep it as it is and see how it works. Hopefully it will have a positive effect on zoom meetings.

@bobbenheim What's up BOB ! /boot/loader.conf.local - final - best result ever ! if_em_load="YES" cc_htcp_load="YES" hw.em.eee_setting="0" hw.em.rx_process_limit="-1" hw.em.txd="2048" hw.em.rxd="2048" net.link.ifqmaxlen="4096" 4 computer downloading debian iso 4.4 gig RTT never moved 0.6ms RTTsd never moved 0.2ms Lost 0.0 % this is far the best config ever limiter config Download Codel FQ_codel queue lenght 100 ecn enable limiter Queue Download Mask / Destination Adresse /32 Codel limiter config Upload Codel FQ_codel queue lenght 100 ecn enable limiter Queue Upload Mask / Source Adresse /32 Codel limiter on lan rules in= upload-queue out=download-queue with all helps ! all people sharing knoledge ! everything's possible! Thank you so muck

Upgraded to 2.4.5, still the same problem.

@Stewart been running it for almost a month and it works well. As long as the limiter is masked it will create individual bucket in the alias list. Else, it's shared.

@kiokoman said in Traffic Shaping (CODEL/FQ_CODEL) kills all traffic, no internet access: yes it's not working on 2.5.0 https://redmine.pfsense.org/issues/9643 Thanks for info, I keep forgetting about the bug tracker. Watching that one now.

Which nic's are you using and what version of pfsense? If you are using nic's which use the ix driver then altq are disabled due to driver instability in 2.4.5 and earlier but It has recently been enabled in the 2.5 development snapshots again.

@bobbenheim Cake implementation would be nice!

If you are not using limiters, then note this from the guide; The ALTQ framework is handled through pf and is closely tied to network card drivers. ALTQ can handle several types of schedulers and queue layouts. The traffic shaper wizard configures ALTQ and gives firewall administrators the ability to quickly configure QoS for common scenarios, and it allows custom rules for more complex tasks. ALTQ is inefficient, however, so the maximum potential throughput of a firewall is lowered significantly when it is active. pfSense software also supports a separate shaper concept called Limiters. Limiters enforce hard bandwidth limits for a group or on a per-IP address or network basis. Inside of those bandwidth limits, limiters can also manage traffic priorities.

@noplan said in Reverse proxy with HAProxy pointing to the firewall: @Bob-Dig Oh yes... I forgot that one Move to something like 99443 Nothing like 80443 0r 8080 Smashed it out of the park =D thanks for that, needed to do some reading but moving the port seemed to do the trick.

What will be the next thing to do? I am also wondering how can pfsense allocate a dedicated bandwidth or a percent of bandwidth from my total bandwidth to a group and limit each member to for example 3mbps.