• How to not shape traffic for inter lan/subnet traffic?

    6
    0 Votes
    6 Posts
    2k Views
    SammyWooS

    Not sure if this can be done.

    If there is a way to configure the rules to say (on the LAN interfaces) if source=LAN IP, place in front of the queue, but then if you have heavy subnet to subnet traffic, that will have priority over ALL traffic coming from WAN, would that be acceptable?

  • How do you setup QoS when in router mode

    2
    0 Votes
    2 Posts
    548 Views
    SammyWooS

    I have a feeling the wizard just deals with your typical WAN-LAN, but am sure you can setup the queues/interface(s) manually.

    Somebody mentions QOS/traffic shaping is just a series of filter rules applied to the egress of interfaces.  If you use the wizard on WAN-LAN, then go back in there and look at the interfaces, you will see the rules applied to the WAN-LAN.  Analyze what they do, then manually configure your own.  Show your chops how much u know this stuff :D

  • Traffic Graph showing Negative Value

    13
    0 Votes
    13 Posts
    2k Views
    johnpozJ

    "Main issue is that does not show any activities…. "

    That is what it looks like to me as well which is really odd..

    What does say

    systat -ifstat 5

    show you for your interfaces traffic?  What about say something like

    [2.4.2-RELEASE][root@sg4860.local.lan]/root: netstat -i -b -n -I igb2
    Name    Mtu Network      Address              Ipkts Ierrs Idrop    Ibytes    Opkts Oerrs    Obytes  Coll
    igb2  1500 <link#3> 00:08:a2:0c:e6:20 243692313    0    0 33829938506 166012308    0 220759170807    0
    igb2      - fe80::%igb2/6 fe80::208:a2ff:fe        0    -    -          0        1    -        116    -
    igb2      - 192.168.2.0/2 192.168.2.253        95013    -    -  13184546    48803    -  10963069    -
    [2.4.2-RELEASE][root@sg4860.local.lan]/root:

    You can call up a specific vlan with say

    [2.4.2-RELEASE][root@sg4860.local.lan]/root: netstat -i -b -n -I igb2.5
    Name    Mtu Network      Address              Ipkts Ierrs Idrop    Ibytes    Opkts Oerrs    Obytes  Coll
    igb2.  1500 <link#12> 00:08:a2:0c:e6:20  667311    0    0  40451516    4895    0    809821    0
    igb2.    - fe80::%igb2.5 fe80::208:a2ff:fe        0    -    -          0        2    -        172    -
    igb2.    - 192.168.5.0/2 192.168.5.253          42    -    -      20976      133    -      13931    -
    [2.4.2-RELEASE][root@sg4860.local.lan]/root:

  • Multi WAN using HFSC Wizard

    1
    0 Votes
    1 Posts
    497 Views
    No one has replied
  • QoS VOIP Fluctuating WAN

    4
    0 Votes
    4 Posts
    803 Views
    H

    You can use limiters and shape on the WAN for ingress.

  • CBQ shaping issues

    1
    0 Votes
    1 Posts
    602 Views
    No one has replied
  • Traffic shaper limit throughput not stable

    6
    0 Votes
    6 Posts
    1k Views
    lawrencedolL

    Check out this link:

    https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

    It worked perfectly for me, including giving me top-notch VOIP while bandwidth is fully saturated with upload or download traffic, and perfectly dividing the bandwidth between multiple users.

    The most salient sections from that post follow.

    Fixed Limiters

    These are the more commonly discussed limits from what I've seen. Fixed limits are used when a network operator wants to permit only a very specific upper bound of bandwidth to be used by an individual device, no matter what. Use cases might include public WiFi scenarios, where a network operator wants to discourage people from relying on it being a top quality connection to avoid attracting people who camp out on their network consuming maximum bandwidth all day.

    Example goal: 256kbps upload limit, 1mbps download limit (enforced per device)

    The configuration in Firewall > Traffic Shaper > Limiter:

    Create a new Pipe
        Name: Upload
        Bandwidth: 256kbps
        Schedule: None
        Mask: Source addresses (no need to type a number into either of the numeric field boxes in this section)
    Create a new Pipe
        Name: Download
        Bandwidth: 1mbps
        Schedule: None
        Mask: Destination addresses (no need to type a number into either of the numeric field boxes in this section)

    The configuration in the applicable LAN-side firewall rule:

    Advanced > In/Out: Upload / Download

    Flexible Limits

    These are less common, and I didn't realize it was actually possible to do this with pfSense until I got Steve's feedback (forum discussions allude to it, but I haven't seen a correct config fully described anywhere yet). The purpose of flexible limits is to allow pfSense to enforce a total cap on user traffic and to dynamically manage the connections based on real network conditions – allocating more bandwidth per device when the network is quiet and less bandwidth per device when many clients are chatting at the same time. In my case, I've seen users report pleasantly usable network conditions consistently even while the network link was 100% saturated -- this is a very good tool to have in your kit for overloaded Internet uplinks (in one case, I've got a large download capacity but a very small upload capacity, and the users would completely overload the upload, resulting in poor conditions for everyone until I implemented this flexible limiter).

    Example goal: Provide a high quality user experience for hundreds/thousands of devices sharing a business-class cable connection with 300mbps download and 20mbps upload capacity.

    The configuration in Firewall > Traffic Shaper > Limiter:

    Create a new Pipe
        Name: Upload
        Bandwidth: 18mbps (put the total amount of bandwidth available here; remember to save a small amount of bandwidth for remote management, downloading packages, etc -- in this example, we're allowing 18mbps for users on a 20mbps line)
        Schedule: None
        Mask: None
    Create a new Queue under Upload
        Name: UploadQueue
        Mask: Source addresses
    Create a new Pipe
        Name: Download
        Bandwidth: 290mbps (in this example, we're allowing 290mbps for users on a 300mbps line)
        Schedule: None
        Mask: None
    Create a new Queue under Download
        Name: DownloadQueue
        Mask: Destination addresses

    The configuration in the applicable LAN-side firewall rule:

    Advanced > In/Out: UploadQueue / DownloadQueue

  • The confusion of Limiters and associated bugs

    4
    0 Votes
    4 Posts
    1k Views
    lawrencedolL

    I have been struggling with getting limiters to work in 2.4.2 since I installed PFSense about 6 weeks ago. The link posted by @1smallsausage is the first one that (a) actually made sense, (b) describes the process well, and (c) works. The difference between a "pipe" and a "queue" as it pertains to limiters is crucial.

    Moreover, having created two sets of limiters on my network, one for "registered" (static assignment) devices and one for "unregistered" (DHCP assignment) devices, I have finally been able to throttle my guests to a 3x1 Mib link and induce a 100ms latency, while allowing registered devices to share the available bandwidth completely equitably, including being able to maintain top grade VOIP quality while full bandwidth downloads/uploads are in progress.

    The "Flexible vs. Fixed Limiters" article belongs in the docs in the Traffic Shaping category. [Although, personally, I think that limiters probably don't belong as a tab on Traffic Shaping at all, but belong on their own page.]

  • Femtocell higher priority on LAN to WAN and WAN to LAN - how to do it ?

    2
    0 Votes
    2 Posts
    583 Views
    GentleJoeG

    Posting how I got it working, in case it helps someone else in the future.

    It was my error of course. When I enabled the traffic shaper and the rules, I just needed to reset the state table of all current connections.

    I could either reset all states [ http://192.168.X.X/diag_resetstate.php ], or just the states that applied to the devices on my LAN using the filter [ http://192.168.X.X/diag_dump_states.php ].
    Both worked.

    I created an alias called VoipHosts that included the IP address for both T-Mobile devices.

    I edited the floating rule that was created by the wizard, changed it to include all protocols instead of the default UDP only protocol.
    At least the LineLink uses both UDP and TCP.

    This site here really helped. http://pfsensesetup.com/category/setup-guides/

    That says this:

    Traffic shaping should now be activated for all new connections. However, existing connections will not have traffic shaping applied to them, only new connections. In order for traffic shaping to be fully active on all connections, you must clear the states. In order to do this, navigate to Diagnostics -> States. Then click the Reset States tab, check the Firewall state table check box (if it is not already checked), and press the Reset button.

  • PFSense 2.3, Xenserver & Traffic Shaping

    9
    0 Votes
    9 Posts
    5k Views
    D

    I know this is a bit outdated but I have successfully found a way to use intel drivers instead.

    This method works for xenserver 7.2 (might need some minor changes for 7.1 and below)

    You have to modify the file /usr/libexec/xenopsd/qemu-dm-wrapper with following after the def main(argv) line:

    def main(argv):
        import os
        import sys
        # Swap the emulated Realtek NIC model for the Intel e1000 in the arguments
        argv = [arg.replace('rtl8139', 'e1000') for arg in argv]

    This will use the intel drivers instead for all the VMs on the xenserver.  I tried a few other ways but this seemed to be the most reliable and consistent for use in a production environment.

  • HFSC insists on Kbit/s

    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
  • All Client Max Download Speed Limit but Bandwidth

    2
    0 Votes
    2 Posts
    490 Views
    KOMK

    This article gives an example of how to do what you are asking for

    https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

  • 0 Votes
    5 Posts
    1k Views
    M

    Hi folks!
    OK, so I've setup a HFSC queue, and I've assigned the few IPs I need to prioritize. So it's a 50 Mbit/s link, I defined the service curve with:
    "Max bandwidth for queue." / "upper limit" / 40Mb
    "Min bandwidth for queue." / "Real Time" / 3Mb

    But what do I enter for "Bandwidth"? Do I put 50 Mbit/s inside?

    My main question is what clients to assign the queue to? Only the ones I want to affect with QoS (max & min), or ALL the clients? I could live with ALL the clients having max and min defined since it's mostly only few clients at the time trying to max out the link, so if I put everyone in the floating rule - I should be fine, right?

    The problem is I can only prioritize based on IP address. Sometimes the client is pulling entertainment videos from youtube, sometimes it's performing an important presentation, I cannot know what is important and what is not. What would be the best practice for such a case?

    Thanx

  • Bufferbloat & Wifi Woes

    7
    0 Votes
    7 Posts
    2k Views
    A

    @Harvy66:

    Then you have the issue that wifi has built in re-transmission, making Layer 1 latency highly unpredictable.

    "Air time fairness" is another potential issue if you have many generations of wifi devices, especially on 2.4ghz.

    Right… OK. I'm glad you replied, I thought layer 1 was "un-sniffable" without RF, thanks for confirming this! I figured it was the re-transmit, but I didn't know for sure. Would a "better" MTU or something help?

    What do you mean by Airtime Fairness? Like, should I turn it ON? or OFF? The Asus AC5300 has all of the fancy MuMIMO options, but it's pretty opaque on what it actually does/help.

    @gsmornot I hear ya, however I'm a bit of a perfectionist, and for the first time around benchmarking I want to get it right. Mainly having something highly repeatable. I've been using DSLReports but then got turned onto FLENT - which is netperf-wrapper in a nice interface.

    Thinking about this more, I should setup a Netperf server on my wired LAN side, and benchmark the Wifi first to there, then move to the pfSense.

    I've attached some examples of QoS with Flent. I've only managed to get ONE of the Upload, Download, or Latency at max performance, but never all at once.

    Ideally I want all of the lines to be very flat, with no deviance of the other classes or "random" looking data. In addition - never hitting 0mbit, keeping all values above 20 or some nice amount. You can see that it IS possible.

    🤷 Maybe I'll make a new thread on that, but it's mostly for WAN. It would be interesting to QoS the AP port...  hrm...

    ![Screen Shot 2018-01-28 at 11.03.42 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-28 at 11.03.42 PM.png)
    ![Screen Shot 2018-01-28 at 11.03.29 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-28 at 11.03.29 PM.png)
    ![Screen Shot 2018-01-28 at 11.03.21 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-28 at 11.03.21 PM.png)

  • Traffic Shaping ovpnc interface results in extreme CPU usage

    1
    0 Votes
    1 Posts
    452 Views
    No one has replied
  • 0 Votes
    4 Posts
    917 Views
    T

    @test4321:

    @tman222:

    One question that comes to mind right away: Are you using a proxy setup by chance (e.g. Squid)?

    Yes I am - is there an issue with this? How can I use both?

    UPDATE: looking into this article now:

    https://guglio.xyz/pfsense-2-3-limiters-and-squid-bugfix/

    The reason I asked is because when using the squid proxy the configuration has to be altered somewhat (I have run into this same problem as well actually).  Otherwise, you are just using the limiter to limit bandwidth between local machine and the proxy, but not between the proxy and the machine online you are downloading from.  Unfortunately, I'm actually not quite sure how to make those modifications - was the article you found helpful, i.e. did you get it working?

  • Can traffic shaping improve the security of my network?

    3
    0 Votes
    3 Posts
    812 Views
    H

    Shaping/limiting only deals with bandwidth management. It may improve the stability of your network.

  • Traffic Limiter on WAN interface and Floating Rule

    1
    0 Votes
    1 Posts
    805 Views
    No one has replied
  • Traffic Shaping

    5
    0 Votes
    5 Posts
    1k Views
    H

    @Nullity:

    Read the pfSense wiki. After some learning, struggling, and trial & error experimentation, return to tell us how we can help you.

    I do not envy experiencing the pfSense learning-curve… but, we are happy to help after you've felt our pain. :)

    Laughing, understand!

  • Possible? When it detects a voip call, throttle everything else to 1%?

    24
    0 Votes
    24 Posts
    3k Views
    H

    There are still some large spikes on the upload graph, but overall everything looks much better. You may want to reduce your bandwidth even further, by small steps of like 0.1Mb, and see if you can get rid of those spikes. Diminishing returns at this point and it's up to you to play around and decide what's a good trade-off.

    One thing I would like to mention is that because you're using priq, and your download is so asymmetric of your upload, when downloading, you're going to be saturating your upload with ACKs. ACKs are lower priority than VoIP, so VoIP should work, but anything lower than ACK or DNS is going to effectively die.

    Hopefully VoIP will continue to work now. Let us know.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.