Hello,

I'm having the same issue. My pfsense is limiting my upload to all of my LAN. I have not defined anything. Any idea?

No it's not. I got same error message.
Please create ticket on redmine if you want it to be fixed.

fwiw, got it all working.  Originally, I was setting the bandwidth in Mbps and that seemed to be misinterpreted.  I found an older thread on here talking about a bug when using Mbps and instead used Kbps to set the bandwidth and then all was good.  Once the b/w issues were resolved, the rest fell into place nicely.  Got all my PRIQ queues setup and functioning as desired.  Running all my "end goal" queues as desired.

@RickyBaker:

I will def read this …

well I did it! and you were right @Nullity , it made a lot of the concepts a LOT clearer.  Not least of all that QOS really isn't an exact science.  I think i'll need to ruminate on my new found knowledge a little bit, but I feel a bit more optimistic now.

Still seems like IP based prioritization might still be a reasonable first step, or maybe I should just skip straight to prioritizing http and let everything else go to default….

I will do that. Thanks again.

I already have VOIP in my house through italkBB.

The point I was making was that you could use the wizard functionality to create a basic queue structure for you to modify, and the VoIP example is closest to what you want to do: put all traffic to/from a particular destination into the highest queue.

@rvjr:

Hi MrJonny,

that happened to me too on the SG4860:

I had used only two gige ports, port1 for WAN, and port2 for 4 LANs as tagged VLANs. I didn't use the port2 untagged. I setup traffic shaping rules for the VLANs, but for an experiment I added a shaping rule on the untagged port2 interface, and then the pfSense box was completely dead. Booting resulted in it to hang on "Starting dns resolver…" on the serial console, and booting without lan cables attached caused a kernel panic. I could only restore a very old config because I had no recent backup (which will never happen to me again ;-)), and I don't know about other recovery methods. Unfortunately I didn't have time to consult the forum or any official support because I had to get everything running as fast as possible again.

Good to hear its not just me, hopefully someone will look in to this.

I restored my config, by going in to single user mode.

Remounted the filesystem as read/write. Went to "/cf/conf/"  deleted "conf.xml" and went in to "/cf/conf/backups/" copied one of the most recents backups to "/cf/conf/config.xml" not the most recent because I'm guessing that one would have the change we made to traffic shaper. Rebooted and working fine again

@NogBadTheBad:

Are you surprised, its quite easy to search the forums before posting here.

:o
Damn. Almost got teary-eyed reading that. BARKEEP! Give this man a beer.

yeah thats pretty much what I am doing.

@chrcoluk:

youtube.com is just the portal.

video's come from googlvideo* hostnames.

the easiest way I have managed to classify youtube is to add google's ASN table to a alias via pfblockerng, but I do this to keep google higher priority than other stuff not lower.  Youtube shouldnt be causing bufferbloat as it is only a single tcp session to stream the video and also only bursts high at the start of the video.

Prior to TCP BBR there was no packet pacing and even though there was a single TCP connection, going from idle to full meant that single connection would burst an entire transmission window at line rate before settling down to a sustained pace. Even a year ago, I was seeing 1Gb/s bursts from YouTube for each request as long as it was on an established connection that was idle. I am not sure if BBR is fully rolled out, but I know Google is at least in the process of.

Hello Derelict.

Sorry for the delay of my response as I promised to comeback and advise if it works or not.

I applied your rules on a fresh pfSense install and started testing. The PC had Internet until I applied the FROM_VSAT and TO_VSAT to WLAN out traffic. After setting up the in/out settings, I was able to resolve, ping and traceroute to the host, but could not browse the page itself.

What I did was to add a rule in Firewall>Rules>LAN with the following:

Action: Pass
Interface: LAN
Address Family: IPv4 (we do not use IPv6 in the company)
Protocol: any
Source: any
Destination: any
Description: LAN ANY TO ANY
In/Out: To_VSAT / From_VSAT

Saved the rule, moved it to the top, applied the settings and after that all works like a charm. Incoming connections are limited to the speed and latency setup in limiters for both directions but at the same time any LAN traffic is unlimited so a ping from the LAN Net to LAN Net is not affected. I find it useful to have an option to apply the limiters to the LAN network as well for some tests, where in production environment a need to troubleshoot a slow network/latency is needed.

I am extremely grateful to your help and I hope that this short tutorial plus your extensive instructions would be useful for others who need to emulate VSAT or just any other bandwidth, latency, package drop etc. limitations. The options are limitless and it is up to us to see how can we use it.

@Yanisss:

i gave high priority to gaming in general because i didnt find where to prioritize any port or ip adress, and lower everything else :-X

What is your real-world upload & download bitrate?

What is your configured QoS upload & download bitrate?

Which queueing algorithm did you choose?

and any other useful information.

If you haven't read this already, you should: https://doc.pfsense.org/index.php/Traffic_Shaping_Guide

Using a quick & dirty limiter, if anyones interested :-

Create an upload & download limiter via Firewall -> Traffic Shaper ->Limiters

Create a firewall rule to pass traffic through the interface, Firewall -> Rules -> Interface

In my case I'm limiting the GUEST Lan to 2 Mbps and they can only access the Internet.

In the above rule that was created goto Advanced Options and add the 2 limiters to the IN / OUT pipe.

View the limiter info via  Diagnostics -> Limiter Info and run a speed test

Log in to see the screenshots :)


If all the VLANs have the same subnet mask you should get a separate pipe for each, say, /24 mask in the limiter config.

If putting them on LAN mask on source addresses on the in limiter (user uploads) and dest addresses on the out limiter (user downloads).

Oh ok, I understood you right the first time around and my suggestion still applies.  Create a limiter of 60 Mbps and create a LAN firewall rule to push the traffic from just that one client into the limiter.  The limiter will ensure that it can use up to, but not more than, 60 Mbps.

You could accomplish the same goal with a properly-configured HFSC shaper, but it would be MUCH more complex than a limiter.

It's a known bug that some graphs shows twice as much as the actual traffic.