Thats a good point. I just watch the download speed on a PC or the traffic graph in pfSense. And I do see ACKs flowing out on the WAN interface of course, but that shouldn't influence the borrowing of downstream queue capacity, right? And the ACK queue has 700kbits reserved and I only see about 100-125kbits of ACKs.

A little late to the party, no?  This post is 4 years old and this guy hasn't logged on in almost a year.

Interesting.  So with some cooperation from the client, it would be possible to do what I'm thinking.  Good to know.  I'll definitely refer back to this thread if/when I ever need to shape within my ovpn tunnels.

Yes for all questions.  Read this: https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

And the story goes on: it seems that the observed 'half-duplex' behavior is actually not a problem of pfSense. It's really the DSL line! I'm observing the same phenomenon when connecting my machine directly to the DSL modem. No way to do any kind of traffic shaping if we cannot rely on any specific bandwidth, i.e. when downstream bandwidth is dependent on upstream etc. I guess we have to look for another more reliable connection… Thanks everybody for the good suggestions!

How are you qualifying your traffic?  Have you confirmed that your traffic is going into the proper queues?

Hello, I'm having the same issue. My pfsense is limiting my upload to all of my LAN. I have not defined anything. Any idea?

No it's not. I got same error message. Please create ticket on redmine if you want it to be fixed.

fwiw, got it all working.  Originally, I was setting the bandwidth in Mbps and that seemed to be misinterpreted.  I found an older thread on here talking about a bug when using Mbps and instead used Kbps to set the bandwidth and then all was good.  Once the b/w issues were resolved, the rest fell into place nicely.  Got all my PRIQ queues setup and functioning as desired.  Running all my "end goal" queues as desired.

@RickyBaker: I will def read this … well I did it! and you were right @Nullity , it made a lot of the concepts a LOT clearer.  Not least of all that QOS really isn't an exact science.  I think i'll need to ruminate on my new found knowledge a little bit, but I feel a bit more optimistic now. Still seems like IP based prioritization might still be a reasonable first step, or maybe I should just skip straight to prioritizing http and let everything else go to default….

I will do that. Thanks again.

I already have VOIP in my house through italkBB. The point I was making was that you could use the wizard functionality to create a basic queue structure for you to modify, and the VoIP example is closest to what you want to do: put all traffic to/from a particular destination into the highest queue.

@rvjr: Hi MrJonny, that happened to me too on the SG4860: I had used only two gige ports, port1 for WAN, and port2 for 4 LANs as tagged VLANs. I didn't use the port2 untagged. I setup traffic shaping rules for the VLANs, but for an experiment I added a shaping rule on the untagged port2 interface, and then the pfSense box was completely dead. Booting resulted in it to hang on "Starting dns resolver…" on the serial console, and booting without lan cables attached caused a kernel panic. I could only restore a very old config because I had no recent backup (which will never happen to me again ;-)), and I don't know about other recovery methods. Unfortunately I didn't have time to consult the forum or any official support because I had to get everything running as fast as possible again. Good to hear its not just me, hopefully someone will look in to this. I restored my config, by going in to single user mode. Remounted the filesystem as read/write. Went to "/cf/conf/"  deleted "conf.xml" and went in to "/cf/conf/backups/" copied one of the most recents backups to "/cf/conf/config.xml" not the most recent because I'm guessing that one would have the change we made to traffic shaper. Rebooted and working fine again

@NogBadTheBad: Are you surprised, its quite easy to search the forums before posting here. :o Damn. Almost got teary-eyed reading that. BARKEEP! Give this man a beer.

yeah thats pretty much what I am doing.

@chrcoluk: youtube.com is just the portal. video's come from googlvideo* hostnames. the easiest way I have managed to classify youtube is to add google's ASN table to a alias via pfblockerng, but I do this to keep google higher priority than other stuff not lower.  Youtube shouldnt be causing bufferbloat as it is only a single tcp session to stream the video and also only bursts high at the start of the video. Prior to TCP BBR there was no packet pacing and even though there was a single TCP connection, going from idle to full meant that single connection would burst an entire transmission window at line rate before settling down to a sustained pace. Even a year ago, I was seeing 1Gb/s bursts from YouTube for each request as long as it was on an established connection that was idle. I am not sure if BBR is fully rolled out, but I know Google is at least in the process of.

Hello Derelict. Sorry for the delay of my response as I promised to comeback and advise if it works or not. I applied your rules on a fresh pfSense install and started testing. The PC had Internet until I applied the FROM_VSAT and TO_VSAT to WLAN out traffic. After setting up the in/out settings, I was able to resolve, ping and traceroute to the host, but could not browse the page itself. What I did was to add a rule in Firewall>Rules>LAN with the following: Action: Pass Interface: LAN Address Family: IPv4 (we do not use IPv6 in the company) Protocol: any Source: any Destination: any Description: LAN ANY TO ANY In/Out: To_VSAT / From_VSAT Saved the rule, moved it to the top, applied the settings and after that all works like a charm. Incoming connections are limited to the speed and latency setup in limiters for both directions but at the same time any LAN traffic is unlimited so a ping from the LAN Net to LAN Net is not affected. I find it useful to have an option to apply the limiters to the LAN network as well for some tests, where in production environment a need to troubleshoot a slow network/latency is needed. I am extremely grateful to your help and I hope that this short tutorial plus your extensive instructions would be useful for others who need to emulate VSAT or just any other bandwidth, latency, package drop etc. limitations. The options are limitless and it is up to us to see how can we use it.