• OpenVPN and QOS - can't catch it by floating rule

    9
    0 Votes
    9 Posts
    3k Views
    N

    There are likely a few ways to accomplish your goal.

    You could try creating a firewall rule on both WANs to catch the incoming OpenVPN packets and mark them (it's in the Advanced section of the rule). Then match these marked packets with a LAN firewall rule and assign them to the appropriate queue.

  • Root Queen

    2
    0 Votes
    2 Posts
    864 Views
    C

    I've always found these graphs to be inaccurate as a gauge of traffic.  Even the traffic rate on this screen can be misleading. What you want to look at is dropped packets.  It looks like you have 4 dropped packets in the picture.  The queues will only drop packets when they get full and reach the end of their queue length.  BTW, a 5 packet Queue length is not very much of a shaping buffer for most things unless you want to have packets dropped almost immediately when the limit is hit for the queue.

    Others have said that looking at the shaper through the terminal screen is more accurate.

    I hope this helps in your understanding.

  • Traffic Shaping With OpenVPN Clients

    4
    0 Votes
    4 Posts
    2k Views
    C

    I've run into similar issues trying to apply shaping to some site to site vpns that I have.  We also have 5Mb upload speed and the best I figured out was to create traffic shaping queues on my two VPN interfaces themselves.  I simply have a default queue and a high priority queue for that particular tunnel/interface.  I cap the bandwidth at 2Mbps for each of my two outbound tunnels.  Then I feed those queues into a qVPN queue together that is alongside the other traffic shaping queues on my outbound WAN.  Then the qVPN queue is shuffled into the needs of the other priorities on my WAN.

    VPN 1 ---------------------------------                    WAN Shaper
      -qDefault                            \
      -qPriority                            \                  qDefault
                                             >---------------- qVPN
                                            /                  qVoip
    VPN 2 ---------------------------------/                   etc.....
      -qDefault
      -qPriority

    Sorry for my crude drawing but I hope it helps.  You can work with the queues on your WAN to make this work.  The downside is that if both of your vpn 1 and 2 queues send 2Mb up and fill the queue on the WAN interface and there is also competing traffic on the wan, you might get packets dropped in places where you don't want them.  For me it has been working pretty well with the assumption that both of my vpns don't tend to get loaded up at the same time as everything else.

    If anyone else has further ways to make this better I'm open to them.

  • Guide for basic (Unfair) shaping?

    2
    0 Votes
    2 Posts
    884 Views
    N

    Practically any traffic-shaping tutorial should be able to teach you how to achieve your goal.

    CBQ, HFSC, and FAIRQ all are capable of "link-sharing" or "bandwidth borrowing", meaning that when there's unused bandwidth it can be used by anything.

    I think your primary problem is that you don't understand how download & upload traffic-shaping are different. Read this: http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

    Also, TCP ACK packets need to be guaranteed the minimum bit-rate required to achieve maximum download speed. To estimate this bitrate you could initiate a max-speed download and see what your ACK queue's bitrate is.

    Actually, the following observation might be your biggest problem…
    You also seem to have a very strange problem that may be unfixable… I calculated that I needed to transmit ~300kbit of ACKs to achieve a 12Mbit download and for you to achieve 100Mbit download you would need 2500kbit of ACK packets, which is more than your upload is capable of. This means that while you are downloading, you probably will not even have any upload bandwidth free for any other vital services… that is not good at all.

    Edit: To clarify, with your current 100Mbit/2Mbit connection, it's likely that even with an optimal traffic-shaping setup that your download will suffer when prioritized traffic (VOIP, RDP, etc) is being transmitted since it will decrease your already borderline ACK bitrate.

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Traffic Shaper / Alias / Firewall Rule config Share

    23
    0 Votes
    23 Posts
    13k Views
    S

    Yes I have newer configs posted as Nullity said.  (And thanks for that man!!!)

    I have switched models to using multiple modems and grouping DHCP clients into pools and then using LAN firewall rules to send those aliases out those modems.

    I did it this way because the trend has been to go back to TCP for games now and limiting per client for TCP / UDP is easier than running complex shaping rules with HFSC.

    I have been keeping about 50 people on a modem and this config has worked out great.  My config has been run and tested in 3 separate LANs of over 150 people.  This is a LAN party config done for that purpose.

    My HFSC config can be used for LAN parties but I am not updating the Alias lists for the newer games so that will need to be done.

    You can use the HFSC config and modify it how you need as some have done for their purposes.

    If I ever get a venue with a big connection, I would go back to HFSC for shaping but in my area, it's TWC / Spectrum or nothing and they won't give a big connection so we have to chain multiple residential modems together.

    Here is the link to my public PFSense config location.  I have been running it virtually as well. This is my modified Vmware PFSense.

    https://drive.google.com/drive/folders/0B96G4GloGCiKRklTaE83SU9nY0E?usp=sharing  password is pfsense2016 for the build.

  • PRIQ - VoIP Qos - iPECS phone system

    3
    0 Votes
    3 Posts
    1k Views
    T

    I've added the internal IP addresses of the phone handsets and the iPECs IP and it now appears to be adding the traffic into the correct queue. This was done with an Alias group IPs. Should the wording on the wizard be altered to suggest the external SIP provider and ALSO the internal addresses of VoIP devices?

  • Dynamic shaper and VIP clients

    8
    0 Votes
    8 Posts
    3k Views
    KOMK

    I'm not an HFSC guy so I'm not certain of these settings but you need to make sure that your specified bandwidth limits are less than your tested maximums.  For example, if you have a 50 Mbps link for your ISP and speedtest shows that you consistently get 47 Mbps, then you should set your qInternet bandwidth setting to 90-95% of the tested speed, so instead of using 50 Mbps, you would set it to 43 Mbps.  You need to be the bottleneck if you want to shape the traffic properly.  Same goes for LAN.  qLink should be 90-95% of either your switch speed or direct cable speed.  200 Mbps seems low for Gigabit and high for 10 Mbit.

  • Live Streaming with Wirecast

    6
    0 Votes
    6 Posts
    1k Views
    C

    @KOM:

    The wizard can sometimes come up with some strange values for the various HFSC variables.  It may have set an arbitrarily low UpperLimit on the queue your TV is using.  You're best to post screen shots of your floating firewall rules as well as your queue details in order to get meaningful help.

    Alright so here are those screenshots. Let me know if there are any missing ones I should post.

    ![Screen Shot 2016-12-02 at 4.38.16 PM.png](/public/imported_attachments/1/Screen Shot 2016-12-02 at 4.38.16 PM.png)
    ![Screen Shot 2016-12-02 at 5.53.48 PM.png](/public/imported_attachments/1/Screen Shot 2016-12-02 at 5.53.48 PM.png)
    ![Screen Shot 2016-12-02 at 5.54.08 PM.png](/public/imported_attachments/1/Screen Shot 2016-12-02 at 5.54.08 PM.png)
    ![Screen Shot 2016-12-02 at 5.54.16 PM.png](/public/imported_attachments/1/Screen Shot 2016-12-02 at 5.54.16 PM.png)
    ![Screen Shot 2016-12-02 at 5.54.24 PM.png](/public/imported_attachments/1/Screen Shot 2016-12-02 at 5.54.24 PM.png)

  • Traffic shaper with vlans and lagg is not working

    7
    0 Votes
    7 Posts
    4k Views
    S

    Hm,

    I must use LAGGS because I use a failover setup with different hardware (different device names for the NICs).
    Is there any other way to do a QoS/Trafficshaping for my VOIP packets with this setup?

  • 0 Votes
    3 Posts
    768 Views
    luckman212L

    Thank you very much for that

  • Lan Interface is not showing up in "By Interface" on Traffic Shaper

    4
    0 Votes
    4 Posts
    1k Views
    C

    I was able to get this working by changing my hardware over to my virtual server.  It is confirmed that it was the USB Dongle causing the issue.

  • Separate queues on WAN and LAN, why…?

    2
    0 Votes
    2 Posts
    795 Views
    H

    You seem to be making some assumptions with what you're talking about and you're leaving out the details and reasoning. At an abstract level, many of us understand how the queues in PFSense work and it seems reasonable. The only reason it would not seem reasonable is because of an incorrect assumption on your part or something you think could be simplified, but you have not really made much of that clear.

    One thing that I do clearly see is you talk about upload and download. Technically, you can only shape egress traffic. Practically, you can shape download traffic, but it gets messy code-wise. It's easier just to shape data leaving. In this way, you have a separate queue for WAN and LAN so you can shape data leaving each interface.

  • Traffic Shaping using HFSC

    9
    0 Votes
    9 Posts
    10k Views
    N

    I think qInternet and qLink is only needed if you have multiple LANs.

  • Limiter on each VLAN

    8
    0 Votes
    8 Posts
    3k Views
    D

    Can be easily done:

    Just make a limiter for every speed. And a queue in it.

    Then make a rule to put the traffic in the limiter. Select the queue name, not the limiter itself.

    And yes you have to make separate limiters for up and download.

    Here is more info https://forum.pfsense.org/index.php?topic=63531.0 Nullity pointed out to me earlier :)

  • Fairq - How to do?

    8
    0 Votes
    8 Posts
    3k Views
    N

    @drbobo:

    So to sum it up!

    A good way would be using a simple priority queuing scheduler. For the following q's:

    qAck
    qHigh - Special users
    qNormal - Normal users
    qLow - Guest users ( a lot of mobile phones and such)

    Each with Codes on for lowering the ping problems and such.

    Then add a limiter on all traffic, to not have downloaders saturating the link.

    Still think Fairq would be better than Priority or CBR cause it keeps everything more dynamic.

    Or any opinions?

    I don't think that's optimal, but you can always try it and find out.

    Here's my favorite QoS tutorial: http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

  • Unsure How to Configure Limiter

    19
    0 Votes
    19 Posts
    5k Views
    J

    Ok. Thank you.

  • Basic Info: How To Set Upload Limit For Single LAN Host

    6
    0 Votes
    6 Posts
    2k Views
    KOMK

    https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

    This is the best write-up I've seen so far.

  • File type blocking for particular time

    2
    0 Votes
    2 Posts
    856 Views
    KOMK

    This isn't a traffic shaper issue.

    You might be able to do something like this with squid proxy & squidguard.  If I remember right, one of those two had a section where you could deny certain file types.  I don't remember if you could link it to a schedule or not.

  • Per IP traffic shaping limiter problem with games

    1
    0 Votes
    1 Posts
    551 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.