The ISP replaced the modem and now the bandwidth is OK.  So the limiters were not to blame.

Because you cannot control how packets arrive on an interface or in what order. All you can control is how they are sent. Downloads are managed with queuing on the destination/sending interface, such as LAN.

I find naming things harder than all of the other problems in CS. Concurrency is trivial comparatively. "Splitting download bandwidth by groups and fairly sharing upload"?

So after I did this I noticed a bunch of errors in the logs like: statepfsync_undefer_state: unable to find deferred Turns out this is a known bug with limiters and HA: https://forum.pfsense.org/index.php?topic=108815.0 Does anyone know of a similar guide for the same functionality without using limiters?

For anyone unsure how to change a limiter's ID, just take an XML backup, open the XML backup, and find the parent limiter you're looking for by name, and change only the "number" field. Here's an example to change the id from 5: <queue><name>limit_name</name> <number>5</number></queue> to 7: <queue><name>limit_name</name> <number>7</number></queue> I chose numbers 6 and 7 when fixing my issue above because they were the next unused/available numbers numerically.

https://forum.pfsense.org/index.php?topic=122689.msg677577#msg677577

churchtechguy could you please post your configuration. I am looking for something like that. Thanks

There are likely a few ways to accomplish your goal. You could try creating a firewall rule on both WANs to catch the incoming OpenVPN packets and mark them (it's in the Advanced section of the rule). Then match these marked packets with a LAN firewall rule and assign them to the appropriate queue.

I've always found these graphs to be inaccurate as a gauge of traffic.  Even the traffic rate on this screen can be misleading. What you want to look at is dropped packets.  It looks like you have 4 dropped packets in the picture.  The queues will only drop packets when they get full and reach the end of their queue length.  BTW, a 5 packet Queue length is not very much of a shaping buffer for most things unless you want to have packets dropped almost immediately when the limit is hit for the queue. Others have said that looking at the shaper through the terminal screen are more accurate. I hope this helps in your understanding.

I've run into similar issues trying to apply shaping to some site to site vpns that I have.  We also have 5Mb upload speed and the best I figured out was to create traffic shaping queues on my two VPN interfaces themselves.  I simply have a default queue and a high priority queue for that particuler tunnel/interface.  I cap the bandwidth at 2Mbps for each of my two outbound tunnels.  Then I feed those queues into a aVPN queue together that is alongside the other traffic shaping queuest on my outbound WAN.  Then the qVPN queue is shuffled into the needs of the other priorities on my WAN. VPN 1 - –------------------------------                    WAN Shaper                                                                                   \                qDefault   -qDefault                                -qPriority                              /----------------qVPN                                           /                                         /                  qVoip VPN 2 -  -------------------------------                    etc..... -qDefault   -qPriority Sorry for my crude drawing but I hope it helps.  You can work with the queues on your WAN to make this work.  The downside is that if both of your vpn 1 and 2 queues send 2Mb up and fill the queue on the WAN interface and there is also competing traffic on the wan, you might get packets dropped in places where you don't want them.  For me it has been working pretty well with the assumption that both of my vpns don't tend to get loaded up at the same time as everything else. If anyone else has further ways to make this better I'm open to them.

Practically any traffic-shaping tutorial should be able to teach you how to achieve your goal. CBQ, HFSC, and FAIRQ all are capable of "link-sharing" or "bandwidth borrowing", meaning that when there's unused bandwidth it can be used by anything. I think you primary problem is that you don't understand how download & upload traffic-shaping are different. Read this: http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/ Also, TCP ACK packets need to be guaranteed the minimum bit-rate required achieve maximum download speed. To estimate this bitrate you could initiate a max-speed download and see what your ACK queue's bitrate is. Actually, the following observation might be your biggest problem… You also seem to have a very strange problem that may be unfixable… I calculated that I needed transmit ~300kbit of ACKs to achieve a 12Mbit download and for you to achieve 100mbit download you would need 2500kbit of ACK packets, which is more than your upload is capable of. This means that while you are downloading, you probably will not even have any upload bandwidth free for any other vital services… that is not good at all. Edit: To clarify, with your current 100Mbit/2Mbit connection, it's likely that even with an optimal traffic-shaping setup that your download will suffer when prioritized traffic (VOIP, RDP, etc) is being transmitted since it will decrease your already borderline ACK bitrate.

Yes I have newer configs posted as Nullity said.  (And thanks for that man!!!) I have switched models to using multiple modems and grouping DHCP clients into pools and then using LAN firewall rules to send those aliases out those modems. I did it this way because the trend has been to go back to TCP for games now and limiting per client for TCP / UDP is easier than running complex shaping rules with HFSC.. I have been keeping about 50 people on a modem and this config has worked out great.  My config has been run and tested in 3 separate LAN's of over 150 people.  This is a LAN party config done for that purpose. My HFSC config can be used for LAN parties but I am not updating the Alias lists for the newer games so that will need to be done. You can use the HFSC config and modify it how you need as some have done for their purposes. If I ever get a venue with a big connection , I would go back to HFSC for shaping but in my area , it's TWC / Spectrum or nothing and they wont give a big connection so we have to chain multiple residential modems together. Here is the link to my public PFSense config location.  I have been running it virtually as well. This is my modified Vmware PFSense. https://drive.google.com/drive/folders/0B96G4GloGCiKRklTaE83SU9nY0E?usp=sharing  password is pfsense2016 for the build.

I've added the internal IP addresses of the phone handsets and the iPECs IP and it now appears to be adding the traffic into the correct queue. This was done with an Alias group IPs. Should the wording on the wizard be altered to suggest the external SIP provider and ALSO the internal addresses of VoIP devices?

I'm not an HFSC guy so I'm not certain of these settings but you need to make sure that your specified bandwith limits are less than your tested maximums.  For example, if you have a 50 Mbps link for your ISP and speedtest shows that you consistently get 47 Mbps, then you should set your qInternet bandwidth setting to 90-95% of the tested speed, so instead of using 50 Mbps, you would set it to 43 Mbps.  You need to be the bottleneck if you want to shape the traffic properly.  Same goes for LAN.  qLink should be 90-95% of either your witch speed or direct cable speed.  200 Mbps seems low for Gigabit and high for 10 Mbit.

@KOM: The wizard come sometimes come up with some strange values for the various HSFC variables.  It may have set an arbitrarily low UpperLimit on the queue your TV is using.  You're best to post screen shots of your floating firewall rules as well as your queue details in order to get meaningful help. Alright so here are those screenshots. Let me know if there are any missing ones I should post.          

Hm, I must use LAGGS because I use a failover setup with different hardware`(different device names for the NICS). Is there any other way to do a QoS/Trafficshaping for my VOIP packets with this setup?

Thank you very much for that

I was able to get this working by changing my hardware over to my virtual server.  It is confirmed that it was the USB Dongle causing the issue.