@Harvy66: Your LAN interface is set to 1Gb/s. Your traffic is probably going into the default queue of qLink, which is limited to….. 1Gb/s. If you want your traffic to be under your qInternet, you need to place it in there somewhere Errr, this was what I was trying to ask back in my other thread  ;D https://forum.pfsense.org/index.php?topic=111762.msg623842#msg623842

@Harvy66: Prioritizing is the wrong way to think about shaping Shape the bandwidth. Decide how much bandwidth you want each class of traffic to have when your connection is fully loaded I recommend HFSC. Don't use "Real Time", just use "Bandwidth", and treat "Bandwidth" as your minimum bandwidth Make your default queue your "P2P" queue, then classify traffic out of the queue. Most P2P traffic is hard to classify and most high priority traffic is easy to classify. Hello Sir thanks for the reply, your comments have opened my eyes and given me a better idea. I will go about it, I have a few more questions if you could help. When I use the wizard, it asks me how much bandwidth in % I want to allocate to my P2P and I normally put 2%. Then I normally reconfigure it after I chose HFSC, but how do I put my P2P as my default? also in my any to any firewall rule under my WAN and LAN interface I put "qACK/qDefault" and WAN I used "none/qP2P". I did this- I wont lie because I am still new to pfsense and traffic shaping- because I looked around the site for some information. But when I do tests ( 2 laptops connecting to same vlan and running youtube on 480p while torrent is being downloaded) it seems the torrent still eats up a lot of Bandwidth. Am I doing something wrong?

80% is the rule of thumb. Some connections are worse, dedicated connections should be nearly perfect. I use 99% myself with a dedicated connection and I get 1ms of bufferbloat, so I know it's working.

@pfuser0: You neglected to mention what algorithm you were using. HFSC does not even use the "Priority" parameter, and plain old Priority queueing has it's own set of fundamental problems. Thanks. I'm using PRIQ, but I don't remember actually choosing it over HFSC. I'll try switching. It still looks like qLink was being used for LAN<–>WAN traffic. In my setup the only LAN<->LAN traffic hitting the router is management traffic (no DNS/DHCP). Anyone willing to share their insight into Queue Limit? You are worrying about things that are currently not very useful to you. Here, read this QoS tutorial. The wizard is intended to be 1 setup that can work well everywherd, so everyone gets the qLink setup because it causes no harm to those who do not run multi-LAN. Queue limits make little difference. Most defaults are optimal. Search the forum for more info.

@ stiadmin, did you found a solution?

I generally set the direction to both on Floating rules when choosing direction and WAN as the interface.

Your best bet here is to create Alias's for the games with ports and protocols then create floating rules and assign them to qGames.  If you choose to use TCP/UDP combo for protocol then make sure to choose qACK for your rules. Also choose the WAN interfaces for floating rules as well.

@mattlach: So, the improved buffer bloat is what I was expecting, but at what cost?  A loss of ~10Mbps up and down?  That's more than some peoples entire connections… The loss of bandwidth is proportional to the stability of your connection. You may be "losing" 10Mb/s of your bandwidth to maintain a low bloat, but I only need to lose about 1.5Mb/s. And when you say "at what cost", it almost sounds sarcastic because the cost is so low. So you lose 7% of your bandwidth, but now your ping will be between 80ms and 200ms lower during saturation of your connection. You can still play games. And some connections are latency sensitive, like HTTPS. With 11 round trips, a 200ms ping increase will take 2.2 seconds before your web page starts to download. With a 2ms ping, it will take 22ms. That's the difference between instant and twiddling your thumbs.

@meruem: Is there anything in the traffic shaper configuration to say "ignore this local ip" completely ? Traffic is assigned to a particular queue by firewall rules. All unassigned traffic uses the "default queue". If you are using CODELQ (I think it is just a single " default" queue), I dunno if you can avoid the queue. The bigger problem is that Plex does not halt playback mid-stream for an unavailable, external resource. Additionally, pfSense should not even be encountering the LAN-to-LAN traffic… your switch should be handling that traffic. If you could share more details about your LAN toplogy and your pfSense setup, it would help.

Did you reset pfSense's states? If you still have problems, you can use pfSense's firewall logs or tcpdump to see what is happening from pfSense's perspective. Do you need to use DSCP? Could use standard source/destination IP/port filtering?

You can use HFSC to create queues and assign minimum bandwidths, but I think there is a limit of 16 queues. The biggest issue with with anything that is "per IP address", is it is algorithmically complex and will have at least O(n) scaling. There is no good way to solve this issue and anyone who does have a "solution" is going to have performance issues at high speeds. If you need to supply an SLA, there is no cheap solution except for low speeds. If all you care about is best effort, you're better off looking into stateless algorithms like CoDel, fq_CoDel, or Cake. Cake is the only one that can actually near perfectly distribute bandwidth among devices. CoDel and fq_CoDel just fight buffer bloat which in and of itself makes a world of difference. I know I didn't answer the question at all, but I gave some food for thought.

Ok, i've got various gateway definitions (2 cablemodems being T1, one being T1, ADSL being T1, etc) as a way of distributing traffic between interfaces. To catch all traffic for a given interface, without messing all the other rules, how should i build the rule? And being that not a single one of those wan links is symmetrical, where CODELQ asks for bandwith, does it mean download or upload?

If you need more than a few PRIQ priorities, then you should not use PRIQ… https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Priority_Queueing_.28PRIQ.29 Read the "Cons" section. (Starvation) You may have a legitimate bug, but the bigger issue is that you should not be using PRIQ. Use CBQ, FAIRQ, or HFSC.

@bwf.it35218: Thanks for the help so far The reason I want to also mark packets depending on VLAN is On the LAN side there are two VLANs - VLAN 1 is the office network, VLAN 2 is the guest network Both VLANs use WAN2 as the default gateway, but VLAN 1 has a failover to WAN1 Now I would like to use Limiter dynamic queues to equally share the available bandwidth with all the clients. So the office network traffic (VLAN1) needs to go into the same queues - for WAN2 - as the guest network (VALN2) until it fails over. Then the office network (VLAN1) traffic needs to go into queues for WAN 1 @Nullity - So what I'm thinking is, first mark packets from VLAN1, and then only match those marked packets in the two rules you suggested VLAN2 will be directly added to the queues for WAN2 as that is the only gateway it uses. If WAN2 (default GW) fails, you want the guest network (VLAN2) to be completely blocked? If so, you could mark/tag the VLAN2 originating packets, then create a floating rule on WAN1 that blocks/rejects said packets. I guess you could do the inverse and explicitly PASS only office (VLAN1) packets through WAN1, but I am too tired to comprehend whether that makes sense…

@moikerz: I got fed up with the same problem - it seems the web page can't keep up with the queue updates, and it backlogs something chronic. Instead, try connecting to pfSense using PuTTY, and call the pfTop command: pftop -s1 -v queue. It updates a lot faster. (reference: https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#View_Queues_with_pfTop) Here's a pretty picture (attached). I have one WAN, two LANs, which is why the existing 5 Queues are repeated 3 times, once for each interface. Yeah, I have never trusted the queue stats either. FYI, you can view pftop via the GUI. Diagnostics->pfTop :)

the e/book "freeradius beginner's guide" will probably be your best source of help. Read it a few years back and it was quite useful.

@devlin016: How can I install tcp cubic into pfsense? https://tools.ietf.org/id/draft-rhee-tcp-cubic-00.txt This is a guess… :) TCP congestion algorithms like CUBIC rely on connections which are point to point. Therefore, the TCP congestion algorithm of an intermediary network node (your pfSense router or any other router/switch between the TCP connection's end-points) is a non-issue because they are simply relaying/forwarding the IP packets. The TCP congestion algorithm is only used when you are the creator or receiver of a TCP connection. Example: Your TCP connection is connecting from localhost to Google. You are not creating a TCP connection from localhost to pfSense, from pfSense to the next node, etc, etc, until you connect to Google. tl;dr - the TCP algo of your router is moot unless your router is the initiater of the TCP connection.

Hi Thank you so much for your reply. I will do some more research on your answer.

Depends on whether you're shaping on the OpenVPN client or the server. If the server, set the queue on the firewall rule that passes OpenVPN traffic into the firewall. If on the client set a floating match rule on WAN out for the OpenVPN client (UDP/1194?) and set the queues there. There is not anything in the wizard for this. Use the wizard to establish basic queues and manually tweak from there.

@kfkehua: Nope. My initial guess was correct. see here: https://www.youtube.com/watch?v=nMJnp7GMwcg In 2.2 they still had the descriptions. In 2.3 they removed all the description.  >:( the first screen is where you spec your pipe bandwidth. the second screen is where you reserve or guarantee the bandwidth for your VOIP. thanks. That's exactly what I said. Thanks.