• Problems access Traffic shaper internal/external application

    3
    0 Votes
    3 Posts
    969 Views
    H

    Thanks for the answer!
    Follow my topology:

    External Users ————— WAN <————> PFSENSE <———> LAN <———> Web Server
                                                   |
                                                   |
                                             Internal Users

    I'm using limiter and not the queueing, and I don't install Suricata or Snort.
    I created a down and up in Traffic Shaper / Limiter (limiter file attached)
    and added down and up in the advanced WAN firewall rule (firewall rule file attached).

    I used this same rule in version 2.1.3 and it worked. After upgrading to version 2.2.6, it stopped working. I've looked at several posts on the internet and I have not found a solution to this case. As this web server has a high traffic of access, I need a speed limit; while I cannot think of a solution, the rule is disabled.
    It still now a post Bug, from the earliest versions 2.2.x this problem persists. Like much of a help!

    Thanks!  ;D

    LIMITER.png
    firewallrule.png

  • Bit_torrent block

    9
    0 Votes
    9 Posts
    3k Views
    N

    @foonus:

    @Nullity:

    @mcwtim:

    Heh. I did something similar at a past LAN and had a clever fellow keep changing his MAC. Unfortunately for him his PC name was descriptive enough; "Lian Li" that I just walked through a few aisles looking for that type of case until I found him.

    lol. The best traffic-shaping is nothing compared to physical confrontation.  :o

    This is when you download one of those fake pirated FBI screensavers and put a password lock on the workstation, and see how they grovel to you not to rat them out so they can keep their job when they see it.

    BOFH
    ;)

  • Q Question?

    1
    0 Votes
    1 Posts
    834 Views
    No one has replied
  • Difference between fq_codel and FAIRQ + CoDel?

    18
    0 Votes
    18 Posts
    9k Views
    N

    @sofakng:

    I'm still a little confused…

    It sounds like pfSense 2.3 might support fq_codel type of queueing/shaping?  …but 2.2.6 applies codel and fairq in the wrong order?

    The unfounded, "wrong order" theory was a red herring. Forget about it. :)

    We currently have "fair queueing" algorithms (HFSC & FAIRQ), which can use the CoDel de-bufferbloating algorithm. It is not exactly fq_codel, but it is similar. How exactly it differs, I dunno. Documentation on fq_codel's internals is available but the internals of FAIRQ+CoDel are found only in source-code, which I do not yet understand.

    We will (after 2.3) get proper fq_codel, but we have to wait for it to be completed and added to the upstream FreeBSD code before we can add it to pfSense. Though, for most ALTQ users, I think this will not be very useful, since fq_codel will be implemented in the limiters (dummynet) section of traffic-shaping and will not be a traffic-shaper queueing (ALTQ) algorithm.

    I do not know how useful fq_codel (in dummynet/limiters) will be to us ALTQ users. We will just have to wait and see, I suppose…

  • I FINALLY GOT TS WORKING!!1!

    8
    0 Votes
    8 Posts
    3k Views
    S

    You don't specify gateway groups or any gateway with floating rules. For floating rules choose the WAN interfaces; if you have more than one, use CTRL to select them all. DO NOT CHOOSE THE LAN INTERFACE IN A FLOATING RULE.

    If you make a LAN interface rule then choose the gateway group. So you should have specific rules in the LAN interface page to send traffic out SPECIFIC WAN INTERFACES. Then for the last rule, which is the any/any rule or any other generic rule, you should choose your WAN GATEWAY GROUP as the interface to send the traffic out on.

    This is what I have done and I find it works best for me and what I use the traffic shaping for.

  • Packet Shaper on LACP LAGG

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ

    Since, in theory, the max any interface can use is the full bandwidth of the LAGG, you'd want to use 2G there in most cases.

  • Basic Shaping to Prevent Bufferbloat

    10
    0 Votes
    10 Posts
    11k Views
    N

    @petek8103:

    So I think I got it working, the way I wanted. But is there a way to see traffic inside the queues, like a detailed list of active traffic, say coming from 192.168.30.50 to x.x.x.x port 80 in queue_high?

    It would really help if there is a way to see what devices are using what port.

    The only way I know of is to use tcpdump's abilities to integrate with pflog, a trick I found in "The Book of pf". You can either search my old posts to find more info or Google "tcpdump pflog".

  • Bandwidth limiter.

    7
    0 Votes
    7 Posts
    2k Views
    A

    @Derelict:

    Rule should be source LAN Net dest any.

    Interface rules match on connections coming into an interface. Connections from LAN hosts will have a source address on LAN net.

    Thank you!

  • Dynamic traffic shaping

    4
    0 Votes
    4 Posts
    1k Views
    H

    If it does technically work on LAGG, it definitely would not be able to have strict guarantees about packet timings without knowing which interface a packet will get scheduled.

  • Traffic Shaping Wizards Alerts/notifications

    13
    0 Votes
    13 Posts
    3k Views
    N

    @roccor:

    Ah crap.. Thanks KOM.  I was waiting on someone who'd know to toss an answer in.  I overlooked that crucial bit of info.

    @Null I can try single wans at a time.. I'm likely over-complicating it but I was/am unsure of what all I'd need to manually change by adding in two more WAN interfaces after the fact.

    I used the wizard to give me an idea of how the rules & queues were setup, then I manually created my own rules & queues, which really helped demystify pfSense's traffic-shaping setup.

  • Stop tenant from saturating line with torrents. Improve netflix

    6
    0 Votes
    6 Posts
    2k Views
    N

    You'd probably have to write a script to do that since you'd have to check if there is a connection to netflix. Why not just limit them to 80% of the traffic at all times?

  • Queue matching: Floating vs Interface rules

    5
    0 Votes
    5 Posts
    2k Views
    M

    Got it - thanks!

  • Adventures in Traffic Shaping

    4
    0 Votes
    4 Posts
    2k Views
    N

    @roccor:

    Null, you mention some good things. I didn't think of a tracert at the time; I have so little experience with TS that finding an effective starting point is hard for me. I'd rule out a congested ISP simply because I've had the same setup for 1.3 years now.. I play at the same times every night so I've got a historical feel for this. Could I be wrong? Sure, but IDK, I kinda doubt it.

    Honestly, for having 3 3mb DSL lines I've got some very nice latency and throughput reading into the 10-11mb range. I had the installers (Note: with ATT business, if you order 2 or 20 circuits they must all be installed on different days) run the 10-ish feet of cat5 into my basement, making sure to route totally away from any electric, not even a 90* intersection. My biscuit jacks are above the rack and power enters from below. I am a bit anal about that just because I know I just bought shit for internet. Gotta squeeze every little bit I can out of it.

    As far as the rules and everything.. I actually was going back through the wizard to give you details when I hit this:
    You cannot set the VoIP download bandwidth on connection 0 higher than 80% of the connection.

    Umm when you set 32kb/s on all three WAN uploads and 1024 on LAN download.. how the hell am I exceeding 80% of the download on connection 0 when the only connection 0 listed on the page is for WAN #1 upload?

    I realize something as acutely intricate as Traffic Shaping/QOS is not for the faint of heart. I'm a technical guy but these wizards are damn bloody obscure and, like in this case, totally mis-labelled. I love pf and always will but.. ugh.

    I never really began to understand the traffic-shaper until I quit using the wizard. Manually set up 1 queue at a time and confirm that it works, then move on.

    Post some pictures or information about your queues to see if we can find your error.

  • Shaping and RDD graphs

    3
    0 Votes
    3 Posts
    1k Views
    A

    Thank you for the reply. In my opinion traffic is flowing in the queues, see attached picture, but nothing is showing on the RDD Queues Graph.

    What would you check in logs or from command line to see if something is wrong? Thank you!

    queues.png

  • Schedule speed at night for WAN on selected devices only

    3
    0 Votes
    3 Posts
    1k Views
    C

    Hello, it's been a while; that topic is old and it seems not to work properly… does anyone have a better guide so I can get it to work properly?

    I only want internet to be slow during bed time but full speed on the internal network; external speed needs to be put on a limiter.

    Thanks

  • An option called "Choose the amount of bandwidth for this queue" ???

    9
    0 Votes
    9 Posts
    2k Views
    N

    @drvirus:

    Thank you again.

    Now all that I need is as below:
    I have 4/4 up/down speed.
    I need to limit speed on interface LAN total to be like 2 M … down
    and limit speed on WAN to be 2 M up,
    and I want to have queues that satisfy my needs as below:
    give port 5060 out of LAN 1 M guaranteed,
    and shape HTTP to 512 K,
    and put the other traffic in the default queue.

    Can you just tell me brief steps?

    I read a lot and still have much conflict.

    I will be thankful to you so much.

    kind regards

    To limit LAN just use the interface's "Bandwidth". (but I am not 100% sure I understand your intentions)
    Same with WAN. Set bandwidth at interface.

    Whichever interface your port 5060 will be leaving, create a queue there with link-share 1Mbit.
    Then you want source/destination port 5060 on LAN to have minimum 1Mbit upload? Then set up a firewall rule on LAN to catch source-port or destination-port 5060 (I dunno if you want both or either) and assign the traffic to the queue you created.

    Bleh, I am tired as hell. I will be back later to possibly finish this post. :)

  • Per IP limiter, limits on interface/network level

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD

    If you want every IP address to get its own 1500k pipe, mask by source/destination IP address on the top-level limiter and delete the child limiters. If you want all IP addresses to share the same 1500k pipe, leave it like it is.

  • Limit bandwidth per ip but not exceed…

    1
    0 Votes
    1 Posts
    728 Views
    No one has replied
  • Traffic Shaping broken in 2.2.6 - worked before in 2.2.5

    7
    0 Votes
    7 Posts
    2k Views
    N

    @cmb:

    em1 isn't a 10 Gb NIC, you have a 2 Gb queue on a 1 Gb NIC is the issue.

    Good catch. :)

    @OP, maybe your NICs or their labeling got switched around? Like LAN1 was 10Gbit but somehow the LAN1 label was changed to the 1Gbit emX NIC?

  • Bandwidth limiting not working in 2.2.5?

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD

    Not in all cases such as a 3x3 Mbit pipe per IP address.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.