• Traffic shaper limiting web traffic bandwidth

    4
    0 Votes
    4 Posts
    1k Views
    KOMK

    Very strange.  Glad to hear you have it working with PRIQ.

  • Best configuration to avoid ddos/dos outgoing attack

    4
    0 Votes
    4 Posts
    1k Views
    L

    @KOM:

    If anyone is really hammering your link, it can affect ACK and DNS requests in a big way.

    You could do it with the traffic shaper several different ways.  In general, create a traffic shaper and then put the IP address of the offending VPS in a low priority queue, or create a limiter and then set that IP address to use the limiter.

    Thanks a lot! I will try this solution and return back.  ;)

    I am open for other inputs as well.

  • Traffic Shaper / Limiter / Bandwidth / Burst

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Queue setup for Multi-WAN, Multi-LAN networks

    4
    0 Votes
    4 Posts
    2k Views
    P

    Hi sideout, thank you so much for your elaborate suggestions.

    We're experimenting with different approaches and will report back here which scheme gave best results.

  • 0 Votes
    2 Posts
    2k Views
    P

    Let me state our needs in a more simplified way:

    We have 2 WANs: WAN1 (1 mbps up/down) and WAN2 (2 mbps up/down). And we have mainly 3 requirements:

    A. Traffic will use policy-based routing: gateways will be either load-balancing or failover

    B. Regardless of which load-balancing/failover gateway group the gateway is a member of, the bandwidth of each WAN will be shared evenly between the client machines that are active in the LAN at any time. This part is easily achieved by creating source/destination mask-based child queues on the main limiters as mentioned in the post.

    C. The bandwidth that gets evenly shared by the LAN clients will be determined by which actual WAN the traffic is passing out through so that the LAN clients can utilize the maximum possible bandwidths made available by either the load-balance or failover gateway group. Otherwise, if we set limiter with 1 mbps limit, clients will not get the full utility of the 2 mbps WAN and if we set 2 mbps as the limit, then if traffic is indeed going through 1 mbps, the bandwidth distribution to clients will not be even/fair. For example, if there are 2 active clients and traffic is going through 1 mbps WAN1, limiter will let both users use 1 mbps therefore causing congestion and the first user will end up enjoying the 1 mbps of the WAN1.

    So, quite simply, the question is where to put the rule that'll assign the limiters and how to correlate or correspond the limiter with the specific gateway (WAN1 or WAN2) the traffic is eventually going through when policy-based routing gateway group is set as the gateway?

    Eagerly hoping for some answers/hints…

  • Voip Shaping multi lan/wan or single?

    1
    0 Votes
    1 Posts
    774 Views
    No one has replied
  • Traffic Shaper Dropping Packets even with queue at 1200

    3
    0 Votes
    3 Posts
    1k Views
    V

    Is this due to packet ttl ?

  • Layer7 Skype traffic shaping

    4
    0 Votes
    4 Posts
    5k Views
    S

    Okay so I did some lab on this and here is what I found:

    1. Layer7 rule set defined on Traffic Shaper with Skypeout and SkypetoSkype with option of queue and queue called qSkype.
    a. Set qSkype to have 10% and real time 10% bandwidth on LAN and WAN.
    b. Placed Floating rule at top of rule set for TCP / Layer7 chosen.  Used WAN and LAN interfaces.
    c. Killed all session states from test PC.
    d. Tested and I can see qSkype fills up as does qHTTPSteam.  Placed Skype test call and it worked.  Ran speedtest and it worked once but then failed 2nd time and browsing was slow.

    2. Replicated above but removed Floating rule and placed on LAN rule interface.
      a. Left wildcard of any host in.
      b. Same test results as above.

    3. Replicated above but made changes on LAN rule for specific IP of machine I was using.
      a. Tested with same results as in #1.

    So it would seem that the Layer7 part of this is not working very well or is fully implemented as I would expect it to use DPI to see the packet was a skype packet and apply the rule rather than applying all the rules to it.

    Since you can define the incoming connection for Skype you would be able to shape calls coming in for it but since Skype uses any port above 1024 TCP, kind of hard to shape it unless you can get PFSense to see the program calling it and recognize it via the Layer7.

    Like I said, never used Layer7 before as at LAN's not really needed.  This is just what I have found in some early testing.

    If anyone else has any other ideas on how to shape Skype, I would be interested in hearing them.

  • Limiters bypassed [self-resolved]

    3
    0 Votes
    3 Posts
    1k Views
    P

    Hi there,

    For your WAN to LAN floating rule, did you set WAN as the interface and direction as "in"?

    Thanks!
    msu

  • Limiter and QoS issue

    4
    0 Votes
    4 Posts
    2k Views
    S

    They work fine together. I have previously documented that the limiter and QoS work fine together. I have shown screenshots of an LoL game going while downloading from Steam.

    LoL uses UDP not TCP for the game client once the game is started.  It uses port 80 during the setup of the game.

    Again if you can post screenshots of your setup so we can see it instead of blindly posting that it is not working then maybe we can help.

    Otherwise it appears you just want to troll.

  • Help with Limiting Bandwidth (i figured it out)

    4
    0 Votes
    4 Posts
    2k Views
    C

    Either in this thread or a new one, would you mind sharing screenshots/details about your squid proxy setup

    i might, if i get a chance to.

    it did help when it was just me and facebook, but my dad started using a bunch of my internet and he started making us go over, so i came here to figure out how to limit bandwidth.  i currently am playing with the settings but i have it set to 150/50Kbps, at that speed the 144x170 videos can not stream from youtube.  also my email and facebook go really slow, but it is the price of having the internet i do.

    i would recommend going to youtube and looking it up.  i waited a month with this post here then i had a light bulb moment and looked on youtube.  make sure that you include 'PFsense [version of PFS]' in your search.  it is a lot faster than waiting for me to remember how i set it up in 6+ months ago.

    i took a minute and looked one up
    https://www.youtube.com/watch?v=MeSVE_UetX4

    as well for your satellite broadband?

    i have exede internet <http://www.exede.com/internet-packages-pricing/service-availability>.  i haven't had any problems with them charging me more if i go over my 10GB limit (they just slow me down a lot), but i am doing this bandwidth limiter to make sure they do not charge me extra in the future.  i pay $50 a month with $10 for hardware rental (or $220 for 2 years up front) and i get a 12d/3u Mb/s and unmetered from midnight to 5am local time. the unmetered period is the only reason i bought this if it wasn't for that i would still be on dialup.
    not that satellite internet is bad, but take my advice DO WHAT EVER YOU CAN TO GET LAND LINE DSL OR CABLE.  the 10GB limit is very low and 'standard' use of email and facebook will eat in no time.

  • Traffic Shaper not working (HFSC). P2P keeps taking almost all.

    4
    0 Votes
    4 Posts
    1k Views
    S

    Well I made HFSC work for me and didn't use PRIQ.  Packeteer does just one thing, packet shaping.  PFSense does way more than just packet shape.

    There are guidelines for help, they have paid support that you can get along with paying for being a gold member. I would remind you that the key word here is free.

    P2P traffic can be hard to shape due to the nature of how most of the P2P programs work.

    PFSense has Layer7 shaping as well as the limiters and you will probably have to put some effort into getting Layer 7 to work for you.

    I choose to take the brute force method and apply a static limiter to all unknown TCP connections rather than try and limit specifically P2P.  But then I am using PFSense at LAN parties that only run for 2 or 3 days and not 24/7 at my place of work.

    For that, we pay the big dollars and use other products.

    Since you are a software developer then perhaps you would take the time to write a package for PFSense that will do the shaping you want and contribute to the greater good instead of complaining about the lack of support and enable the rest of us idiots to not make the same stupid errors.

  • Time of Day Based Traffic Shaping

    4
    0 Votes
    4 Posts
    1k Views
    C

    i just figured this out last night.  go to my forum post below and it will have a picture of what i did.  also read the 1st comment (done by me) as it describes how to fix what was in my original post.

    https://forum.pfsense.org/index.php?topic=77134.0

  • Quick Limiter Bust Question…

    6
    0 Votes
    6 Posts
    2k Views
    S

    @jimp:

    Bursting isn't set right in the rules on any release. Fixed by this:
    https://github.com/pfsense/pfsense/commit/d0f365c2774209a5ca32a5c0de09010ddd540acf

    Burst is always in Bytes, a fixed size, NOT a throughput. So it's not possible to set a burst of X Mbit/s, but you could set one for 5,000,000 (~5MBytes)

    Are you sure? Looking at the information presented by diagnostic status in 2.1.2, the figure entered for burst in the limiter dialog is interpreted as Mbytes.

    Steve

  • QoS not working Properly

    1
    0 Votes
    1 Posts
    827 Views
    No one has replied
  • Mind sharing your traffic shaping rules with multiwan policy based routing?

    13
    0 Votes
    13 Posts
    3k Views
    O

    Thanks for the assist, but I just solved it.

    I created a new queue under LAN called qLink, same hierarchy as qInternet, assigned 1Gbit to LAN and 993MBit to qLink.

    Defaulted queue to qInternet, created SMB floating rule for all interfaces (top of the list) with qLink queue.

    Getting a whopping 80MBit transfer speed between PCs under same network compared to 8MBit. Also getting 10Mbit between interfaces (one client has 100M NIC).

    Next thing to work on: LanCache  ;D

  • Fundamental questions regarding Multi-WAN, Multi-LAN Traffic Shaping

    2
    0 Votes
    2 Posts
    1k Views
    S

    Good questions. On the "By Queue" tab you'll see that each queue can be associated with multiple interfaces. Like you I'm unclear how available download bandwidth is shared between multiple LANs. Upload is simple as that's defined once, on the WAN interface.

    I'm not sure if the wizard is doing it incorrectly as it shows all LANs as peers at the top level with no common parent. I'd have expected a single download queue with the LANs as children, sharing that bandwidth (assuming that each LAN is faster than the WAN!).

    Steve

  • HFSC session vs queue behaviour

    1
    0 Votes
    1 Posts
    787 Views
    No one has replied
  • Traffic in correct queues but lower prior queues have too much "power"

    3
    0 Votes
    3 Posts
    1k Views
    KOMK

    PRIQ doesn't rely on bandwidth specifications; all it cares about is higher priority packets go first.  The traffic shaper UI tries to accommodate everything at once, but not all elements apply to all shapers.

    Also, the traffic shaper isn't a limiter, so your queues will use up as much bandwidth as they can get while following the rules.  If you have no action in your high queues, your low queues will zip along.  When higher-class traffic appears, it gets priority, but the lower queues aren't throttled.  If your P2P queue is still getting 600K/s, then it means that your higher queues are being properly serviced without impacting the P2P queue too much.

  • Traffic Shaper Wizard generated Queues and their bandwidth % defaults.

    3
    0 Votes
    3 Posts
    940 Views
    R

    The wan interface is your upload BW, so 1Mb
    And the lan/wifi is your download BW, so 3Mb

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.