Oh i should of said it sooner.  The ones i am changing are

net.inet.ip.dummynet.pipe_byte_limit
net.inet.ip.dummynet.hash_size

i change the pipe size to 3145728 and the hash size to 1024, when i reboot the machine they always go back to default.

@georgeman:

Easiest way to shape incoming OpenVPN is to assign the appropriate queue on the allow rule on the WAN interface. The whole tunnel will be shaped

Thank you for your time @georgeman!
I believe that you can't shape incoming openVPN traffic because the traffic has already hit the WAN and won't be processed further, but, I've read somewhere that the outgoing traffic could be shaped because the state created early.
Anyway, with only this rule I couldn't shape the traffic inside the tunnel, I believe that I would need to create rules to the openVPN interface as I did.
The attachment show the RRD graph; I believe it's working although I don't have a feedback yet.

Ps.: Why RRD graphs reset every time you change the traffic shape?

rrdVOIP.png
rrdVOIP.png_thumb

Hi,

i search in the forum if i mistake some tips but i found no answer of my problem.

Anyone use traffic shapping with portal captive here ?

So i don't know if i do wrong or is a bug on pfsense.

Best regards.
Myke.

well.. that was a terrible idea and didn't really work.  after setting up firewall rules to place source and destination traffic into the qIntranet/qDefault.. everything ended up in it, completely ignoring the floating rules.

The traffic that did go to the internet was handled though with WAN floating rules…  I suppose I could remove the queues for LAN1 and LAN2 qInternet entirely, relying only on WAN floating rules for internet traffic and setup just a single qIntranet/qDefault assigned as described above (just dropping the qInternet stuff for those interfaces)?

not really to sure.

Going to need some information to go on with examples of both states: working and not working (after down).

system.log
ps aux
any other pertinent logs

PRTG will give you a free 30 sensor license if you put a link to their site on a public webpage fyi.

Hi @dreamslacker,
    I was looking for the same question, I tried to shape the tunnel as you mentioned, but no packets arrived into the queue. I have not tried to shape LAN -> OPENVPN yet.

Nope! :D

Thanks, Jim!

thank you georgeman.

i've attached the images to an imgur album (http://imgur.com/a/RzHJO)

i'm pretty sure it's working now … the main thing i did was to change rules' settings to make them apply to both wan and lan, that seemed to do the trick... or perhaps it just needed a while to take (i left it overnight, when i woke up it was working)

the only thing i notice is that previously usenet hit about 1800KB/s, now it tops out at about 1600KB/s (having nothing else going on the network).

should i be able to hit 1800KB/s or this is due to the 95% rule of bandwidth ?

You will need to provide more details about your setup… It would be great if you posted screen caps of the relevant sections (with sensitive info obfuscated)

/24 worked like a charm. :)

I have had challenges of my own trying to queue bittorrent with L7 rules, but my understanding is that you create your L7 rule with a block action. Then you create a firewall pass rule with the L7 filter as target. Even though you are "passing" your torrent traffic, you're just passing it to the L7 rule which should block it.

That's my understanding. Like I said, it's untested at this point.

L7.PNG
L7.PNG_thumb

I got same error in my screen .I got the the reason for this problem . that I was made a rule for an ip to block in internet . IP address were from the dhcp server . On that client system user was a computer savvy he give ip address manually.when I remove that rule from firewall problem solved for me  this cause the problem . let you check in your side with the example

OK.  I will try to expand on this.

We currently have 8 clients.  Each client is assigned their own vlan 172.30.4.0/27, 172.30.4.32/27 etc.
All 8 vlans run over a trunked interface on the firewall.
I have created an inbound and an outbound limiter for each of the 8 interfaces.
I have then assigned the inbound and outbound limiter to each of the rules for each of the interfaces.
So each of them have 8 rules (they are all the same) and I have applied both the inbound and outbound limiter to each rule.

Is there a better way to do this.  I am sure I read that if I apply the limiter (set to 8MB)  to two rules say.  Then each rule gets 8MB not 8MB for the interface.

I am trying to figure out when creating the rule, in the mask section it indicates a source and mask.  If I understand this correctly.  I can select "source addresses" from the source list and then enter 27 for the mask and this would provide the desired bandwidth limiting.

I am in the process of rebuilding one of our firewalls and would like to streamline the configuration if possible.

Thanks

@georgeman:

I would have predicted the opposite, I thought that two simultaneous Speedtests were going to also exceed the limit, when combined.

What about two simultaneous downloads, from two different sites? Does that exceed the limit?

I found a proper alternative to this, the Captive Portal limiter. It seems to work in a different manner than the FW-rules applied one. I'm guessing it acts as a proxy to a particular MAC-address, and those even torrent won't bother with fiddling with.

Forget about m1 and d for now. Take m2 as the value you want to set. HFSC works with the same structure as CBQ, so you can use the same values and structure you posted, on linkshare m2. The benefit here will be the possibility of setting realtime values as well (which is a minimum guaranteed bandwidth for the queue)