Are you using the traffic shaper?

You said you have only 1 LAN, but you mention you have multiple subnets. What do you mean? Are you using VLANs?

It's OK, the limiter will be applied to whatever gets catched by the rule, and incoming NAT traffic won't.

Thanks fixed my problem.

@GomezAddams:

@georgeman:

Sounds good. Anyway on the second rule you said "proto UDP", so I wouldn't select an acknowledge queue (unless you know what you are doing)

What does selecting an ack queue do for UDP traffic (since UDP doesn't have acks)?

Not really sure. What I can tell you is that some traffic might be catched, depending on the packet flags I guess. To make sure everything works the way I want, I prefer to create two rules: one with acknowledge queue for TCP, and one without for UDP

No, there is not currently any way to do that.

That is a known issue that was fixed in 2.1.

Could I most politely ask if what you mean is actually the qACK below root_pppoe0 that needs to have a QLEN > 0?

Yes, I can hear you. The answer is no.

Any help on this would be greatly appreciated.

Thanks.

Hey georgeman, I get what you're saying, trust me I'd love to do one floating rule, but I found this during my testing and research of the settings.

https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Setup_Limiters

“pfSense currently only allows setting the source address or the destination address as the mask, meaning that you can give each host behind your firewall its own set of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would give your In pipe a Source Address mask, so that each host sending packets gets it’s own dynamic pipe for uploading. You would give your Out pipe a destination address mask, so that each host receiving packets gets it’s own dynamic pipe for downloading.”

Also on the mask config in the pfSense GUI it reads:
If ‘source’ or ‘destination’ is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size given above will be created for each source/destination IP address encountered, respectively. This makes it possible to easily specify bandwidth limits per host.

My understanding of these documented statements is that the limiter can limit upload for each LAN –> WAN session (source), or download can be limited for each WAN –> LAN session (destination).
When I tried using the mask source configuration, I saw my steam client download from multiple remote sites which, broke the whole concept of limiting download bandwidth for a single LAN IP, as I need to limit the sum of all download connection sessions. It worked for single streams of traffic to single IP addresses, such as with speedtest, but not for downloads from multiple remote sites. Either that or I configured it wrong. I tested with the new limiter config using the mask for source, made new rules, and one machine still topped out the qHTTPandSteam queue. Let me know if you find testing to be different in your environment.

Interesting.  I happened to remember my pbx is set up to set diffserv/tos bits on RTP and SIP packets, so I deleted the shaper and created a new one with 'generic(lowdelay)', and the 2 floating rules were replaced by 1.  I just tried making another call, and lo and behold queueing.  This is probably one of the most frustrating things about using pfsense.  I really love the thing, but there are some aspects that are black juju, and it is more than a little frustrating.  You google for stuff like this and find literally a score of different articles, many with incomplete, wrong or contradictory advice.  Sigh…

Try and uncheck this for each queue in your traffic shaper:
Explicit Congestion Notification

Then test again.

You will probably see that you now get close to your max speed.

Aparently the "Explicit Congestion Notification" need all network equipemnt to be configured just right to work as intended. If just one piece of equipment drops packets at a lower treshold your will see significantly lower speeds.

Please try and post your findings

Turns out, I was still getting a few ACK drops on my WAN connection with bandwidth set to 30%.  I've slowly inched it up to 38% bandwidth and I no longer appear to be getting ACK drops when both my upload and download bandwidth are saturated.

Hello
I do have a similar issu
update: My setup is all IPv4. But still similar to your issue. The issue may not be specific to IPv6 at all….

First issue
First of all, there seem to be trouble with the limiters. I set a limiter for 50Mbit down and 100Mbit up.
Later changed to 55Mbit down and 50Mbit up.

In limiter info it says:
limiter 1: 55Mbit (from after I changed the speed)
limitre 2: 100Mbit (from before I changed the speed)

Now how is that possible?

Second issue
When doing a speedtest I get aprox. 50Mbit throughput in download (thats is fine with a 55Mbit limiter)
But I get an initial 40-45Mbit upload fast dropping to somewhere between 10 and 17Mbit during the test.

limiterissue.png
limiterissue.png_thumb

I have just finished configuring this option.

http://people.pharmacy.purdue.edu/~tarrh/Transparent%20Firewall-Filtering%20Bridge%20-%20pfSense%202.0.2%20By%20William%20Tarrh.pdf

Turn pfsense into bridge mode with firewall filtering turned on, this then allows all public IP's to be on the LAN side of the bridge and the limiter rules specified in the LAN firewall rules also still work.

Fantastic!