@georgeman:

Bear in mind that L7 filtering puts a heavy load on you CPU… What hardware are you running on? You might be short on CPU power

Hi, thanks for your reply.
I'm running a Quad Core Xeon. Pretty sure the CPU usage never peaks really.

Is it really that hard to do it ?
I might only need a guide I could read… Please help

Thanks

Sorry, I didn't clarify. I did mean for you to shape the VPN itself and not the traffic going into the tunnel.

Thank you for your answer.
But actually, as i have set high priority for IPSec protocol itself, everything i pass through the tunnel is automagically high priority.

Did you enable priority on both IPSec protocol itself and the ports / protocols that goes through the tunnel ? Or did you only apply queues on the inside of the tunnel ?

Thanks.

ISA server had that on every rule you specified. Loved that possibility!

Thanks very munch for the reply

I solved my own problem. I'm telling what i did and what i use for a reference for other people.

I had an ADSL connection with 830 kbit upload limit and 8 Mbit download limit (i tested with speedtest.net). I had to set traffic shapers upload limit to 450-500 kbit to prevent high packet loss. Besides of that from LAN to WAN upload bandwidth was almost getting doubled. Setting upload limit to 500 kbit was reducing my upload capability. It should be around 800-850 kbit.

Solution:
I had set pfsense's BOTH lan and wan's MTU to 1454 and MSS to 1414. I also set my Nas4Free (which is on 24/7) rig's and my main computer's MTU to same values.
These steps solved the problem, i raised my upload limit to 800 kbit, packet loss is between 0% and 4% under heavy upload and download. According to my research these values are normal.

Still problem:
From LAN to WAN upload graph is still getting doubled, for example under heavy upload i see a graph revolves around 800-900 kbit under LAN, and 1.40-1.60 Mbit graph under WAN. It doesn't affect the internet or network though but  it still remains a mystery to me

@jpalacio:

Hi all:

I am using the latest amd64 version 2.1 and I am trying to configure some limiters . I found that there is a limit of 30 limiters, when trying to add the 31st , it comes with an error  " you need at least one bw specification".

I've checked the shaper.inc code and certainly its limited to 30 limiters :

Line 3045  of shaper.inc

for ($i = 0; $i < 30; $i++) {                         if (!empty($data["bwsched{$i}"])) {                                 if ($data["bwsched{$i}"] != "none")                                         $schedule++;                                 else                                         $schedulenone++;

https://github.com/pfsense/pfsense/blob/dda9c67f7f8fdc3401a0d3c7b885630d128e2fbb/etc/inc/shaper.inc#L3045

Is this right?? Any advice on how to manage the situation when you want to use more than 30 limiters??

Thanks

No one???  :'( :'(

As far as I know, vmxnet3 via the official vmware tools doesn't support altq.

I think vmxnet2 using the open-vm-tools package might, but I can't confirm or deny it either way 100%

I wouldn't count on it being supported though.

I also posted a blog on creating a firewall rule to place traffic into a specific queue; not sure if this will help:

http://pfsensesetup.com/traffic-shaping-rules-in-pfsense-2-1/

Hi LiquidSmoke

Can the clients ping to the wan ?

We had a smiliar issue already. Check out this thread

http://forum.pfsense.org/index.php/topic,67012.0.html

regards

supermega

I have the same problem! :(

I am just starting to try to configure the traffic shaping properly.  This is a question I would be interested to find out more about as well.  Finding it more difficult than I expected to get things into the correct queue.

I'm mostly concerned with getting voip higher priority than other traffic, and making sure that torrents don't clobber anything else, this is just a home connection.

A quick update…

I've had this enabled for a few weeks now, with a couple of hundred users a day, over a dozen sites - no complaints received so far.

Final parameters used were 1Kbit/s source address, 50ms delay.

I'll stress again though - this will not prevent DNS tunnelling, it will only slow it, hopefully to the point where abusers will move on and find another target.

FYI, the above is correct, it's only that changes are applied to new connections, ie if you have an endless ping running you don't see the changes (in latency for example) in realtime.
Stop the ping, wait a few seconds and restart the ping  :-[

Floating rules are an area generally used to MATCH traffic.  The LAN, WAN and VPN tabs are where PASS or BLOCK rules are kept.  PASS rules are one way.  If you want your rule to pass traffic from LAN > WAN then put your PASS "allow all" rule in the LAN tab rather than the FLOATING tab.

Any traffic not matching a rule will automatically go to the default queue.  Change the default rule "checkbox" from qP2P to qDefault is step #1.  Can only have one default queue.  Step #2 is reviewing your rules that they are getting hits rather than going to the default queue.

@markn62:

I don't believe you can shape across a bridge.  You likely need to remove the bridge and re-run the shaping wizard.

You certainly can shape on a bridge. In fact, that's the only way I know to propely handle a multi-LAN scenario

EDIT: I mean, you can shape on a bridge composed by two LANs, towards a WAN. I don't know, but I don't think you can shape if you have LAN and WAN as a bridge