You can enable logging temporarily on your queue match rules to see what is happening, and then turn your attention to the firewall logs for more information.

Nice write up.
i've already created "reversed" torrent shaper.. So I do allow torrent to be used, but if you can use it with ~10kbps connection  ;D

@iservices:

you're giving very little information.

It should work if the config is like this:

client –>squid -->pfsense-->Internet

if you've got a config

client -->pfsense-->squid-->internet it'll never work,

as the pfsense can't distinguish if the traffic is cached by the proxy!

For better help give better information!

Hi there! Pardon me for the incomplete info. I am installing Lusca Squid package on my PfSense. Squid and Pfsense are in one machine.

So are you saying that it will work if squid is on a separate machine?

Thanks.

Sorry. First see your answer now.

Thanks a lot. I will experience with a LAN/WAN rule and see if I can get same result.

BR. Anders

@fil23:

The problem starts when in the settings of the SQUID transparent mode switch on the server. The Internet very slow loading web.

The core of Freebsd 8.1
More than 200 users

You haven't given much helpful info, but my guess would be that you've either configured Squid with too little memory, you're using disks that are too slow for your cache, or your Internet connection is very fast.

In my case I use Squid to only cache large files because small ones can usually be fetched from remote servers faster than they can be grabbed from cache, even with it backed by SLC flash.

Thanks for the clarification.

Given that I don't do NAT on my pfSense, so the rule should match on a private source IP.

:) Thanks Podilarius… in doc.pfsense.orf there is a paper how to do it, but the version of pfsense they use is 1.0 BREBETA2-BUGVALIDATION-EDITION5 and the newest one doesn't have the pages they show. even the webconfigurator of newest version of pfsense, doesn't have anythinhg about bridge mode. That's why I entered the foroum and made this request. But I'f i get the information I'll post it here for all the people in the foroum...

Thanks for your time...

thanks! I think most of us are waiting with joy!

Yes could potentially use PFSense to throttle his speed.  I know for a fact that WoW has parental controls that you can enable.  I dont think the other games do.

You would have to throttle the connection to the point that is super super slow.  I would hazard that you try other methods to limit his gaming time though and perhaps if you would game with him or show an interest , even if faked on your part , in his activity , you might have better luck at limiting his time?

You would have several options in PFSense to do this from using a schedule to traffic shaping to actually using the limiter.

Also how technically inclined is he as well?  If he is pretty tech savvy then it will make the job that much harder.  Most Xbox's and PS3's have WiFi so if your in a densely populated residential area , there would potentially an unprotected WiFi he could jump on and avoid your throttling altogether.

As a father myself , I find that by gaming with the kids and showing interest in their hobbies , it makes it easier and they are willing to live with limits on game time and have reached the point that for the most part they do it themselves without me having to tell them.

Good luck to you.

My recent post covers the basics of this:
Works! Limiting multiple LAN users, thru single external proxy
http://forum.pfsense.org/index.php/topic,60861.0.html

In general, to create different speed groups, you need to do some coordination of your network addresses, and you can't just use automatic address assignment by DHCP for the entire building LAN.

You'll probably want to inventory all the MAC addresses of the public machines so that they can be assigned addresses within the same common block, via DHCP MAC reservations . (You can also manually assign addresses directly to each machine without DHCP reservations, though this can be a maintenance hassle if the machines are wiped and reimaged occasionally.)

The collective address range is then restricted by the limiter. Anything outside the range would be permitted full speed.

A more thorough option is to group all the wired public machines into a single network switch or a VLAN, and then applying a subnet and automatic DHCP to that entire group through an optional interface on your pfSense router.

This requires lots of fiddly crawling around under tables, locating of ports on walls and who is what port number, and then moving cables around in closets to put all the wires into a common group on a single switch or to make a VLAN range of ports.

(You can also create a freeform VLAN for scattered ports across the switch without moving cables on the switches, but this is more management hassle later if there's a problem, IMO.)

This would allow the computers to all be limited without needing to do DHCP reservations, and also allows for an open public wifi service for patron laptops and mobile devices to join the subnet and be limited also.

This can only be done properly on 2.1, where each limiter can have multiple bandwidth entries and you select the schedules there in the limiter config.

Here are the screenshots for you:

It should balance the load when full, since all traffic will have equal priority.

Boy that is weird. The ISP says we are 23 * 1000 * 1000 or 23,000,000.

So apparently I gotta convert from 1000 to 1024 for the shaper wizard?

23,000,000 / 1024 = 22460.9375

I paste that in:

And the resulting config is different.

What's going on here?

@ttblum:

I see.

What I put into the Wizard's 'Connection upload speed' shows up afterwards in the WAN 'Bandwidth' field.

Is it possible I have upstream and downstream mixed up?

Shaping happens outbound on an interface. Uploads go out WAN. So it's correct.

Hi.
I will listen here as I would like to know to.

I do not know what the bandwith is for. I would like to know to. Both with and with out limits in the service curve

Regarding the link share I guess it is the quaranteed bandwith share if the connection is congested. If there is free capacity then more traffic can be given to the queue. To avoid a queue to use all your bandwith you can add an "upperlimit" along with your linkshare. Say 5% linkshare and 15% upperlimit. Then the queue will have minimum 5% when line is congested and a max of 15% even if there is a lot of free capacity.

Why you do math I do not understand. 3x10% What are you trying to ask? I you have a queue with 50% and a subqueue with 50% the last will get 50% of 50% = 25% of the bandwith. But I guess that is not your question.

Thanks. That works for me too.

Yes, you have to define the traffic shaping like that.

Regarding the rules, what I am currently doing is to specify on tab LAN (for download shaping) and on tab "Floating" (for upload shaping).
But, I think I read somewhere that it may be sufficient to only specify them on the "Floating" tab (you then set "Direction" to "any").
I haven't tested that.

Maybe someone else can confirm that.