OK. Thanks a lot for your reply.

It can be done in squid+squidGuard, I believe. It's been asked and answered many times on the forum. Search and you'll find better answers.

Have you tried limiters?

Hi, I haven't used limiters, but maybe you could do it as follows: 1. Create a firewall rule for the IP range to exclude as follows: Pass Source: $ALIAS_EXCLUDED_IPs Destination: any In/Out: None 2. Create a second firewall rule for the remaining IP range as follows: Pass Source: $ALIAS_OTHER_IPs Destination: any In/Out: UploadLimiter/DownloadLimiter I'm not 100% sure, but do tell me if this works.

Thanks, I will retry asap. EDIT: did a cross check while I was using another ALIX with ipfire on it … there the backup went through fine and much quicker. I don't have a clue what to look for in the iptables there ... Just as a reference. I will re-check things when I plugged in the pfsense-box again.

In theory this would be possible with freeradius2 package and captive portal. I say "in theory" because there is still some bug on accounting on CP. You should at least use pfsense 2.1. Search the forum for more information or take a look here: http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

Hi You should create two limiters and set one for mask destination (download to LAN) and one for mask source (upload from LAN). Then add a FW rule above your default rule on the LAN and add the limiters to this. IN = upload from LAN (with source mask) OUT = download to LAN (with destination mask) This way all clients will get there own sets of limiters You can read it in the link from ptt under "Dynamic queue creation"

No sorry. Icannot reproduce it. It sounds like a bug of some kind. I have spend all weekend trying out different things with the limiter. Creating and deleting limiters over and over and I have had no problem doing that. Limiteres first really come to use after beeing assigned to a firewall rule. Therefore it is even more weird that your box messes up just after a limiter has been created. Suggestion: Time to do a restore to factory defaults and try again? Good luck with your project. Anders

Well. Glad you found a solution. Even though not the preferred one. I am playing with limiters at the moment. I need to limit users to max 50Mbitps. PF can do this dynamically. But when testing I can get no more than 16-18Mbitps through a limiter… I start with 1Mbit, 5Mbit, 10Mbit, 15Mbit and it works great. Then 20Mbit, 30Mbit, 40Mbit etc. all stay on same 15Mbit download 18Mbit upload ffor the user... If I remove the limiter then 60Mbit or more. Aparently there are small issues like this based on configuration, hardware etc. It is not easy.

@vlassic: Why do I see traffic in the default queues that the wizard creates before I create any firewall rules to put traffic in them? Traffic needs to go somewhere. Uncategorized traffic (traffic which is not directed somewhere else by a rule) falls within the default queue for that interface. There must be 1 default queue for each interface. Which scheduler are your trying to configure? (PRIQ, CBQ, HFSC)

In your case, "Single Lan multi Wan" would be the right choice.

jimp, Thanks for your time to explain all these fundamentals. So, it seems to me that there are 4 cases here: 1. LAN user initiates an upload to an external server 2. LAN user initiates a download from an external server 3. WAN user initiates an upload to an internal server (download from the perspective of the firewall) 4. WAN user initiates a download from an internal server (upload from the perspective of the firewall) For cases 1 & 2, the states created are IN on LAN & OUT on WAN. For cases 3 & 4, the states created are IN on WAN & OUT on LAN. So far, I think this is OK. Now, the objective is to shape all uploads and all downloads, whatever the origin of the connection. Let's take an example for each of the 4 cases: 1. local user at IP address 10.0.0.100 on LAN initiates an HTTP upload to external server 100.101.102.103 2. local user at IP address 10.0.0.100 on LAN initiates an HTTP download from external server 100.101.102.103 3. external user at IP address 200.210.220.230 on Internet initiates an HTTP upload to internal server 10.0.0.200 (download from the perspective of the firewall) 4. external user at IP address 200.210.220.230 on Internet initiates an HTTP download from internal server 10.0.0.200 (upload from the perspective of the firewall) Firewall rules on pfSense (Cisco-style): On LAN tab: permit ip host 10.0.0.100 host 100.101.102.103 (this rules caters for cases 1 & 2) On WAN tab: permit ip host 200.210.220.230 host 10.0.0.200 (this rules caters for cases 3 & 4) Return traffic is dealt with by stateful pf. Do I need to create the queues as follows for each of the 4 cases above? 1. qLAN-Upload (applied on LAN interface) 2. qLAN-Download (applied on LAN interface) 3. qWAN-Download (applied on WAN interface) 4. qWAN-Upload (applied on WAN interface) How should I apply these queues to the rules (LAN, WAN, floating)? LAN tab: A. permit ip host 10.0.0.100 host 100.101.102.103 => Queue: qLAN-Upload/qLAN-Download ??? WAN tab: B. permit ip host 200.210.220.230 host 10.0.0.200 => Queue: qWAN-Upload/qWAN-Download ??? Floating tab: src 10.0.0.100 => dst 100.101.102.103: Action: Queue, Direction: Out, Interface: WAN, Queue: qLAN-Upload Please help clear the confusion… Thanks

This is what I mean - I've currently got this setup so that anything to and from 38.0.0.0/8 gets put into the qCrashplan queue (i've now renamed my crashplanout queue to qCrashplan) I've attached what I see, why is only the incoming Crashplan queue dealing with packets and not the outgoing? Does anyone have any ideas? Could anyone share what they see in their queues? Thanks