UP !

Or you have UPnP enabled and he's transferring data through rules opened by UPnP which wouldn't get limits applied.

hi dreamslacker, i use 2.1-BETA AMD64 latest snapshot. i follow your config example, but the limiter only work on LAN interface. i try to add limiter rule in WAN tab, but it won't work also. do you have any suggestion? btw, i use squid proxy in transparant mode. [image: FW-RULES-FLOAT-03-EDIT.png] [image: FW-RULES-FLOAT-03-EDIT.png_thumb] [image: FW-RULES-LAN-02-EDIT.png_thumb] [image: FW-RULES-LAN-02-EDIT.png]

Anyone?

Thanks for your reply. I got this idea from Kerio Control that does just what i said but kerio control is very expensive and you get free trial for 30 days only.

Other than the sticky above on this particular forum Id be clueless. But I will add that Ive had great success with the qos that is part of the Siproxd package.  You have to enable it but works very well here. Good Luck!

The answer sadly is 'it depends'.  DS3 lines (I'm taking a shot in the dark that is what you have) are pretty stable and have good SLAs.  Assuming you are going to an ethernet private line or other service of similar caliber, you can likely run up to the high 90s percent wise (97-99) asuming you have a good /stable carrier. The short answer is as long as your limits / QoS rules 'kick-in' before the carrier's your all set.

have you researched the formal commercial support? https://portal.pfsense.org/index.php/support-subscription

Update and more info… I'm running: 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6... I found that a different rule was stepping on the one above and placing it in the default queue.   (I feel a little more sane now).   Here's where I'm getting tripped up.   if I remove all floating rules and ensure that no other rules have a queue action and add a default rule for to prioritize ACK traffic things start to fall apart. Here's a test I performed trying to understand how 'quick' performs on non-final rules (Queue only, not pass, block, reject, etc.) Test 1: Default rules before specific 'work' rules. In this test all work 'outbound' traffic is placed in the default rule.     pfctl -sr | grep queue     match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)     match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)     match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)     match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5     match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5     pfctl -k 192.168.0.0/16     killed 49 states from 1 sources and 0 destinations     re-establish tunnels on appliance and watch pftop Test 2: Default rules after specific 'work' rules. In this test all work 'outbound' traffic is placed in the default rule.     pfctl -sr | grep queue     match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5     match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5     match quick on vr0 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)     match quick on vr1 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)     match quick on vr2 all label "USER_RULE: Default Queue - Prioritize ACK" queue(q_Default_3, q_ACK_6)     pfctl -k 192.168.0.0/16     killed 49 states from 1 sources and 0 destinations     re-establish tunnels on appliance and watch pftop Test 3: No Default Rules. In this test all work traffic is placed in the correct q_Work_5 queue.     pfctl -sr | grep queue     match in quick on vr1 inet from any to 192.168.1.0/24 label "USER_RULE: QoS Work (inbound)" queue q_Work_5     match in quick on vr2 inet from 192.168.1.0/24 to any label "USER_RULE: QoS Work(outbound)" queue q_Work_5     pfctl -k 192.168.0.0/16     killed 49 states from 1 sources and 0 destinations     re-establish tunnels on appliance and watch pftop I guess I'm confused at how 'queue' type rules work when there are multiple matches in the ruleset.  Can someone provide any clarity. Thanks!

Do you have a specific rule that puts the various IMAP ports into a different queue?  p2pcatchall will match everything that isn't specifically matched. Josh

Thankyou ermal, dreamslacker & Metu69salemi. Yes i'm on v 2.1 . I saw the path now. I will walk as per your direction. I'm sure i will reach the destination. many thanks Kalu

This was working and I think I hit a bug, but I am not sure exactly what it is or why it happened. I had the initial 5 remote sites and their respective queues. I had floating rules to direct all the traffic to the queues for each site. I added in a 6th site, a 6th set of queues and a 6th set of floating rules, and now ALL open vpn traffic destined for HQ's lan is ignoring the queue assignments in the floating rules. All traffic is going to qlink or qack on the lan interface and I haven't found out why just yet. Floating rules that apply to traffic going out the wan, or going out the lan with traffic from the lan, are still categorized to the correct queues. I am absolutely stumped right now and this is a network in use 24/7 so I can't constantly try things to fix it. I am going to have to setup a lab on VSXi and try to figure out what the heck is going on. That is, unless someone else out there knows? I still haven't found a way to prioritize OSPF packets yet either since they never touch the wan. I don't think there is a way. The way I have delt with ospf packet loss was raising the dead timers to 5 minutes, far from optimal, but it works for this setup.

There's actually 2 parts to traffic shaping - the shaper queues that determine what should happen with the traffic that's put into them, and floating firewall rules that assign traffic to the queues. What you need to do is split the firewall rule that assigns those ports into 2 (or more) separate ranges. You'll find the rules on the Floating tab in the Firewall Rules menu. What you want to end up with is a rule that does (suppose you want to exclude port 4000) port 3000-3999 and a second rule that does 4001-32000.

@cmb: it gets a bit complicated because part of your shaping has to accommodate the fact it's ESP traffic on WAN. Ah, I see … I wonder if it would be possible to copy the ToS byte from the original IP header to the new ESP header (or perhaps it's being done already?) In Cisco it's done by default, it's called the “ToS Byte Preservation” feature. Edit: Based on a quick Google search, there seems to be a system tunable net.inet.ipsec.ah_cleartos that is set by default, but I don't see a corresponding ESP tunable.

ALIX 2d13< – same as 2D3 with an added port header i believe, same hardware performance specs I can Pull 37mbit on my comcast connection while using HFSC (m1, d, m2) to mirror 'powerboost' and there is CPU headroom to do more. From the below: total throughput UP + DOWN = 4256445 bytes/sec or 34051560 bits / sec (34Mbit).  I have hit 37+, but didn't manage that testing just now. PFTOP on my setup -- note pftop is BYTES not BITS, so multiply x 8. pfTop: Up Queue 1-20/20, View: queue, Cache: 10000 PAUSED                                                          09:37:01 QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S root_vr1                       6500K hfsc    0        0        0        0        0    0                     0       0 q_Internet                    6500K hfsc             0        0        0        0    0                     0       0  q_ACK_6                      1300K hfsc         99847  9311650        0        0    0                  2406  196073  q_Default_3                   650K hfsc         50534  6710816        0        0    0                     0       0  q_VoIP_7                      260K hfsc         13948  1600184        0        0    0                     0       0  q_High_4                     1300K hfsc         99767 14564592        0        0    0                   1.0      77  q_Low_1                       325K hfsc             0        0        0        0    0                     0       0  q_WORK_5                     2600K hfsc        144461 26449303        0        0    0                    18    3193 root_vr0                         36M hfsc    0        0        0        0        0    0                     0       0 q_Internet                      36M hfsc             0        0        0        0    0                     0       0  q_ACK_6                      7200K hfsc         11044   635208        0        0    0                     0       0  q_VoIP_7                      360K hfsc         10181  1591153        0        0    0                     0       0  q_High_4                     7200K hfsc        116494  146517K      334   503654    5                  2679 4053841  q_Low_1                      1800K hfsc             0        0        0        0    0                     0       0  q_Default_3                  3600K hfsc         48156 36041316        0        0    0                   1.0     390  q_WORK_5                       14M hfsc             0        0        0        0    0                     0       0 root_vr2                         36M hfsc    0        0        0        0        0    0                     0       0 q_Internet                      36M hfsc             0        0        0        0    0                     0       0  q_ACK_6                      7200K hfsc            27     1838        0        0    0                     0       0  q_WORK_5                       14M hfsc        224248  112203K        0        0    0                    13    2871 sidenote:  Can you change pftop to bits vs bytes.  90% of the time i'm thinking in bits