• Traffic shaping all SSH traffic to qSSH?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Per user shaping does not work on 2.0.1

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    B
    Million thanks cmb, you're a life saver :) Been working on this issue for a week and can't find any info on the internet about this.
  • Block skype via Layer 7??

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Trouble with Traffic Shaping

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    S
    HFSC doesn't actually have any sense of priority, that is just a GUI mistake. So one queue doesn't really have any more priority than any other, except if a queue is marked as realtime, but that was designed for low latency stuff like voip, things that are not necessarily high bandwidth, they just need low latency.
    The other problem is that bittorrent traffic is so ill-mannered, it is hard to control. Since bittorrent traffic is usually made up of hundreds/thousands of separate longer lasting and short lasting flows/sessions, it doesn't react quickly to packet drops, which is the only way that a pfSense router can try to shape the incoming traffic, by dropping packets that have already made it to you, to try to get the sender to back off. TCP/IP is supposed to back off its transmit rate when packet loss is detected, but that doesn't work so well when there are 100 different connections that need to back off, and it doesn't happen instantly.
    Web traffic on the other hand is made up of numerous short lived connections. So when you view a web page there is a flurry of activity grabbing the different elements, and then it is done (internet video is obviously not like this of course). So when you try to view a web page pfSense will try to slow down the bittorrent traffic, but it takes longer to slow it down than it takes for the web page to load.
    Add into this the bufferbloat problem with most consumer grade network equipment, which just makes it worse since the tcp/ip backoff takes even longer when there are multiple seconds of packets buffered.
    My suggestion is to just limit your torrent bandwidth to 40-50 percent of your total bandwidth. Game of thrones.. I mean your legal Linux ISOs will still download in a reasonable amount of time, and other traffic will remain responsive. Plus your ISP won't hate you as much (you should also consider not torrenting during prime time 6pm-midnight, which your ISP will again appreciate.)
    You could also try the priority queuing shaping method, that actually does use priority, but it still won't be perfect. Oh and one other person reported that making the p2p queue really huge, like 2000-3000 packets helped control bittorrent better… but I don't remember if that can be done from the GUI.
    There ought to be a FAQ on this. Oh and as far as I know, I think I know what I'm talking about, but I'm always happy to be corrected.
    Josh
  • DHCP reservation, NOT static arp mapping. MAC traffic shaping?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    The network card also needs to be pushed into static ARP mode: ifconfig (interface name) staticarp. pfSense can set up static ARP in the GUI in the DHCP settings, but I believe that requires you use the DHCP server on pfSense… if another box is your DHCP server, I don't know that it would work from the GUI.
  • HFSC shaping - uTorrent going to Default instead of P2P queue

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Behind another firewall

    Locked
    55
    0 Votes
    55 Posts
    23k Views
    P
    Honestly don't know. I have never used the limiter. My guess would be to set up the limits and on your firewall rule use the in/out setting. I tried once, but it didn't work and I was not in the mood to learn it. So I just used traffic shaping.
  • Limit the download speed after some time?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P
    That is in the traffic shaping rules and not the limiter. I have not utilized the limiter yet.
  • Would be so kind for assistance regarding pfSense

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    Be careful when classifying the ports for Steam. The gameplay uses UDP ports, the downloader uses TCP. You are likely to want to prioritize the gameplay and not the patching/download ports, so don't match both TCP and UDP when setting up your rules. I've used pfSense in a Cybercafe production environment before due to the traffic shaping capabilities (keep gamers infinitely happy while other users are happily streaming videos and chatting with loved ones back home) so it definitely would do what you need. The main problem you are going to face is the actual rules configuration and the queues setup.
  • Newbie Having Problems getting started with Traffic Shaping

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Minimum bandwidth to a local IP address or MAC address

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Shaping Google Drive uploads

    Locked
    3
    0 Votes
    3 Posts
    7k Views
    A
    @SeventhSon: Nice one, using google drive myself, don't have very big files in there, so haven't noticed this behavior.
    Until recently I hadn't noticed it either. It only showed up when I dumped a couple of isos into it. I'm hoping they implement at least deltas, if not throttling.
    @SeventhSon: One thing I would do, is move it to a floating rule, instead of LAN.
    I did make the rule floating but it's not clear in that post; I'll add a note to clarify. I have the floating rule assigned to LAN since I didn't care about queuing incoming on those connections (I'm assuming those are the upload-only connections judging by the domains). I did consider making a different rule (or altering this one) to handle incoming downloads, but I haven't had a chance to sort out which domains/IPs I need to filter against and test that yet.
  • VoIP QoS issues, please help

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    C
    I am far from being an expert and offer this only as something to try since nobody else replied. I have a couple IP phones and have DHCP give them a static IP based on their MAC address so they never change. Then I created an alias called VOIP-Phones that contains their IP addresses. In screenshot_4 enter the alias in the area you left blank. Regarding bandwidth: G.729 uses about 20-30k/Call. G.711 uses about 70-80k/call. Devices tend to default to G.711. Let me know if that helps.
  • Traffic Shaper and what it isn't.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    I am using traffic shaper to limit bandwidth. I have overall bandwidth and specific ones for p2p traffic. No worries though, there is a limiter also.
  • How linkshare and real-time works?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J
    This information is taken from this link… Please reference for further information: http://calomel.org/pf_hfsc.html
    realtime: the amount of bandwidth that is guaranteed to the queue no matter what any other queue needs. Realtime can be set from 0% to 80% of total connection bandwidth. Let's say you want to make sure that your web server gets 25KB/sec of bandwidth no matter what. Setting the realtime value will give the web server queue the bandwidth it needs even if other queues want to share its bandwidth.
    upperlimit: the amount of bandwidth the queue can never exceed. For example, say you want to set up a new mail server and you want to make sure that the server never takes up more than 50% of your available bandwidth. Or let's say you have a p2p user you need to limit. Using the upperlimit value will keep them from abusing the connection.
    linkshare (m2): this value has the exact same use as "bandwidth" above. If you decide to use both "bandwidth" and "linkshare" in the same rule, pf (OpenBSD) will override the bandwidth directive and use "linkshare m2". This may cause more confusion than it is worth, especially if you have two different settings in each. For this reason we are not going to use linkshare in our rules. The only reason you may want to use linkshare instead of bandwidth is if you want to enable a nonlinear service curve.
    nonlinear service curve (NLSC or just SC): The directives realtime, upperlimit and linkshare can all take advantage of a NLSC. In our example below we will use this option on our "web" queue. The format for service curve specifications is (m1, d, m2). m2 controls the bandwidth assigned to the queue. m1 and d are optional and can be used to control the initial bandwidth assignment. For the first d milliseconds the queue gets the bandwidth given as m1, afterwards the value given in m2.
  • Block downloading big files

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    A
    It works: I configure "services -> proxy server -> traffic mgmt -> maximum download size", I set 300 kilobytes, I try to download a file from a web site that has 417kB and the download is blocked :D
  • Newbie banging against the wall High Latency HFSC

    Locked
    29
    0 Votes
    29 Posts
    23k Views
    D
    When there are no free mbuf clusters available, FreeBSD enters the zonelimit state and stops answering any network requests. You can see it as the zoneli state in the output of the top command. The state of used mbuf clusters can be checked with 'netstat -m'. You can increase the quantity of mbuf clusters through the kern.ipc.nmbclusters parameter: sysctl kern.ipc.nmbclusters=65536
  • Newbie question on wizard setup

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    P
    Many thanks for the help, time for me to play around a little.  If anyone does know where there is a write up on the V2 shaper it would be very helpful!
  • Shape an Interfacegroup possible?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Guarantee VPN Bandwidth - possible?

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    G
    dreamslacker: Thank you for your great reply. I have the new router in place and am finalizing my plan to shape the bandwidth properly but I'd like to run some things by you, and others, to create a bit of a brain-trust on this before I actually try it. I'm thinking of creating limiters as follows:
    VPNInLimiter -> 10 Mbps -> Mask:None -> Delay:0 -> LossRate:0 -> Queue:empty -> Bucket:empty
    VPNOutLimiter -> "all the same settings as above"
    GeneralInLimiter -> 5 Mbps -> Mask:None -> Delay:0 -> LossRate:0 -> Queue:empty -> Bucket:empty
    GeneralOutLimiter "all the same as settings above"
    So basically, I'd be providing the VPN a dedicated 10 Mbps and everything else would go to the GeneralXLimiter pipes. I would then like to add standard shaping to the GeneralXLimiter pipes to ensure QoS is working properly within that 5 Mbps. I think what dreamslacker said would work by using the alias and firewall rules to assign the VPNs to the specified limiters. Any thoughts out there on this?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.