I would love to see something like this.

Turns out, I've managed to get this working if I put all on the FLOATING tab.  Unique rules for WAN vs. LAN interface.  No need to place any rules on the LAN tab.

I may have answered my own question! The flow of data sent through the default queue is minimal, in my case about 1packet/sec or 520 bytes/sec. Given that I am using pfSense to handle the PPPOE connection for my ADSL, I am wondering if this could be the ICMP packets required to maintain the PPPOE link. If this is the case the ICMP data must be injected into the network flow after the firewall packet inspection but before being queued to leave the wan adapter. Can anyone confirm that this is the case and/or know of a network flow diagram for pfSense that may be able to confirm this? Also, is there a way to log the packets through a specific queue to show what exactly is being sent?

In the case of this scenario, how would you ensure ssh_bulk gets priority over ssh_login? WAN   SSH       ssh_login - interactive ssh shell access       ssh_bulk - SFTP transfer

Thanks dhatz.  Here are my HFSC rules as a starting point.  I have only one WAN (em3) and one LAN (em2) interface.  My down/upstream are 28/4 Mbit from my ISP.  I backed each down to ~97% to start.  Now I wasn't quite sure how to setup my SSH rules so that SFTP traffic goes into the ssh_bulk queue and ssh interactive shell goes into the ssh_login queue.  Appreciate all your guidance. Lastly, I still notice drops. but my ack is currently set to 30% on both interfaces.  I've read some places that say to set it as high as 60% but I wasn't sure whether that was accurate? altq on  em3 hfsc bandwidth 3.88Mb queue {  ack,  dns,  ssh,  bulk,  usenet,  backup,  bittor  } queue ack on em3 bandwidth 30% qlimit 500 hfsc (  realtime 20% )  queue dns on em3 bandwidth 5% qlimit 500 hfsc (  realtime 5% )  queue ssh on em3 bandwidth 20% qlimit 500 hfsc (  realtime 20% )  {  ssh_login,  ssh_bulk  } queue ssh_login on em3 bandwidth 50% qlimit 500 queue ssh_bulk on em3 bandwidth 50% qlimit 500 queue bulk on em3 bandwidth 20% qlimit 500 hfsc (  ecn  , default  ,  realtime 20% )  queue usenet on em3 bandwidth 5% qlimit 500 hfsc (  realtime 5% )  queue backup on em3 bandwidth 5% qlimit 500 hfsc (  upperlimit 95%  )  queue bittor on em3 bandwidth 1% qlimit 500 hfsc (  upperlimit 95%  ) altq on  em2 hfsc bandwidth 28Mb queue {  ack,  dns,  ssh,  bulk,  usenet,  backup,  bittor  } queue ack on em2 bandwidth 30% qlimit 500 hfsc (  realtime 20% )  queue dns on em2 bandwidth 5% qlimit 500 hfsc (  realtime 5% )  queue ssh on em2 bandwidth 20% qlimit 500 hfsc (  realtime 20% )  {  ssh_login,  ssh_bulk  } queue ssh_login on em2 bandwidth 50% qlimit 500 queue ssh_bulk on em2 bandwidth 50% qlimit 500 queue bulk on em2 bandwidth 20% qlimit 500 hfsc (  ecn  , default  ,  realtime 20% )  queue usenet on em2 bandwidth 5% qlimit 500 hfsc (  realtime 5% )  queue backup on em2 bandwidth 5% qlimit 500 hfsc (  upperlimit 95%  )  queue bittor on em2 bandwidth 1% qlimit 500 hfsc (  upperlimit 95%  )

I have yet to get PRIQ shaping to work even after following the Hammerweb guide  I really wish there was a solid how-to available.

PRES, I would reconsider userbased Up-down q's! Departements will do fine. And then again, it's the traffic type you gonna shape, not the user q! Departements then again should be or VLAN'd and/or Subnetted (higher security) so you can wel…. if you have a network that large most of these things are in place!

@podilarius: go to Firewall -> Rules -> Floating. In there create a rule that passes port 22 either as a source or destination ( you might have to create 2 rules if you want it bidirectional). Ah.  This is what I was looking for.  I found the queues, but had no idea where the matching of traffic to queues was happening.  I duplicated another high priority queue rule and just set it to port 22. One thing I don't know how to do is to differentiate interactive vs. bulk ssh traffic.  For example, I want my terminal sessions to take priority over an scp or sftp bulk transfer.  The ssh client deals with this (see more here: http://kerneltrap.org/node/505) by setting the ToS field differently for interactive and bulk ssh traffic. It would be kind of nice to have ssh in the wizard, there's a ton of fairly obscure stuff in there already, I was quite surprised to not see ssh in the list of protocols.

@ermal: Put a feature request for it in redmine.pfsense.org. Sure, I'll be doing it ASAP. Just that in pfSense its not so easy to monitor through ping since the icmp packets themselves are subject to throttling as well! Yes, but they can still give an idea of the situation. Actually, it's more or less the same in Gargoyle, but the result is excellent. While it can be given a thought in general just record it in redmine to have it always there when i find time to play with this option. Ok! I'll be doing it. Thank you for your kind attention!

@turiyain: The information is given below: Version 2.0-RC3 (i386) built on Tue Jun 21 16:50:25 EDT 2011 Ask if you need any other detail. Regards, VJ@@@// @kalu: oh that's great. could you please let us know your pfsene, squid and squidguard version information ? oh yes. please tell me your squid and squidguard version. Thanks

Here is a link that was quite informative to me about Layer 7 and protocols: http://l7-filter.sourceforge.net/protocols Of course, a reading about regular expressions is a must.  Thanks Google!

@argyx - This doesn't work, all HTTP traffic is still getting dumped into qlandef, which by default receives 1% bandwidth from the wizard.