• 0 Votes
    2 Posts
    1k Views
    As I anticipated might happen, I figured it out through trial and error. I have limited understanding of Linux/Unix/FreeBSD, and with the limited info I found (the definitive pfSense guide & http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter) I couldn't figure it out. Sure enough, it's THIS simple: set up two limiters (as suggested), apply to a firewall rule (I did it to LAN). I knew that; however, there are a few catches a newbie like me didn't catch:

    1) You cannot set the Destination to WAN address (I believe because it will then pump it through WAN, bypassing the virtual dummynet limiters).
    2) You HAVE to put the rule ABOVE the 'Default allow LAN to any' rule. Either that or simply modify that existing rule to add the in/out limiters.

    I was pulling my hair out. Sure enough, it IS working in the 3rd way I described above, where two or more people cannot reach past the set limiter. Right now I am testing the schedule-based aspect of this, crossing my fingers. I am sure some more knowledgeable people are giggling at me.

    If anyone wants to chime in on the best way to set up some kind of content filter (without changing our existing DNS system) through pfSense, my ears are open wide!

    Also, note to admins again: broken link: http://files.pfsense.org/tutorials/squidguard/squidGuardQuick.htm on the main tutorial page: http://doc.pfsense.org/index.php/Tutorials

    Side note to people using the schedules: you can't use a space in the name; it took me like 5 min to figure out why it didn't like mine.
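    The limiter setup from the post above, written out as the pf.conf and dnctl equivalent of the GUI clicks, with the two catches the poster hit shown in place. This is an added example, not text from the post and not a ruleset generated by pfSense; it assumes pf with dummynet support (the dnpipe keyword, FreeBSD 13 and later, the same mechanism pfSense limiters are built on), the LAN interface em1, the subnet 192.168.1.0/24, and the 512 Kbit/s up / 2 Mbit/s down figures.

```pf
# Added example (not from the post): pf.conf/dnctl form of "two limiters
# applied to the LAN rule". Assumed values: FreeBSD 13+ pf with dummynet
# support, LAN interface em1, LAN subnet 192.168.1.0/24, limits of
# 512 Kbit/s upload and 2 Mbit/s download.

# The pipes are created with dnctl before the ruleset is loaded (shell):
#   dnctl pipe 1 config bw 512Kbit/s   # LANup:   LAN -> WAN
#   dnctl pipe 2 config bw 2Mbit/s     # LANdown: WAN -> LAN

lan     = "em1"
lan_net = "192.168.1.0/24"

# Catch 1: the destination is "any", never the WAN address. A rule whose
# destination is the firewall's own WAN address only matches packets sent
# to the firewall itself (web GUI, DNS forwarder), so Internet-bound
# traffic never matches it and never enters the pipes.
#
# Catch 2: ordering. pfSense emits every GUI rule as "quick" (first match
# wins), so the limiter rule must come before the default allow rule; the
# default rule matches everything and stops evaluation. In a hand-written
# pf.conf without "quick" the opposite holds: the last matching rule wins.
#
# dnpipe (in, out): "in" is the rule's own direction (packets entering the
# LAN interface, i.e. uploads from LAN hosts), "out" is the reply direction
# (downloads). Swapping the two numbers is the usual way to end up with the
# limits on the wrong direction; verify with one large download and one
# large upload and read the rate off "dnctl pipe show".
pass in quick on $lan inet from $lan_net to any dnpipe (1, 2) keep state

# Default allow LAN to any. With the rule above it is never reached, which
# is why editing the default rule itself to add the limiters is equivalent.
pass in quick on $lan inet from $lan_net to any keep state
```

    Load it with `pfctl -f` after the two `dnctl` commands have run; `dnctl pipe show` lists each pipe with its configured bandwidth and the traffic currently queued in it, which is the quickest way to confirm that packets are actually passing through the pipes rather than around them.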
  • Hopefully easy QOS/TrafficShaper question for the masters….

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit speed of one PC when others require Internet

    Locked
    0 Votes
    5 Posts
    3k Views
    You can run the traffic shaper wizard and select PRIQ as the algorithm, punch in your upload and download speeds (actual, not rated) accordingly. Run through everything (no need to check anything). You should have a simple PRIQ parent queue for WAN and for LAN.

    Go to Firewall -> Traffic Shaper. Click 'LAN'. Click 'Add New Queue'. Set priority to, say, 7. Name it qAck. Add a queue again. Set Priority to 5. Set as Default Queue. Name it qDefault. Add another queue. Set Priority to 1. Name it qLow. Repeat for the WAN tab.

    Now go to Firewall -> Rules. Click the LAN tab. Click the 'e' button beside the 'Default allow LAN to any' rule. Scroll down till you find 'Ackqueue/Queue'. Set to: qAck/qDefault. Click Save. Now click the '+' sign beside the rule. Go to 'Source'. Change from 'LAN subnet' to 'Single Host or Alias'. In the box below, fill in the IP address of the computer to throttle. Scroll down to 'Ackqueue/Queue'. Set to: none/qLow. Rename the Description to 'Throttle Download'. Click Save. In the LAN tab, you will now see both rules. Check the box to the right of 'Throttle Download', then click the arrow button beside the 'Default allow LAN' rule to move the throttle rule above it. Click Save. This settles the upload throttling.

    Now for download throttling. This gets slightly trickier. Click on the 'Floating Rules' tab. Click Add new rule (+ button). Check the 'Apply the action immediately on match' box. Under interface, choose WAN only. Set direction to 'In'. Set Protocol to Any. Set Source to Any. Set Destination to Single host with the IP of the download machine. Go down and set the queues to none/qLow. Set Description to 'Download throttle'. Save the rule. Under floating rules, duplicate this rule. Change Destination to 'LAN subnet'. Go down and set the queues to qAck/qDefault. Set Description to 'Default CatchAll'. Save the rule. No re-ordering is necessary. Just click Save at the top of the page. That should do the trick.
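    The GUI procedure above, written as the pf.conf ALTQ ruleset it produces in substance, so the queue names, priorities and rule order can be read in one place. This is an added example, not text from the post and not a pfSense-generated ruleset; the interface names em0/em1, the subnet 192.168.1.0/24, the throttled host 192.168.1.50 and the 1 Mbit/s up / 10 Mbit/s down link rates are assumed values.

```pf
# Added example (not from the post): ALTQ PRIQ ruleset matching the GUI steps.
# Assumed values: WAN em0, LAN em1, LAN subnet 192.168.1.0/24, throttled host
# 192.168.1.50, measured link rates 1 Mbit/s up and 10 Mbit/s down.
wan       = "em0"
lan       = "em1"
lan_net   = "192.168.1.0/24"
throttled = "192.168.1.50"

# Wizard step: one PRIQ parent per interface, sized to the measured rate of
# the link in that direction (upload on WAN, download on LAN). The figure is
# kept a little below the real rate on purpose: if the parent is larger than
# the link, the queue never fills, the bottleneck sits in the modem instead,
# and the priorities have no visible effect.
altq on $wan priq bandwidth 950Kb  queue { qAck, qDefault, qLow }
altq on $lan priq bandwidth 9500Kb queue { qAck, qDefault, qLow }

# Child queues, one set per interface ("Repeat for the WAN tab"). The higher
# priority is served first; priq(default) marks the queue for traffic that no
# rule assigns.
queue qAck     on $wan priority 7
queue qDefault on $wan priority 5 priq(default)
queue qLow     on $wan priority 1
queue qAck     on $lan priority 7
queue qDefault on $lan priority 5 priq(default)
queue qLow     on $lan priority 1

# LAN tab. The GUI's "Ackqueue/Queue" pair is queue (main, ack) in pf.conf:
# empty ACKs and lowdelay-TOS packets go to the second queue. GUI rules are
# "quick", so the throttle rule has to sit above the default allow rule.
pass in quick on $lan from $throttled to any queue (qLow)            # Throttle Download
pass in quick on $lan from $lan_net   to any queue (qDefault, qAck)  # Default allow LAN to any

# Floating tab, interface WAN, direction in, "apply immediately" = quick.
# The queue named here is applied when the packet is sent out on LAN, which
# is why LAN needs its own copy of the three queues.
pass in quick on $wan from any to $throttled queue (qLow)            # Download throttle
pass in quick on $wan from any to $lan_net   queue (qDefault, qAck)  # Default CatchAll
```

    After `pfctl -f`, `pfctl -vs queue` shows per-queue packet counters; during a transfer from the throttled host the counters should move on qLow and on nothing else. One pf behaviour worth knowing when reading the floating rules: the queue is recorded on the state at the moment the LAN rule creates it, and every later packet matching that state, including the replies arriving on WAN, is placed in that queue. For connections the LAN host opens, the LAN rule with none/qLow therefore already governs the download direction; the WAN-side floating rules decide the queue for states that begin on WAN, such as port forwards.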
  • VoIP on MetroE 5U / 5D - Asterisk and pfSense 1.2.3

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Data Transfer CAP

    Locked
    0 Votes
    3 Posts
    2k Views
    As far as I know, in pfSense you can only set speed limits with either the captive portal or limiters. However, if you need quota management, pfSense can't do it, so you would need to get something like daloRADIUS and map it to pfSense to handle user and quota management (server farm in your house) :D
  • Confused with CBQ shaping

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • QOS

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Forcing certain traffic over a certain wan.

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Limiter transparent squid

    Locked
    0 Votes
    2 Posts
    2k Views
    Update 1: to be sure it is not related to Squid, I used uTorrent to download some files, which of course will not go through Squid, and yet the limiter did not work. By the way, the rule created in the firewall is for any for source/dest/ports/TCP-UDP.
  • Layer7 Configuration

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Peculiar shaping with a simple setup

    Locked
    0 Votes
    4 Posts
    2k Views
    This is driving me mad... All the different traffic flows are being sent to the proper queues based on the related rules, that is a fact. But beyond that, it seems that the queues' respective priority is not taken into account :(

    -> I added the following rule in order to prioritize ICMP traffic:

    Proto  Source             Port  Destination  Port  Gateway  Queue
    ICMP   high_priority_pc1  *     *            *     *        qVoIP

    -> Without any traffic on the line, ping requests to an external IP are around 40ms.
    -> With download traffic originating from low_priority_pc2, the average ping response time is around 150ms, despite being passed to the highest priority (7) queue.

    I'm lost...
  • PfSense tool for traffic shaping

    Locked
    0 Votes
    4 Posts
    2k Views
    pfSense is mostly using ALTQ (see http://en.wikipedia.org/wiki/ALTQ and http://www.freebsd.org/doc/handbook/firewalls-pf.html) and, to a lesser extent, dummynet.
  • Traffic Shapper for URL

    Locked
    0 Votes
    3 Posts
    2k Views
    jimp
    It's not possible to do in any meaningful way. Using a hostname is possible in an alias, but for most large web sites, the IPs returned by DNS change often or are randomized. So the firewall would be tracking one IP thinking it's that site, when really it's another one entirely. It may be possible with squid, but I don't know for sure. Someone else may know better on that part.
  • Voip priortize IPsec vpn

    Locked
    0 Votes
    5 Posts
    5k Views
    dhatz, thank you much for the link you provided. I am on a big learning curve on the traffic shaping gig. I am trying to get my head around looking at the queues in the RRD graphs, trying to decipher what the meaning of this translates to. OK, you made a good point. The IP phones are in fact on a separate VLAN aside from the actual PCs, so what you are suggesting sounds like a plan. I am going to give my generic traffic shaper setup a try, for ONLY VoIP, and as I mentioned earlier the VoIP tab does in fact have an entry for the Panasonic TDA phones, which are what we have at both buildings, so fingers crossed this may work out. In a week's time, if nothing has improved, I will go to plan B with your 'by IP range' setup. Take care, Barry
  • 7 people in this house - solve with limiters?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Queues understanding effect

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: 'pfctl: jme0_vlan10: driver does not support altq'

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to block torrent traffic on pfSense ?

    Locked
    0 Votes
    10 Posts
    55k Views
    The Snort tagging would only be useful if Snort is put inline. Furthermore, the encryption of torrent traffic will just make it impossible for Snort as well to detect it.
  • QoS lowest priority

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    8 Posts
    10k Views
    Ideally you should use the traffic shaper, to ensure that business traffic gets priority over bulk downloads, instead of using a hard bandwidth cap via the CP limiters. It's also a decision between favoring best utilization of bandwidth vs. consistency. Anyway, the biggest problem with P2P traffic is that it's quite difficult to identify (in order to proceed to the next step of limiting it).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.