• Traffic shaping on bridge lan wan (queues for protocols)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 5 people in this house

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    marcelloc

    If CAP is captive portal you do not need subnets, just include your Mac on bypass list.

  • Nice video tutorial on simple usage of limiter

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    I should mention that I didn't create the video, that was somebody on DSLReports, but he did such a good job of it I had to share it here.

  • ADSL+2 Dlink500B II modem using bridge +PFsense system questions!!!!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit all workstations to max download\upload rate, per machine

    Locked
    6
    0 Votes
    6 Posts
    9k Views

    @clarknova:

    When you create a shaper rule on the floating interface without the quick option, the rule will apply to any matched packet and the packet will continue to be compared to your firewall rules for a match. Rules on the non-floating interface are implicitly quick, so if your packet matches a floating rule and some other firewall rule, both rules will normally apply.

    Thanks for your advice here. I keep trying to make the floating interface rules work, but it's just not showing up for me.

    I create limiters with no mask so they will apply to all traffic rather than create one queue per address, then I create a floating rule with pass or queue policy (doesn't seem to matter), setting an interface (WAN or one of the LANs), a direction, and selecting limiters in in/out in the advanced section. I reset the states to wipe out any existing connections, and look in the limiter info page. I don't see buckets getting filled in as I do for the rules on a fixed interface with a source or dest mask in the limiter.

    Any ideas what I'm doing wrong?

    Thanks,
        - Tim.

  • Battlefield 3 Floating Rules Order

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    a-a-ron

    @KurianOfBorg:

    I found it too much of hassle to define outbound rules for games. Only inbound ports are properly documented. You might as well make a pass-all exception for your IP address/MAC address since if you're playing games on the workstation, it's already been "compromised" with stuff running with administrative access.

    You really only need to have one port opened by Origin to allow full connectivity for BF3. You shouldn't need to physically open all the ports they require. The ports I have listed above do seem to work for outgoing. I have allowed 3 additional port ranges for "incoming" now so all BF3 QoS traffic is prioritized (to my best guess). Remember this is QoS, not actually physically opening ports.
    EA uPnp Port:
    3659 keep state udp xxx.xx.x.xx EA Tunnel

    Additional Incoming Ports:
    UDP * 25200 - 25300 * * * qGames
    TCP * 42127 * * * qACK/qGames
    TCP * 9988 * * * qACK/qGames

  • MOVED: IP/Port Redirect

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dynamic Shaping per IP

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    Run the traffic shaping wizard. About the third or fourth page in you will have the option to set different protocols to different priorities - high, normal, and low. Change NNTP to low.

  • Traffic shaping Wizard error Single Lan Multi Wan

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    bump

  • [possible BUG] ECN is disabled, so altq can't use it?

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    well, ever since I enabled the flag, ECN tests work.  Without this set, even with ECN enabled in traffic shaper, ECN tests fail.  Perhaps it should be force set if enabled in traffic shaper.

  • Howto applying zph patch on LUSCA r14850

    Locked
    4
    0 Votes
    4 Posts
    5k Views

    Remember that only the traffic that comes from squid's cache will be marked. So you have to keep an eye at squid's log (tail -f /var/log/squid/access.log) to see if cache HIT are sent with appropriate tos (using tcpdump).

    It worked as expected when I tested it a few months ago.

  • How do I detect bandwidth hogs?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Ipfw-classifyd skype block not work

    Locked
    7
    0 Votes
    7 Posts
    6k Views

    @ermal:

    The skype pattern is not correct and needs to be fixed.
    I noted this quite late so you have to edit or create a custom pattern for it to work.

    Hi ermal,

    I do not use skype in layer 7. So is there another pattern which is not correct or is it another problem ?
    Is there any other way to find out which pattern makes the problem instead of just select and unselect one ?

    Thanks

  • PRIQ not working as expected

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Limit torrent download speed by setting fix # of connections?

    Locked
    9
    0 Votes
    9 Posts
    7k Views

    @marcelloc:

    Edit the firewall rule you want to set connection limit.

    Setting # in Maximum state entries per host would limit number of connections?

  • Traffic shaper working for outbound, not for inbound

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Try queueing with "In" on WAN with source w.x.y.z and dest. "Lan subnet" instead for the download matching.

    And use rules in the LAN tab instead to do outbound shaping.

  • Rate-limit an opened traffic

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    jimp

    Not that I'm aware of, I think it would end up the same, only applying to new connections.

  • Limiter not work correct on second nic

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    savago

    Same problem reported here http://forum.pfsense.org/index.php/topic,37399.0.html

    pfctl -vsr

    scrub in on fxp0 all min-ttl 255 fragment reassemble  [ Evaluations: 3366630   Packets: 683193    Bytes: 240344701   States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    scrub in on re0 all min-ttl 255 fragment reassemble  [ Evaluations: 1887278   Packets: 1035091   Bytes: 496825229   States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    anchor "relayd/*" all  [ Evaluations: 33964     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log all label "Default deny rule"  [ Evaluations: 33964     Packets: 17161     Bytes: 1107535     States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop out log all label "Default deny rule"  [ Evaluations: 33964     Packets: 12        Bytes: 1416        States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in quick inet6 all  [ Evaluations: 33964     Packets: 30        Bytes: 2160        States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop out quick inet6 all  [ Evaluations: 7376      Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop quick proto tcp from any port = 0 to any  [ Evaluations: 33934     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop quick proto tcp from any to any port = 0  [ Evaluations: 18322     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop quick proto udp from any port = 0 to any  [ Evaluations: 33936     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop quick proto udp from any to any port = 0  [ Evaluations: 15590     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop quick from <snort2c> to any label "Block snort2c hosts"  [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop quick from any to <snort2c> label "Block snort2c hosts"  [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick proto tcp from <sshlockout> to any port = 2299 label "sshlockout"  [ Evaluations: 33938     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"  [ Evaluations: 11827     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in quick from <virusprot> to any label "virusprot overload table"  [ Evaluations: 26564     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 from <bogons> to any label "block bogon networks from WAN"  [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in on ! fxp0 inet from 87.120.xxx.0/24 to any  [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in inet from 87.120.xxx.yyy to any  [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in on fxp0 inet6 from fe80::4e00:10ff:fe54:4632 to any  [ Evaluations: 26565     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"  [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"  [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"  [ Evaluations: 19933     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"  [ Evaluations: 19933     Packets: 2766      Bytes: 237779      States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in on ! re0 inet from 192.168.0.0/24 to any  [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in inet from 192.168.0.254 to any  [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    block drop in on re0 inet6 from fe80::21c:c0ff:fec4:da44 to any  [ Evaluations: 23799     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"  [ Evaluations: 6630      Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet proto udp from any port = bootpc to 192.168.0.254 port = bootps keep state label "allow access to DHCP server"  [ Evaluations: 1         Packets: 2         Bytes: 717         States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass out quick on re0 inet proto udp from 192.168.0.254 port = bootps to any port = bootpc keep state label "allow access to DHCP server"  [ Evaluations: 8218      Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in on lo0 all flags S/SA keep state label "pass loopback"  [ Evaluations: 31174     Packets: 4         Bytes: 536         States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass out on lo0 all flags S/SA keep state label "pass loopback"  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"  [ Evaluations: 31172     Packets: 266001    Bytes: 255650100   States: 79    ]  [ Inserted: uid 0 pid 34968 ]
    pass out route-to (fxp0 87.120.xxx.y) inet from 87.120.xxx.yyy to ! 87.120.xxx.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"  [ Evaluations: 7376      Packets: 332423    Bytes: 246309331   States: 44    ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = http flags S/SA keep state label "anti-lockout rule"  [ Evaluations: 31174     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = https flags S/SA keep state label "anti-lockout rule"  [ Evaluations: 6         Packets: 443       Bytes: 189501      States: 1     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 proto tcp from any to (re0) port = 2299 flags S/SA keep state label "anti-lockout rule"  [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    anchor "userrules/*" all  [ Evaluations: 31171     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto icmp from any to 87.120.xxx.yyy keep state label "USER_RULE"  [ Evaluations: 31171     Packets: 19        Bytes: 1978        States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto tcp from any to 87.120.xxx.yyy port = https flags S/SA keep state label "USER_RULE"  [ Evaluations: 17154     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on fxp0 reply-to (fxp0 87.120.xxx.y) inet proto tcp from any to 87.120.xxx.yyy port = 2299 flags S/SA keep state label "USER_RULE"  [ Evaluations: 5999      Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    pass in quick on re0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" dnpipe(1, 2)  [ Evaluations: 24520     Packets: 323866    Bytes: 237555787   States: 54    ]  [ Inserted: uid 0 pid 34968 ]
    anchor "tftp-proxy/*" all  [ Evaluations: 24547     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]
    anchor "miniupnpd" all  [ Evaluations: 24547     Packets: 0         Bytes: 0           States: 0     ]  [ Inserted: uid 0 pid 34968 ]

    pfctl -vsn

    no nat proto carp all   [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    nat-anchor "natearly/*" all   [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    nat-anchor "natrules/*" all   [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 87.120.xxx.yyy port 500   [ Evaluations: 7870      Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 87.120.xxx.yyy port 500   [ Evaluations: 245      Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 192.168.0.0/24 to any -> 87.120.xxx.yyy port 1024:65535   [ Evaluations: 6838      Packets: 347150    Bytes: 259653965  States: 41    ]   [ Inserted: uid 0 pid 34968 ]
    nat on fxp0 inet from 127.0.0.0/8 to any -> 87.120.xxx.yyy port 1024:65535   [ Evaluations: 245      Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    no rdr proto carp all   [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "relayd/*" all   [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "tftp-proxy/*" all   [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]
    rdr-anchor "miniupnpd" all   [ Evaluations: 33730    Packets: 0        Bytes: 0          States: 0    ]   [ Inserted: uid 0 pid 34968 ]

    pfctl -a miniupnpd -vsn

    rdr pass quick on fxp0 inet proto tcp from any to any port = 51413 keep state label "Transmission at 51413" rtable 0 -> 192.168.0.10 port 51413   [ Evaluations: 34050    Packets: 270701    Bytes: 255875228  States: 81    ]   [ Inserted: uid 0 pid 16714 ]
  • Limiters in Bridge mode and grouping hosts!

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    You are looking at limiters queues.
    You can actually create children on limiters as well :)

  • Priority Queue Problem - BattleField 3

    Locked
    4
    0 Votes
    4 Posts
    4k Views

    I'm trying the same without success. None of the BF3 traffic goes in the qGames. I even added just the udp ports with no success.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.