Pfsense 2.0.1 HFSC setup example please? - asymmetric home internet



  • Hi - been reading countless threads and google pages on pfsense QoS setup, particularly HFSC, but haven't been able to get it working correctly without the wizard.  Was hoping someone that has it working with their home internet connection could please post their config from the debug.rules so that I might use them as a starting point.

    I'm sure many people will benefit from this information.

    Basically I am trying to traffic shape:

    WAN (4 Mbit upstream)
    qack
    qSkype - HD requires at least 1.5 Mbit/1.5 Mbit if not greater for 1080p
    qDNS
    qSSH (shell access w/ priority over bulk sFTP traffic)
    qdefault/bulk
    qbackup - I use Crashplan
    qUsenet - for downloading from news server
    qtorrent - lowest priority - though I understand HFSC ignores priorities

    LAN (28 Mbit downstream)
    when I download from usenet at full speed, I seem to get way too many drops

    Thanks in advance.



  • I have a similar setup which is (almost) working, some problems still exist.

    My PRIQ queues are (both WAN & LAN)

    altq on  rl0 priq bandwidth 1536Kb queue {  qHigh,  qAck,  qNet,  qHTTP,  qDefault,  qBackup,  qLow  }
    queue qHigh on rl0 priority 7 priq (  ecn  ) 
    queue qAck on rl0 priority 6 priq (  ecn  ) 
    queue qNet on rl0 priority 5 priq (  ecn  ) 
    queue qHTTP on rl0 priority 4 priq (  ecn  ) 
    queue qDefault on rl0 priority 3 priq (  ecn  , default  ) 
    queue qBackup on rl0 priority 2 priq (  ecn  ) 
    queue qLow on rl0 priority 1 priq (  ecn  )

    And the rules:

    match log  quick  on {  rl0  }  proto { tcp udp }  from any to 192.168.10.0/24 port 6880 >< 7000  queue (qLow)  label "USER_RULE: Throttle P2P"
    pass  in log  quick  on $WAN reply-to ( rl0 83.145.208.254 )  proto tcp  from any to  $phobos port 80  flags S/SA keep state  queue (qHigh,qAck)  label "USER_RULE: NAT www"
    pass  in log  quick  on $WAN reply-to ( rl0 83.145.208.254 )  proto tcp  from any to  $phobos port 22  flags S/SA keep state  queue (qHigh,qAck)  label "USER_RULE: NAT ssh"
    pass  in log  quick  on $WAN reply-to ( rl0 83.145.208.254 )  proto udp  from any to 83.145.208.207 port 1194  keep state  queue (qHigh,qAck)  label "USER_RULE: OpenVPN FULL"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 port 6880 >< 7000  to any keep state  queue (qLow)  label "USER_RULE: Throttle P2P"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 to  173.225.132.0/24 keep state  queue (qBackup)  label "USER_RULE: Throttle CrashPlan"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 to  209.208.241.0/24 keep state  queue (qBackup)  label "USER_RULE: Throttle CrashPlan"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 to any port 80  keep state  queue (qHTTP,qAck)  label "USER_RULE: Boost HTTP"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 to any port 443  keep state  queue (qHTTP,qAck)  label "USER_RULE: Boost HTTPS"
    pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 to any port 53  keep state  queue (qNet,qAck)  label "USER_RULE: Boost DNS"
    pass  in log  quick  on $LAN  from 192.168.10.0/24 to any keep state  queue (qDefault,qAck)  label "USER_RULE: Default allow LAN to any rule"
    pass  in log  quick  on $OpenVPN  from any to any keep state  queue (qHigh,qAck)  label "USER_RULE: OpenVPN FULL"

    Requirements/Notices:

    • Torrent clients must run on default ports (6881 - 6999)
    • My CrashPlan backs up to 173.225.132.0/24, other IP block for Code42 is 209.208.241.0/24

    -Pete-
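As an added example (not Pete's code and not part of pfSense), here is a small Python checker for a ruleset in the form posted above: it parses the `altq` statement, the PRIQ `queue` definitions and the `queue (...)` clauses of the filter rules, then reports queues that rules reference but the shaper never defines, a missing or duplicated default queue, priorities outside the PRIQ range, and (data, ack) pairs where the second queue does not sit above the first. The sample ruleset is taken from the post, plus one constructed rule that references a queue nobody defined; the pf behaviour it relies on is that with two queues, empty TCP ACKs and TOS-lowdelay packets go to the second one.

```python
import re

# Patterns for the three line types in a pfSense-generated pf ruleset (PRIQ shaper)
ALTQ_RE = re.compile(r'^altq on\s+(\S+)\s+(priq|hfsc|cbq)\s+bandwidth\s+(\S+)\s+queue\s*\{([^}]*)\}')
QUEUE_RE = re.compile(r'^queue\s+(\S+)\s+on\s+(\S+)\s+priority\s+(\d+)\s+priq\s*\(([^)]*)\)')
RULE_QUEUE_RE = re.compile(r'\bqueue\s*\(\s*([^)]*)\)')
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def parse_ruleset(text):
    """Split a ruleset into (altq definitions per interface, queue definitions, filter rules)."""
    altq, queues, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ALTQ_RE.match(line)
        if m:
            names = [n.strip() for n in m.group(4).split(',') if n.strip()]
            altq[m.group(1)] = {'sched': m.group(2), 'bandwidth': m.group(3), 'queues': names}
            continue
        m = QUEUE_RE.match(line)
        if m:
            opts = [o.strip() for o in m.group(4).split(',') if o.strip()]
            queues[m.group(1)] = {'iface': m.group(2), 'priority': int(m.group(3)), 'options': opts}
            continue
        if line.split()[0] in ('pass', 'match', 'block'):
            qm = RULE_QUEUE_RE.search(line)
            lm = LABEL_RE.search(line)
            names = [q.strip() for q in qm.group(1).split(',') if q.strip()] if qm else []
            rules.append({'label': lm.group(1) if lm else line[:40], 'queues': names})
    return altq, queues, rules


def check_ruleset(text):
    """Return {'errors': [...], 'warnings': [...]} from the consistency checks below."""
    altq, queues, rules = parse_ruleset(text)
    errors, warnings = [], []
    # Every queue named in the altq statement must be defined, and vice versa
    for iface, info in altq.items():
        for name in info['queues']:
            if name not in queues:
                errors.append(f'{iface}: queue {name} listed in altq but never defined')
    for name, q in queues.items():
        if q['iface'] not in altq or name not in altq[q['iface']]['queues']:
            errors.append(f'queue {name} defined but not listed in altq on {q["iface"]}')
    # Exactly one default queue per interface; PRIQ priorities are 0..15
    for iface in altq:
        defaults = [n for n, q in queues.items() if q['iface'] == iface and 'default' in q['options']]
        if len(defaults) != 1:
            errors.append(f'{iface}: expected exactly one default queue, found {defaults}')
    for name, q in queues.items():
        if not 0 <= q['priority'] <= 15:
            errors.append(f'queue {name}: priority {q["priority"]} outside PRIQ range 0..15')
    # Rules may only reference defined queues. With a (data, ack) pair, pf puts empty
    # ACKs and TOS-lowdelay packets in the second queue, so it normally belongs at a
    # higher priority than the first; flag pairs where that is not the case.
    for r in rules:
        for name in r['queues']:
            if name not in queues:
                errors.append(f'rule "{r["label"]}" references undefined queue {name}')
        if len(r['queues']) == 2 and all(n in queues for n in r['queues']):
            data, ack = r['queues']
            if queues[ack]['priority'] <= queues[data]['priority']:
                warnings.append(f'rule "{r["label"]}": ACK queue {ack} (priority {queues[ack]["priority"]}) '
                                f'is not above data queue {data} (priority {queues[data]["priority"]})')
    return {'errors': errors, 'warnings': warnings}


# Sample ruleset: the queue definitions and a few rules from the post above, plus one
# constructed rule (marked) that references a queue the shaper never defines.
SAMPLE = """
altq on  rl0 priq bandwidth 1536Kb queue {  qHigh,  qAck,  qNet,  qHTTP,  qDefault,  qBackup,  qLow  }
queue qHigh on rl0 priority 7 priq (  ecn  )
queue qAck on rl0 priority 6 priq (  ecn  )
queue qNet on rl0 priority 5 priq (  ecn  )
queue qHTTP on rl0 priority 4 priq (  ecn  )
queue qDefault on rl0 priority 3 priq (  ecn  , default  )
queue qBackup on rl0 priority 2 priq (  ecn  )
queue qLow on rl0 priority 1 priq (  ecn  )
match log  quick  on {  rl0  }  proto { tcp udp }  from any to 192.168.10.0/24 port 6880 >< 7000  queue (qLow)  label "USER_RULE: Throttle P2P"
pass  in log  quick  on $LAN  proto { tcp udp }  from 192.168.10.0/24 to any port 80  keep state  queue (qHTTP,qAck)  label "USER_RULE: Boost HTTP"
pass  in log  quick  on $LAN  from 192.168.10.0/24 to any keep state  queue (qDefault,qAck)  label "USER_RULE: Default allow LAN to any rule"
pass  in log  quick  on $OpenVPN  from any to any keep state  queue (qHigh,qAck)  label "USER_RULE: OpenVPN FULL"
# constructed line: qVoIP is not defined anywhere in the shaper
pass  in  quick  on $LAN  proto udp  from 192.168.10.0/24 to any port 5060  keep state  queue (qVoIP,qAck)  label "CONSTRUCTED: undefined queue"
"""

if __name__ == '__main__':
    result = check_ruleset(SAMPLE)
    for kind in ('errors', 'warnings'):
        for msg in result[kind]:
            print(f'{kind[:-1].upper()}: {msg}')
```

Run against the sample it reports one error (the constructed qVoIP rule) and one warning: the OpenVPN rule queues data in qHigh (priority 7) with ACKs in qAck (priority 6), so the ACKs end up below the traffic they acknowledge. Pointing the checker at the full generated ruleset is a quick way to confirm that every queue a rule names actually exists on the interface the rule matches on, which is the usual cause of traffic silently landing in the default queue.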



  • Thanks Pete for sharing.  Question - do all the rules you've listed go on the FLOATING tab, or do only the WAN rules go on the FLOATING tab while any LAN rules actually need to be added to the LAN tab?



  • The only way I get them to work is to add all LAN rules to the LAN tab and WAN rules to floating.

    -Pete-



  • Turns out, I've managed to get this working when I put them all on the FLOATING tab.  Unique rules for the WAN vs. LAN interface.  No need to place any rules on the LAN tab.

