I think I will add a "local" queue, so that any locally generated traffic from the firewalls is not held to 25Mbit. There isn't a great deal of it, but when it happens I'd like it to be able to go at LAN speed.
I'll have to test this, where I set the queue to "local" on pass/block rules for local traffic from and to the firewalls.
Code:
queue internal on $internal_nic bandwidth 100M
queue local parent internal bandwidth 75M
queue down parent internal bandwidth 25M burst 100M for 1600ms
queue son parent down bandwidth 12500K
queue std parent down bandwidth 12500K default