Traffic Shaper in pfSense 2.0

Have you recently upgraded from pfSense 1.2.3 to pfSense 2.0?  Are you having difficulty getting the traffic shaper to work properly?  The traffic shaper changed significantly between these releases, and the lack of documentation made for a very frustrating situation.  Fortunately I have been able to get the shaper to work the way I want it to on my network.  To spare others that frustration, here is a simple tutorial.

The first step is to run the Traffic Shaper Wizard that best matches your network.  In most cases that is the “Single LAN, Multi WAN” wizard.  Do not worry if you don’t have a multi-WAN network; just answer ‘1’ when the wizard asks how many WANs you have.  Work through the wizard, but prioritize only VoIP traffic for now.  The goal is simply to have the wizard create a few queues that we then customize ourselves, so there is no need to go into detail about every device or protocol you want shaped at this point.

OK, the wizard is done.  Now we customize the queues to our liking.  Everyone’s wish list will be different.  On my network I wanted to prioritize two kinds of traffic: VoIP phones and media streaming devices.  I have two VoIP phones and several Roku streaming devices.  VoIP gets the highest priority, media streaming the next highest, and everything else is treated as default traffic.

Go to Firewall -> Traffic Shaper -> By Interface tab and select the ‘LAN’ entry, as highlighted in the picture.  Select “PRIQ” as the scheduler type if it is not already selected.  Also fill in the Bandwidth, which the wizard leaves blank: enter what the link actually delivers in that direction (on LAN your download rate, on WAN your upload rate), not the number on the ISP’s brochure, because the shaper only has an effect when it, rather than the modem, is the bottleneck.  Save these changes.  An ‘Add new queue’ button now appears at the bottom.  Create all the WAN and LAN queues you need for your shaping; I created qVoip, qHTTP and qStream.  Note that each queue has to exist on both the WAN and the LAN interface, under the same name.

When creating each queue, enable it, give it a name and a priority, and tick the “Explicit Congestion Notification” check box.  When finished, the queues should look like this example; the WAN and LAN queues should be identical.  Priority is a value from 1 to 7, with 7 the highest.  Keep each priority unique to one queue so the ordering is unambiguous.  On my network the qVoip queue gets 7, qStream gets 6 and qHTTP gets 5.

OK, so the queues are set up with the right priorities.  Now we need rules that move traffic into them.  The wizard tries to create some rules for us, but I have found that they don’t work.  Go to Firewall -> Rules -> Floating tab and delete any rules the wizard created for you.

For the shaper to work correctly, I have found that each type of traffic actually needs two rules: first a LAN rule, then a floating rule.  So, after deleting the wizard’s floating rules, head over to the LAN tab.

Create a new rule with the following attributes:

  • Action: Pass
  • Interface: LAN
  • Protocol: UDP
  • Source: IP address or alias of your VoIP phones
  • Destination: Any

Before saving the rule, scroll down to the advanced options to the field called “Ackqueue/Queue” and choose “qAck/qVoip”.  This is where you assign which queues the traffic matching this rule goes into.  Both halves refer to the same direction of traffic: “Queue” (qVoip) is where the matching packets go, and “Ackqueue” (qAck) is a second queue that pf uses for empty TCP acknowledgements and for packets carrying the IP lowdelay TOS bit, so that they are not stuck behind bulk data.  For UDP voice traffic the ack queue therefore sees little or nothing, and the real effect of the rule is to put the phones’ packets into qVoip.  Lastly, save the rule.

OK, now let’s move over to the Floating Rules tab.  This rule is very similar, but with a slight twist, so pay attention.  This is probably the most important part for those who have been following along with ease so far.

We create a new rule with the following attributes:

  • Action: Queue
  • Protocol: UDP
  • Direction: DO NOT SET (leave it at the default, “any”, so the rule sees both inbound and outbound packets)
  • Interface: DO NOT SET (with no interface selected the rule applies on every interface)
  • Destination: Any
  • Source: IP address or Alias for your VoIP phones
  • Select the “qAck/qVoip” in the Advanced Settings just as we did in the LAN rule

Save the rule and apply the changes so the filter reloads.  Your VoIP traffic should now be given priority over all other traffic.  You can use this example to populate the other queues as well.  As you can see in my example, I also have a rule set up for streaming traffic that points everything from the Roku devices to the “qAck/qStream” queue.

This example works well when you are giving priority to specific devices on your network.  But what if you want to prioritize a specific port instead?  Under the floating rules one adjustment is needed, which is best illustrated by showing the LAN and floating rules together in one image; you can see it in the example above with port 53 (DNS).  On the floating rule, list the desired port under “Destination” rather than under “Source”, the opposite of what we did when shaping by IP address or alias; all other settings stay the same.  I kept the port under “Source” on the LAN rule.  Bear in mind that pf only evaluates the packet that opens a connection, and a DNS query from a LAN client carries 53 as its destination port (the reply, with 53 as its source port, is matched by the state, not by a rule), so Destination is the logical place on the LAN rule as well.  Whichever placement you use, check Status -> Queues to confirm that packets are actually landing in the queue.
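What the GUI steps above produce is a set of ALTQ queue definitions plus pf rules that carry a queue assignment.  The pf.conf fragment below is an added example written for this page, not taken from the post or from pfSense’s generated ruleset; it spells out the same PRIQ setup (identical queues on both interfaces, the floating rules, the quick LAN rules, and the port-based DNS rule) in pf’s own syntax so the GUI fields map to something you can read on the box.  The interface names, the phone and Roku addresses, the 12Mb/2Mb rates, the queue chosen for DNS and the exact priority numbers are assumptions and are marked as such in the comments.

```pf
# Added example: the post's PRIQ shaper as a pf.conf fragment. Names,
# addresses and rates below are assumptions, not values from the post.
ext_if = "em0"   # WAN (assumed interface name)
int_if = "em1"   # LAN (assumed interface name)
voip_phones = "{ 192.168.1.10, 192.168.1.11 }"   # constructed; the post uses an alias
roku_boxes  = "{ 192.168.1.20, 192.168.1.21 }"   # constructed; the streaming devices

# One scheduler per interface, one for each direction of the internet link.
# WAN bandwidth = what you can upload, LAN bandwidth = what you can download
# (12Mb/2Mb is an example taken from the comments). Both interfaces carry
# queues of the same names because a state created on one interface is
# matched on the other and looks its queue up by name.
altq on $ext_if priq bandwidth 2Mb  queue { qAck, qVoip, qStream, qHTTP, qDefault }
altq on $int_if priq bandwidth 12Mb queue { qAck, qVoip, qStream, qHTTP, qDefault }

# PRIQ only cares about priority (pf accepts 0-15; the post uses 1-7).
# Assumption: the post's 7/6/5 is shifted to 7/5/4 to leave room for qAck
# above the bulk queues, as the wizard does; only the relative order matters.
# priq(ecn) is the "Explicit Congestion Notification" box in the GUI.
queue qVoip    on $ext_if priority 7 priq(ecn)
queue qAck     on $ext_if priority 6 priq(ecn)
queue qStream  on $ext_if priority 5 priq(ecn)
queue qHTTP    on $ext_if priority 4 priq(ecn)
queue qDefault on $ext_if priority 1 priq(ecn, default)   # the "Default queue" box
queue qVoip    on $int_if priority 7 priq(ecn)
queue qAck     on $int_if priority 6 priq(ecn)
queue qStream  on $int_if priority 5 priq(ecn)
queue qHTTP    on $int_if priority 4 priq(ecn)
queue qDefault on $int_if priority 1 priq(ecn, default)

# Floating rules: no "on", no direction, no "quick". They are evaluated for
# every packet on every interface in both directions, and a later matching
# rule may still override them. pf writes the pair as queue (main, ack);
# the GUI's "Ackqueue/Queue" field lists the same two the other way round.
pass proto udp from $voip_phones to any          queue (qVoip, qAck)
pass proto tcp from $roku_boxes  to any          queue (qStream, qAck)
pass proto tcp from any to any port 80           queue (qHTTP, qAck)
# Port-based rule: the port that opens the connection is the destination port.
# Assumption: DNS goes to qAck because it is small and latency-sensitive.
pass proto udp from any to any port 53           queue qAck

# LAN-tab rules: pfSense renders interface rules with "quick". In the pf that
# pfSense 2.0 ships (before the "match" action existed) a state takes the
# queue of the last rule that matched the packet, so the quick rule that
# finally passes the traffic must name the queue too, or the floating
# assignment is lost. That is the reason the post needs both rules.
pass in quick on $int_if proto udp from $voip_phones to any keep state queue (qVoip, qAck)
pass in quick on $int_if proto tcp from $roku_boxes  to any keep state queue (qStream, qAck)
pass in quick on $int_if proto tcp from $int_if:network to any port 80 keep state queue (qHTTP, qAck)
pass in quick on $int_if proto udp from $int_if:network to any port 53 keep state queue qAck
# The wizard's "Default LAN to any" rule stays last; anything it passes
# without a queue clause lands in qDefault.
pass in quick on $int_if from $int_if:network to any keep state
```

Do not load this on a pfSense box, where the ruleset is generated from the GUI; use it to read what pfSense produced.  `pfctl -sr` lists the active rules with their `queue (...)` clauses and `quick` flags, `pfctl -sq` lists the queues per interface, and `pfctl -vsq` adds packet and byte counters per queue, which is the quickest way to see whether a rule really puts traffic into its queue (the Status -> Queues page shows the same counters).  One caveat on the ack queue: pf also sends packets with the IP lowdelay TOS bit to it, and phones that mark voice with DSCP EF set that bit, so if yours do, qAck needs a priority at least as high as the bulk queues or those packets end up below streaming.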

That’s it.  If you follow these examples, you should be able to prioritize traffic on your network using pfSense 2.0.



37 Responses to Traffic Shaper in pfSense 2.0

  1. Jason says:

    How do you determine the bandwidth values to backfill them for LAN and WAN after running the wizard?

    As stated in this step: “…Also, fill in the Bandwidth since the wizard neglected to fill this out for us. Go ahead and save these changes. Now, you will see the ‘Add new queue’ button at the bottom…”

  2. admin says:

    Jason,
    Great question. There are several ways to determine your expected bandwidth rates. Depending on your ISP, they may be very clear about the speeds you should get. For instance, I am with Comcast, and they are very clear on their website that the performance tier gets a 12Mb down and 2Mb up connection. If your ISP isn’t as clear, there are some other ways to determine it. If you have cable internet, you can likely go to your modem’s diagnostics page (192.168.100.1) and it will show you the provisioned speeds. If that doesn’t work, do a Google search for ‘shaperprobe’. This small test application will determine what your sustained bandwidth is. You can then enter those values into the wizard.

  3. Gary says:

    In the image you have your Default LAN to any rule for no queue at the top.
    Doesn’t pfSense work top to bottom, so this rule will cover all traffic and therefore not process any rules below it?

    • admin says:

      I believe the ordering of the floating rules actually takes priority in this situation. The matching LAN rule was something I had to add to get it to work properly.

      • matthiasr says:

        In pf in general, the rules are evaluated from the top to the bottom, and the last matching rule “wins”. As long as you are only looking at pass/block rules, this effectively works as if they were evaluated from the top, but what really happens is that any given packet (resp. connection, because pf only concerns itself with the initiation of a connection, once it is established all rules are superseded by this) may match many times, changing “state” from pass to block back to pass. The last matching rule wins.

        The queue association works the same way – but even if a connection matches a later rule, this will only change the queue if there is another queue specified. Thus, the last matching rule _with a queue_ wins.

        That is, unless a rule uses the quick keyword/flag. If a connection matches this rule, all evaluation stops. Later queue associations are ignored as well as later pass/block rules.

  4. Mike says:

    Could you discuss the role of the qACK queue and also how to setup queuing on the WAN interface? This seemed to be glossed over a bit.

    Thanks! Very useful so far…

    • admin says:

      qACK is one of the default queues created when you use the Traffic Shaper Wizard. Its purpose is for acknowledgement packets for TCP requests. It is created as a high priority queue. Since UDP does not have acknowledgement packets, I like to put my uplink voice packets into this queue.

  5. Andre says:

    First I’d like to thank you for your useful info. What about making the shaper work when I have the “loadbalance” link on? For that I have to set the gateway as “LoadBalancer” (or something like that), and when I use a gateway on floating rules I have to set a direction too, but this is not working correctly because I didn’t see queues working on qVoip.

    • admin says:

      I know that the traffic shaper did not work with Dual WAN on pfsense 1.2.3. I honestly have not tried it again on pfsense 2.0. Let me see what I can come up with.

  6. Roy says:

    Thank you for this valuable information…

    Just a question: why do we need to use a LAN and a floating rule to do the shaping? Shouldn’t floating rules be enough? Do we always need identical LAN and WAN queues? Considering that floating rules allow us to select interfaces and direction, is it possible to do the same with just WAN and floating rules?

    I’m trying to shape 14 VLANs, and after reading all the comments on the net I’m still not sure how to do it. I thought we could create queues not tied to interfaces and manage the rest with floating rules, but it seems it doesn’t work that way, unless we go to limiters. But I like the “sharing” feature between queues, which I’m not sure can be done with limiters.

    Thanks for your clarification and any advice on the best way of addressing the shaping in my case.

    • admin says:

      Floating rules should be enough, but in my testing, I had to create the matching LAN rule to get the expected results. The Traffic Shaper changed significantly between the 1.2.x release and the 2.x release. I’m hesitant to call it a bug, but I believe the traffic shaper will still need some tweaks before it works exactly the way the developers intended.

      Are you trying to give different vlans different priorities? I have multiple vlans on my network and the shaper rules I set in this post handle them all.

      • Roy says:

        Thanks for your quick response and clarification…
        This is a short summary of what I have and would like to do:

        Have:
        – 14 Vlans, including offices, faculty and student residences.
        – pfsense 2.0.1 release as gateway and DHCP server. It is “in front” of another pfsense running a transparent proxy (Squid+Squidguard) and doing filtering and NAT ( I read transparent proxy and traffic shaping aren’t good friends)
        – 6Mbps Inbound/Outbound (yes…is very little, but is all what I have right now)
        – around 500-600 users
        Would like:
        – to set different priorities for each Vlan
        – to set different priorities by port and services
        – to have TWO set of priorities (working hours, non-working hours)
        – to share bandwidth between Vlans. If only ONE users is connected, he/she should get ALL the bandwidth!
        – to limit by users when needed (most of the time) to avoid a single user having 100 connections and eating all bandwidth
        – to avoid shaping of internal traffic and web services (I think this is easy)
        – to limit Youtube and Facebook!!!! (I don’t think this is possible with traffic shaping)

        Do you think pfsense and traffic shaping could help on this scenario? I’ve read all you can find online, and I’ve learned a lot, but evidently not enough to make this work. Any help? advise? ideas? all are more than welcome!

        Thanks in advance.

        • admin says:

          Much of what you want to do can be handled easily by pfsense. I am not aware of a way to prioritize traffic by vlan, however prioritization by port/service is covered in this blog post. You can schedule rules by going to Firewall->Schedules. Create a schedule for working and non-working hours and create rules specific to those schedules. In the advanced settings of each rule, you will see the ability to tie the rule to a schedule. You can limit access to certain domains by going to Services->DNS Forwarder. At the bottom, you will see the ability to override complete domains. Just enter the domain (youtube.com) and you can redirect it to an error page or to another website. Internal traffic that does not cross the WAN will not be shaped and all users will share available bandwidth.

          • Roy says:

            Thanks again.

            Inspired by this blog and by the last comment on this other one:
            http://forum.pfsense.org/index.php?topic=37639.0

            … I decided to go ahead with this. It is running right now, but I have a couple of questions I would like to ask you:

            – how do I know whether it is really shaping or not? Is it just because you see packets going to each queue? I’m asking this because I see only a few drops, and no borrowing at all. With the level of congestion I have here, I expected to see at least more drops. Should I also expect to see some borrowing? I’m using sharelink for most queues.

            – could you please explain a little more the two rules you found necessary for each type of traffic, in terms of inbound and outbound traffic? Which one does what? I’m a little confused about the way you set the ports…

            Finally, the shaping seems to be running, but I’m not limiting the bandwidth that a single user can take.. Can limiters be used at the same time with traffic shaping? or maybe I should try to do it later when passing through Squid…

            Thanks for your comments and good ideas.

      • Hiranmoy Mishra says:

        Hi,

        I had posted a question earlier but seems like it did not update properly. Anyway, here is my question again:

        Wouldn’t the presence of VLANs by definition mean, additional interfaces to be able to interact with those VLANs? If so, the traffic shaper wizard would be multi-WAN and multi-LAN, right?

        That said, how would that figure into the traffic shaping algorithm? I am trying to follow along with your example and adapt it to mine, but I have an additional VLAN which I have tied to an interface named GST. The queues generated by the wizard don’t take the GST interface into account, so I’m not sure how the traffic shaping would work in that case. Could you please shed some light on this situation?

        Thanks,
        Hiranmoy

  7. admin says:

    Yes, ensuring that traffic is going into the right queues is the first step. With 500-600 users, this may prove challenging. I usually run my tests with only me as the user. I start a .iso download of a Linux distribution that typically uses my entire pipe. Then I start events that should be shaped, such as a VoIP phone call. I should see the VoIP queue traffic as well as a slight decrease in the .iso queue. You should test all your rules to ensure traffic is going into the appropriate queue.

    I’m confused on the way I set ports too. I think the shaper in 2.x needs further development until it works the way the developers intended. That is why I wrote this post, to be able to help others in what I found to work. I by no means am an expert with pfsense traffic shaping.

    I have not tried to limit bandwidth by user. I generally let all users share bandwidth and only shape by the application. ie, voip gets priority over video, video gets priority over web, etc.

    • Roy says:

      Just a short post to say “thank you”. I’m in the hard “tuning” process, but I have the shaper working. I have to limit individuals yet, but limiters could be a solution for now. Will see.

      Thanks for this blog and your answer to my questions!

  8. Bob says:

    First off, thanks for this post. It helped me as a starting point with HFSC traffic shaping in PFSense 2.0.1. I’d like to point out a few things that I discovered through my trials and errors with PFSense 2.0.1 to help others searching for documentation.

    Firstly, in PFSense 2.0.1, now Floating Rules are all you need for traffic shaping. One difficulty that I had was determining what interface to use for the floating rules, but I eventually figured it out (my configuration is the same as yours — one WAN and one LAN interface). To shape traffic going out to the internet, you need to select WAN as the interface (to use the WAN queues). Conversely, you need to use the LAN interface (to use the LAN queues) to shape traffic coming in from the internet. It’s counter-intuitive to me, but that’s indeed how it works.

    Secondly, the “Ackqueue/Queue” advanced settings for the floating rules both refer to packets headed the same direction. The first queue name (qACK in your example) tells PFSense what queue to use for special short length packets (mostly ACK packets but not always). The second queue name (qVoip in your example) tells PFSense what queue to use for general data. In PFSense 2.0.1, you must select an interface for the queues, so you may need two queue rules to accomplish your goals: 1 for inbound traffic (LAN interface–from the internet) and 1 for outbound traffic (WAN interface–to the internet).

    I hope my observations come of use to people setting up PFSense 2.0.1 traffic shaping. It’s not the easiest thing to get set up, but once it is, it works beautifully.

    • mtbahri says:

      Thanks Bob! for the clarification regarding the “Ackqueue/Queue” field, it really helped me.

    • Dmitri says:

      Nice article, thank you.
      For pfSense 2.0.1 I have made 1 rule on LAN interface for UDP (voip) traffic and 2 floating rules, one for LAN with source IP of my voip box and another for WAN. I have 1 LAN and 1 WAN interface and very simple PRIQ shaper with only voip traffic with high priority and the rest is default.
      It is working, but I’m still not sure if I need 2 floating rules. The documentation says that floating rules can be applied to multiple interfaces, but there is no way to select ‘any’ interface.

  9. Jason says:

    1.) It appears LAN rules are assigned an ACTION = Pass but FLOATING rules are set to ACTION = Queue. Is this accurate or should both be set to Queue?

    2.) Under ADVANCED FEATURES, should the Acknowledge/Queue be set to qACK/[qName] for all LAN AND Floating rules? Both directions.

    3.) Under FIREWALL > TRAFFIC SHAPER > BY INTERFACE, should WAN – qDefault have the same priority as LAN – qLink? And should both WAN – qDefault and LAN – qLink both have the parameter Default Queue “checked” (enabled)?

  10. Jason says:

    Also, I failed to ask what the settings should be for Skype. For example, if you designate your own port such as 5555 and uncheck the ‘use alternative port 80 or 443 for incoming connections’. I never see any traffic go to my skype queue.

    Audio is fine but video quality is poor/grainy. 28 mbit down, 4 mbit up.

    Thanks again!

  11. Paul Charles Leddy says:

    “Your VoIP traffic should not be given priority over all other traffic.”

    Is the word “not” correct here, or should it be “now”?

  12. Greg Shaw says:

    Firstly, great post. Unfortunately, sorely needed to clarify how to configure pfSense.
    In looking at your Floating rule it has a Source of the VoIP phones so it is only LAN traffic that would have such a source. All packets coming to the IP phone from outside would have a destination of VoIP phone not source. To my reading although the rule is floating it will only ever apply to the LAN interface. So in some ways it is a repetition of the LAN specific rule.
    Am I reading that correctly?

    Also, What should the ‘Status: Queues’ page look like when the shaper is working well and when it is not working well?

    Thanks, again.

    • admin says:

      The Floating rule should have been the only rule needed. It would handle the WAN and LAN traffic. However, in my experience, it did not work correctly in 2.0, therefore I had to add the LAN specific rule. I have read that certain traffic shaper bugs have been resolved in newer versions of pfsense. I will try and take a screenshot of the queues page in action.

  13. taner says:

    Hi
    Is there any way to drop the internet speed after filling the quota?

    • admin says:

      Not sure if I understand the question. Are you asking if its possible to throttle the internet connection speed once a certain amount of bandwidth has been consumed in a certain time period?

  14. I just wanted to say thanks for writing this up. You clarified a few things that made it difficult for me to have my traffic shaping and limiters working properly.

  15. Rich says:

    Nice post. Let me start off by saying that the traffic shaper is a challenge. In my configuration I don’t use floating rules. In pfsense 2.0.1 your lan rules are in the wrong order. The allow all to anywhere should be the last rule. Interface rules are processed from top to bottom and the first rule matched gets used. Another item to keep in mind is that pfsense is a stateful firewall. Queues with the same names on different interfaces are created for a reason. Connection states in the firewall will cause you grief if you don’t realize what is going on. For example, let’s say we have one lan rule for shaping http traffic. You go to a website so packets are put in the WAN qWeb queue. Since the connection is stateful, if you have a qWeb queue on the LAN interface then packets will be put into that queue. Now if you have your own webserver you would need a WAN rule to shape the packets. This is why many people use floating rules.

    Oh, be careful of entering bandwidth on the LAN interface. From my experience that bandwidth value will work as a limiter. If you use the squid proxy server you may impact its performance. I use squid to cache software updates. Setting the bandwidth capped my repeat downloads to 3Mbit. When I removed the bandwidth value my repeat downloads hit 200Mbit.

    Hopefully I’ll help someone by sharing my experience.

  16. TooMeeK says:

    Hi, you’re my MASTER!
    This method works. Just stop playing around with HFSC, which doesn’t seem to work, and go with PRIQ!

    Tested this not on server side, but on client side (Firewall: Rules -> source: client LAN IP, src port: any, destination: any, dest port: 80, Queue: qACK/qWWW).

    Thanks a lot!

  17. KurianOfBorg says:

    The reason a manual interface rule is required in addition to the interface rule is because there is a separate incoming connection for SIP that is not related to the state of the outgoing connection. Queues applied to outgoing connections are only applied to incoming packets that are in response to the original outgoing connection.

  18. Havary says:

    Great tutorial man, simple and it solved my doubts about the traffic shaper!

  19. Pingback: Queue Configuration in pfSense 2.1 - pfSense Setup HQ

  20. VoipTester says:

    With the actual 2.2.1 release there is NO “queue” anymore in the floating rule settings!
    Only block, reject, match and pass.
    So it looks like 2.2 is different here again.

    • Filip says:

      With actual 2.2.1 release there is NO “queue” anymore in the floating rule settings !
      Indeed. I used Match, this seems to work.

  21. sadex says:

    I’m running 2.2.4 and I have a quad port Intel LAN card and 1 WAN port. I’m confused: I used the wizard in the traffic shaper, and it turns out the generated queue names (qLink, queAck, internet) are the same on each LAN interface, so my question is, isn’t it confusing for the firewall rule? I mean, how would it know which queue in the traffic shaper I’m referring to, especially when I deleted one “queAck” on a LAN interface? In the firewall rule’s queAck/queue, is queAck referring to the queue names on the WAN interface and queue to the LAN interface, or are both referring to all queue names on all interfaces?
