Have you recently upgraded from pfSense 1.2.3 to pfSense 2.0? Are you having difficulty getting the traffic shaper to work properly? A significant change in how the traffic shaper works between these releases, combined with a lack of documentation, created a very frustrating situation. Fortunately, I have been able to get the shaper to work as I want it to on my network. To help alleviate others' frustrations, I have included a simple tutorial here.
The first step is to use the Traffic Shaper Wizard that is most appropriate for your network. In most cases, you will use the “Single LAN, Multi WAN” wizard. Do not worry if you don’t have a multi WAN network. We will just use ‘1’ when the wizard asks us how many WANs we have. Continue through the wizard, but only prioritize VoIP traffic at this time. We essentially just want to get a few queues started for us that we can then customize ourselves. There is no need to go into detail about each device or protocol you want shaped at this time.
OK, we are finished with the wizard. We now want to customize the queues to our liking. Everyone is likely going to have a different wish list for their network. On my network, I wanted to prioritize two types of traffic: VoIP phones and media streaming devices. I have two VoIP phones and several Roku streaming devices on my network. VoIP phones will get the highest priority, media streaming devices will get the next highest priority, and then everything else will be considered default traffic.
Go to Traffic Shaper -> By Interface tab and select the ‘LAN’ section as highlighted in the picture. Select “PRIQ” for the scheduler type if not already selected. Also, fill in the Bandwidth since the wizard neglected to fill this out for us. Go ahead and save these changes. Now, you will see the ‘Add new queue’ button at the bottom. We will now create all the WAN and LAN queues that we need for our traffic shaping. I created a qVoip, qHTTP, and qStream. Notice that these queues are created both on the WAN and LAN interface.
When creating these queues, you need to enable the queue, give the queue a name and a priority, and finally select the “Explicit Congestion Notification” check box. When finished, all the queues should look like this example. The WAN and LAN queues should be identical. For priority, you can assign a value from 1-7, with 7 being the highest priority. Each priority should only be used by one queue. For my network, the qVoip queue gets a 7, the qStreaming queue gets a 6, and the qhttp queue gets a 5.
OK, so we have the queues set up with correct priorities. Now we need to make rules to move traffic into these queues. The traffic shaper wizard has attempted to create some rules for us, but I have found that they don't work. Go to Firewall -> Rules -> Floating tab. Delete any rules that the traffic shaping wizard created for you.
For the traffic shaper to work correctly, I have actually found that two rules are required for each type of traffic: first a LAN rule, then a floating rule. So after deleting the floating rules, head over to the LAN tab.
- Interface: LAN
- Protocol: UDP
- Source: IP address or alias of your VoIP phones
- Destination: Any
Before you create the rule, scroll down to the advanced options. You will see a field called “Ackqueue/Queue”. For this, choose “qAck/qVoip”. This is where you are actually assigning which queues traffic that meets this rule will go into. Uplink traffic will go into the qAck queue, and downlink traffic will go into the qVoip queue. Lastly, save this rule.
OK, now let's move over to the Floating Rules tab. This one is very similar, but with a slight twist, so pay attention. This is probably the most important part for people who so far have been following with ease.
- Action: Queue
- Protocol: UDP
- Direction: DO NOT SET
- Interface: DO NOT SET
- Destination: Any
- Source: IP address or Alias for your VoIP phones
- Select the “qAck/qVoip” in the Advanced Settings just as we did in the LAN rule
Save the rule and reload the filters. Your VoIP traffic should now be given priority over all other traffic. You can use this example to set up other queues as well. As you can see in my example, I also have a rule set up for Streaming traffic that points everything to the “qAck/qStreaming” queue.
This example works well when you are giving priority to specific devices on your network. However, what if you want to give priority to a specific port instead? I have found that under the Floating rules, you need to make one adjustment. This is probably best illustrated by showing you the LAN and Floating rules together in one image. You can see it in the above example with port 53 (DNS). On the floating rule only, ensure you list the desired port under “Destination” rather than under “Source”. This is the opposite of what we did when shaping by IP address or Alias. However, all other settings are the same. The LAN rule should keep the port under “Source”.
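The settings above are easy to get subtly wrong when repeated for several queues, so here is a small plan checker as an added example (it is not part of the original tutorial and does not read pfSense's configuration). The dict layout, the `lint` function and the choice of qHTTP for the port-based rule are assumptions made for illustration; the checks themselves are the ones stated in the text.

```python
# Constructed sample plan (hypothetical dict layout, not pfSense's format) with mistakes.
GOOD_QUEUES = {"qVoip": {"priority": 7, "ecn": True},
               "qStreaming": {"priority": 6, "ecn": True},
               "qHTTP": {"priority": 5, "ecn": True}}
PLAN = {
    "queues": {"WAN": GOOD_QUEUES,
               "LAN": {**GOOD_QUEUES, "qStreaming": {"priority": 7, "ecn": False}}},
    "rules": [
        {"tab": "LAN", "queue": "qVoip", "key": "ip", "field": "source"},
        {"tab": "Floating", "queue": "qVoip", "key": "ip", "field": "source",
         "interface": "WAN"},  # mistake: interface set on a floating rule
        {"tab": "LAN", "queue": "qStreaming", "key": "ip", "field": "source"},
        {"tab": "LAN", "queue": "qHTTP", "key": "port", "field": "source"},
        {"tab": "Floating", "queue": "qHTTP", "key": "port", "field": "source"},
    ],
}

def lint(plan):
    """Return findings where the plan departs from the tutorial's settings."""
    findings, queues = [], plan["queues"]
    for iface, qs in queues.items():
        seen = {}  # priority -> first queue that used it on this interface
        for name, q in qs.items():
            p = q["priority"]
            if not 1 <= p <= 7:
                findings.append(f"{iface}/{name}: priority outside 1-7")
            if p in seen:
                findings.append(f"{iface}/{name}: priority {p} already used by {seen[p]}")
            seen.setdefault(p, name)
            if not q["ecn"]:
                findings.append(f"{iface}/{name}: ECN not selected")
    if queues["WAN"] != queues["LAN"]:
        findings.append("WAN and LAN queues differ")
    tabs_by_class = {}  # (queue, key) -> tabs that carry a rule for it
    for r in plan["rules"]:
        label = f"{r['tab']} rule for {r['queue']}"
        if r["queue"] not in queues["LAN"]:
            findings.append(f"{label}: unknown queue")
        if r["tab"] == "Floating" and (r.get("interface") or r.get("direction")):
            findings.append(f"{label}: interface/direction must stay unset")
        want = "destination" if (r["key"], r["tab"]) == ("port", "Floating") else "source"
        if r["field"] != want:
            findings.append(f"{label}: {r['key']} belongs under {want}")
        tabs_by_class.setdefault((r["queue"], r["key"]), set()).add(r["tab"])
    for (queue, key), tabs in tabs_by_class.items():
        for missing in sorted({"LAN", "Floating"} - tabs):
            findings.append(f"{queue} ({key}): missing {missing} rule")
    return findings
if __name__ == "__main__":
    print("\n".join(lint(PLAN)))
```

Running it on the constructed plan reports the duplicated priority, the missing ECN box, the WAN/LAN mismatch, the floating rule with an interface set, the port listed under the wrong field, and the streaming class that has no floating rule.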
That’s it. If you follow these examples, you should be able to prioritize traffic on your network using pfSense 2.0.