Traffic Shaping in pfSense: Part Six

Traffic shaping in pfSense

The screen for raising or lowering priority levels of protocols in the pfSense traffic shaping wizard.

Traffic Shaping in pfSense: Raising and Lowering Protocols

The last configuration screen of the pfSense traffic shaper wizard lists many other commonly available applications and protocols. How you chose to handle these protocols are handled will depend on the environment that your pfSense router will be protecting. Mail protocols such as SMTP, POP and IMAP could be de-prioritized, and the end users might not even know the difference. Protocols that require low latency, on the other hand, like Remote Desktop Protocol, might have their priority raised, esepcially in a corporate environment. At home, you may consider multimedia streaming more important. Check the check box for other networking protocols, and then pick and choose from the list of protocols.

Each of the protocols listed can be given a higher priority, lower priority, or left at the default priority. if you enabled p2pCatchAll earlier, you will want to use these settings to ensure that these other protocols are recognized and treated normally, rather than penalized by the default p2pCatchAll rule. Press the Next button when you are done.

Now, all the rules and queues will have been created, but are not yet in use. By pressing the Finish button on the final page, the rules will be loaded and active. [NOTE: If you have problems getting traffic shaping to work, you might consider changing the queueing discipline. PRIQ seems to be the safest bet; I had problems getting CBQ to work using the wizard.]

Traffic shaping in pfSense

Displaying queue status in pfSense 2.2.4.

Traffic shaping should now be activated for all new conections. However, existing connections will not have traffic shaping applied to them, only new connections. In order for traffic shaping to be fully active on all connections, you must clear the states. In order to do this, navigate to Diagnostics -> States. Then click the Reset States tab, check the Firewall state table check box (if it is not already checked), and press the Reset button.

In order to be sure that traffic shaping is working as it should, you may monitor it by navigating to Status -> Queues. This screen will show each queue listedby name, its current usage, and some other statistics. The graphical bar on this page will show you how full a queue is. The rate of data in the queue is shown in both packets per second and bits per second. Borrows happen when a neighboring queue is not full and capacity is borrowed from there when needed.

External Links:

PF: Packet Queueing and Prioritization at

pfSense Setup HQ Mailing List Launched

In the first two days since I launched the official pfSense mailing list, several readers have already signed up. If you sign up for our mailing list, I’ll send you a brief pfSense resource guide that contains all the essentials on how to get up and running with pfSense.

Also, I want to thank everyone who has made a purchase through this site’s Amazon affiliate link. Your purchases on Amazon (which come from Amazon’s end of the sale and don’t cost you a cent) help keep the lights on here at

Traffic Shaping in pfSense: Part Five

Traffic shaping in pfSense

Configuring peer-to-peer networking settings in the pfSense traffic shaping wizard.

The next screen, “Peer-to-Peer Networking”, will let you set controls over many peer-to-peer (P2P) networking protocols. By design, P2P protocols will utilize all available bandwidth unless limits are put in place. If you expect P2P traffic on your network, it is a good practice to ensure that other traffic will not be degraded due to its use. To penalize P2P traffic in pfSense, first check the first check box at the top of the page.

Many P2P technologies will deliberately try to avoid detection. Bittorrent is especially guilty of this. It will often use non-standard or random ports, or even ports associated with other protocols. You can check the p2pCatchAll check box (the second check box on the page) which will cause any unrecognized traffic to be assumed as P2p traffic and its priority lowered accordingly. You can set hard bandwidth limits for this traffic in the edit box underneath the catch-all rule. The upload and download bandwidth limits can be set in percentages, or bits/kilobits/megabits/gigabits per second.

The remaining options consist of various known P2P protocols/applications. There are more than 20 in all. Check each one that you would like to be recognized. When you are done, press the Next button.

The next page covers network games settings. Many games rely on low latency to deliver a good online gaming experience. If someone tries to download large files or game patches while playing, then that traffic can easily swallow up the packets associated with the game itself and cause lags or disconnection. By checking the check box for prioritizing network gaming traffic (the first check box on the page), you can raise the priority of game traffic so that it will be transferred first and given a guaranteed chunk of bandwidth. There are many games listed here. Check all those which should be prioritized. Even if your game is not listed, you may still want to check a similar game (if there is one on the list) so that you will have a reference rule that you can alter later. When you are done configuring network gaming settings, press the Next button.

Free pfSense Resource Guide

I’m currently giving away a free pfSense resource guide explaining how to set up your own pfSense firewall in 3 easy steps to anyone who signs up for my (low-traffic) mailing list. See this page for more information.

Traffic Shaping in pfSense: Part Four

Traffic shaping in pfSense

Configuring VoIP settings in pfSense 2.2.4. Note that you can guarantee upload and download bandwidth with the traffic shaper wizard.

Once you enter the queuing disciples and connection speeds in the traffic shaper wizard, there are a number of other options to configure. The next is Voice over IP, and there are several options available for handing VoIP traffic. The first choice, the Prioritize Voice over IP traffic check box, is self-explanatory. It will enable the prioritization of VoIP traffic, and this behavior can be fine-tuned by the other settings on the same page. First, you can chose your VoIP provider:


    • VoicePulse: A U.S.-based VoIP provider founded in 2003. VoicePulse provides not only home phone services, but also business PBX services and enterprise-level SIP trunking.


  • Vonage: Another U.S.-based VoIP provider founded in 2001. Their most popular plan, Vonage World, offers unlimited international calling to over 60 countries for a flat monthly rate. Vonage supplies an analog telephone adapter with which the customer can connect standard analog telephones to the Internet.



  • Panasonic TDA: Panasonic’s VoIP PBX solution, done via a T1 or E1, and which provides mobile phone integration and BRI or PRI ISDN capability.



  • Asterisk: Open-source VoIP software which includes many features available in proprietary PBX systems: voice mail, conference calling, interactive voice response, and automatic call distribution. Although initially developed in the United States, it has become popular worldwide because it is freely available under open-source licensing and has a modular, extensible design.



If you have a different provider, you can choose Generic, or override this setting with the Address field by entering the IP of your VoIP phone or an alias containing the IPs of all your phones.

There is also an edit box in which you can enter the IP address of the upstream SIP server. If you do, the information in the Provider field will be overridden. You can also use a firewall alias in this field.

You may also choose the amount of upload and download bandwidth to guarantee for your VoIP phones. This will vary based on how many phones you have, and how much bandwidth each session will utilize. When you have finished entering the provider information and upload/download bandwidth, you can press the Next button.

The next page allows you to configure settings for the penalty box. This is a place to which you can relegate misbehaving users or devices that would otherwise consume more bandwith than desired. These users are assigned a hard bandwidth cap which they cannot exceed. Check the check box at the top of the page to enable this feature, enter an IP or alias in the address box, and then enter upload and download limits in kilobits per second in the appropriate edit boxes. It does not appear that you can type multiple IP addresses in the Address edit box, so if you want to penalize multiple hosts, you will have to create an alias.

Once you are finished configuring penalty box settings, you can press the Next button and move on to configuring settings for peer-to-peer networking, which will be covered in the next article.

External Links:

Traffic Shaping at Wikipedia
Voice over IP at Wikipedia

Traffic Shaping in pfSense: Part Three

Traffic shaping in pfSense

Entering information in the pfSense traffic shaper wizard.

If you want to invoke traffic shaping in pfSense, you can write your own rule set in PF, but in most cases, it’s easier to use the traffic shaper wizard. To get started with the traffic shaper wizard, navigate to Firewall -> Traffic Shaper in the pfSense web GUI and click on the Wizards tab. There are two options on the Wizards page: Mutliple LAN/WAN and Dedicated Links. Even if you only have a single LAN-type interface, you should select Multiple LAN/WAN in most cases.

On the first page of the traffic shaper wizard, you will be prompted to enter the number of WAN and LAN-type connections. LAN-type connections are generally any non-WAN connections. For example, if we have a WAN, LAN and DMZ interface, then we have 1 WAN connection and 2 LAN connections. Once you have entered these, press the Next button.

Traffic Shaping in pfSense: Queueing Disciplines

The next page is where we set up the queueing disciplines for each local interface, as well as the upload and download bandwidths for each WAN connection. There are three options for queueing disciplines:


  • Priority Queueing (PRIQ): With priority queueing, your bandwidth is divided into separate queues. Each queue is assigned a priority level. A packet that has a higher priority level is always processed before a packet with a lower priority level. This makes priority queueing easy to understand, but it also means that lower priority traffic can be starved for bandwidth.
  • Class Based Queueing (CBQ): Class Based Queueing introduces the concept of a hierarchy of queues. As with PRIQ, your bandwidth is divided into separate queues, and each queue can be assigned a priority level. CBQ, however, differs from PRIQ in several significant ways. First, each top-level (parent) queue can be subdivided into child queues. These child queues can also be assigned priority levels. Second, each parent queue is assigned a bandwidth limit which it cannot exceed. Third, although child queues are also assigned bandwidth limits, they can borrow bandwidth from the parent queue if the bandwidth limit for the parent has not been reached. As a result, CBQ is a good option in cases where we want to ensure that lower priority traffic gets some bandwidth.
  • Hierarchical Fair Service Curve (HFSC): HFSC is the most sophisticated of the three queueing disciplines used by the pfSense traffic shaper. It provides a more granular means of bandwidth management than either PRIQ or CBQ on several counts. First, it can be set up so certain queues get a specified minimum slice of bandwidth. Second, priority levels can be set for handling excess bandwidth. For example, if we have queues 1 and 2 and queue 1 is divided into queues 1A and 1B, with 1A guaranteed 25 Mbps of bandwidth, we can set it up so the excess bandwidth from 1A goes first to 1B, and if 1B does not require the bandwidth, to 2. Third, HFSC uses a two-piece linear curve to reduce latency without over-reserving bandwidth, which makes HFSC a good option for applications that are both require generous amounts of bandwitth and low latency, like VoIP and video conferencing.


Once we have set the queueing disciplines, we need to enter the upload and download bandwidth for each WAN interface and press the Next button.

We will continue our look at the pfSense traffic shaper wizard in the next article.

External Links:

PF: Packet Queueing and Prioritization at

© 2013 David Zientara. All rights reserved. Privacy Policy