Traffic Shaping in pfSense: Part Five

Configuring peer-to-peer networking settings in the pfSense traffic shaping wizard.

The next screen, “Peer-to-Peer Networking”, lets you set controls over many peer-to-peer (P2P) networking protocols. By design, P2P protocols will utilize all available bandwidth unless limits are put in place. If you expect P2P traffic on your network, it is good practice to ensure that other traffic will not be degraded by its use. To penalize P2P traffic in pfSense, first check the box at the top of the page.

Many P2P technologies deliberately try to avoid detection. BitTorrent is especially guilty of this: it will often use non-standard or random ports, or even ports associated with other protocols. You can check the p2pCatchAll check box (the second check box on the page), which causes any unrecognized traffic to be treated as P2P traffic and its priority lowered accordingly. You can set hard bandwidth limits for this traffic in the edit box underneath the catch-all rule. The upload and download bandwidth limits can be set in percentages, or in bits/kilobits/megabits/gigabits per second.

The remaining options consist of various known P2P protocols/applications. There are more than 20 in all. Check each one that you would like to be recognized. When you are done, press the Next button.

The next page covers network games settings. Many games rely on low latency to deliver a good online gaming experience. If someone tries to download large files or game patches while playing, then that traffic can easily swallow up the packets associated with the game itself and cause lags or disconnection. By checking the check box for prioritizing network gaming traffic (the first check box on the page), you can raise the priority of game traffic so that it will be transferred first and given a guaranteed chunk of bandwidth. There are many games listed here. Check all those which should be prioritized. Even if your game is not listed, you may still want to check a similar game (if there is one on the list) so that you will have a reference rule that you can alter later. When you are done configuring network gaming settings, press the Next button.

Free pfSense Resource Guide

I’m currently giving away a free pfSense resource guide explaining how to set up your own pfSense firewall in 3 easy steps to anyone who signs up for my (low-traffic) mailing list. See this page for more information.

pfSense Multi-WAN Configuration: Part Five

Viewing the load balancer status in pfSense 2.2.4.

Once you have configured your multi-WAN setup, you will want to verify its functionality. In this article, we will cover how to test each component of your multi-WAN setup.

If you have configured failover, test it after completing your configuration to ensure it functions as you intend; otherwise you might be in for an unpleasant surprise when one of your Internet connections fails. Navigate to Status -> Load Balancer and ensure all your WAN connections show as “Online” under Status. If they do not, verify your monitor IP configuration as discussed in previous articles on this site.


pfSense Multi-WAN: Simulating a Failure

There are a number of ways you can simulate a WAN failure, depending on the type of Internet connection being used. In most cases, the easiest way to simulate it is to unplug the target WAN interface’s Ethernet cable from the firewall.

For cable and DSL connections, you will also want to try powering off your modem, and unplugging the coax or phone line from the modem. For T1 and other types of connections with a router outside of pfSense, try unplugging the Internet connection from the router and also turning off the router itself.

All of the above-mentioned testing scenarios will likely end with the same result, but there are circumstances where trying each of them individually will find a fault you might not otherwise notice until an actual failure. For example, assume you are using a monitor IP assigned to your DSL or cable modem. When the coax or phone line is disconnected, simulating a provider failure rather than an Ethernet or modem failure, the monitor ping still succeeds because it is pinging the modem. As far as pfSense is concerned, the connection is still up, so it will not fail over even though the connection is actually down. There are other types of failure that can similarly only be detected by testing each individual case where failure is possible. After creating a WAN failure, refresh the Status -> Load Balancer screen to check the current status.

The easiest way to verify an HTTP load balancing configuration is to visit one of the websites that display the public IP address you are coming from. There is a page on the pfSense website for this purpose, and other sites serve the same function. Search for “what is my IP address” and you will find numerous websites that show which public IP address the HTTP request is coming from.

If you load one of these pages and refresh your browser a number of times, you should see your IP address change if your load balancing configuration is correct. Note that if you have other traffic on your network, you probably will not see your IP address change on every page refresh. Refresh the page 20-30 times and you should see the IP change at least a few times. If the IP never changes, try several different sites, and make sure your browser is really requesting the page again and not returning something from its cache or using a persistent connection to the server. Manually clearing the cache and trying multiple web browsers are good things to try before troubleshooting your load balancer configuration further.
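The browser-refresh test above can be automated so that caching and persistent connections are taken out of the picture. The following script is an added example, not part of the original post: each probe opens a fresh TCP connection and asks for an uncached answer, and the results are tallied to show how many distinct public addresses the load balancer sent the requests through. The `IP_ECHO_URL` value is a placeholder to be replaced with any "what is my IP" service that returns the address as plain text.

```shell
#!/bin/sh
# Added example (not from the original post): automate the
# "refresh the what-is-my-IP page 20-30 times" load balancing test.
# IP_ECHO_URL is a placeholder; set it to a service that returns
# your public IP as plain text.
IP_ECHO_URL="${IP_ECHO_URL:-https://example.invalid/ip}"

# One probe. --no-keepalive forces a new TCP connection per request so
# the gateway group gets a fresh chance to pick a WAN; the no-cache
# headers ask any proxy on the path for a fresh answer, not a cached one.
fetch_public_ip() {
    curl -s --no-keepalive --max-time 10 \
        -H 'Cache-Control: no-cache' -H 'Pragma: no-cache' \
        "$IP_ECHO_URL" | tr -d '[:space:]'
}

# Count distinct IPv4 addresses in newline-separated input on stdin.
# Non-address lines (timeouts, HTML error pages) are dropped first, so a
# failed probe is never mistaken for a "new" WAN address.
count_distinct_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u | wc -l | tr -d ' '
}

# Run N probes (default 25) and report how many WAN addresses were seen.
# A single distinct address after 25 probes means requests are not being
# balanced, or something between you and the service is still caching
# or reusing one connection.
probe_load_balancer() {
    n="${1:-25}"
    i=0
    seen=""
    while [ "$i" -lt "$n" ]; do
        ip="$(fetch_public_ip)"
        seen="$seen$ip
"
        i=$((i + 1))
    done
    distinct="$(printf '%s' "$seen" | count_distinct_ips)"
    printf 'probes=%s distinct_public_ips=%s\n' "$n" "$distinct"
    # Per-address hit counts show whether the split is roughly even.
    printf '%s' "$seen" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort | uniq -c
}

# Live probes only run when a count is given, e.g.:  sh check_lb.sh 30
if [ "$#" -gt 0 ]; then
    probe_load_balancer "$1"
fi
```

Run it from a LAN client behind the firewall; with a gateway group configured for load balancing you should see more than one address, and the per-address counts show whether the split is roughly even.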

You can also use traceroute (tracert on Windows) to test load balancing. Traceroute shows the network path taken to a given destination, so repeated runs let you see which WAN gateway each connection leaves through.

The real-time traffic graphs under Status -> Traffic Graph are useful for showing the real-time throughput on your WAN interfaces. You can only show one graph at a time per browser window, but you can open additional windows or tabs and display all your WAN interfaces simultaneously. The Dashboard widget enables the simultaneous display of multiple traffic graphs on a single page. The RRD traffic graphs accessible under Status -> RRD Graphs are useful for longer-term, historical evaluation of your individual WAN utilization.


External Links:

Network Load Balancing on Wikipedia

Video: Configuring Dynamic DNS with pfSense

You may want to set up a domain name for your home or SOHO WAN IP. This video demonstrates how to do this. In this video I cover:

  • What DDNS is, why you might want to use it, and different methods of implementing DDNS
  • Configuring Duck DNS on the Duck DNS web site; downloading and installing the Duck DNS client
  • Configuring DDNS in pfSense and setting up NAT so we can access an Apache web server behind the firewall
  • Accessing a web site using the domain name I set up in the previous steps

Video: Upgrading a pfSense Firewall

This week, I upgraded my pfSense firewall from version 2.2.3 to 2.2.4. This video documents the process. If you’re running an old version of pfSense and want to bring it up to date, all that is required is a few mouse clicks and some time.

Video: Configuring a Second WAN Gateway in pfSense

This video describes how to configure a second WAN gateway for a multi-WAN setup in pfSense. [Hint: It doesn’t take long.]

Video: Setting Up VLANs in pfSense

A single layer 2 network can be partitioned into two or more broadcast domains so we don’t have to add switches every time we want to add another network. This video shows how to set up 802.1Q VLANs with pfSense.

Video: Demonstration of Squid Overriding Firewall Rules in pfSense

One phenomenon I initially didn’t understand is that once Squid is enabled on an interface, it overrides any firewall rules you might have for the ports controlled by Squid (80 and, if you enable the SSL proxy, 443). This is important to understand if you already have firewall rules in place. This video demonstrates it in practice.

Breaking News: pfSense 2.2.4 Released

pfSense 2.2.4 has been released, incorporating multiple security and bug fixes. Some things you should probably know about this upgrade:

  • You can upgrade from any previous version straight to 2.2.4.
  • It is considered a low risk upgrade.
  • It is considered a high priority upgrade for users of IPsec on 2.2.x.
  • For users of 2.1.x and earlier versions, there are a number of significant changes which may impact you.
  • You can read all about it at the official pfSense blog. I will update the download links on the download page ASAP.

Video: Installing and Configuring Squid3 in pfSense

In this video, I demonstrate how to install and configure the Squid3 package in pfSense. Although the older version of Squid is generally considered more stable, Squid 3.0 incorporates a number of features not included in the older Squid, including the ability to act as a proxy for SSL traffic. See the release notes for more information. As demonstrated in this video, installation and configuration of Squid3 is almost as easy as it is for the original Squid.

© 2013 David Zientara. All rights reserved. Privacy Policy