Video: pfSense Boot Camp, Part 1

In the first of a 12-part series, I cover:

  • Deployment scenarios
  • Hardware requirements
  • Installation and configuration at the console

pfSense 2.3.3 Released

pfSensepfSense 2.3.3, which incorporates several stability and bug fixes, as well as fixes for a handful of security issues, and some new features, has been released. Among the new features are:

  • Several new packages:  tinc, cellular, LCDproc, TFTP Server
  • Improved input validation for several functions

You can read about the latest release at the official pfSense blog. You can read the full list of features and changes at the official pfSense documentation site.

pfSense 2.3.2 is Available

pfSensepfSense 2.3.2, with 60 bug fixes, has been released. You can read more about this latest release at the official pfSense blog. I will update the download links ASAP.

pfSense 2.3.1 Update 5 Available

pfSense 2.3.1 update 5 is now available. This version incorporates 2 security fixes and 7 bug fixes.

pfSense multi-WANTimeline for recent pfSense updates:

  • 4-12-2016: pfSense 2.3 released. This incorporated several changes, including a new user interface, the deletion of several packages, the removal of deep packet inspection from the traffic shaper, and the elimination of the live CD (pfSense cannot be run from a CD or USB drive anymore).
  • 5-2-2016: pfSense 2.3 update 1 released.
  • 5-18-2016: pfSense 2.3.1 released, with a total of 103 bug fixes.
  • 5-25-2016: pfSense 2.3.1 update 1 released.
  • 6-16-2016: pfSense 2.3.1 update 5 released.

I will update the download links as soon as possible.


Breaking News: pfSense 2.2.6 Available

pfSenseYou may have seen this already, but pfSense 2.2.6 is now available, with a few bug fixes and upgrades. For those already running any 2.2.x version, this is a low risk upgrade, but those on 2.1.x and earlier may have issues. I upgraded from 2.2.5 to 2.2.6 this morning, and it took about 10 minutes. You can read more about this upgrade at the official pfSense blog. I will update the download links ASAP.

Breaking News: pfSense 2.2.5 Now Available

pfSense pfSense 2.2.5 is now available, with a number of bug fixes and some security updates. It is considered a low risk upgrade for those running 2.2.x. For those running 2.1.x and older versions, there are a number of significant changes which may impact you. You can read all about it at the official pfSense blog. I will upload the download links ASAP.

And while I’m writing this, I might as well take the opportunity to promote’s official mailing list. A few dozen readers have already subscribed. I don’t share our mailing list with anyone else, and traffic on the list is limited to one e-newsletter a week summarizing the latest pfSense news. And I’m even sending you a brief pfSense resource guide as an incentive to sign up.

This is also the eleventh anniversary of the pfSense project, so I want to take this opportunity to thank everyone who has worked on the project and who has helped ensure its success. You have made our lives immeasurably better.

I also want to thank everyone who has made purchases through’s Amazon affiliate link. Your purchases help keep the lights on at

UPDATE: I updated the download page to link to version 2.2.5.

Traffic Shaping in pfSense: Part Seven

Editing traffic shaping settings in pfSense.

Editing traffic shaping settings in pfSense.

After using the shaper wizard, you might find that the rules it generates do not fit your requirements. Fortunately, once the basic rules have been created by the wizard, it should be relatively easy to edit or copy those rules and create custom ones of your own.
The queues are where bandwidth and priorities are actually allocated. Each queue is assigned a priority from 0 to 7. When there is an overload of traffic, the higher-numbered queues are preferred over the lower-numbered queues. Each queue is assigned either a hard bandwidth limit, or a percantage of the total link speed. The queues can also be assigned other attributes that control how they behave. For example, they can be set up so they have low latency or they might have certain congestion avoidance algorithms applied. Queues may be changed by navigating to Firewall -> Traffic Shaper and clicking on the By Queues tab. A list of rules will apeear.

Editing queues can be a complex tast with powerful results. Still, without a thorough understanding of the settings involved, it is probably best to stick with the queues generated by the wizard and alter their settings.

The queue listings have changed somewhat in pfSense 2.2. Each queue is listed on the left side of the tab. Clicking on one of the queues will bring up a listing for each of that queues subordinate queues (one for each interface). Clicking on any of these subordinate queues will allow you to edit the settings for it. The screen capture at the top of this article shows the settings for one such queue. At the top of the page, there’s a check box which allows you to enable/disable the queue and its children. There are settings for the queue name, the queue priority (0-7), the queue limit in packets, and various scheduler options. There is also a field in which you can enter an optional description. At the bottom of the page, there are two buttons: a “Save“ button to save the queue and a “Delete this queue“ button to delete it. You should not attempt to delete a queue if it is being referenced by a rule.

External Links:

PF: Packet Queueing and Prioritization at

Traffic Shaping in pfSense: Part Six

Traffic shaping in pfSense

The screen for raising or lowering priority levels of protocols in the pfSense traffic shaping wizard.

Traffic Shaping in pfSense: Raising and Lowering Protocols

The last configuration screen of the pfSense traffic shaper wizard lists many other commonly available applications and protocols. How you chose to handle these protocols are handled will depend on the environment that your pfSense router will be protecting. Mail protocols such as SMTP, POP and IMAP could be de-prioritized, and the end users might not even know the difference. Protocols that require low latency, on the other hand, like Remote Desktop Protocol, might have their priority raised, esepcially in a corporate environment. At home, you may consider multimedia streaming more important. Check the check box for other networking protocols, and then pick and choose from the list of protocols.

Each of the protocols listed can be given a higher priority, lower priority, or left at the default priority. if you enabled p2pCatchAll earlier, you will want to use these settings to ensure that these other protocols are recognized and treated normally, rather than penalized by the default p2pCatchAll rule. Press the Next button when you are done.

Now, all the rules and queues will have been created, but are not yet in use. By pressing the Finish button on the final page, the rules will be loaded and active. [NOTE: If you have problems getting traffic shaping to work, you might consider changing the queueing discipline. PRIQ seems to be the safest bet; I had problems getting CBQ to work using the wizard.]

Traffic shaping in pfSense

Displaying queue status in pfSense 2.2.4.

Traffic shaping should now be activated for all new conections. However, existing connections will not have traffic shaping applied to them, only new connections. In order for traffic shaping to be fully active on all connections, you must clear the states. In order to do this, navigate to Diagnostics -> States. Then click the Reset States tab, check the Firewall state table check box (if it is not already checked), and press the Reset button.

In order to be sure that traffic shaping is working as it should, you may monitor it by navigating to Status -> Queues. This screen will show each queue listedby name, its current usage, and some other statistics. The graphical bar on this page will show you how full a queue is. The rate of data in the queue is shown in both packets per second and bits per second. Borrows happen when a neighboring queue is not full and capacity is borrowed from there when needed.

External Links:

PF: Packet Queueing and Prioritization at

pfSense Setup HQ Mailing List Launched

In the first two days since I launched the official pfSense mailing list, several readers have already signed up. If you sign up for our mailing list, I’ll send you a brief pfSense resource guide that contains all the essentials on how to get up and running with pfSense.

Also, I want to thank everyone who has made a purchase through this site’s Amazon affiliate link. Your purchases on Amazon (which come from Amazon’s end of the sale and don’t cost you a cent) help keep the lights on here at

Traffic Shaping in pfSense: Part Four

Traffic shaping in pfSense

Configuring VoIP settings in pfSense 2.2.4. Note that you can guarantee upload and download bandwidth with the traffic shaper wizard.

Once you enter the queuing disciples and connection speeds in the traffic shaper wizard, there are a number of other options to configure. The next is Voice over IP, and there are several options available for handing VoIP traffic. The first choice, the Prioritize Voice over IP traffic check box, is self-explanatory. It will enable the prioritization of VoIP traffic, and this behavior can be fine-tuned by the other settings on the same page. First, you can chose your VoIP provider:


    • VoicePulse: A U.S.-based VoIP provider founded in 2003. VoicePulse provides not only home phone services, but also business PBX services and enterprise-level SIP trunking.


  • Vonage: Another U.S.-based VoIP provider founded in 2001. Their most popular plan, Vonage World, offers unlimited international calling to over 60 countries for a flat monthly rate. Vonage supplies an analog telephone adapter with which the customer can connect standard analog telephones to the Internet.



  • Panasonic TDA: Panasonic’s VoIP PBX solution, done via a T1 or E1, and which provides mobile phone integration and BRI or PRI ISDN capability.



  • Asterisk: Open-source VoIP software which includes many features available in proprietary PBX systems: voice mail, conference calling, interactive voice response, and automatic call distribution. Although initially developed in the United States, it has become popular worldwide because it is freely available under open-source licensing and has a modular, extensible design.



If you have a different provider, you can choose Generic, or override this setting with the Address field by entering the IP of your VoIP phone or an alias containing the IPs of all your phones.

There is also an edit box in which you can enter the IP address of the upstream SIP server. If you do, the information in the Provider field will be overridden. You can also use a firewall alias in this field.

You may also choose the amount of upload and download bandwidth to guarantee for your VoIP phones. This will vary based on how many phones you have, and how much bandwidth each session will utilize. When you have finished entering the provider information and upload/download bandwidth, you can press the Next button.

The next page allows you to configure settings for the penalty box. This is a place to which you can relegate misbehaving users or devices that would otherwise consume more bandwith than desired. These users are assigned a hard bandwidth cap which they cannot exceed. Check the check box at the top of the page to enable this feature, enter an IP or alias in the address box, and then enter upload and download limits in kilobits per second in the appropriate edit boxes. It does not appear that you can type multiple IP addresses in the Address edit box, so if you want to penalize multiple hosts, you will have to create an alias.

Once you are finished configuring penalty box settings, you can press the Next button and move on to configuring settings for peer-to-peer networking, which will be covered in the next article.

External Links:

Traffic Shaping at Wikipedia
Voice over IP at Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy