Video: pfSense Boot Camp, Part 1

In the first of a 12-part series, I cover:

  • Deployment scenarios
  • Hardware requirements
  • Installation and configuration at the console

Traffic Shaping in pfSense: Part Six

Traffic shaping in pfSense

The screen for raising or lowering priority levels of protocols in the pfSense traffic shaping wizard.

Traffic Shaping in pfSense: Raising and Lowering Protocols

The last configuration screen of the pfSense traffic shaper wizard lists many other commonly available applications and protocols. How you chose to handle these protocols are handled will depend on the environment that your pfSense router will be protecting. Mail protocols such as SMTP, POP and IMAP could be de-prioritized, and the end users might not even know the difference. Protocols that require low latency, on the other hand, like Remote Desktop Protocol, might have their priority raised, esepcially in a corporate environment. At home, you may consider multimedia streaming more important. Check the check box for other networking protocols, and then pick and choose from the list of protocols.

Each of the protocols listed can be given a higher priority, lower priority, or left at the default priority. if you enabled p2pCatchAll earlier, you will want to use these settings to ensure that these other protocols are recognized and treated normally, rather than penalized by the default p2pCatchAll rule. Press the Next button when you are done.

Now, all the rules and queues will have been created, but are not yet in use. By pressing the Finish button on the final page, the rules will be loaded and active. [NOTE: If you have problems getting traffic shaping to work, you might consider changing the queueing discipline. PRIQ seems to be the safest bet; I had problems getting CBQ to work using the wizard.]

Traffic shaping in pfSense

Displaying queue status in pfSense 2.2.4.

Traffic shaping should now be activated for all new conections. However, existing connections will not have traffic shaping applied to them, only new connections. In order for traffic shaping to be fully active on all connections, you must clear the states. In order to do this, navigate to Diagnostics -> States. Then click the Reset States tab, check the Firewall state table check box (if it is not already checked), and press the Reset button.

In order to be sure that traffic shaping is working as it should, you may monitor it by navigating to Status -> Queues. This screen will show each queue listedby name, its current usage, and some other statistics. The graphical bar on this page will show you how full a queue is. The rate of data in the queue is shown in both packets per second and bits per second. Borrows happen when a neighboring queue is not full and capacity is borrowed from there when needed.

External Links:

PF: Packet Queueing and Prioritization at openbsd.org

Traffic Shaping in pfSense: Part Five

Traffic shaping in pfSense

Configuring peer-to-peer networking settings in the pfSense traffic shaping wizard.

The next screen, “Peer-to-Peer Networking”, will let you set controls over many peer-to-peer (P2P) networking protocols. By design, P2P protocols will utilize all available bandwidth unless limits are put in place. If you expect P2P traffic on your network, it is a good practice to ensure that other traffic will not be degraded due to its use. To penalize P2P traffic in pfSense, first check the first check box at the top of the page.

Many P2P technologies will deliberately try to avoid detection. Bittorrent is especially guilty of this. It will often use non-standard or random ports, or even ports associated with other protocols. You can check the p2pCatchAll check box (the second check box on the page) which will cause any unrecognized traffic to be assumed as P2p traffic and its priority lowered accordingly. You can set hard bandwidth limits for this traffic in the edit box underneath the catch-all rule. The upload and download bandwidth limits can be set in percentages, or bits/kilobits/megabits/gigabits per second.

The remaining options consist of various known P2P protocols/applications. There are more than 20 in all. Check each one that you would like to be recognized. When you are done, press the Next button.

The next page covers network games settings. Many games rely on low latency to deliver a good online gaming experience. If someone tries to download large files or game patches while playing, then that traffic can easily swallow up the packets associated with the game itself and cause lags or disconnection. By checking the check box for prioritizing network gaming traffic (the first check box on the page), you can raise the priority of game traffic so that it will be transferred first and given a guaranteed chunk of bandwidth. There are many games listed here. Check all those which should be prioritized. Even if your game is not listed, you may still want to check a similar game (if there is one on the list) so that you will have a reference rule that you can alter later. When you are done configuring network gaming settings, press the Next button.

Traffic Shaping in pfSense: Part Four

Traffic shaping in pfSense

Configuring VoIP settings in pfSense 2.2.4. Note that you can guarantee upload and download bandwidth with the traffic shaper wizard.

Once you enter the queuing disciples and connection speeds in the traffic shaper wizard, there are a number of other options to configure. The next is Voice over IP, and there are several options available for handing VoIP traffic. The first choice, the Prioritize Voice over IP traffic check box, is self-explanatory. It will enable the prioritization of VoIP traffic, and this behavior can be fine-tuned by the other settings on the same page. First, you can chose your VoIP provider:

 

    • VoicePulse: A U.S.-based VoIP provider founded in 2003. VoicePulse provides not only home phone services, but also business PBX services and enterprise-level SIP trunking.

 

  • Vonage: Another U.S.-based VoIP provider founded in 2001. Their most popular plan, Vonage World, offers unlimited international calling to over 60 countries for a flat monthly rate. Vonage supplies an analog telephone adapter with which the customer can connect standard analog telephones to the Internet.

 

 

  • Panasonic TDA: Panasonic’s VoIP PBX solution, done via a T1 or E1, and which provides mobile phone integration and BRI or PRI ISDN capability.

 

 

  • Asterisk: Open-source VoIP software which includes many features available in proprietary PBX systems: voice mail, conference calling, interactive voice response, and automatic call distribution. Although initially developed in the United States, it has become popular worldwide because it is freely available under open-source licensing and has a modular, extensible design.

 

 

If you have a different provider, you can choose Generic, or override this setting with the Address field by entering the IP of your VoIP phone or an alias containing the IPs of all your phones.

There is also an edit box in which you can enter the IP address of the upstream SIP server. If you do, the information in the Provider field will be overridden. You can also use a firewall alias in this field.

You may also choose the amount of upload and download bandwidth to guarantee for your VoIP phones. This will vary based on how many phones you have, and how much bandwidth each session will utilize. When you have finished entering the provider information and upload/download bandwidth, you can press the Next button.

The next page allows you to configure settings for the penalty box. This is a place to which you can relegate misbehaving users or devices that would otherwise consume more bandwith than desired. These users are assigned a hard bandwidth cap which they cannot exceed. Check the check box at the top of the page to enable this feature, enter an IP or alias in the address box, and then enter upload and download limits in kilobits per second in the appropriate edit boxes. It does not appear that you can type multiple IP addresses in the Address edit box, so if you want to penalize multiple hosts, you will have to create an alias.

Once you are finished configuring penalty box settings, you can press the Next button and move on to configuring settings for peer-to-peer networking, which will be covered in the next article.

External Links:

Traffic Shaping at Wikipedia
Voice over IP at Wikipedia

Traffic Shaping in pfSense: Part Three

Traffic shaping in pfSense

Entering information in the pfSense traffic shaper wizard.

If you want to invoke traffic shaping in pfSense, you can write your own rule set in PF, but in most cases, it’s easier to use the traffic shaper wizard. To get started with the traffic shaper wizard, navigate to Firewall -> Traffic Shaper in the pfSense web GUI and click on the Wizards tab. There are two options on the Wizards page: Mutliple LAN/WAN and Dedicated Links. Even if you only have a single LAN-type interface, you should select Multiple LAN/WAN in most cases.

On the first page of the traffic shaper wizard, you will be prompted to enter the number of WAN and LAN-type connections. LAN-type connections are generally any non-WAN connections. For example, if we have a WAN, LAN and DMZ interface, then we have 1 WAN connection and 2 LAN connections. Once you have entered these, press the Next button.

Traffic Shaping in pfSense: Queueing Disciplines

The next page is where we set up the queueing disciplines for each local interface, as well as the upload and download bandwidths for each WAN connection. There are three options for queueing disciplines:

 

  • Priority Queueing (PRIQ): With priority queueing, your bandwidth is divided into separate queues. Each queue is assigned a priority level. A packet that has a higher priority level is always processed before a packet with a lower priority level. This makes priority queueing easy to understand, but it also means that lower priority traffic can be starved for bandwidth.
  • Class Based Queueing (CBQ): Class Based Queueing introduces the concept of a hierarchy of queues. As with PRIQ, your bandwidth is divided into separate queues, and each queue can be assigned a priority level. CBQ, however, differs from PRIQ in several significant ways. First, each top-level (parent) queue can be subdivided into child queues. These child queues can also be assigned priority levels. Second, each parent queue is assigned a bandwidth limit which it cannot exceed. Third, although child queues are also assigned bandwidth limits, they can borrow bandwidth from the parent queue if the bandwidth limit for the parent has not been reached. As a result, CBQ is a good option in cases where we want to ensure that lower priority traffic gets some bandwidth.
  • Hierarchical Fair Service Curve (HFSC): HFSC is the most sophisticated of the three queueing disciplines used by the pfSense traffic shaper. It provides a more granular means of bandwidth management than either PRIQ or CBQ on several counts. First, it can be set up so certain queues get a specified minimum slice of bandwidth. Second, priority levels can be set for handling excess bandwidth. For example, if we have queues 1 and 2 and queue 1 is divided into queues 1A and 1B, with 1A guaranteed 25 Mbps of bandwidth, we can set it up so the excess bandwidth from 1A goes first to 1B, and if 1B does not require the bandwidth, to 2. Third, HFSC uses a two-piece linear curve to reduce latency without over-reserving bandwidth, which makes HFSC a good option for applications that are both require generous amounts of bandwitth and low latency, like VoIP and video conferencing.

 

Once we have set the queueing disciplines, we need to enter the upload and download bandwidth for each WAN interface and press the Next button.

We will continue our look at the pfSense traffic shaper wizard in the next article.

External Links:

PF: Packet Queueing and Prioritization at openbsd.org

Traffic Shaping in pfSense: Part Two

Traffic shaping in pfSense

Configuring interfaces in the pfSense traffic shaper wizard.

Wrapping a GUI around the underlying traffic shaping components in pfSense proved to be difficult. Lacking functionality in the underlying system in some areas also limits its capabilities. The traffic shaper was rewritten for pfSense 2.0 and accommodates multiple interfaces.

Traffic to the LAN IP is queued in the same manner as traffic traversing the firewall. If your web interface uses HTTPS, and your traffic shaper queue for HTTPS is filled, it will delay your traffic to the management interface the same as if your HTTPS request were going out to the Internet. If you use pings to the LAN IP from a monitoring system, you may see significant delay for the same reason.


In addition, the shaper is not capable of truly differentiating between protocols. Traffic using TCP port 80 is considered as HTTP, whether it’s really HTTP or it’s P2P application using port 80; traffic using port 443 is considered as HTTPS, and so on. This can be a significant problem in some cases.

Traffic Shaping in pfSense: A Brief Look at PF Rules

Traffic shaping functionality, as with everything else in pfSense, is provided by PF. If you’re willing to write your own rules, this gives you considerable flexibility in configuring traffic shaping. For example, consider the hypothetical from the first article in which there is a backlog of ACK packets on an asymmetric Internet connection. We want to alter the rule set so ACK packets have a higher priority than other packets, so we set up two separate data queues. The result might look something like this:

ext_if="kue0"

altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
    queue q_pri priority 7
    queue q_def priority 1 priq(default)

pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)

pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)

Here, a priority-based queue is set up on the external interface ($ext_if) with two subordinate queues. On subqueue has a high priority value of 7 (q_pri), while the other has a low priority value of 1 (q_def). Once a connection is assigned to the main queue, ALTQ inspects each packet’s type of service (ToS) field. ACK packets have the ToS Delay bit set to low, indicating that the sender wanted the speediest delivery possible. When ALTQ sees a low-delay packet and queues of differing priority are available, it will assign the packet to the higher-priority queue.

For those of us who don’t want to be bothered manually rewriting the rules, there’s the traffic shaper wizard. You can access the traffic shaper wizard from the pfSense web interface by navigating to Firewall -> Traffic Shaper and clicking on the Wizard tab. It is generally a good idea to configure traffic for the first time using the wizard. If you need custom rules, you can always step through the wizard, approximate what you need, then make the custom rules afterward. Each screen will setup unique queues, and rules that will control what traffic is assigned into those queues. Should you want to configure everything manually, simply specify your WAN speed at the first screen, then click Next through all the remaining screens without configuring anything.

In the next article, we’ll step though the pfSense traffic shaper wizard.


External Links:

Traffic Shaping Guide at doc.pfsense.org

Traffic Shaping in pfSense: Part One

Traffic Shaping with pfSense

Using the traffic shaping wizard in pfSense 2.2.4.

Traffic shaping, otherwise known as network Quality of Service (QoS), is a means of prioritizing the network traffic crossing your firewall. Without traffic shaping, all packets are processed on a first in/first out basis by your firewall. QoS offers a means of prioritizing different types of traffic, ensuring that high priority services receive the bandwidth they need before lesser piroity services. The traffic shaper wizard in pfSense gives you the ability to quickly configure QoS for common scenarios, and custom rules may also be created for more complex tasks.

Traffic shaping is essentially like a gatekeeper in which important packets are prioritized, while regular packets have to wait, and low-priority packets are kept out until there is not enough higher-priority traffic to use up the bandwidth.

There are traffic shaping queues and traffic shaping rules. The queues are where bandwidth and priorities are actually allocated. Traffic shaping rules control how traffic is assigned into those queues. Rules for the shaper work in a similar way to firewall rules, and allow similar matching characteristics. If a packet matches a shaper rule, it will be assigned into the queues specified by that rule.

The idea of raising or lowering the priority of packets is a simple one, but one which has many possible applications. Here are a few ways in which traffic shaping can be used.

Traffic Shaping in pfSense: Prioritizing ACK Packets

Asymmetric Internet connections (where the download speed differs from the upload speed, usually in such a way that download speed > upload speed) are commonplace, especially with DSL. Some links are so out of balance that the maximum download speed is almost unattainable because it is difficult for the client to send back enough ACK packets to keep traffic flowing. ACK packets are transmitted back to the sender by the receiver to indicate that data has been successfully received, and to signal that it is OK to send more. If the sender does not receive ACKs in a timely manner, TCP’s congestion control will be invoked and it will slow down the connection.

This can happen if you are uploading and downloading simultaneously over an asymmetric connection. The uploading part of the circuit is full from the file upload, and there is little room to send ACK packets which allow downloads to keep flowing. By using the shaper to prioritize ACK packets, you can achieve faster, more stable download speeds on asymmetic links. [This is not as important on symmetric links, but it may still be desirable if the available outgoing bandwidth is heavily utilized.]

Traffic Shaping in pfSense: VoIP, Online Gaming and Peer-to-Peer Traffic

If your VoIP calls use the same circuit as data, then uploads and downloads may degrade your call quality. pfSense can prioritize the call traffic above other protocols and ensure that the calls make it through clearly without breaking up. If there are other transfers occurring simultaneously when the VoIP call is in progress, the speed of the other transfers will be reduced to leave room for the calls.

There are also options in pfSense to give priority to the traffic associated with network gaming. Similar to prioritizing VoIP calls, the effect is that even if you are downloading while playing, the response time of the game should be nearly as fast as if the rest of your connection were idle.

In addition, by lowering the priority of traffic associated with known peer-to-peer ports, you will have the assurance that even if these programs are in use, they won’t hinder other traffic on your network. Due to peer-to-peer traffic’s lower priority, other protocols will be favored over P2P traffic, which will be limited when any other services need the bandwidth.

In the next article, we will discuss some of the limitations of pfSense’s traffic shaper.

External Links:

Traffic Shaping at Wikipedia

pfSense Multi-WAN Configuration: Part Seven

pfSense multi-WAN

Changing the weight of a WAN gateway in pfSense 2.2.4.

There are some scenarios where you may want to only use failover. Some pfSense users have a secondary backup Internet connection with a low bandwidth limit, and only want to use that connection if their primary connection fails, and only while it is down. Failover pools allow you to do this. Another possible usage for failover pools is when you want to make sure a certain protocol or destination always uses only one WAN.

pfSense Multi-WANs: Configuring Weights

In pfSense 2.2, you can configure a weight/preference value to WANs. As described in an earlier article, you can set up a gateway group where the WAN interfaces have different priorities. In a gateway group, interfaces at the same tier have equal priority. Lower-numbered tiers have higher priority than higher-numbered tiers. For example, if we set WAN and WAN1 to Tier 1 and WAN2 to Tier 2, WAN and WAN1 will have equal priority. WAN2 will only come into use if both WAN and WAN1 are down. This is good, but what if WAN is our high-speed connection and WAN1 is a DSL connection, and therefore we want WAN to get the bulk of the traffic?

In this case, we can navigate to System -> Routing. The Gateway tab should be selected by default; if not, click on Gateway. Press the e button next to the entry for WAN. On the next page, press the Advanced button. The first entry in this section should be Weight. Using the dropdown box, change the weight to 2. The weight sets the ratio for use of a gateway. Once we change WAN’s weight to 2, there will be two Tier 1 gateways (WAN and WAN2) with weights of 2 and 1 respectively. Thus, out of 3 connections, 2 will use WAN, and 1 will use WAN1, so WAN should get two-thirds of the traffic. Similarly, we could change WAN’s weight to 3, so that WAN will get three-fourths of the traffic. When we are done changing the weight, we need to press Save at the bottom of the page and then press Apply Changes on the next page.

Note that this distribution is strictly balancing the number of connections. It does not take interface throughput into account. This means your bandwidth usage will not necessarily be distributed equally, though in most environments it works out to be roughly distributed as configured over time. This also means if an interface is loaded to its capacity with a single high throughput connection, additional connections will still be directed to that interface. Ideally you would want to distribute connections based on interface weights and the current throughput of the interface.

External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part Five

pfSense multi-WAN

Viewing the load balancer status in pfSense 2.2.4.

Once you have configured your multi-WAN setup, you will want to verify its functionality. In this article, we will cover how to test each component of your multi-WAN setup.

If you have configured failover, you will want to test it after completing your configuration to ensure it functions as you desire, otherwise you might be in for an unpleasant surprise when one of your Internet connections fail. Navigate to Status -> Load Balancer and ensure all your WAN connections show as “Online“ under Status. If they do not, verify your monitoring IP configuration as discussed in previous articles on this site.


pfSense Multi-WAN: Simulating a Failure

There are a number of ways you can simulate a WAN failure, depending on the type of Internet connection being used. In most cases, the easiest way to simulate it is to unplug the target WAN interface’s Ethernet cable from the firewall.

For cable and DSL connections, you will also want to try powering off your modem, and unplugging the coax or phone line from the modem. For T1 and other types of connections with a router outside of pfSense, try unplugging the Internet connection from the router and also turning off the router itself.

All of the abovementioned testing scenarios will likely end with the same result, but there are some circumstances where trying all these things individually will find a fault you might not have otherwise noticed until an actual failure. For example, assume you are using a monitor IP assigned to your DLS or cable modem. Thus when the coax or phone line is disconnected, simulating a provider failure rather than an Ethernet or modem failure, the monitor ping still succeeds since it is pinging the modem. As far as pfSense is concerned, the connection is still up, so it will not fail over even if the connection is actually down. There are other types of failure that can similarly only be detected by testing all the individual cases where failure is possible. After creating a WAN failure, refresh the Status -> Load Balancer screen to check the current status.

The easiest way to verify a HTTP load balancing configuration is to visit one of the websites that displays the public IP address from which you are coming. There is a page on the pfSense website for this purpose, and there are other sites that serve the same function. Search for “what is my IP address” and you will find numerous websites that will show you what public IP address from which the HTTP request is coming.

If you load one of these pages, and refresh your browser a number of times, you should see your IP address changing if your load balancing configuration is correct. Note if you have any other traffic on your network, you probably will not see your IP address change on every page refresh. Refresh the page 20-30 times and you should see the IP change at least a few times. if the IP never changes, try several different sites, and make sure your browser is really requesting the page again,and not returning something from its cache or using a persistent connection to the server. Manually deleting the cache and trying multiple web browsers are good things to try before troubleshooting your load balancer configuration further.

You can use traceroute to test load balancing (or tracert in Windows). Traceroute allows you to see the network path taken to a given destination.

The real time traffic graphs under Status -> Traffic Graph are useful for showing the real time throughput on your WAN interfaces. You can only show one graph at a time per browser window, but you can open additional windows or tabs in your browser and show all your WAN interfaces simultaneously. The Dashboard widget enables the simultaneous display of multiple traffic graphs on a single page. The RRD traffic graphs accessible under Status -> RRD Graphs are useful for longer-term and historical evaluation of your individual WAN utilization.


External Links:

Network Load Balancing on Wikipedia

pfSense Load Balancing

pfSense load balancing

Creating a load balancing pool in pfSense 2.2.4.

In the previous article, we covered how to set up load balancing for a multi-WAN configuration. In this article, we will cover load balancing and failover in cases that don’t involve multiple WAN interfaces.

pfSense Load Balancing

To configure a pfSense load balancing pool, log into the pfSense web GUI and navigate to Services -> Load Balancer. On the Pools tab, click the plus button. This will take you to the Load Balancer configuration page.

In the Name field, fill in a name for the failover pool up to 16 characters in length. This will be the name used to refer to this pool in the Gateway field in the firewall rules. In the Description field, you may enter a description for your own reference. The Description field is optional and does not affect functionality, while the Name field is required. For Mode, select either Load Balance to set up a load balancing pool. In Port, enter the port your servers are listening on, and in Retry specify how many times to check a server before declaring it to be down. In Monitor, select the protocol to be used for monitoring the servers (usually ICMP). In Server IP Address, you enter the IP address that will determine whether the chosen interface is available. If pings to this address fail, this interface is marked as down and is no longer used until it is accessible again.

After selecting an interface and choosing a monitor IP, you can press the Add to pool button to add the interface. After adding the first interface to the pool, select the second interface, sselect its monitor IP, and press Add to pool again. When finished adding interfaces to the pool, press save, and then press Apply changes on the next page.


Failover refers to the ability to use only one WAN connection, but switch to another WAN if the preferred connection fails. This is useful in situations where you want certain traffic, or all of your traffic to utilize one specific WAN connection unless it is unavailable.

To set up a failover group, navigate to Services -> Load Balancer, and click on the plus button, the same as you would when configuring a load balancing pool. In the Name field, fill in a name for the failover pool (again, up to 16 characters in length). In the Description field, you may enter a descripton for your reference.

For the Mode, select Failover. In Port, enter the port your servers are listening on, and in Retry, enter the number of times the server should be checked before being declared to be down. In the Monitor field, set a protocol for monitoring, and in Server IP Address, set the monitor IP. Once you have entered all this information, you can press the Add to pool button. You have added the first interface.

Since this is a failover pool, the first interface aded while be used as long as its monitor IP is responding to pings. If the first interface added to the pool fails, the second interface in the pool will be used. Make sure you add the interfaces to the pool in order of preference. The first in the list will always be used unless it fails, at which point the remaining interfaces in the list are fallen back on in top down order.

Additional interfaces can be added by entering the information for them and clicking Add to pool again. When finished adding interfaces to the pool, press Save, and then Apply Changes on the next page.


External Links:

Inbound Load Balancing on doc.pfsense.org
How to Use pfSense to Load Balance Your Servers on howtoforge.com

© 2013 David Zientara. All rights reserved. Privacy Policy