Traffic Shaping in pfSense: Part Two

Traffic shaping in pfSense

Configuring interfaces in the pfSense traffic shaper wizard.

Wrapping a GUI around the underlying traffic shaping components in pfSense proved to be difficult. Lacking functionality in the underlying system in some areas also limits its capabilities. The traffic shaper was rewritten for pfSense 2.0 and accommodates multiple interfaces.

Traffic to the LAN IP is queued in the same manner as traffic traversing the firewall. If your web interface uses HTTPS, and your traffic shaper queue for HTTPS is filled, it will delay your traffic to the management interface the same as if your HTTPS request were going out to the Internet. If you use pings to the LAN IP from a monitoring system, you may see significant delay for the same reason.

In addition, the shaper is not capable of truly differentiating between protocols. Traffic using TCP port 80 is considered as HTTP, whether it’s really HTTP or it’s P2P application using port 80; traffic using port 443 is considered as HTTPS, and so on. This can be a significant problem in some cases.

Traffic Shaping in pfSense: A Brief Look at PF Rules

Traffic shaping functionality, as with everything else in pfSense, is provided by PF. If you’re willing to write your own rules, this gives you considerable flexibility in configuring traffic shaping. For example, consider the hypothetical from the first article in which there is a backlog of ACK packets on an asymmetric Internet connection. We want to alter the rule set so ACK packets have a higher priority than other packets, so we set up two separate data queues. The result might look something like this:


altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
    queue q_pri priority 7
    queue q_def priority 1 priq(default)

pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)

pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)

Here, a priority-based queue is set up on the external interface ($ext_if) with two subordinate queues. On subqueue has a high priority value of 7 (q_pri), while the other has a low priority value of 1 (q_def). Once a connection is assigned to the main queue, ALTQ inspects each packet’s type of service (ToS) field. ACK packets have the ToS Delay bit set to low, indicating that the sender wanted the speediest delivery possible. When ALTQ sees a low-delay packet and queues of differing priority are available, it will assign the packet to the higher-priority queue.

For those of us who don’t want to be bothered manually rewriting the rules, there’s the traffic shaper wizard. You can access the traffic shaper wizard from the pfSense web interface by navigating to Firewall -> Traffic Shaper and clicking on the Wizard tab. It is generally a good idea to configure traffic for the first time using the wizard. If you need custom rules, you can always step through the wizard, approximate what you need, then make the custom rules afterward. Each screen will setup unique queues, and rules that will control what traffic is assigned into those queues. Should you want to configure everything manually, simply specify your WAN speed at the first screen, then click Next through all the remaining screens without configuring anything.

In the next article, we’ll step though the pfSense traffic shaper wizard.

External Links:

Traffic Shaping Guide at

Traffic Shaping in pfSense: Part One

Traffic Shaping with pfSense

Using the traffic shaping wizard in pfSense 2.2.4.

Traffic shaping, otherwise known as network Quality of Service (QoS), is a means of prioritizing the network traffic crossing your firewall. Without traffic shaping, all packets are processed on a first in/first out basis by your firewall. QoS offers a means of prioritizing different types of traffic, ensuring that high priority services receive the bandwidth they need before lesser piroity services. The traffic shaper wizard in pfSense gives you the ability to quickly configure QoS for common scenarios, and custom rules may also be created for more complex tasks.

Traffic shaping is essentially like a gatekeeper in which important packets are prioritized, while regular packets have to wait, and low-priority packets are kept out until there is not enough higher-priority traffic to use up the bandwidth.

There are traffic shaping queues and traffic shaping rules. The queues are where bandwidth and priorities are actually allocated. Traffic shaping rules control how traffic is assigned into those queues. Rules for the shaper work in a similar way to firewall rules, and allow similar matching characteristics. If a packet matches a shaper rule, it will be assigned into the queues specified by that rule.

The idea of raising or lowering the priority of packets is a simple one, but one which has many possible applications. Here are a few ways in which traffic shaping can be used.

Traffic Shaping in pfSense: Prioritizing ACK Packets

Asymmetric Internet connections (where the download speed differs from the upload speed, usually in such a way that download speed > upload speed) are commonplace, especially with DSL. Some links are so out of balance that the maximum download speed is almost unattainable because it is difficult for the client to send back enough ACK packets to keep traffic flowing. ACK packets are transmitted back to the sender by the receiver to indicate that data has been successfully received, and to signal that it is OK to send more. If the sender does not receive ACKs in a timely manner, TCP’s congestion control will be invoked and it will slow down the connection.

This can happen if you are uploading and downloading simultaneously over an asymmetric connection. The uploading part of the circuit is full from the file upload, and there is little room to send ACK packets which allow downloads to keep flowing. By using the shaper to prioritize ACK packets, you can achieve faster, more stable download speeds on asymmetic links. [This is not as important on symmetric links, but it may still be desirable if the available outgoing bandwidth is heavily utilized.]

Traffic Shaping in pfSense: VoIP, Online Gaming and Peer-to-Peer Traffic

If your VoIP calls use the same circuit as data, then uploads and downloads may degrade your call quality. pfSense can prioritize the call traffic above other protocols and ensure that the calls make it through clearly without breaking up. If there are other transfers occurring simultaneously when the VoIP call is in progress, the speed of the other transfers will be reduced to leave room for the calls.

There are also options in pfSense to give priority to the traffic associated with network gaming. Similar to prioritizing VoIP calls, the effect is that even if you are downloading while playing, the response time of the game should be nearly as fast as if the rest of your connection were idle.

In addition, by lowering the priority of traffic associated with known peer-to-peer ports, you will have the assurance that even if these programs are in use, they won’t hinder other traffic on your network. Due to peer-to-peer traffic’s lower priority, other protocols will be favored over P2P traffic, which will be limited when any other services need the bandwidth.

In the next article, we will discuss some of the limitations of pfSense’s traffic shaper.

External Links:

Traffic Shaping at Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy