Traffic Shaping in pfSense: Part Four


Configuring VoIP settings in pfSense 2.2.4. Note that you can guarantee upload and download bandwidth with the traffic shaper wizard.

Once you enter the queuing disciplines and connection speeds in the traffic shaper wizard, there are a number of other options to configure. The next is Voice over IP, and there are several options available for handling VoIP traffic. The first choice, the Prioritize Voice over IP traffic check box, is self-explanatory. It will enable the prioritization of VoIP traffic, and this behavior can be fine-tuned by the other settings on the same page. First, you can choose your VoIP provider:

 

  • VoicePulse: A U.S.-based VoIP provider founded in 2003. VoicePulse provides not only home phone services, but also business PBX services and enterprise-level SIP trunking.
  • Vonage: Another U.S.-based VoIP provider founded in 2001. Their most popular plan, Vonage World, offers unlimited international calling to over 60 countries for a flat monthly rate. Vonage supplies an analog telephone adapter with which the customer can connect standard analog telephones to the Internet.
  • Panasonic TDA: Panasonic’s VoIP PBX solution, done via a T1 or E1, and which provides mobile phone integration and BRI or PRI ISDN capability.
  • Asterisk: Open-source VoIP software which includes many features available in proprietary PBX systems: voice mail, conference calling, interactive voice response, and automatic call distribution. Although initially developed in the United States, it has become popular worldwide because it is freely available under open-source licensing and has a modular, extensible design.

If you have a different provider, you can choose Generic, or override this setting with the Address field by entering the IP of your VoIP phone or an alias containing the IPs of all your phones.

There is also an edit box in which you can enter the IP address of the upstream SIP server. If you do, the information in the Provider field will be overridden. You can also use a firewall alias in this field.

You may also choose the amount of upload and download bandwidth to guarantee for your VoIP phones. This will vary based on how many phones you have, and how much bandwidth each session will utilize. When you have finished entering the provider information and upload/download bandwidth, you can press the Next button.
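To size the guarantee described above, the on-the-wire cost of one call can be worked out from the codec bitrate and per-packet headers. This is an added example, not part of the original article or of the pfSense wizard; the codecs, the 20 ms packetization interval, plain Ethernet framing and the 10% headroom are assumptions to adjust for your own phones.

```python
import math

IP_UDP_RTP = 40   # bytes per packet: IPv4 20 + UDP 8 + RTP 12
ETHERNET = 18     # Ethernet II header 14 + FCS 4 (assumption: no VLAN tag, no PPPoE)

# Codec payload bitrates in bit/s. Which codec your phones negotiate is an assumption.
CODECS = {"G.711": 64_000, "G.729": 8_000}


def per_call_bps(codec, ptime_ms=20, l2_overhead=ETHERNET):
    """Bit/s on the wire for one direction of one RTP stream."""
    payload_bytes = CODECS[codec] * ptime_ms // 1000 // 8   # voice bytes per packet
    packets_per_sec = 1000 / ptime_ms
    return (payload_bytes + IP_UDP_RTP + l2_overhead) * 8 * packets_per_sec


def guarantee_kbps(codec, calls, ptime_ms=20, headroom=0.10):
    """Kbit/s to guarantee per direction for `calls` simultaneous calls.

    headroom is an illustrative margin for signalling traffic, not a pfSense value.
    """
    total = per_call_bps(codec, ptime_ms) * calls * (1 + headroom)
    return math.ceil(total / 1000)


def max_calls(codec, budget_kbps, ptime_ms=20, headroom=0.10):
    """How many simultaneous calls fit inside an existing guarantee."""
    per_call = per_call_bps(codec, ptime_ms) * (1 + headroom)
    return int(budget_kbps * 1000 // per_call)


if __name__ == "__main__":
    for codec in CODECS:
        print(codec, per_call_bps(codec) / 1000, "kbit/s per call,",
              guarantee_kbps(codec, 4), "kbit/s for 4 calls")
```

A call carries one stream in each direction, so the same figure applies to both the upload and the download guarantee.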

The next page allows you to configure settings for the penalty box. This is a place to which you can relegate misbehaving users or devices that would otherwise consume more bandwidth than desired. These users are assigned a hard bandwidth cap which they cannot exceed. Check the check box at the top of the page to enable this feature, enter an IP or alias in the address box, and then enter upload and download limits in kilobits per second in the appropriate edit boxes. It does not appear that you can type multiple IP addresses in the Address edit box, so if you want to penalize multiple hosts, you will have to create an alias.

Once you are finished configuring penalty box settings, you can press the Next button and move on to configuring settings for peer-to-peer networking, which will be covered in the next article.

External Links:

Traffic Shaping at Wikipedia
Voice over IP at Wikipedia

Firewall Configuration: Aliases

One of the main functions of any firewall is to carry out port forwarding and firewall security rules, and pfSense, like any firewall, is capable of performing these functions, which can be found on the “Firewall” menu of the pfSense web interface. In this article, the first in a series covering pfSense firewall configuration, I cover creating an alias in pfSense.


Firewall -> Aliases page in the pfSense web GUI.

A good description of aliases can be found on the pfSense web GUI page for Firewall -> Aliases:

Aliases act as placeholders for real hosts, networks or ports. They can be used to minimize the number of changes that have to be made if a host, network or port changes. You can enter the name of an alias instead of the host, network or port in all fields that have a red background. The alias will be resolved according to the list above. If an alias cannot be resolved (e.g. because you deleted it), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.


Here, I create a sub-alias called “allhosts”.

With this in mind, here is how you can set up an alias in pfSense. First, browse to Firewall -> Aliases. Click the “plus” button to add a new alias. The first field is “Name”. Here, you should type in a name for the alias. At “Description”, you can add an optional description. Next, select an alias type at “Type”. Depending on which type you choose (Host, Network, Ports, URL, or URL Table), you will have different fields which must be filled out to complete the configuration. Selecting “Host(s)” as a type allows you to create an alias that holds one or more IP addresses. Selecting “Network” allows you to create an alias that holds one or more networks (i.e. ranges of IP addresses). Selecting “Ports” allows you to create an alias that holds one or more ports. Selecting “OpenVPN Users” allows you to create an alias that holds one or more OpenVPN usernames. Selecting “URL” allows you to create an alias that holds one or more URLs. And selecting “URL Table” allows you to create an alias that holds a single URL pointing to a large list of addresses. This can come in handy if you need to import a large list of IP addresses and/or subnets. When you are done entering the configuration data for whichever type you selected, press “Save” to save the changes, and if necessary, press “Apply changes” to apply the changes.



An example of using an alias in adding a NAT port forwarding rule.

It is also possible to set up sub-aliases, which potentially make firewall management even easier. For example, suppose we have three hosts (host1, host2, and host3), all of which must connect to our FTP server. We could set up a sub-alias called allhosts composed of host1, host2, and host3.

Once you have added an alias, you can use it wherever there is a red text box in the pfSense GUI. Just type the name of the alias and it can be invoked.
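The sub-alias expansion described above, together with the GUI's warning that a rule whose alias cannot be resolved is skipped, can be modelled in a few lines to audit a rule set before an alias is deleted or renamed. This is an added example, not pfSense's own code; the addresses, the rule descriptions, the `oldhosts` and `loop_*` names, and the choice to treat circular nesting as unresolved are assumptions of the model.

```python
import ipaddress

# Constructed sample data; host1..host3 and allhosts follow the article's example.
ALIASES = {
    "host1": ["192.0.2.11"],
    "host2": ["192.0.2.12"],
    "host3": ["192.0.2.13"],
    "allhosts": ["host1", "host2", "host3"],  # sub-alias built from other aliases
    "loop_a": ["loop_b"],                     # hypothetical circular nesting
    "loop_b": ["loop_a"],
}
# (description, alias used as source); "oldhosts" stands for a deleted alias.
RULES = [("FTP from allhosts", "allhosts"), ("FTP from oldhosts", "oldhosts"),
         ("FTP from loop_a", "loop_a")]

class UnresolvedAlias(Exception):
    """Raised when an alias name cannot be expanded to literal addresses."""

def is_literal(entry):
    """True for an IP address or CIDR network, False for anything else."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def resolve(name, aliases, stack=()):
    """Expand an alias, following sub-aliases, to a sorted list of literals."""
    if name in stack:  # model's choice: circular nesting counts as unresolved
        raise UnresolvedAlias("circular reference via " + name)
    if name not in aliases:
        raise UnresolvedAlias("alias " + name + " is not defined")
    found = set()
    for entry in aliases[name]:
        if is_literal(entry):
            found.add(entry)
        else:  # not an address, so treat it as a nested alias name
            found.update(resolve(entry, aliases, stack + (name,)))
    return sorted(found)

def audit(rules, aliases):
    """Return (active, skipped): rules that expand cleanly vs. rules that drop out."""
    active, skipped = {}, {}
    for descr, alias in rules:
        try:
            active[descr] = resolve(alias, aliases)
        except UnresolvedAlias as err:
            skipped[descr] = str(err)
    return active, skipped
```

Anything that lands in `skipped` is a rule that would silently stop being enforced, which is worth reviewing whether it was an allow rule or a block rule.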

That covers firewall configuration of aliases under pfSense. In a future installment, I will cover NAT and firewall rules.


External Links:

Aliases from the pfSense wiki at doc.pfsense.org

© 2013 David Zientara. All rights reserved.