Traffic Shaping in pfSense: Part Three

Traffic shaping in pfSense

Entering information in the pfSense traffic shaper wizard.

If you want to invoke traffic shaping in pfSense, you can write your own rule set in PF, but in most cases, it’s easier to use the traffic shaper wizard. To get started with the traffic shaper wizard, navigate to Firewall -> Traffic Shaper in the pfSense web GUI and click on the Wizards tab. There are two options on the Wizards page: Multiple LAN/WAN and Dedicated Links. Even if you only have a single LAN-type interface, you should select Multiple LAN/WAN in most cases.

On the first page of the traffic shaper wizard, you will be prompted to enter the number of WAN and LAN-type connections. LAN-type connections are generally any non-WAN connections. For example, if we have a WAN, LAN and DMZ interface, then we have 1 WAN connection and 2 LAN connections. Once you have entered these, press the Next button.

Traffic Shaping in pfSense: Queueing Disciplines

The next page is where we set up the queueing disciplines for each local interface, as well as the upload and download bandwidths for each WAN connection. There are three options for queueing disciplines:


  • Priority Queueing (PRIQ): With priority queueing, your bandwidth is divided into separate queues. Each queue is assigned a priority level. A packet that has a higher priority level is always processed before a packet with a lower priority level. This makes priority queueing easy to understand, but it also means that lower priority traffic can be starved for bandwidth.
  • Class Based Queueing (CBQ): Class Based Queueing introduces the concept of a hierarchy of queues. As with PRIQ, your bandwidth is divided into separate queues, and each queue can be assigned a priority level. CBQ, however, differs from PRIQ in several significant ways. First, each top-level (parent) queue can be subdivided into child queues. These child queues can also be assigned priority levels. Second, each parent queue is assigned a bandwidth limit which it cannot exceed. Third, although child queues are also assigned bandwidth limits, they can borrow bandwidth from the parent queue if the bandwidth limit for the parent has not been reached. As a result, CBQ is a good option in cases where we want to ensure that lower priority traffic gets some bandwidth.
  • Hierarchical Fair Service Curve (HFSC): HFSC is the most sophisticated of the three queueing disciplines used by the pfSense traffic shaper. It provides a more granular means of bandwidth management than either PRIQ or CBQ on several counts. First, it can be set up so certain queues get a specified minimum slice of bandwidth. Second, priority levels can be set for handling excess bandwidth. For example, if we have queues 1 and 2 and queue 1 is divided into queues 1A and 1B, with 1A guaranteed 25 Mbps of bandwidth, we can set it up so the excess bandwidth from 1A goes first to 1B, and if 1B does not require the bandwidth, to 2. Third, HFSC uses a two-piece linear curve to reduce latency without over-reserving bandwidth, which makes HFSC a good option for applications that require both generous amounts of bandwidth and low latency, like VoIP and video conferencing.


Once we have set the queueing disciplines, we need to enter the upload and download bandwidth for each WAN interface and press the Next button.

We will continue our look at the pfSense traffic shaper wizard in the next article.

External Links:

PF: Packet Queueing and Prioritization at

pfSense Traffic Shaping: Part Three (Class Based Queuing and Priority Queuing)

Class-Based Queuing

In the last article, I covered traffic shaping with Hierarchical Fair Service Curve (HFSC). In this article, I cover the other two algorithms implemented in pfSense 2.0: Class Based Queuing (CBQ) and Priority Queuing (PRIQ).

Class Based Queuing (CBQ)

Class based queuing is a network router queuing method that allows traffic to share bandwidth equally, after being grouped by classes. It was developed by the Network Research Group at Lawrence Berkeley National Laboratory as an alternative to traditional router-based technology. Class based queuing divides user traffic into a hierarchy of queues, or classes, based on any combination of IP addresses, protocols and application types. It provides a means of implementing guaranteed service on a network.

Class based queuing enables you to generate several classes, and even classes within classes. As an example, you may have a 10 Gbps connection to the internet which is to be shared by your customers and for your company’s needs. You cannot allow a few people at the office to steal away large amounts of bandwidth which you should sell to your customers. On the other hand, your customers should not be able to drown out the traffic from your field offices to the customer database.

One way of solving this problem is to use frame relay or ATM and create virtual circuits. This works, but frame relay is not very fine-grained and ATM is inefficient at carrying IP traffic. Moreover, neither has a standardized way to segregate different types of traffic into different virtual circuits. If you use ATM with Linux, then Linux can do traffic classification, which would help. Another way is to order separate connections, but this is not very practical and does not solve all your problems.

One possible solution is class based queuing. Clearly, you have two main classes, which we can call “ISP” and “Office”. We could further subdivide these classes, but for the moment we won’t. You decide the customers should always be guaranteed 8 Gbps of downstream traffic, and your office 2 Gbps. With CBQ, you can simply set up a root class and two subclasses, ISP and Office. The upper bound on ISP’s bandwidth is 8 Gbps, and the upper bound on Office’s is 2 Gbps. This is not the most sophisticated form of bandwidth management, but it will work.

In this example, you may find that there are times when ISP customers are mostly offline, but your office still only gets 2 Gbps. You could make the Office class unbounded, so the Office class can borrow bandwidth from the ISP class.

You can also go further than this, introducing subclasses. If employees at the office start using peer-to-peer software, for example, the database may run out of bandwidth. Therefore, you create two subclasses: “Human” and “Database”. In this scenario, you allocate 500 Mbps to Database and allocate the rest (1.5 Gbps) to Human.

Class based queuing assigns each queue a priority level. Queues with a higher priority are preferred during congestion over queues with a lower priority as long as both queues share the same parent (in other words, as long as both queues are on the same branch in the hierarchy). Queues with the same priority are processed in a round-robin fashion. For example, we could assign priorities in the above example like this:

  • Office (priority 1)
    • Human (priority 2)
    • Database (priority 3)
  • ISP (priority 1)

In this example, Office and ISP traffic will be processed in a round-robin fashion – they have the same priority level. But within the Office class/queue, Database gets preferential treatment because it has a higher priority level than Human. Notice that Database is never compared to Office or ISP for priority because it is not on the same level of the hierarchy as they are.
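To make the borrowing and priority behaviour described above (and in the CBQ bullet in the wizard section) concrete, here is an added example that is not part of the original article and not pfSense or PF code: a simplified round-based model of a CBQ hierarchy using the ISP / Office / Human / Database classes from the text. The two-pass allocation, the integer-Mbps figures and the demand dictionary are constructed for illustration; the real ALTQ CBQ scheduler works packet by packet rather than in rounds.

```python
# Added example (not from the article): a simplified model of how a CBQ
# hierarchy shares bandwidth. All figures are integer Mbps; demands are constructed.
from dataclasses import dataclass, field

@dataclass
class QueueClass:
    name: str
    limit: int                # bandwidth bound for this class, in Mbps
    priority: int = 1         # higher wins over siblings under the same parent
    borrow: bool = False      # may exceed `limit` using the parent's unused capacity
    children: list = field(default_factory=list)

def subtree_demand(node, demand):
    """Mbps requested by the leaves below `node` (demand maps leaf name -> Mbps)."""
    if not node.children:
        return demand.get(node.name, 0)
    return sum(subtree_demand(c, demand) for c in node.children)

def allocate(node, demand, capacity):
    """Return {leaf name: Mbps granted} for the subtree rooted at `node` when its
    parent makes `capacity` Mbps available this round."""
    if not node.children:
        return {node.name: min(subtree_demand(node, demand), capacity)}
    by_priority = sorted(node.children, key=lambda c: -c.priority)
    spare, grant = capacity, {}
    # Pass 1: each child is served within its own limit, highest priority first.
    for child in by_priority:
        grant[child.name] = min(subtree_demand(child, demand), child.limit, spare)
        spare -= grant[child.name]
    # Pass 2: leftover capacity goes to children that are allowed to borrow.
    for child in by_priority:
        if child.borrow and spare > 0:
            extra = min(subtree_demand(child, demand) - grant[child.name], spare)
            grant[child.name] += extra
            spare -= extra
    result = {}
    for child in node.children:
        result.update(allocate(child, demand, grant[child.name]))
    return result

def build_tree(human_borrow=False):
    """10 Gbps root: ISP 8 Gbps, Office 2 Gbps (may borrow the unused ISP share);
    Office holds Database (500 Mbps, priority 3) and Human (1.5 Gbps, priority 2)."""
    database = QueueClass("database", 500, priority=3)
    human = QueueClass("human", 1500, priority=2, borrow=human_borrow)
    office = QueueClass("office", 2000, borrow=True, children=[human, database])
    return QueueClass("root", 10000, children=[QueueClass("isp", 8000), office])

# Constructed demand: customers mostly offline, office users running peer-to-peer.
QUIET_ISP = {"isp": 3000, "human": 5000, "database": 400}
```

With `QUIET_ISP`, Human stays capped at 1500 Mbps unless it is itself allowed to borrow, and under a busy ISP (8000 Mbps demanded) Database still receives its 500 Mbps because it outranks Human within Office.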

Priority Queuing (PRIQ)

Priority Queuing assigns multiple queues to a network interface with each queue being given a priority level. A queue with a higher priority is always processed ahead of a queue with a lower priority. If two or more queues are assigned the same priority then those queues are processed in a round-robin fashion.

Unlike class based queuing, which has a hierarchical queue structure, the queuing structure in PRIQ is flat – you cannot define queues within queues. The root queue is defined, which sets the total amount of bandwidth that is available, and then subqueues are defined under the root. Consider the following example:

Root Queue (2 Mbps)

  • Queue A (priority 1)
  • Queue B (priority 2)
  • Queue C (priority 3)

The root queue is defined as having 2 Mbps of bandwidth available to it and three subqueues are defined. The queue with the highest priority (the highest priority number) is served first. Once all the packets in that queue are processed, or if the queue is found to be empty, PRIQ moves on to the next highest priority. Within a given queue, packets are processed in a first in first out (FIFO) manner.

One attribute of PRIQ that should be noted is that PRIQ always processes a higher priority queue before a lower priority one. Consequently, it is possible for a high priority queue to cause packets in a lower priority queue to be delayed or dropped if the high priority queue is receiving a constant stream of packets. Therefore, if you use PRIQ, you want to plan your queues carefully.
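The following is an added example, not part of the original article and not pfSense or PF code: a packet-level model of the PRIQ behaviour described in this section (strict priority, FIFO within a queue, round-robin among equal priorities) using the Root Queue / Queue A, B, C example above. It goes slightly beyond the text by adding an optional Queue D at the same priority as B so the round-robin case can be seen. Packet labels and backlogs are constructed, and the 2 Mbps link is modelled as a fixed number of send slots.

```python
# Added example (not from the article): a packet-level model of PRIQ for the
# Root Queue (2 Mbps) / Queue A, B, C example in the text. Packet labels are
# constructed; the 2 Mbps link is modelled as a fixed number of send slots.
from collections import deque

def priq_schedule(queues, slots):
    """Return the order in which packets leave the interface.
    queues: {name: (priority, deque of packet labels)}, drained as packets send.
    The highest priority number is served first, equal priorities alternate
    round-robin, and each queue is FIFO. Whatever remains in the deques
    afterwards was still waiting (or would be dropped) when the run ended."""
    by_prio = {}
    for name, (prio, _) in queues.items():
        by_prio.setdefault(prio, []).append(name)
    cursor = {p: 0 for p in by_prio}   # round-robin position per priority level
    sent = []
    for _ in range(slots):
        for prio in sorted(by_prio, reverse=True):      # strict priority: highest first
            names = by_prio[prio]
            for i in range(len(names)):                  # try equal-priority queues in turn
                name = names[(cursor[prio] + i) % len(names)]
                if queues[name][1]:
                    sent.append(queues[name][1].popleft())  # FIFO inside a queue
                    cursor[prio] = (cursor[prio] + i + 1) % len(names)
                    break
            else:
                continue          # nothing at this level, fall through to the next
            break                 # one packet per slot
    return sent

def make_queues(a, b, c, d=0):
    """Constructed backlog: A (priority 1), B and D (priority 2), C (priority 3)."""
    q = {"A": (1, deque(f"A{i}" for i in range(1, a + 1))),
         "B": (2, deque(f"B{i}" for i in range(1, b + 1))),
         "C": (3, deque(f"C{i}" for i in range(1, c + 1)))}
    if d:
        q["D"] = (2, deque(f"D{i}" for i in range(1, d + 1)))
    return q

def starved(queues, slots):
    """Names of queues that still hold packets after `slots` sends."""
    priq_schedule(queues, slots)
    return [name for name, (_, q) in queues.items() if q]
```

Giving Queue C a backlog at least as long as the run (a constant stream) means every slot goes to C and Queues A and B never send, which is the starvation case the section warns about.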

External Links:

Class based queuing on Wikipedia

Packet Queuing and Prioritization

© 2013 David Zientara. All rights reserved.