Traffic Shaping in pfSense: Part Five

Traffic shaping in pfSense

Configuring peer-to-peer networking settings in the pfSense traffic shaping wizard.

The next screen, “Peer-to-Peer Networking”, will let you set controls over many peer-to-peer (P2P) networking protocols. By design, P2P protocols will utilize all available bandwidth unless limits are put in place. If you expect P2P traffic on your network, it is a good practice to ensure that other traffic will not be degraded due to its use. To penalize P2P traffic in pfSense, start by checking the first check box at the top of the page.

Many P2P technologies will deliberately try to avoid detection. Bittorrent is especially guilty of this. It will often use non-standard or random ports, or even ports associated with other protocols. You can check the p2pCatchAll check box (the second check box on the page), which causes any unrecognized traffic to be treated as P2P traffic and have its priority lowered accordingly. You can set hard bandwidth limits for this traffic in the edit box underneath the catch-all rule. The upload and download bandwidth limits can be set in percentages, or in bits/kilobits/megabits/gigabits per second.

The remaining options consist of various known P2P protocols/applications. There are more than 20 in all. Check each one that you would like to be recognized. When you are done, press the Next button.

The next page covers network games settings. Many games rely on low latency to deliver a good online gaming experience. If someone tries to download large files or game patches while playing, then that traffic can easily swallow up the packets associated with the game itself and cause lags or disconnection. By checking the check box for prioritizing network gaming traffic (the first check box on the page), you can raise the priority of game traffic so that it will be transferred first and given a guaranteed chunk of bandwidth. There are many games listed here. Check all those which should be prioritized. Even if your game is not listed, you may still want to check a similar game (if there is one on the list) so that you will have a reference rule that you can alter later. When you are done configuring network gaming settings, press the Next button.

Traffic Shaping in pfSense: Part Three

Traffic shaping in pfSense

Entering information in the pfSense traffic shaper wizard.

If you want to invoke traffic shaping in pfSense, you can write your own rule set in PF, but in most cases, it’s easier to use the traffic shaper wizard. To get started with the traffic shaper wizard, navigate to Firewall -> Traffic Shaper in the pfSense web GUI and click on the Wizards tab. There are two options on the Wizards page: Multiple LAN/WAN and Dedicated Links. Even if you only have a single LAN-type interface, you should select Multiple LAN/WAN in most cases.

On the first page of the traffic shaper wizard, you will be prompted to enter the number of WAN and LAN-type connections. LAN-type connections are generally any non-WAN connections. For example, if we have a WAN, LAN and DMZ interface, then we have 1 WAN connection and 2 LAN connections. Once you have entered these, press the Next button.

Traffic Shaping in pfSense: Queueing Disciplines

The next page is where we set up the queueing disciplines for each local interface, as well as the upload and download bandwidths for each WAN connection. There are three options for queueing disciplines:


  • Priority Queueing (PRIQ): With priority queueing, your bandwidth is divided into separate queues. Each queue is assigned a priority level. A packet that has a higher priority level is always processed before a packet with a lower priority level. This makes priority queueing easy to understand, but it also means that lower priority traffic can be starved for bandwidth.
  • Class Based Queueing (CBQ): Class Based Queueing introduces the concept of a hierarchy of queues. As with PRIQ, your bandwidth is divided into separate queues, and each queue can be assigned a priority level. CBQ, however, differs from PRIQ in several significant ways. First, each top-level (parent) queue can be subdivided into child queues. These child queues can also be assigned priority levels. Second, each parent queue is assigned a bandwidth limit which it cannot exceed. Third, although child queues are also assigned bandwidth limits, they can borrow bandwidth from the parent queue if the bandwidth limit for the parent has not been reached. As a result, CBQ is a good option in cases where we want to ensure that lower priority traffic gets some bandwidth.
  • Hierarchical Fair Service Curve (HFSC): HFSC is the most sophisticated of the three queueing disciplines used by the pfSense traffic shaper. It provides a more granular means of bandwidth management than either PRIQ or CBQ on several counts. First, it can be set up so certain queues get a specified minimum slice of bandwidth. Second, priority levels can be set for handling excess bandwidth. For example, if we have queues 1 and 2 and queue 1 is divided into queues 1A and 1B, with 1A guaranteed 25 Mbps of bandwidth, we can set it up so the excess bandwidth from 1A goes first to 1B, and if 1B does not require the bandwidth, to 2. Third, HFSC uses a two-piece linear curve to reduce latency without over-reserving bandwidth, which makes HFSC a good option for applications that require both generous amounts of bandwidth and low latency, like VoIP and video conferencing.


Once we have set the queueing disciplines, we need to enter the upload and download bandwidth for each WAN interface and press the Next button.

We will continue our look at the pfSense traffic shaper wizard in the next article.

External Links:

PF: Packet Queueing and Prioritization at

Traffic Shaping in pfSense: Part Two

Traffic shaping in pfSense

Configuring interfaces in the pfSense traffic shaper wizard.

Wrapping a GUI around the underlying traffic shaping components in pfSense proved to be difficult. Lacking functionality in the underlying system in some areas also limits its capabilities. The traffic shaper was rewritten for pfSense 2.0 and accommodates multiple interfaces.

Traffic to the LAN IP is queued in the same manner as traffic traversing the firewall. If your web interface uses HTTPS, and your traffic shaper queue for HTTPS is filled, it will delay your traffic to the management interface the same as if your HTTPS request were going out to the Internet. If you use pings to the LAN IP from a monitoring system, you may see significant delay for the same reason.

In addition, the shaper is not capable of truly differentiating between protocols. Traffic using TCP port 80 is considered as HTTP, whether it’s really HTTP or a P2P application using port 80; traffic using port 443 is considered as HTTPS, and so on. This can be a significant problem in some cases.

Traffic Shaping in pfSense: A Brief Look at PF Rules

Traffic shaping functionality, as with everything else in pfSense, is provided by PF. If you’re willing to write your own rules, this gives you considerable flexibility in configuring traffic shaping. For example, consider the hypothetical from the first article in which there is a backlog of ACK packets on an asymmetric Internet connection. We want to alter the rule set so ACK packets have a higher priority than other packets, so we set up two separate data queues. The result might look something like this:


altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
    queue q_pri priority 7
    queue q_def priority 1 priq(default)

pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)

pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)

Here, a priority-based queue is set up on the external interface ($ext_if) with two subordinate queues. One subqueue has a high priority value of 7 (q_pri), while the other has a low priority value of 1 (q_def). Once a connection is assigned to the main queue, ALTQ inspects each packet’s type of service (ToS) field. ACK packets have the ToS Delay bit set to low, indicating that the sender wanted the speediest delivery possible. When ALTQ sees a low-delay packet and queues of differing priority are available, it will assign the packet to the higher-priority queue.
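The two-queue assignment described above, and the starvation caveat given for Priority Queueing in the Part Three article, can both be seen in a small Python model of PRIQ. This is an added illustration, not pf or pfSense code: it assumes the ToS low-delay bit is represented by a boolean flag on each packet, and it borrows only the queue names q_pri and q_def and the priorities 7 and 1 from the rule set above.

```python
from collections import deque


class PriqScheduler:
    """Strict-priority scheduler modelled on ALTQ's PRIQ.

    Each named queue has a priority; dequeue() always serves the highest-priority
    queue that has packets waiting, so a lower-priority queue is only served when
    every higher-priority queue is empty. Assumption of this model: a packet's
    ToS "low delay" bit is represented by the boolean `low_delay` key.
    """

    def __init__(self, priorities):
        self.priorities = dict(priorities)          # queue name -> priority (higher wins)
        self.queues = {name: deque() for name in self.priorities}

    def classify(self, pkt, assignment):
        # `assignment` mirrors `queue (q_def, q_pri)` in the pf rule: the first
        # queue takes ordinary packets, the second takes low-delay packets.
        default_q, lowdelay_q = assignment
        return lowdelay_q if pkt["low_delay"] else default_q

    def enqueue(self, pkt, assignment=("q_def", "q_pri")):
        self.queues[self.classify(pkt, assignment)].append(pkt)

    def dequeue(self):
        # Strict priority: scan queues from highest to lowest priority.
        for name in sorted(self.queues, key=self.priorities.get, reverse=True):
            if self.queues[name]:
                return self.queues[name].popleft()
        return None

    def backlog(self):
        return {name: len(q) for name, q in self.queues.items()}


def data_segment(n):
    # Constructed full-size TCP data segment; the ToS low-delay bit is clear.
    return {"kind": "data", "seq": n, "size": 1500, "low_delay": False}


def pure_ack(n):
    # Constructed empty ACK; the ToS low-delay bit is set, as the article describes.
    return {"kind": "ack", "seq": n, "size": 40, "low_delay": True}


def ack_first_demo(count=3):
    """Interleave data and ACK arrivals, then drain the link: ACKs go out first."""
    sched = PriqScheduler({"q_pri": 7, "q_def": 1})
    for n in range(count):
        sched.enqueue(data_segment(n))
        sched.enqueue(pure_ack(n))
    order = []
    while (pkt := sched.dequeue()) is not None:
        order.append(pkt["kind"])
    return order


def starvation_demo(rounds=10):
    """One data segment and one ACK arrive per round, but only one packet can be
    sent per round (the saturated upstream of an asymmetric link). The
    high-priority queue is always served, so the data queue grows without
    bound: PRIQ's starvation caveat."""
    sched = PriqScheduler({"q_pri": 7, "q_def": 1})
    for n in range(rounds):
        sched.enqueue(data_segment(n))
        sched.enqueue(pure_ack(n))
        sched.dequeue()
    return sched.backlog()


if __name__ == "__main__":
    print("drain order:", ack_first_demo())
    print("backlog after 10 saturated rounds:", starvation_demo())
```

Running it shows the ACKs leaving before any data segment, which is the fix for the ACK backlog the article discusses, and the second function shows the other side of strict priority: as long as q_pri keeps receiving packets, q_def is never served, which is why CBQ or HFSC is the better choice when lower-priority traffic must still get some bandwidth.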

For those of us who don’t want to be bothered manually rewriting the rules, there’s the traffic shaper wizard. You can access the traffic shaper wizard from the pfSense web interface by navigating to Firewall -> Traffic Shaper and clicking on the Wizard tab. It is generally a good idea to configure traffic for the first time using the wizard. If you need custom rules, you can always step through the wizard, approximate what you need, then make the custom rules afterward. Each screen will set up unique queues, and rules that will control what traffic is assigned into those queues. Should you want to configure everything manually, simply specify your WAN speed at the first screen, then click Next through all the remaining screens without configuring anything.

In the next article, we’ll step through the pfSense traffic shaper wizard.

External Links:

Traffic Shaping Guide at

Bandwidth Limiting with the pfSense Limiter


Creating a limiter in pfSense 2.1

Although we have covered a number of powerful features that are part of pfSense’s traffic shaping capabilities, we haven’t yet covered one of the most interesting and useful features: the ability to limit users’ upload and download speed. In this article, I will describe how to use the pfSense bandwidth limiter.

Using the Bandwidth Limiter

To invoke the bandwidth limiter, first navigate to Firewall -> Traffic Shaper, and click on the “Limiter” tab. At this tab, click on “plus” to add a new limiter. Check the “Enable limiter and its children” checkbox, and for the “Name” field, enter a name for the new limiter. At “Bandwidth“, click on the “plus” button to add a bandwidth limit. There are four options: “Bandwidth“, “Burst“, “Bw type” and “Schedule“. “Bandwidth” is the maximum transfer rate, while “Burst” is the total amount of data that will be transferred at full speed after an idle period and is apparently a new setting under pfSense 2.1. “Bw type” allows you to select between Kbit/s, Mbit/s, Gbit/s, and bit/s. “Schedule” does not seem to have any options.

In the next section, “Mask“, you can select “Source address” or “Destination address” in the drop down box. If either one is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size specified in the “Bandwidth” section will be created for each source or destination IP address encountered respectively. This makes it possible to easily specify bandwidth limits per host. In the next two fields, you can specify the IPv4 and IPv6 mask bits. At “Description“, you can enter a description, which will not be parsed.

Underneath “Description” is the “Show advanced options” button. Pressing this button reveals some additional settings. “Delay” allows you to specify a delay before packets are delivered to their destination (leaving it blank or entering 0 means there is no delay). “Packet loss rate” allows you to specify the rate at which packets are dropped (e.g. 0.001 means 1 packet per 1000 gets dropped). Again, you can leave this blank. “Queue size” allows you to specify a number of slots for the queue, and “Bucket size” allows you to set the hash size. Finally, press the “Save” button to save the limiter or “Delete virtual interface” to delete it. Press “Apply changes” on the next page to apply the changes.
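The effect of the “Mask” setting is easy to misjudge: without it, every host matched by the rule shares one pipe; with a source mask, each masked source address gets its own dynamic pipe with the full configured bandwidth, and the mask bits decide whether “each address” means a single host (/32) or a whole subnet (/24). The following Python model, added here as an illustration and not part of pfSense or dummynet, makes that visible. It simplifies each pipe to a per-second byte budget with tail drop rather than the real dummynet scheduler, and the host addresses, the 64 Kbit/s rate and the traffic burst are all constructed for the example.

```python
import ipaddress


class MaskedLimiter:
    """Bandwidth limiter with an optional dummynet-style address mask.

    Without a mask, every flow shares one pipe. With mask="source" or
    mask="destination", a separate pipe is created on demand for each masked
    address, which is what the pfSense "Mask" option does. Simplification
    (assumption of this example): each pipe is a per-second byte budget with
    tail drop, not the real dummynet scheduler.
    """

    def __init__(self, bw_bits_per_s, mask=None, mask_bits=32):
        if mask not in (None, "source", "destination"):
            raise ValueError("mask must be None, 'source' or 'destination'")
        self.budget_bytes = bw_bits_per_s // 8
        self.mask = mask
        self.mask_bits = mask_bits
        self.pipes = {}  # pipe key -> [tick, bytes remaining in that tick]

    def pipe_key(self, src, dst):
        if self.mask is None:
            return "*"  # one shared pipe for everything the rule matches
        addr = src if self.mask == "source" else dst
        # Apply the mask bits, so e.g. /24 groups a whole subnet into one pipe.
        return str(ipaddress.ip_network(f"{addr}/{self.mask_bits}", strict=False))

    def offer(self, tick, src, dst, nbytes):
        """Return True if the packet fits the pipe's budget for this tick, else drop it."""
        key = self.pipe_key(src, dst)
        state = self.pipes.get(key)
        if state is None or state[0] != tick:
            state = [tick, self.budget_bytes]  # new second: refill the budget
            self.pipes[key] = state
        if nbytes > state[1]:
            return False
        state[1] -= nbytes
        return True


def interleaved_burst(hosts, count, size=1500, dst="203.0.113.5"):
    # Constructed sample traffic: each host sends `count` full-size packets,
    # interleaved with the other hosts, all within the same second (tick 0).
    return [(0, h, dst, size) for _ in range(count) for h in hosts]


def accepted_per_host(limiter, packets):
    """Push a packet list through the limiter and count what each source got through."""
    counts = {}
    for tick, src, dst, nbytes in packets:
        counts.setdefault(src, 0)
        if limiter.offer(tick, src, dst, nbytes):
            counts[src] += 1
    return counts


def compare(bw_bits_per_s=64_000):
    """Same burst, same rate: one shared pipe versus one pipe per source host."""
    hosts = ["192.168.1.10", "192.168.1.20"]
    shared = accepted_per_host(MaskedLimiter(bw_bits_per_s),
                               interleaved_burst(hosts, 10))
    per_host = accepted_per_host(MaskedLimiter(bw_bits_per_s, mask="source"),
                                 interleaved_burst(hosts, 10))
    return shared, per_host


if __name__ == "__main__":
    shared, per_host = compare()
    print("no mask (one shared pipe):      ", shared)
    print("source mask /32 (pipe per host):", per_host)
```

With the shared pipe the 8000-byte budget admits five 1500-byte packets in total, split between the two hosts in arrival order; with a /32 source mask each host gets its own five. Setting mask_bits to 24 puts both hosts back into one pipe, which is the check to make when a per-host limit seems not to be taking effect.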


Creating a firewall rule to limit upload bandwidth. Note that we are using the limiter created in the previous step.

Now, the limiter that we just created should be available when we go to make or edit firewall rules. As an example, we can use the limiter created in the previous step to limit the upload bandwidth to 1 Gb/sec. Navigate to Firewall -> Rules, and click on the “LAN” tab. Press the “plus” button to add a new rule. Leave the “Action” as Pass, the “Interface” as LAN, and the “TCP/IP Version” as IPv4. The “Source” should be set to “LAN subnet”, and the “Destination” should be left as Type: any. After entering a “Description“, scroll down to advanced features and press the “Advanced” button next to “In/Out“, and set the “In” queue to the limiter created in the previous step. Then press “Save” to save the rule and “Apply changes” on the next page.

Now, the upload bandwidth on the LAN interface should be limited to 1 Gb/sec. When you navigate to Firewall -> Rules and click on the “LAN” tab, you should see a small purple circle next to the newly-created rule, indicating that the rule invokes the limiter. If you wanted to limit the download bandwidth, this could easily be done; just create another limiter specifying the maximum download bandwidth, and set the “Out” queue in the rule to the new limiter (or if you just want to make the upload and download bandwidth the same, use the original limiter).

Other Articles in This Series:

Traffic Shaping in pfSense: What it Does
Traffic Shaping Wizard: Introduction
Queue Configuration in pfSense 2.1
Traffic Shaping Rules in pfSense 2.1
Layer 7 Rules Groups in pfSense 2.1
Deep Packet Inspection Using Layer 7 Traffic Shaping

External Links:

PFSense 2.0 – Limiting users Upload and Download Speeds by Limiting Bandwidth at

pfSense 2.0 – Limit Download & Upload bandwidth per IP at YouTube

© 2013 David Zientara. All rights reserved.