Traffic Shaping in pfSense: Part Four


Configuring VoIP settings in pfSense 2.2.4. Note that you can guarantee upload and download bandwidth with the traffic shaper wizard.

Once you have entered the queueing disciplines and connection speeds in the traffic shaper wizard, there are a number of other options to configure. The next is Voice over IP, and there are several options available for handling VoIP traffic. The first choice, the Prioritize Voice over IP traffic check box, is self-explanatory: it enables the prioritization of VoIP traffic, and this behavior can be fine-tuned by the other settings on the same page. First, you can choose your VoIP provider:

 

  • VoicePulse: A U.S.-based VoIP provider founded in 2003. VoicePulse provides not only home phone services, but also business PBX services and enterprise-level SIP trunking.
  • Vonage: Another U.S.-based VoIP provider founded in 2001. Their most popular plan, Vonage World, offers unlimited international calling to over 60 countries for a flat monthly rate. Vonage supplies an analog telephone adapter with which the customer can connect standard analog telephones to the Internet.
  • Panasonic TDA: Panasonic’s VoIP PBX solution, done via a T1 or E1, and which provides mobile phone integration and BRI or PRI ISDN capability.
  • Asterisk: Open-source VoIP software which includes many features available in proprietary PBX systems: voice mail, conference calling, interactive voice response, and automatic call distribution. Although initially developed in the United States, it has become popular worldwide because it is freely available under open-source licensing and has a modular, extensible design.

If you have a different provider, you can choose Generic, or override this setting with the Address field by entering the IP of your VoIP phone or an alias containing the IPs of all your phones.

There is also an edit box in which you can enter the IP address of the upstream SIP server. If you do, the information in the Provider field will be overridden. You can also use a firewall alias in this field.

You may also choose the amount of upload and download bandwidth to guarantee for your VoIP phones. This will vary based on how many phones you have, and how much bandwidth each session will utilize. When you have finished entering the provider information and upload/download bandwidth, you can press the Next button.

The next page allows you to configure settings for the penalty box. This is a place to which you can relegate misbehaving users or devices that would otherwise consume more bandwidth than desired. These users are assigned a hard bandwidth cap which they cannot exceed. Check the check box at the top of the page to enable this feature, enter an IP or alias in the address box, and then enter upload and download limits in kilobits per second in the appropriate edit boxes. It does not appear that you can type multiple IP addresses in the Address edit box, so if you want to penalize multiple hosts, you will have to create an alias.

Once you are finished configuring penalty box settings, you can press the Next button and move on to configuring settings for peer-to-peer networking, which will be covered in the next article.

External Links:

Traffic Shaping at Wikipedia
Voice over IP at Wikipedia

Traffic Shaping in pfSense: Part One

Traffic Shaping with pfSense

Using the traffic shaping wizard in pfSense 2.2.4.

Traffic shaping, otherwise known as network Quality of Service (QoS), is a means of prioritizing the network traffic crossing your firewall. Without traffic shaping, all packets are processed on a first in/first out basis by your firewall. QoS offers a means of prioritizing different types of traffic, ensuring that high priority services receive the bandwidth they need before lesser priority services. The traffic shaper wizard in pfSense gives you the ability to quickly configure QoS for common scenarios, and custom rules may also be created for more complex tasks.

Traffic shaping is essentially like a gatekeeper in which important packets are prioritized, while regular packets have to wait, and low-priority packets are kept out until there is not enough higher-priority traffic to use up the bandwidth.

There are traffic shaping queues and traffic shaping rules. The queues are where bandwidth and priorities are actually allocated. Traffic shaping rules control how traffic is assigned into those queues. Rules for the shaper work in a similar way to firewall rules, and allow similar matching characteristics. If a packet matches a shaper rule, it will be assigned into the queues specified by that rule.

The idea of raising or lowering the priority of packets is a simple one, but one which has many possible applications. Here are a few ways in which traffic shaping can be used.

Traffic Shaping in pfSense: Prioritizing ACK Packets

Asymmetric Internet connections (where the download speed differs from the upload speed, usually in such a way that download speed > upload speed) are commonplace, especially with DSL. Some links are so out of balance that the maximum download speed is almost unattainable because it is difficult for the client to send back enough ACK packets to keep traffic flowing. ACK packets are transmitted back to the sender by the receiver to indicate that data has been successfully received, and to signal that it is OK to send more. If the sender does not receive ACKs in a timely manner, TCP’s congestion control will be invoked and it will slow down the connection.

This can happen if you are uploading and downloading simultaneously over an asymmetric connection. The uploading part of the circuit is full from the file upload, and there is little room to send the ACK packets which allow downloads to keep flowing. By using the shaper to prioritize ACK packets, you can achieve faster, more stable download speeds on asymmetric links. [This is not as important on symmetric links, but it may still be desirable if the available outgoing bandwidth is heavily utilized.]

Traffic Shaping in pfSense: VoIP, Online Gaming and Peer-to-Peer Traffic

If your VoIP calls use the same circuit as data, then uploads and downloads may degrade your call quality. pfSense can prioritize the call traffic above other protocols and ensure that the calls make it through clearly without breaking up. If there are other transfers occurring simultaneously when the VoIP call is in progress, the speed of the other transfers will be reduced to leave room for the calls.

There are also options in pfSense to give priority to the traffic associated with network gaming. Similar to prioritizing VoIP calls, the effect is that even if you are downloading while playing, the response time of the game should be nearly as fast as if the rest of your connection were idle.

In addition, by lowering the priority of traffic associated with known peer-to-peer ports, you will have the assurance that even if these programs are in use, they won’t hinder other traffic on your network. Due to peer-to-peer traffic’s lower priority, other protocols will be favored over P2P traffic, which will be limited when any other services need the bandwidth.

In the next article, we will discuss some of the limitations of pfSense’s traffic shaper.

External Links:

Traffic Shaping at Wikipedia

QoS Management Using the Traffic Shaper Wizard

In this article, we will go through the pfSense traffic shaper wizard to achieve quality of service (QoS) goals and cover some of the options which are configurable through the wizard.

QoS Management: Queueing Disciplines and Bandwidth


Specifying the number of WAN connections in the wizard.

In the wizard, you first have to specify the number of WAN connections and, if you selected multi LAN, the number of LAN connections. On the next screen, there are several more options. At “Download Scheduler”, there are three options for the queueing discipline: HFSC (Hierarchical Fair Service Curve), which is designed to keep link delay low while not over-reserving bandwidth; CBQ (Class-Based Queueing), which allows bandwidth to be shared equally among different classes; and PRIQ (Priority Queueing), which allows different priority levels to be assigned to classes. Under “Setup connection speed and scheduler information for WAN #n”, at “Interface” you select a valid interface. At “Upload Scheduler”, you choose a queueing discipline (again, the options are HFSC, CBQ and PRIQ). Finally, the “Connection Upload” and “Connection Download” speeds must be entered.

QoS Management: VoIP, P2P, and Network Games


Configuring VoIP traffic with the wizard in pfSense 2.1.

On the next screen, there are various QoS options for VoIP traffic. The first checkbox, “Prioritize Voice over IP traffic”, is self-explanatory. The “Provider” drop-down box allows you to specify your VoIP provider. There are a few well-known providers, including Vonage, Voicepulse, and PanasonicTDA, and there’s Asterisk as well, in case you connect to an Asterisk server. If you have a different provider, you can choose “Generic”, or override this setting with the “Upstream SIP Server” field by entering the IP of your VoIP phone or an Alias containing the IPs of all your phones. With the next two fields, “Upload bandwidth for each WAN” and “Download bandwidth (speed) for Voice over IP phones”, you can choose the amount of bandwidth to guarantee to your VoIP phones. The amount of bandwidth you actually use will vary based on how many phones you have and how much each session will use.


The next screen contains options for the “Penalty Box”. The penalty box is a place where you can relegate misbehaving users or devices that would otherwise consume more bandwidth than desired. Click on the “Enable” checkbox to enable this feature, and enter the IP address of the computer to penalize at “Address”. At the “Bandwidth” field, enter the limit you wish to apply.


Configuring P2P options in the wizard.

The next screen covers “Peer to Peer networking”. Click on the “Enable” checkbox to lower the priority of P2P traffic below all other traffic. By design, P2P protocols and software will utilize all available bandwidth unless limits are put in place. If you expect P2P traffic on your network, it is a good idea to ensure that other traffic will not suffer degradation of QoS due to its use.

Many P2P technologies will deliberately try to avoid detection; BitTorrent is a good example of this. It often utilizes non-standard or random ports, or ports associated with other protocols. You can check the “p2pCatchAll” checkbox, which will cause any unrecognized traffic to be assumed to be P2P traffic and its priority lowered accordingly. You can also set hard bandwidth limits for this traffic in the “Bandwidth” field underneath the “p2pCatchAll” checkbox. Below this is the “Enable/Disable specific P2P protocols” section. Here you can enable or disable specific services; there are about 20 listed, including BitTorrent, DCC, Gnutella, and others.

The next page covers network games. Many games require low latency to deliver a good online gaming experience and good QoS. Other traffic, such as downloading large files, can easily swallow up the packets associated with the game itself and cause lag or disconnections. By checking the “Enable” checkbox at the top of the page, you can raise the priority of game traffic so that it will be transferred first and given a guaranteed chunk of bandwidth. Beneath that is a section called “Enable/Disable specific games”. There are many games listed here, including Call of Duty, Doom 3, Halo 2, Quake 3 and 4, and World of Warcraft. Even if your game is not listed, you may want to check a similar game so that you have a reference rule you can modify later.


QoS Management: Everything Else

Next is the “Raise or lower other Applications” page, which lists many other commonly available applications and protocols. How these protocols should be handled will depend on the environment that your pfSense box will be protecting. Applications such as VNC and PCAnywhere (both popular remote access programs) and IRC and Teamspeak (popular messaging programs) can be raised or lowered in priority (or kept at the default level), as can protocols such as PPTP, IPsec, HTTP, SMTP, POP3 and IMAP. If you enabled p2pCatchAll, you will want to use these options to ensure that these other protocols are recognized and treated normally, rather than being penalized by the default p2pCatchAll rule.

Once you finish configuration on the “Raise or lower other Applications” screen and press the “Next” button, all the rules and queues will be created, but not yet in use. By pressing the “Finish” button on the final screen, the rules will be loaded and active. Shaping will now be applied to all new connections. Due to the stateful nature of the shaper, however, only new connections will have the new rules applied; existing states keep the queue they were assigned when they were created. In order for the new configuration to be fully active on all connections, you must clear the states. To do this, navigate to Diagnostics -> States, click the “Reset States” tab, check “Firewall state table”, then press the “Reset” button.

Now that you have enabled the traffic shaper, you can view the rules and queues defined when you invoked the wizard by navigating to Firewall -> Traffic Shaper and clicking on the different tabs. There should be a tree on the left side of the page; clicking on different parts of the tree should show different relevant QoS settings. For example, clicking on “qVoIP” will show the settings for the VoIP queue. But there will be more about this in a future blog posting.

Other Articles in This Series:

Traffic Shaping in pfSense: What it Does
Traffic Shaping Wizard: Introduction
Queue Configuration in pfSense 2.1
Traffic Shaping Rules in pfSense 2.1
Layer 7 Groups in pfSense 2.1
Bandwidth Limiting with the pfSense Limiter
Deep Packet Inspection Using Layer 7 Traffic Shaping

External Links:

Traffic Shaping Guide at doc.pfsense.org


Traffic Shaping in pfSense: What it Does

Traffic shaping is a computer network traffic management technique designed to delay some or all datagrams to bring them into compliance with a traffic profile. Without traffic shaping, packets are processed on a first in/first out basis by the firewall. Traffic shaping, or Quality of Service (QoS), offers a means of prioritizing different types of traffic. This ensures that higher priority services receive the bandwidth they need before lesser priority services. This helps to optimize or guarantee performance, improve latency, and/or increase usable bandwidth for some kinds of packets by delaying other kinds.

Another way of managing computer traffic is traffic policing. The difference between policing and shaping is that traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate, excess traffic is dropped or remarked. The result is an output rate that appears on a graph as a saw-tooth with crests and troughs. In contrast to policing, traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time. The result of traffic shaping is a smoothed packet output rate.


For purposes of this discussion, we are concerned mainly with traffic shaping in pf (and therefore pfSense). The way traffic shaping is accomplished in pf is that incoming traffic from the Internet going to a host on the LAN is actually shaped coming out of the LAN interface from the pfSense system. In the same manner, traffic going from the LAN to the Internet is shaped when leaving the WAN. This is because traffic has to be limited in a place where pf/pfSense can actually control the flow of data.

There are two means by which traffic shaping is accomplished: traffic shaping queues and traffic shaping rules. The queues are where bandwidth and priorities are actually allocated, while traffic shaping rules control how traffic is assigned into those queues. If a packet matches a shaper rule, it will be assigned into the queues specified by that rule. In that manner, traffic shaping rules are similar to firewall rules, with matching criteria and with outcomes dictated based on whether a packet matches the criteria.

Traffic Shaping: Reasons

The primary reasons you would use traffic shaping are to control access to available bandwidth, to ensure that traffic conforms to the policies established for it, and to regulate the flow of traffic in order to avoid congestion that can occur when the sent traffic exceeds the access speed of its target (remote) interface. Here are some examples why you might want to use traffic shaping:

  • Control access to bandwidth when policy dictates that the rate of a given interface should not, on average, exceed a certain rate even though the physical access rate of the interface is higher.
  • If the network has differing access rates. Suppose that one end of the link in a Frame Relay network runs at 256 kbps and the other end of the link runs at 128 kbps. Sending packets at 256 kbps could cause failure of the applications using the link.
  • If you offer a subrate service. In this case, traffic shaping enables you to use the router to partition your T1 or T3 links into smaller channels.
  • Smoothing out asymmetric links, where the download speed differs from the upload speed (such as DSL connections). Some links are so out of balance that the maximum download speed is unattainable because it is difficult to send out enough ACK packets to keep traffic flowing. By using the traffic shaper to prioritize ACK packets you can achieve faster and more stable download speeds on asymmetric links.
  • Prioritizing VoIP calls. If your VoIP calls use the same circuit as data, then uploads and downloads may degrade your call quality. pf/pfSense can prioritize the call traffic above other protocols and ensure the calls make it through without breaking up.
  • Network gaming. There are also options to give priority to the traffic associated with network gaming, even if you are downloading while playing.
  • P2P applications. By lowering the priority of traffic associated with known peer-to-peer ports, pf/pfSense ensures that P2P applications will not interfere with other traffic on your network.


Other Articles in This Series:

Traffic Shaping Wizard: An Introduction
QoS Management Using the Traffic Shaper Wizard
Queue Configuration in pfSense 2.1
Traffic Shaping Rules in pfSense 2.1
Layer 7 Groups in pfSense 2.1
Bandwidth Limiting with the pfSense Limiter
Deep Packet Inspection Using Layer 7 Traffic Shaping

External Links:

Traffic shaping at Wikipedia

Comparing Traffic Policing and Traffic Shaping for Bandwidth Limiting [QoS Policing] at www.cisco.com


pfSense Traffic Shaping: Part One


The traffic shaping wizard page in the pfSense web GUI.

Traffic shaping (also known as “packet shaping”, or “Quality of Service” [QoS]) is a computer network traffic management technique which prioritizes some datagrams while delaying other datagrams to bring them into compliance with a desired traffic profile. It is a form of rate limiting (a method of controlling traffic by which traffic that exceeds a specified rate is dropped or delayed) and is used to optimize or guarantee performance, improve latency, and/or increase usable bandwidth for some kinds of packets by delaying other kinds. It is widely used for network traffic engineering, and often appears in ISPs’ networks as one of several Internet Traffic Management Practices (ITMPs).

pfSense Traffic Shaping: An Example


Configuring VoIP settings in the pfSense traffic shaping wizard.

In the following example, we will use pfSense traffic shaping to limit VoIP throughput to 125 kbps. First, navigate to Firewall -> Traffic Shaper. Select the “Wizards” tab. From the Wizards table, click on “Single WAN multi LAN”. [Assume we have a LAN and a DMZ.] On the next page, at “Enter number of LAN type connections”, enter “2”. At “Link Upload”, type the upload bandwidth (remembering to select either Kbit/s, Mbit/s, or Gbit/s in the drop-down boxes), and at “Link Download”, type the download bandwidth. Leave the other settings unchanged and click the “Next” button.

The next page deals with VoIP settings. At “Enable”, click on the check box to prioritize VoIP traffic. Under “VOIP specific settings”, assume we’re using Asterisk for VoIP and at “Provider” select “Asterisk/Vonage”. Set “Upload Speed” to 125 Kilobit/s, and set “Download Speed” to 125 Kilobit/s. Leave the other settings unchanged and click the “Next” button.


The next page, “PenaltyBox”, allows us to reduce the priority of an IP address or alias. We will assume that we have no use for this feature right now and click on the “Next” button.


The final page in the pfSense traffic shaping wizard

The next page is for peer-to-peer networking and allows you to lower the priority and/or disable about 20 different specific P2P protocols. There is also a “P2P Catch all” queue which allows us to place all uncategorized traffic into the P2P queue. Again, we will assume that we have no use for this feature now and click on the “Next” button.

The next page is for network games, and allows us to raise the priority of gaming traffic and/or enable/disable specific games (e.g. Call of Duty, Unreal Tournament, World of Warcraft, and several others). Again we will click the “Next” button.

The final page, “Other Applications”, allows us to shape other common types of traffic. These include remote access programs like PC Anywhere, messaging programs like IRC and Teamspeak, VPN traffic, and other programs. Click on the “Next” button. On the next page, click the “Finish” button to apply the new settings.

We now have used pfSense traffic shaping to prioritize VoIP traffic while also limiting the amount of VoIP throughput to 125 Kbit/s. In part two of this series on traffic shaping, I will cover the Hierarchical Fair Service Curve, one of several traffic shaping algorithms supported by pfSense. In part three, I will cover class based queuing and priority queuing.
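As an added illustration (not code from these articles, and not the rule set pfSense itself generates), the queue tree and shaper rules the wizard walkthrough above builds, including this part's 125 Kbit/s VoIP guarantee, can be written out in plain pf.conf ALTQ syntax. Interface names em0/em1, link speeds, host addresses, port ranges and every queue name except qVoIP are assumptions.

```pf
# Added example in FreeBSD pf ALTQ syntax (the pf flavour used by pfSense
# 2.1/2.2). Not pfSense's generated rules: em0 (WAN), em1 (LAN), the
# 1 Mbit up / 10 Mbit down link, all addresses and ports, and every
# queue name except qVoIP are assumed for illustration.

wan = "em0"
lan = "em1"
voip_phones   = "{ 192.168.1.20, 192.168.1.21 }"   # constructed phone IPs
penalty_hosts = "{ 192.168.1.99 }"                 # constructed penalty-box host

# Upload: LAN -> Internet traffic is shaped where pf controls the flow,
# i.e. as it leaves the WAN interface. One HFSC root per interface.
altq on $wan hfsc bandwidth 1Mb queue { qACK, qVoIP, qDefault, qPenalty, qP2P }

# Empty ACK segments get a reserved share so downloads keep flowing
# on an asymmetric link.
queue qACK     on $wan bandwidth 20%   priority 6 hfsc( realtime 15% )
# VoIP: realtime guarantees 125 Kbit/s whatever else is running;
# upperlimit caps it at the same figure (the "limit VoIP to 125 kbps" case).
queue qVoIP    on $wan bandwidth 125Kb priority 7 hfsc( realtime 125Kb upperlimit 125Kb )
# Unmatched traffic lands in the queue flagged "default". With the wizard's
# p2pCatchAll the flag would sit on qP2P instead, so anything not
# explicitly recognised is treated as P2P.
queue qDefault on $wan bandwidth 40%   priority 3 hfsc( default )
# Penalty box: a hard cap the listed hosts cannot exceed.
queue qPenalty on $wan bandwidth 5%    priority 1 hfsc( upperlimit 64Kb )
# P2P: small share, borrows only when nothing else needs the bandwidth.
queue qP2P     on $wan bandwidth 5%    priority 1 hfsc( linkshare 5% )

# Download: Internet -> LAN traffic is shaped leaving the LAN interface,
# so the same tree (same names) is defined there against the download rate.
altq on $lan hfsc bandwidth 10Mb queue { qACK, qVoIP, qDefault, qPenalty, qP2P }
queue qACK     on $lan bandwidth 20%   priority 6 hfsc( realtime 15% )
queue qVoIP    on $lan bandwidth 125Kb priority 7 hfsc( realtime 125Kb upperlimit 125Kb )
queue qDefault on $lan bandwidth 40%   priority 3 hfsc( default )
queue qPenalty on $lan bandwidth 5%    priority 1 hfsc( upperlimit 64Kb )
queue qP2P     on $lan bandwidth 5%    priority 1 hfsc( linkshare 5% )

# Shaper rules: firewall-style matching decides the queue. They are placed
# on the LAN inbound side (before NAT rewrites the source address); pf keeps
# the queue name in the state and uses the same-named queue on whichever
# shaped interface a packet of that state leaves. "quick" lets the specific
# rules win; otherwise pf applies the last matching rule.
pass in quick on $lan from $penalty_hosts to any queue qPenalty
# SIP signalling plus the RTP media range (10000-20000 is Asterisk's
# default; adjust to your PBX).
pass in quick on $lan proto udp from $voip_phones to any port 5060 queue qVoIP
pass in quick on $lan proto udp from $voip_phones to any port 10000:20000 queue qVoIP
# Known P2P ports (BitTorrent's default range, as an example).
pass in quick on $lan proto { tcp, udp } from $lan:network to any port 6881:6999 queue qP2P
# Everything else: payload in qDefault; for TCP, ACKs with no payload and
# TOS lowdelay packets go to the second queue, qACK (last match wins here).
pass in on $lan from $lan:network to any queue qDefault
pass in on $lan proto tcp from $lan:network to any queue (qDefault, qACK)

# Existing states keep the queue they were created with, so after loading
# the rules (pfctl -f) reset the state table (Diagnostics -> States in the
# GUI) to move all connections onto the new assignments.
```

`pfctl -s queue -v` shows per-queue packet and byte counters, which is the quickest way to confirm that phone traffic is actually landing in qVoIP rather than the default queue.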


External Links:

Traffic Shaping Guide at doc.pfsense.org (with links)

© 2013 David Zientara. All rights reserved.