Traffic Shaping Rules in pfSense 2.1

Creating traffic shaping rules in pfSense 2.x is handled a bit differently than in previous versions of pfSense. In the old pfSense, traffic shaping rules were controlled by navigating to Firewall -> Traffic Shaper, clicking on the “Rules” tab, and then adding or editing rules as needed. Now, all rules, whether they invoke traffic shaping queues or not, are controlled by navigating to Firewall -> Rules.

An Example: Creating Traffic Shaping Rules for BitTorrent

Adding a traffic shaping rule to put BitTorrent traffic into the P2P queue in pfSense 2.1.

The option to place traffic into a queue can be found by scrolling down to “Advanced Features” and pressing the “Advanced” button next to Ackqueue/Queue. To illustrate the process, let’s create traffic shaping rules that explicitly direct BitTorrent traffic coming in and out of a specific port into the P2P queue. Although we’re doing it here just to illustrate the process, if you are using BitTorrent, there may be a legitimate reason to make a special rule for this traffic.

pfSense relies primarily on ports, rather than on examining the packets, to tell which program the traffic appears to belong to. Since BitTorrent relies on non-standard ports, it is quite possible that such traffic will not automatically go into the P2P queue. There is a way of identifying traffic based on the content of the packets instead of just the source or destination ports, known as layer 7 shaping (deep packet inspection). This feature is only found in pfSense version 2.0 and newer. Layer 7 shaping will be the subject of a future article, but for purposes of this exercise, we will assume that this is not an option.

Therefore, we will take the following measures: [1] use the P2P Catchall rule; [2] treat the default queue as low priority; and [3] make rules for each type of traffic you want.

Configuring the queues under Advanced Settings at Firewall -> Rules.

The P2P Catchall rule is added by using the traffic shaper wizard, which was covered in a previous article, and editing queue settings was also covered in a previous article, so I will focus on making rules to cover BitTorrent traffic.

To begin, we will go to Firewall -> Rules and click on “plus” to add a firewall rule. We want to leave the “Action” as Pass, and choose WAN as the “Interface”. For “TCP/IP Version”, we will select IPv4+IPv6. We’ll leave the “Protocol” as TCP and leave “Source” unchanged. For “Destination”, we’ll select “Single host or alias” and type in the address of the target computer (in this case, 192.168.1.10). For “Destination port range”, we will put our BitTorrent port (22453). We will not log packets, but we will enter a brief “Description”. Scrolling down to “Advanced Features”, press the “Advanced” button next to “Ackqueue/Queue”. Select “qACK” for the Ackqueue and “qP2P” for the queue. [This assumes we set up a P2P queue earlier.] Then press the “Save” button to save the rule and press “Apply changes” on the next page.


Now we have a rule to handle incoming BitTorrent traffic, but there is also outgoing traffic, and we want to set up a rule to handle that as well. To do so, click on the “plus” button. We will keep most of the settings for the previous rule, but we will change “Interface” to LAN and “Destination” to WAN subnet. We will again specify 22453 for the “Destination port range” and “qACK” and “qP2P” for the queues. Again, press “Save” to save the rule and “Apply changes” on the next page.

Now, we have traffic shaping rules for both incoming and outgoing BitTorrent traffic on port 22453 configured, thus ensuring that traffic on that port will go into the P2P queue. You’ll want to enable the P2P Catchall queue if you didn’t already, and limit the bandwidth used by the default queue, but otherwise, we should be set up to handle BitTorrent on our chosen port.
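The following is an added example, not pfSense code and not part of the original article: a small model of the two rules above that shows which queue a connection's first packet lands in, including traffic the port-based rules miss. The WAN network `203.0.113.0/24`, the default queue name `qDefault`, and the `classify` helper are assumptions; “WAN subnet” is modeled as the network attached to the WAN interface.

```python
"""Model of the two port-based shaping rules above (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_SUBNET = "203.0.113.0/24"   # assumed WAN interface network (documentation range)
DEFAULT_QUEUE = "qDefault"      # assumed name for the shaper's default queue


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet enters on: "WAN" or "LAN"
    proto: str
    dst: str
    dst_port: int
    pure_ack: bool = False  # TCP ACK carrying no payload


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    dst_net: str
    dst_port: int
    queue: str
    ackqueue: str

    def matches(self, p: Packet) -> bool:
        # Every field must match: interface, protocol, destination, port.
        return (p.iface == self.iface and p.proto == self.proto
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.dst_port == self.dst_port)


# The two rules from the article: incoming on WAN, outgoing on LAN.
RULES = [
    Rule("WAN", "tcp", "192.168.1.10/32", 22453, "qP2P", "qACK"),
    Rule("LAN", "tcp", WAN_SUBNET, 22453, "qP2P", "qACK"),
]


def classify(p: Packet, rules=RULES) -> str:
    """Return the queue for a packet; the first matching rule wins."""
    for r in rules:
        if r.matches(p):
            # Payload-free ACKs go to the Ackqueue, everything else to the queue.
            return r.ackqueue if p.pure_ack else r.queue
    return DEFAULT_QUEUE  # unmatched traffic falls through to the default queue
```

Packets on any other port, or outgoing packets to a peer outside the modeled WAN network, fall through to the default queue, which is why the article also recommends the P2P Catchall rule and a low-priority default queue.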


Other Articles in This Series:

Traffic Shaping in pfSense: What it Does
Traffic Shaping Wizard: Introduction
QoS Management Using the Traffic Shaper Wizard
Queue Configuration in pfSense 2.1
Layer 7 Groups in pfSense 2.1
Bandwidth Limiting with the pfSense Limiter
Deep Packet Inspection Using Layer 7 Traffic Shaping

External Links:

pfSense Bandwidth Management – How to Configure the Traffic Shaper at hubpages.com

Comments

  1. Bjarte Odin Kvamme says:

    Hi,

    I am having some trouble having my traffic recognized correctly.

    I am using an online backup service that sends all their traffic over port 443, which puts it into the OthersHigh queue in pfSense. Obviously, this is not ideal, as the bulk upload significantly reduces my secure site browsing. I have now limited the upload speed in the program, but ideally I would want it to run at full speed whenever there is no traffic, and that is not possible in the backup software.

    Current Setup:
    alias: jotta – with three confirmed server IPs
    Protocol source port destination port gateway queue
    WAN Rule: IPv4 TCP jotta * 192.168.4.8 * * qACK/qP2P
    LAN Rule: IPv4 TCP 192.168.4.8 * jotta * * qACK/qP2P

    But this is not working, as the traffic is still being queued in qOthersHigh. I have placed the rules at the top of the floating rules section.

    Any advice would be greatly appreciated!

  2. Do you mind if I quote a few of your articles as long as I provide credit and sources back to your weblog? My blog site is in the very same area of interest as yours and my users would really benefit from a lot of the information you provide here. Please let me know if this is ok with you.

    Thanks a lot!

© 2013 David Zientara. All rights reserved. Privacy Policy