pfSense Bandwidth Management - How to Configure the Traffic Shaper
By Sam Kear

Effective bandwidth management is critical to the performance of any network. Most networks share a single internet connection between many users. The biggest problem on a shared network is that one user could potentially consume all of the available internet bandwidth and slow down the connections for all of the other users as a result. High bandwidth users can create an even bigger issue if your network has critical traffic such as VOIP that depends on having enough bandwidth to function. The solution to problems like this is to implement a traffic shaping system. Traffic shaping can prioritize your important or time critical network traffic to guarantee performance and at the same time throttle less important traffic. In this hub I will show you how to use pfSense, an open source firewall, to configure traffic shaping to manage your network's bandwidth. If you are unfamiliar with pfSense you might want to read through an Introduction to pfSense first.

Finding High Bandwidth Users

In order to properly manage bandwidth usage with traffic shaping you need to determine who is using the most bandwidth, and what it is being used for. pfSense offers a package called Darkstat that can quickly give you a view of what is taking place on your network. Darkstat creates a list of hosts sorted by total upload and download traffic usage. You can also drill down on this report to see which TCP or UDP ports make up the usage. This information can be used to determine whether a traffic shaper will help your network, and if so which ports you should be shaping.

Configuration Steps

The instructions in this hub were created for pfSense version 2.0. If you haven't upgraded to the latest version I would recommend doing so first. The traffic shaper in version 2.0 has many improvements over the previous version. In the sections below I have included a screenshot of each step of the setup process and a description of each page. After completing these steps you will have a fully functional traffic shaper for your home or corporate network.

Run the Shaper Wizard

To get started, log in to your pfSense system using the web interface. Next open up the traffic shaper menu found under the firewall tab.

pfSense allows you to manually configure the traffic shaper, although I would recommend using the traffic shaper wizard and then tweaking things if needed. Click on the wizards tab then select the wizard link that matches your current setup. My pfSense system is set up as a dual WAN router so I will be using the Single LAN multi WAN wizard. If you only have a single WAN and LAN connection you should also use this wizard.

[Screenshot: Traffic Shaper Wizard]

Specify WAN Connections

On the next step you need to enter the number of WAN connections on your router. If you have a single WAN router just enter 1. If you have a dual WAN router you would enter 2. If you are not sure how many interfaces are configured click on the status tab, then select interfaces.

[Screenshot: Enter the number of WAN connections]

Shaper Configuration

On the shaper config page the first thing you need to do is select the LAN scheduler. I would recommend using the default which is HFSC (Hierarchical Fair Service Curve). If you need only very basic shaping you could use PRIQ (Priority Queuing) which is simple to modify but not as efficient. In the connection upload box it is generally recommended to enter 97% of the connection's maximum bandwidth. For example if your ISP provides you with a 1Mbps (1000Kbps) upstream then you would multiply 1000 x 97% to get 970Kbps. This will ensure that packets are queued on your pfSense system instead of an upstream router which you have no control over. In the connection download box enter the maximum download speed of the connection. If you are unsure what your connection speed is, contact your ISP or use an online speed test to get an estimate. You may need to slightly tweak these settings to find the optimal configuration for your connection.

[Screenshot: Shaper configuration]

Voice Over IP Settings

If you are using VOIP phones you will probably want to prioritize the traffic sent by the phones. Click the check box to enable this setting, then select your VOIP provider from the list. If your provider is not listed choose 'generic', then enter the IP of your VOIP phone. If you have multiple VOIP phones on your network you can create an alias (Firewall \ Aliases) that consists of multiple hosts. If you are not using VOIP leave this setting disabled and click next.

[Screenshot: VOIP Settings]

Penalty Box

If you have one or more hosts on your network that are using most of the bandwidth you can place them in a "penalty box" to limit their usage to a certain percentage of available bandwidth. As in the previous setting, if you need to list more than one host you will need to create an alias.

[Screenshot: Penalize Specific IP Addresses]

Peer to Peer Networking

In this section of the wizard you can specify whether or not you want peer to peer networking traffic to be given a lower priority. Almost everyone will want to enable this setting since P2P traffic is often the largest user of internet bandwidth on a network. Enable the check boxes next to each application that you want the traffic shaper to look for on your network.

[Screenshot: Peer to Peer Network Settings]

You can also enable the P2P catch all setting to penalize uncategorized traffic. If this setting is enabled any traffic not specifically classified in the traffic shaper will be considered P2P traffic. Generally I don't like to use this setting because I feel that it is too broad, but if you want to take an aggressive approach to packet shaping you can enable this setting. If there is a specific protocol you need to block that isn't listed I'll show you how to manually create a rule later in this guide.

Prioritize Game Traffic

On the network games page you can grant game traffic priority on the network. This is very useful for lowering the latency of game traffic which is very time sensitive. With this setting enabled users on the network can still be uploading/downloading files without impacting users playing games. For example players of MMORPG games like World Of Warcraft can improve their ping times by enabling this option.

[Screenshot: Network Games Settings]

Other Applications

You can also raise or lower the priority assigned to different applications on an individual basis. Most of the options on this page depend on the applications in use on your network. Most users will probably want to raise the priority of HTTP, DNS, and ICMP. Depending on how important email is to your network you could raise or lower its status in the queue.

[Screenshot: Raise or lower other Applications]

Customizing the Rules

If the wizard did not list an application or protocol that you want to traffic shape you can add or edit the rules created by the wizard as needed. The rules created by the shaper are found on the Firewall \ Rules page. Click on the tab labeled 'floating' and you should see a list of rules generated by the wizard. If you don't see the rules, run the wizard again and make sure the applications were enabled; sometimes you need to deselect/select the checkbox. If the options are grayed out then they are not enabled. You can adjust the ports of existing rules or create entirely new rules if you want. The easiest way to do this is to create a rule based on an existing rule that is similar to what you are trying to accomplish. To do this click the plus symbol next to the rule you want to copy. The queue names are fairly self explanatory as to what their purpose is. For a list of all the queues and their current settings open the traffic shaper page found in the firewall menu.

[Screenshot: If the wizard does not list all of the applications that you need then you can create your own custom traffic shaping rules.]

[Screenshot: Editing the Traffic Shaper Rules]

Monitoring the Queue Status

After you have finished setting up the shaper I recommend that you monitor the status of the queues. It's a good idea to check the queues during times of heavy bandwidth usage to make sure everything is functioning as intended. You may find that you need to make small tweaks over time to improve the system. The queue status page is found under the diagnostics menu. If a queue is showing drops it means that the traffic is exceeding the amount of bandwidth allocated to the queue, resulting in drops. It's normal to have drops on the P2P queue or other low priority queues; this means the traffic shaper is doing its job. If you are seeing drops on the ack or default queues then you may need to grant more bandwidth to them. This can be done in the traffic shaper settings page by clicking on the queue you want to adjust. Acknowledgments (acks) can consume a very large portion of your total bandwidth during heavy downloads. The faster a computer can acknowledge the receipt of a packet the sooner the sending computer will send the next piece of the file, so you want these packets to leave your network quickly.

[Screenshot: Queue Status]

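
The drop check described above can be automated. The following is an added example, not part of the original article: it parses queue counters in the layout of `pfctl -vsq` output and flags drops only on the ack and default queues. The queue names (qACK, qDefault, qP2P), the interface, the counters and the 0.1% threshold are all assumptions made for the example.

```python
import re

# Constructed sample in the layout of `pfctl -vsq` output for ALTQ queues.
# Queue names, interface and counters are assumptions made for this example.
SAMPLE = """\
queue root_em0 on em0 bandwidth 970Kb priority 0 {qACK, qDefault, qP2P}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qACK on em0 bandwidth 194Kb hfsc( linkshare 194Kb )
  [ pkts:       9900  bytes:     534600  dropped pkts:    100 bytes:   5400 ]
  [ qlength:  14/ 50 ]
queue  qDefault on em0 bandwidth 97Kb hfsc( default )
  [ pkts:      42000  bytes:   31500000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qP2P on em0 bandwidth 48.50Kb hfsc( upperlimit 48.50Kb )
  [ pkts:      20000  bytes:   28000000  dropped pkts:   5000 bytes: 7000000 ]
  [ qlength:  50/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*\d+\s+dropped pkts:\s*(\d+)")

def parse_queues(text):
    """Map (queue, interface) -> (sent packets, dropped packets)."""
    stats, current = {}, None
    for line in text.splitlines():
        header = QUEUE_RE.match(line)
        if header:
            current = header.groups()
            continue
        counters = STATS_RE.search(line)
        if counters and current:
            stats[current] = tuple(int(n) for n in counters.groups())
            current = None
    return stats

def starved_queues(text, critical=("qACK", "qDefault"), max_drop_ratio=0.001):
    """Critical queues whose dropped share exceeds max_drop_ratio (an assumed
    starting point, not a pfSense default); drops on qP2P are expected."""
    flagged = []
    for (name, iface), (sent, dropped) in parse_queues(text).items():
        total = sent + dropped
        if name in critical and total and dropped / total > max_drop_ratio:
            flagged.append((name, iface, round(dropped / total, 4)))
    return flagged

if __name__ == "__main__":
    for name, iface, ratio in starved_queues(SAMPLE):
        print(f"{name} on {iface}: {ratio:.2%} dropped, consider more bandwidth")
```

In the sample only qACK is reported; the heavy drops on qP2P are ignored because that queue is meant to be throttled.
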
Deep Packet Inspection

Deep packet inspection, also known as layer 7 shaping, identifies traffic based on the content of the packets instead of just the source or destination ports. If you are trying to manage traffic which uses many different port numbers you should use deep packet inspection. This feature is only found in pfSense version 2.0 and newer. To create rules for this type of traffic click on the layer 7 tab found under Firewall \ Traffic Shaper. You can create rules to either block certain protocols or route the traffic to one of the queues.
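
To illustrate why content matching succeeds where port matching does not, here is an added example that is not part of the original article and is not pfSense's layer 7 code. It classifies constructed flows first by port and then by the opening bytes of the payload; the queue names and the protocol-to-queue mapping are hypothetical.

```python
# Opening bytes that identify a protocol regardless of port. The patterns are
# deliberately minimal; production layer 7 pattern sets are far more thorough.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_by_payload(payload):
    """Identify the protocol from the first bytes a client sends."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record: handshake (0x16), major version 3, then a ClientHello (0x01)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 3 and payload[5] == 1:
        return "tls"
    return "unknown"

# Port table of the kind port-based shaper rules rely on.
PORTS = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}

def classify_by_port(dst_port):
    """Identify the protocol from the destination port alone."""
    return PORTS.get(dst_port, "unknown")

# Hypothetical protocol-to-queue mapping; the queue names are assumptions.
QUEUES = {"bittorrent": "qP2P", "http": "qOthersHigh",
          "tls": "qOthersHigh", "ssh": "qOthersHigh"}

def pick_queue(dst_port, payload):
    """Prefer the content match; fall back to the port, then the default queue."""
    proto = classify_by_payload(payload)
    if proto == "unknown":
        proto = classify_by_port(dst_port)
    return QUEUES.get(proto, "qDefault")

# Constructed flows: (destination port, first payload bytes).
FLOWS = [
    (51413, b"\x13BitTorrent protocol" + bytes(8) + b"A" * 40),
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x2e, 0x01]) + bytes(46)),
    (5060, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for port, data in FLOWS:
        print(port, classify_by_port(port), classify_by_payload(data),
              pick_queue(port, data))
```

The first two flows use ports that the port table does not know, so only the payload match places them in the intended queue.
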