Traffic Shaping (QoS)

Traffic Shaping Types

There are two types of QoS available in pfSense software: ALTQ and Limiters.

The ALTQ framework is handled through pf and is closely tied to network card drivers. ALTQ can handle several types of schedulers and queue layouts. The traffic shaper wizard configures ALTQ and gives firewall administrators the ability to quickly configure QoS for common scenarios, and it allows custom rules for more complex tasks. ALTQ is inefficient, however, so the maximum potential throughput of a firewall is lowered significantly when it is active.

pfSense software also supports a separate shaper concept called Limiters. Limiters enforce hard bandwidth limits for a group or on a per-IP address or network basis. Inside of those bandwidth limits, limiters can also manage traffic priorities.

Traffic Shaping Basics

For administrators who are unfamiliar with traffic shaping, it is like a bouncer at an exclusive club. The VIPs (Very Important Packets) always make it in first and without waiting. The regular packets have to wait their turn in line, and “undesirable” packets can be kept out until after the real party is over. All the while, the club is kept at capacity and never overloaded. If more VIPs come along later, regular packets may need to be tossed out to keep the place from getting too crowded.

ALTQ shaping concepts can be counter-intuitive at first because the traffic has to be queued in a place where the operating system can control the flow of packets. Incoming traffic from the Internet going to a host on the LAN (downloading) is shaped leaving the LAN interface from the firewall. In the same manner, traffic going from the LAN to the Internet (uploading) is shaped when leaving the WAN.

For ALTQ, there are traffic shaping queues, and traffic shaping rules. The queues allocate bandwidth and priorities. Traffic shaping rules control how traffic is assigned into those queues. Rules for the shaper work the same as firewall rules, and allow the same matching characteristics. If a packet matches a shaper rule, it will be assigned into the queues specified by that rule. In pfSense software, shaper rules are mostly handled on the Floating tab using the Match action that assigns the traffic into queues, but rules on any interface can assign traffic into queues using the Pass action.

Limiter rules are handled differently. Limiters apply on regular pass rules and enforce their limits on the traffic as it enters and leaves an interface. Limiters almost always exist in pairs: One for the “download” direction traffic and one for the “upload” direction traffic.

Configuring the ALTQ Traffic Shaper With the Wizard

We recommend configuring the traffic shaper using the wizard for the first time, which guides administrators through the shaper configuration process.

Tip

Due to the complexity of the shaper queues and rules, starting from scratch is quite complicated. If a firewall needs custom rules, step through the wizard and approximate the requirements, then make custom rules afterward.

Each step of the wizard sets up unique queues and rules that control what traffic is assigned into those queues. To configure everything manually, specify the WAN speed at the first screen, then click Next through all the remaining steps. The wizard requires options to be enabled on at least one step, but it does not matter which step.

Note

Completing the wizard and clicking Finish at the end will replace all existing shaper queues and floating rules created by the wizard, including those cloned from wizard rules, with the queues and rules from the new wizard configuration.

Choosing a Wizard

To get started with the Traffic Shaping Wizard, navigate to Firewall > Traffic Shaper and click the Wizards tab. This page displays a list of available traffic shaper wizards, including:

Multiple LAN/WAN:
Used when the firewall has one or more WANs and one or more LANs. This is the most common wizard and it covers most every scenario.
Dedicated Links:
Used when specific LAN+WAN pairings should be accounted for in the shaper configuration.

Starting the Wizard

Each wizard name is followed by the filename of the wizard, which is a link. Click the link to start the wizard. This example uses the Multiple LAN/WAN wizard, so click traffic_shaper_wizard_multi_all.xml.

Next, the wizard starts and the first step prompts for the number of WAN and LAN type connections on the firewall, as in Figure Entering the Interface Count.
  • Enter the number of WAN-type connections on the firewall. These are connections with a gateway configured on the interface, or dynamic WAN type interfaces such as DHCP or PPPoE
  • Enter the number of LAN type connections. These are local network interfaces without a gateway on the interface
  • Click Next to proceed with the next step
In this example the firewall only has one WAN and one LAN interface.
Figure: Entering the Interface Count

Networks and Speeds

This step, shown in Figure Shaper Configuration, defines the network interfaces that will be the inside and outside from the point of view of the shaper, along with the Download and Upload speeds for a given WAN. When the firewall has more than one interface of a given type, the wizard displays multiple sections on the page to handle each one individually.

In addition to the interfaces and their speeds, select an ALTQ Scheduler (ALTQ Scheduler Types) for the WAN(s) and LAN(s). Use the same scheduler on every interface.

Depending on the connection type, the advertised link speed may not be the actual usable speed. In the case of PPPoE, the circuit carries not only PPPoE overhead, but also overhead from the underlying ATM network link used in most PPPoE deployments. By some calculations, between the overhead from ATM, PPPoE, IP, and TCP, the circuit may lose as much as 13% of the advertised link speed. When in doubt about what speed to set, be conservative: reduce by 10-13% and work back up to larger values. If the firewall has a 3 Mbit/s line, set it for about 2.7 Mbit/s and then test. The speed on the resulting parent queue can be edited later to adjust the bandwidth. If the value is too low, the connection will be capped at exactly the defined speed. Nudge it higher until the firewall no longer sees any performance gains.
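The overhead described above can be estimated per packet size instead of guessed. The following is an added example, not part of the pfSense documentation; it assumes a bridged PPPoE link over AAL5/ATM with RFC 2684 LLC/SNAP encapsulation (the header sizes are assumptions to verify against the real circuit), and it shows why small VoIP packets lose a far larger share of the advertised rate than full-size packets do.

```python
"""Estimate usable bandwidth on a PPPoE-over-ATM circuit.

Added example, not part of the pfSense documentation. The encapsulation
sizes are assumptions for a typical bridged PPPoE link over AAL5/ATM;
verify them against the real circuit. The page's 10-13% rule of thumb is
implemented alongside so the two starting points can be compared.
"""
import math

# Assumed per-packet overhead in bytes on top of the IP packet.
ETHERNET_HEADER = 14     # PPPoE carries Ethernet frames (FCS not counted here)
PPPOE_HEADER = 6
PPP_HEADER = 2
LLC_SNAP = 10            # RFC 2684 LLC/SNAP bridged encapsulation (absent for VC-MUX)
AAL5_TRAILER = 8
ATM_CELL = 53            # bytes on the wire per ATM cell
ATM_PAYLOAD = 48         # usable bytes per cell; the last cell is padded


def wire_bytes(ip_len: int, llc_snap: bool = True) -> int:
    """Bytes consumed on the ATM link by one IP packet of ip_len bytes."""
    sdu = ip_len + ETHERNET_HEADER + PPPOE_HEADER + PPP_HEADER + AAL5_TRAILER
    if llc_snap:
        sdu += LLC_SNAP
    # AAL5 pads the SDU out to a whole number of 48-byte cells.
    return math.ceil(sdu / ATM_PAYLOAD) * ATM_CELL


def ip_efficiency(ip_len: int, llc_snap: bool = True) -> float:
    """Fraction of wire bandwidth that carries IP packets of this size."""
    return ip_len / wire_bytes(ip_len, llc_snap)


def tcp_goodput_efficiency(ip_len: int = 1500, llc_snap: bool = True) -> float:
    """Fraction of wire bandwidth left for TCP payload (40-byte IP+TCP headers assumed)."""
    return (ip_len - 40) / wire_bytes(ip_len, llc_snap)


def usable_kbit(advertised_kbit: float, ip_len: int = 1500, llc_snap: bool = True) -> float:
    """Advertised sync speed scaled by the computed TCP goodput efficiency."""
    return advertised_kbit * tcp_goodput_efficiency(ip_len, llc_snap)


def rule_of_thumb_kbit(advertised_kbit: float, reduction: float = 0.10) -> float:
    """The page's starting point: 10-13% below the advertised speed, then tune upward."""
    if not 0.0 <= reduction < 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return advertised_kbit * (1.0 - reduction)


if __name__ == "__main__":
    for size in (1500, 576, 200):   # full MTU, a small packet, a 20 ms G.711 VoIP packet
        print(f"{size:5d}-byte IP packet -> {wire_bytes(size)} wire bytes, "
              f"{ip_efficiency(size):.1%} efficient")
    print(f"3000 kbit/s advertised: rule of thumb {rule_of_thumb_kbit(3000):.0f} kbit/s, "
          f"computed TCP goodput {usable_kbit(3000):.0f} kbit/s")
```

A full-size packet keeps about 86% of the wire rate for IP (about 83% for TCP payload), while a 200-byte VoIP packet keeps only about 75%, which matters when sizing a VoIP bandwidth guarantee.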

Interface speeds can be specified in Kbit/s, Mbit/s, or Gbit/s, but use the same units on every page.
  • Choose an Interface and Scheduler for each LAN-type interface (e.g. LAN, PRIQ)
  • Choose an Interface and Scheduler for each WAN-type interface (e.g. WAN, PRIQ)
  • Define the Upload speed and units for each WAN-type interface (e.g. 1, Mbit/s)
  • Define the Download speed and units for each WAN-type interface (e.g. 10, Mbit/s)
  • Click Next to proceed with the next step
Figure: Shaper Configuration

Voice over IP

The wizard contains several options for handling VoIP call traffic, shown in Figure Voice over IP. Prioritizing Voice over IP traffic sets up queues and rules to give priority to VoIP calls and related traffic. This behavior can be fine-tuned by the other settings on this step of the wizard.
Enable:

A checkbox to enable the VoIP settings on this step. When unchecked, the options are disabled and these queues and rules will not be added by the wizard.
Provider:

There are a few well-known providers including Vonage, Voicepulse, PanasonicTDA, and Asterisk servers. If the VoIP provider for this site is not in the list, choose Generic. This choice sets up rules based on the ports and protocols known to be used by these providers, rather than matching by address.

Note

This choice matches based on SIP and RTP ports, among others, therefore it can match traffic from other sources as well if they use the same ports as the selected service.

Upstream SIP Server:

The IP of the upstream PBX or SIP trunk, or an alias containing the IP addresses or networks for the SIP trunk(s). When set, this overrides the Provider field and will instead match traffic based on these addresses.

Note

This choice matches all UDP traffic to and from the specified address(es). In most cases this is OK, but if there are other Non-VoIP UDP-based services on the same remote address, it could match that traffic as well. Such cases are rare, however, so this option tends to be more reliable than matching by port.

WAN Connection Upload:

The amount of upload bandwidth to guarantee for VoIP devices. This will vary based on how many VoIP devices are on the network and how much bandwidth each session requires. This setting is used by HFSC and CBQ, and should be left blank for PRIQ.

Note

The bandwidth reservation for a service such as VoIP cannot exceed 30% of the available bandwidth on the link. For example, on a 10Mbit/s link, the shaper cannot reserve more than 3Mbit/s.

LAN Connection Download:

The amount of download bandwidth to guarantee for VoIP devices. This setting is used by HFSC and CBQ, and should be left blank for PRIQ.

Note

The best practice is to use the remote SIP trunk or PBX address because otherwise the shaper may not be able to match traffic properly. For example, using the IP addresses of phones the shaper may only match traffic in one direction, or not at all. This is due to the way the shaper matches traffic with floating rules in an outbound direction. NAT applies before traffic is matched when exiting a WAN, so the shaper rules cannot match outbound connections based on local private IP addresses.

To use these options:
  • Check Prioritize Voice over IP traffic
  • Pick ONE of the following:
    • Choose a Provider from the list OR
    • Enter an Upstream SIP Server address or alias containing a remote SIP trunk or PBX
  • Leave Upload and Download blank if using PRIQ, otherwise enter an appropriate Upload or Download value for each connection
  • Click Next to proceed with the next step
Figure: Voice over IP

Penalty Box

The penalty box, depicted in Figure Penalty Box, is a place to relegate misbehaving users or devices that would otherwise consume undesirable amounts of bandwidth. These devices are assigned a hard bandwidth cap which they cannot exceed.

Enable: A checkbox to enable the Penalty Box settings on this step. When unchecked, the options are disabled and these queues and rules will not be added by the wizard.
Address: The IP address to penalize, or an alias containing multiple addresses to penalize.
Bandwidth: The amount of bandwidth that Address can consume, at most.
To use these options:
  • Check Penalize IP or Alias
  • Enter an IP address or Alias in the Address box
  • Enter the Bandwidth limit
  • Choose the correct units for the Bandwidth limit
  • Click Next to proceed with the next step
Figure: Penalty Box

Peer-to-Peer Networking

The next step, shown in Figure Peer-to-Peer Networking, sets controls for many Peer-to-Peer (P2P) networking protocols. By design, P2P protocols will utilize all available bandwidth unless limits are put in place. If P2P traffic will be present on a network, the best practice is to ensure it will not degrade other traffic.

Note

P2P protocols deliberately attempt to avoid detection. Bittorrent is especially guilty of this behavior. It often utilizes non-standard or random ports, or ports associated with other protocols. Identifying all P2P traffic can be difficult or impossible.

Enable:

A checkbox to enable the P2P traffic settings on this step. When unchecked, the options are disabled and these queues and rules will not be added by the wizard.
Peer-to-Peer Catch All:

Causes any unrecognized traffic to be assumed as P2P traffic, and such traffic will have its priority lowered accordingly.
Bandwidth: The amount of bandwidth that unclassified traffic can consume, at most, when P2P Catch All is active.
Warning

This option effectively takes over the Default traffic shaping queue and lowers its priority. When this option is active, it is critical for all legitimate traffic to be matched by rules that set a priority higher than the priority of the P2P catch all queue.

The Raise / Lower Other Applications step of the wizard can help here, but ultimately accomplishing this task frequently requires additional manual rules.

Enable/Disable specific P2P protocols:

These options identify various known P2P protocols. The firewall will assign ports and protocols associated with each enabled option as P2P traffic.

To use the options in this step:
  • Check Lower priority of Peer-to-Peer traffic
  • Optionally enable the p2p Catch All feature
    • Enter the Bandwidth limit for p2p Catch all, if enabled
    • Choose the correct units for the Bandwidth limit
  • Select protocols for the firewall to classify as P2P traffic
  • Click Next to proceed with the next step
Figure: Peer-to-Peer Networking

Network Games

Online games typically rely on low latency for acceptable player experiences. If a user on the network attempts to download large files or game patches while playing, that traffic can easily drown out the packets associated with the game itself and cause lag or disconnections. If the firewall gives gaming traffic priority, it can ensure that traffic will be delivered first and fastest.

Enable: A checkbox to enable the gaming traffic settings on this step. When unchecked, the options are disabled and these queues and rules will not be added by the wizard.
Enable/Disable specific game consoles and services:
These options match traffic for entire game consoles or online services which use common ports and protocols across all, or at least a majority, of their games.
Enable/Disable specific games:
These options match traffic for specific games which deviate from the general categories in the previous section.

Tip

To prioritize a game that is not listed, check any other game from the list so that the wizard will create the queues and rules to use as a reference base. After completing the wizard, edit the resulting rules to match the unlisted game.

To use the options in this step:
  • Check Prioritize network gaming traffic
  • Select any games consoles on the network from the list in Enable/Disable specific game consoles and services
  • Select any games on the network from the list in Enable/Disable specific games
  • Click Next to proceed with the next step
Figure: Network Games

Raising or Lowering Other Applications

The last configuration screen of the shaper wizard, seen in Figure Raise or Lower Other Applications, lists a number of other commonly available applications and protocols.

The needs of a particular network dictate how the firewall should handle each protocol. For example, in a corporate environment management may want to lower the priority of non-interactive traffic such as e-mail where a reduction in speed is not usually noticed by users, and they may also want to raise the priority of interactive services like RDP where poor performance is an impediment for employees. In a home, multimedia streaming may be more important, and other services can have their priority lowered by the shaper.

Tip

As with other steps of this shaper wizard, if a protocol is not listed, select a similar protocol and then adjust the rules after completing the wizard.

Enable:

A checkbox to enable the settings on this step. When unchecked, the options are disabled and these queues and rules will not be added by the wizard.
Protocol Categories:

Each section contains well-known protocols, grouped by their general function.

There are more than 40 protocols to choose from, and each can be given a Higher priority, Lower priority, or left at the Default priority.

Tip

If p2pCatchAll is active, we strongly recommend using this step to ensure that these other protocols are recognized and treated normally, rather than penalized by the default p2pCatchAll rule.

To use the options in this step:
  • Check Other networking protocols
  • Locate specific protocols in the list to alter priority.
  • For each protocol, choose one of Higher priority, Lower priority, or leave it at the Default priority.
  • Click Next to proceed with the next step
Figure: Raise or Lower Other Applications

Finishing the Wizard

Click Finish to complete the wizard. The firewall will then create all of the rules and queues for enabled options, and then it will reload the ruleset to activate the new traffic shaper settings.

Because the firewall is stateful, it can only apply changes in traffic shaping to new connections. In order for the new traffic shaping settings to be fully active on all connections, clear the states.

To reset the state table contents:
  • Navigate to Diagnostics > States
  • Click the Reset States tab
  • Check Reset the firewall state table
  • Click Reset

Monitoring the Queues

Monitor the shaper using Status > Queues to ensure that traffic shaping is working as intended. As can be seen in Figure Basic WAN Queues, this screen shows each queue listed by name, its current usage, and other related statistics.
Figure: Basic WAN Queues

Queue: The name of the traffic shaper queue.
Statistics: A graphical bar which shows how “full” this queue is.
PPS: The rate of queued data in packets per second (PPS)
Bandwidth: The rate of queued data in bits per second (e.g. Mbps, Kbps, bps).
Borrows: Borrows happen when a neighboring queue is not full and capacity is borrowed from there.
Suspends: The suspends counter indicates when a delay action happens. The suspends counter is only used with the CBQ scheduler and should be zero when other schedulers are in use.
Drops: Drops happen when traffic in a queue is dropped in favor of higher priority traffic. Drops are normal and this does not mean that a full connection is dropped, only a packet. Usually, one side of the connection will see that a packet was missed and then resend, often slowing down in the process to avoid future drops.
Length:

The number of packets in the queue waiting to be transmitted, over the total size of the queue.

Advanced Customization

The rules and queues generated by the shaper wizard may not be an exact fit for a network. Network devices may use services that need to be shaped which are not listed in the wizard, games that use different ports, or other protocols that need limiting.

After the basic rules have been created by the wizard, it is relatively easy to edit or copy those rules to make adjustments for other protocols.

Editing Shaper Queues

Queues are where bandwidth and priorities are allocated by the shaper. Each queue has settings specific to the scheduler that was chosen in the wizard (ALTQ Scheduler Types). Queues can also be assigned other attributes that control how they behave. Queues may be managed at Firewall > Traffic Shaper. Click on a queue name in the list or tree shown on the By Interface or By Queue tabs, as seen in Figure Traffic Shaper Queues List.

Warning

Creating or editing queues is for advanced users only. It is a complex task with powerful results, but without thorough understanding of the settings involved the best practice is to stick with queues generated by the wizard rather than trying to make new queues.

To edit a queue, click its name in the list/tree.

To delete a queue, click it once to edit the queue, then click fa-trash Delete This Queue. Do not delete a queue if it is still being referenced by a firewall rule.

To add a new queue, click the interface or parent queue under which the new queue will be placed, and then click fa-plus Add New Queue.
Figure: Traffic Shaper Queues List

When editing a queue, each of the options must be carefully considered. For more information about these settings than is mentioned here, visit the PF Packet Queuing and Prioritization FAQ or read The OpenBSD PF Packet Filter book.
Name:

The queue name must be between 1-15 characters and cannot contain spaces. The most common convention is to start the name of a queue with the letter “q” so that it may be more readily identified in the ruleset.
Priority:

The priority of the queue. It can be any number from 0-7 for CBQ and 0-15 for PRIQ. Though HFSC can support priorities, the current code does not honor them when performing shaping. Queues with higher numbers are preferred by the shaper when there is an overload, so situate queues accordingly. For example, VoIP traffic is the highest priority, so it would be set to a 7 on CBQ or 15 on PRIQ. Peer-to-peer network traffic, which can be delayed in favor of other protocols, would be set at 1.
Bandwidth (root queues):

The amount of bandwidth available on this interface in the outbound direction. For example, WAN-type interface root queues list upload speed. LAN-type interfaces list the sum total of all WAN interface download bandwidth.
Queue Limit:

The number of packets that can be held in a queue waiting to be transmitted by the shaper. The default size is 50.
Scheduler Options:

There are five different Scheduler Options that may be set for a given queue:
Default Queue: Selects this queue as the default, the one which will handle all unmatched packets on an interface. Each interface must have one and only one default queue.
Random Early Detection (RED):
A method to avoid congestion on a link. When set, the shaper will actively attempt to ensure that the queue does not get full. If the bandwidth is above the maximum given for the queue, drops will occur. Also, drops may occur if the average queue size approaches the maximum. Dropped packets are chosen at random, so connections using more bandwidth are more likely to see drops. The net effect is that the bandwidth is limited in a fair way, encouraging a balance. RED should only be used with TCP connections since TCP is capable of handling lost packets, and hosts can resend TCP packets when needed.
Random Early Detection In and Out (RIO):
Enables RED with in/out, which results in having queue averages being maintained and checked against incoming and outgoing packets.
Explicit Congestion Notification (ECN):
Along with RED, it allows sending of control messages that will throttle connections if both ends support ECN. Instead of dropping the packets as RED will normally do, it will set a flag in the packet indicating network congestion. If the other side sees and obeys the flag, the speed of the ongoing transfer will be reduced.
Codel Active Queue:
A flag to mark this queue as being the active queue for the Codel shaper discipline.
Description:

Optional text describing the purpose of the queue.
Bandwidth (Service Curve/Scheduler):

The Bandwidth setting should be a fraction of the available bandwidth in the parent queue, but it must also be set with an awareness of the other neighboring queues. When using percentages, the total of all queues under a given parent cannot exceed 100%. When using absolute limits, the totals cannot exceed the bandwidth available in the parent queue.
Scheduler-specific Options:

Next are scheduler-specific options. They change depending on whether a queue is using HFSC, CBQ, or PRIQ. They are all described in ALTQ Scheduler Types.
Click Save to save the queue settings and return to the queue list, then click Apply Changes to reload the queues and activate the changes.
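The constraints on the Bandwidth setting above, together with the 30% reservation cap noted under Voice over IP and the rule under WAN connection speed changes that LAN root and qInternet queues carry the total download speed of all WANs, can be checked before clicking Save. The following added example is not pfSense code: it models a queue tree and reports violations of those rules. The Queue structure, the qVoIP/qACK/qDefault names and the sample tree are constructed for this example; only qInternet is a name from the documentation.

```python
"""Consistency checks for a hand-edited ALTQ queue tree.

Added example, not pfSense code. It encodes the bandwidth constraints this
page states: child percentages under one parent may not exceed 100% and
absolute child values may not exceed the parent; a reserved service such as
VoIP may not exceed 30% of the link; WAN root queues carry the upload speed;
LAN root queues and qInternet carry the total download speed of all WANs.
All queue names except qInternet, and the sample tree, are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNITS_KBIT = {"Kbit/s": 1, "Mbit/s": 1_000, "Gbit/s": 1_000_000}
RESERVATION_CAP = 0.30   # largest share of a link one reserved service may take
EPS = 1e-6               # float comparison tolerance


@dataclass
class Queue:
    name: str
    bandwidth: float                     # value as typed into the queue form
    unit: str                            # "%" or a key of UNITS_KBIT
    children: List["Queue"] = field(default_factory=list)

    def kbit(self, parent_kbit: Optional[float]) -> float:
        """Absolute bandwidth in kbit/s; a percentage is resolved against the parent."""
        if self.unit == "%":
            if parent_kbit is None:
                raise ValueError(f"{self.name}: a root queue cannot be a percentage")
            return parent_kbit * self.bandwidth / 100.0
        return self.bandwidth * UNITS_KBIT[self.unit]


def walk(queue: Queue, own_kbit: float, table: Dict[str, float], problems: List[str]) -> None:
    """Record every queue's absolute bandwidth and check its children fit inside it."""
    table[queue.name] = own_kbit
    if not (1 <= len(queue.name) <= 15) or " " in queue.name:
        problems.append(f"{queue.name!r}: name must be 1-15 characters without spaces")
    pct = sum(c.bandwidth for c in queue.children if c.unit == "%")
    if pct > 100 + EPS:
        problems.append(f"{queue.name}: child percentages total {pct:g}%, limit is 100%")
    need = sum(c.kbit(own_kbit) for c in queue.children)
    if need > own_kbit + EPS:
        problems.append(f"{queue.name}: children need {need:g} kbit/s, parent has {own_kbit:g}")
    for child in queue.children:
        walk(child, child.kbit(own_kbit), table, problems)


def check_root(root: Queue, expected_kbit: float, reserved: str, problems: List[str]) -> None:
    """Validate one interface tree: root speed, nesting, qInternet and the 30% cap."""
    table: Dict[str, float] = {}
    root_kbit = root.kbit(None)
    if abs(root_kbit - expected_kbit) > EPS:
        problems.append(f"{root.name}: root is {root_kbit:g} kbit/s, expected {expected_kbit:g}")
    walk(root, root_kbit, table, problems)
    if reserved in table and table[reserved] > RESERVATION_CAP * root_kbit + EPS:
        problems.append(f"{reserved} on {root.name}: {table[reserved]:g} kbit/s exceeds "
                        f"{RESERVATION_CAP:.0%} of the {root_kbit:g} kbit/s link")
    if "qInternet" in table and abs(table["qInternet"] - expected_kbit) > EPS:
        problems.append(f"qInternet on {root.name} must equal the total WAN download speed")


def validate_shaper(wans: List[Tuple[float, float, Queue]], lans: List[Queue],
                    reserved: str = "qVoIP") -> List[str]:
    """wans: (upload_kbit, download_kbit, root queue) per WAN; lans: LAN root queues."""
    problems: List[str] = []
    total_download = sum(down for _, down, _ in wans)
    for up, _, root in wans:
        check_root(root, up, reserved, problems)
    for root in lans:
        check_root(root, total_download, reserved, problems)
    return problems


def sample_tree(voip_percent: float = 30) -> List[str]:
    """Constructed single-WAN tree (1 Mbit/s up, 10 Mbit/s down); returns the problems."""
    wan = Queue("WAN", 1, "Mbit/s", [
        Queue("qVoIP", voip_percent, "%"), Queue("qACK", 20, "%"), Queue("qDefault", 50, "%")])
    lan = Queue("LAN", 10, "Mbit/s", [
        Queue("qInternet", 10, "Mbit/s", [
            Queue("qVoIP", 3, "Mbit/s"), Queue("qACK", 2, "Mbit/s"), Queue("qDefault", 5, "Mbit/s")])])
    return validate_shaper([(1_000, 10_000, wan)], [lan])


if __name__ == "__main__":
    for pct in (30, 40):
        print(f"qVoIP at {pct}% on WAN:", sample_tree(pct) or "no problems")
```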

Editing Shaper Rules

Traffic shaping rules control how traffic is assigned into queues. If a new connection matches a traffic shaper rule, the firewall will assign packets for that connection into the queue specified by that rule.

Packet matching is handled by firewall rules, notably on the Floating tab. To edit the shaper rules:
  • Navigate to Firewall > Rules
  • Click the Floating Tab
  • Find the rule to edit in the list, as shown in Figure Traffic Shaper Rules List
  • Click fa-pencil to edit an existing rule or fa-clone to create a copy of a rule
  • Make any required adjustments to match different connections
  • Save and Apply Changes as usual when editing firewall rules
Queues may be applied using pass rules on interface tabs, but the wizard only creates rules on the Floating tab using the match action that does not affect whether or not a connection is passed or blocked; it only queues traffic. Because these rules operate the same as any other rules, any criteria used to match connections may be used to queue.

See also

For more information on floating rules, see Floating Rules and Configuring firewall rules for information on firewall rules in general.

Figure: Traffic Shaper Rules List

Shaper Rule Matching Tips

Connections can be tricky to match properly due to several factors, including:
  • NAT applies before outbound firewall rules can match connections, so for connections that have outbound NAT applied as they leave a WAN-type interface, the private source IP address is hidden by NAT and cannot be matched by a rule.
  • Some protocols such as Bittorrent will use random ports or the same ports as other services.
  • Multiple protocols using the same port cannot be distinguished by the firewall.
  • A protocol may use a range of ports so wide that it cannot be distinguished from other traffic.
While many of these cannot be solved by the firewall directly, there are ways to work around these limitations in a few cases.

To match by a private address source outbound in WAN floating rules, first tag the traffic as it passes in on a local interface. For example, match inbound on LAN and use the advanced Tag field to set a value, and then use the Tagged field on the WAN-side floating rule to match the same connection as it exits the firewall. Alternately, queue the traffic as it enters the LAN with a pass rule instead of when it exits a WAN.

Match by address instead of port/protocol where possible to sort out ambiguous protocols. In these cases, either the local source or the remote destination may be a single address or a small set of addresses. For example, matching VoIP traffic is much simpler if the firewall can match the remote SIP trunk or PBX rather than attempting to match a wide range of ports for RTP (e.g. 10000-20000).

If bittorrent is allowed on a network but must be shaped, then dedicate a specific local device that is allowed to use bittorrent and then shape all connections to/from that device as Peer-to-Peer traffic.

Removing Traffic Shaper Settings

To remove all traffic shaper queues and rules created by the wizard:
  • Navigate to Firewall > Traffic Shaper
  • Click the By Interface tab
  • Click fa-trash Remove Shaper
  • Click OK on the confirmation prompt

Traffic Shaping and VPNs

The following discussions pertain primarily to ALTQ shaping. Limiters will work fine with VPNs as they would with any other interface and rules. Only the ALTQ shaper requires special consideration.

Traffic shaping with VPNs is a tricky topic because VPN traffic is considered separate from, but also a part of, the WAN traffic through which it also flows. If WAN is 10 Mbit/s, then the VPN can also use 10Mbit/s, but there is not actually 20Mbit/s of bandwidth to consider, only 10Mbit/s. As such, methods of shaping that focus more on prioritization than bandwidth are more reliable, such as PRIQ or in some cases, CBQ.

If all traffic inside the VPN must be prioritized by the firewall, then it is enough to consider only the VPN traffic itself directly on WAN, rather than attempting to queue traffic on the VPN separately. In these cases, use a floating rule on WAN to match the VPN traffic itself. The exact type of traffic varies depending on the type of VPN. IPsec and PPTP traffic on WAN can both be prioritized by the shaper wizard, and these rules can be used as an example to match other protocols.

OpenVPN

With OpenVPN, multiple interfaces exist on the operating system, one per VPN. This can make shaping easier in some cases. Features of OpenVPN can also make it easier to shape traffic on WAN and ignore the tunnel itself.

Shaping inside the tunnel

If multiple classes of traffic are carried on the tunnel, then prioritization must be done to the traffic inside the tunnel. In order for the wizard to consider the traffic in this way, the VPN must be assigned as its own interface in the GUI. To accomplish this, assign it as described in Interface assignment and configuration, and then use the shaper wizard as if it were a separate WAN interface, and classify the traffic as usual.

Shaping outside the tunnel (passtos)

If the primary concern is shaping VoIP traffic over a VPN, another choice to consider is the passtos option in OpenVPN, called Type-of-Service in the OpenVPN client or server options. This option copies the TOS bit from the inner packet to the outer packet of the VPN. Thus, if the VoIP traffic has the TOS (DSCP) portion of the packet header set, then the OpenVPN packets will also have the same value.

This option is more useful for signaling intermediate routers about the QoS needs, however. Though the DSCP option on firewall rules can match based on TOS bits, as described in Diffserv Code Point, such matching would have to occur in the packet creating a firewall state, and not on specific packets flowing through that state.

Note

Because this option tells OpenVPN to copy data from the inner packet to the outer packet, it does expose a little information about the type of traffic crossing the VPN. Whether or not the information disclosure, though minor, is worth the risk for the gains offered by proper packet prioritization depends on the needs of the network environment.

IPsec

IPsec is presented to the operating system on a single interface no matter how many tunnels are configured and no matter which WANs are used by the tunnels. This makes shaping IPsec traffic difficult, especially when trying to shape traffic inside one particular IPsec tunnel.

The IPsec interface also cannot be used on its own as an interface in the wizard. Floating rules can match and queue traffic on the IPsec interface, but in most cases only inbound traffic will be queued as expected. Actual results may vary.

Troubleshooting Shaper Issues

Traffic Shaping/QoS is a tricky topic, and can prove difficult to get right the first time. This section covers several common pitfalls.

Bittorrent traffic not using the P2P queue

Bittorrent is known for not using standard ports. Clients are allowed to declare which port other clients use to reach them, which means chaos for network administrators trying to track the traffic based on port alone. Clients can also choose to encrypt their traffic. Regular shaper rules don’t have any way to examine the packets to tell what program the traffic appears to be, so they are forced to rely on ports. This is why it may be a good idea to use the P2P Catchall rule, and/or make rules for each type of desirable traffic and treat the default queue as low priority.

UPnP traffic shaping

Out of the box, traffic allowed in by the UPnP daemon will end up in the default queue. This happens because the rules generated dynamically by the UPnP daemon do not have any knowledge of queues unless UPnP is configured to send traffic into a specific queue.

Depending on which client devices are utilizing UPnP on a network, this may be low priority traffic like Bittorrent, or high priority traffic like game consoles or voice chat programs like Skype.

To configure UPnP to use a specific ALTQ queue:
  • Set up ALTQ shaping and decide which queue to use for UPnP & NAT-PMP
  • Navigate to Services > UPnP & NAT-PMP
  • Enter the chosen ALTQ queue name into the Traffic Shaping field
  • Click Save
This trick only works with the ALTQ shaper. At this time, the firewall is not capable of assigning UPnP traffic to a limiter.

ACK queue bandwidth calculations

This is a complex topic and most users gloss over it and guess a sufficiently high value. For more detailed explanations with mathematical formulas, check the Traffic Shaping section of the pfSense forums. There is a sticky post in that board which describes the process in great detail, and there is also a downloadable spreadsheet which can be used to help ease the process.

Why is <x> not properly shaped?

The reason is nearly always one of these choices:
  • The traffic matched a different rule than expected
  • The traffic did not match any rule
As with other questions in this section, this tends to happen because of rules entered either internally or by other packages that do not have knowledge of queues. Since no queue is specified for a rule, it ends up in the default or root queue, and not shaped.

Working around the limitation may require altering the rules to better match the traffic, or disabling internal rules that are matching the traffic in unexpected ways. Another tactic is to identify all other traffic and then use different shaping options on the default queue.

In rare cases, such as bittorrent, it may be impossible to accurately identify all traffic of a given type. One workaround is to isolate the traffic to one specific device on the network and then match based on that client device address.

WAN connection speed changes

To update the speed of a WAN if it changes, edit the appropriate queues under Firewall > Traffic Shaper to reflect the new speed.

The queues that need updating are:
  • The root queue for each WAN interface for the upload speed
  • The root queue for each LAN interface for the download speed
  • qInternet queue for each LAN interface for the download speed
If this firewall has multiple WANs, the LAN root and qInternet queue must use the total download speed of all WANs.

Alternately, if the wizard created all of the queues and rules and these have not been changed, then complete the wizard again and update the speed using the wizard.

Topic revision: r1 - 07 Mar 2018, NickDemou
Copyright © enLogic