
23/11/2014

Traffic Shaping Guide - PFSenseDocs


Traffic Shaping Guide
From PFSenseDocs

Contents
1 PFSense 1.2.x Traffic Shaping Guide
  1.1 Limitations
  1.2 Wizards
  1.3 ACK Queue sizing
2 PFSense 2.0 Traffic Shaping Guide (Work in progress)
  2.1 What is traffic Shaping?
  2.2 Wizards
    2.2.1 Single Lan multi Wan
    2.2.2 Single Wan multi Lan
    2.2.3 Multiple Lan/Wan
    2.2.4 Dedicated Links
    2.2.5 Creating new Wizard templates
  2.3 Queuing Schedulers
    2.3.1 Priority Queueing (PRIQ)
    2.3.2 Class Based Queueing (CBQ)
    2.3.3 Hierarchical Fair Service Curve (HFSC)
  2.4 ACK Queue Size
  2.5 Floating Rules
    2.5.1 Tips
  2.6 Troubleshooting Traffic Shaping
    2.6.1 View Queues with pfTop
    2.6.2 View State Table with Queue info
    2.6.3 Queue Numbers
  2.7 Limiter
    2.7.1 Setup Limiters
      2.7.1.1 Dynamic queue creation
    2.7.2 Assign Traffic
    2.7.3 Limiter status
    2.7.4 Captive Portal Notes
    2.7.5 Using Limiters for Bandwidth Guarantees
    2.7.6 Limiters on Bridges
    2.7.7 Troubleshooting
      2.7.7.1 Display Pipes
    2.7.8 Dummynet Documentation
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide

  2.8 Layer 7
    2.8.1 PFSense implementation
    2.8.2 Defining Protocol Patterns
    2.8.3 Using Layer 7 with a bridging firewall
  2.9 Example Scenarios
    2.9.1 Example 1
  2.10 Other Documentation

PFSense 1.2.x Traffic Shaping Guide
Limitations
The 1.2.x traffic shaper will not work for more than one WAN and one LAN interface. Please look at
version 2.0.x for that functionality.

Wizards
It is recommended that you use the Traffic Shaping Wizard to create a default set of rules from which to
start. The rules the wizard creates can sometimes cope well with VOIP traffic, but need tweaking to
accommodate other traffic.
As an example, let's look at shaping P2P traffic. Assuming you used the wizard, there will be qP2Pup
and qP2Pdown created already. When you launch a P2P app, you should see traffic in these queues.
They are designed to carry the bulk P2P traffic, which normally slows your connection down. Other
generic traffic, like web pages (HTTP), email, IM, VOIP etc. will go into other queues.
Initially, the wizard sets all queues to 1% bandwidth. This is not enough. In particular, the queue
qwanacks certainly needs more bandwidth if you do a lot of downloading. First, a quick note about ACK
packets.

ACK Queue sizing
When you download, your computer needs to send (upload) ACK packets. These are basically saying
"yep, I got that part of the download OK". If the computer you are downloading from detects that an
ACK has not been received, it assumes that the data was not received and sends it again. The rate at
which ACKs are sent back is also used to help determine the maximum speed that you can download
data at, so it's important that ACKs get sent as soon as possible and don't get dropped in order to keep
your downloads flowing fast. Also, repeatedly dropped ACKs can result in dropped connections, web
page timeouts etc.
When you download, qwanacks is where the ACK packets your computer sends out go. You need to
make sure this queue has enough bandwidth to maintain your downloads. To work out how much
bandwidth you need, there are two options. You could simply experiment, keeping an eye on the queue
while downloading as fast as your connection will allow, or you could try and work it out. As a rough
starting point, an NTL 10Mb/512Kb cable connection needs about 260-270Kb/sec of ACK packets to
download at full speed.


Taking the above example, we can see that ACKs can consume 60% of the available upload bandwidth.
Thus, qwanacks should have at least 60% bandwidth available (I use 65% for the above). If you set
qwanacks like this, you should not see any drops in that queue. However, you will see a lot in qP2Pup,
but that's OK. P2P upload packets are just bulk traffic, not really important so it doesn't matter if they
drop a bit. qP2Pup will now be using what is left of the available upload bandwidth, after qwanacks has
used up to 65% of it. You will probably want to increase the bandwidth allowance for qwandef as well,
since this is where HTTP requests and other general uploads go, which chances are you want to be
higher priority than qP2Pup. Bandwidth percentages need not add up to 100%, but unless you have a
very slow connection you don't need too much for qwandef since it is mainly small requests or the odd
few kb of email.
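
The ACK figure quoted above can be worked out rather than measured. The following Python sketch is an added example, not part of the original guide; it assumes 1500-byte data packets, 40-byte ACKs, one ACK per data packet and 1 Kb = 1000 bits, and its function names are illustrative. It also shows how far a 1% qwanacks share holds a download back.

```python
# Added example: rough ACK bandwidth model for sizing qwanacks.
# Assumptions (not from the guide): 1500-byte data packets, 40-byte ACKs,
# one ACK per data packet, 1 Kb = 1000 bits.

DATA_PACKET_BYTES = 1500
ACK_BYTES = 40
PACKETS_PER_ACK = 1


def ack_kbps(download_kbps):
    """Upstream Kb/s of ACKs generated while downloading at download_kbps."""
    data_packets_per_sec = download_kbps * 1000 / (DATA_PACKET_BYTES * 8)
    acks_per_sec = data_packets_per_sec / PACKETS_PER_ACK
    return acks_per_sec * ACK_BYTES * 8 / 1000


def max_download_kbps(upload_kbps, ack_share):
    """Fastest download the ACK queue can keep acknowledging.

    ack_share is the fraction of upload bandwidth given to qwanacks.
    """
    ack_budget_bps = upload_kbps * 1000 * ack_share
    acks_per_sec = ack_budget_bps / (ACK_BYTES * 8)
    return acks_per_sec * PACKETS_PER_ACK * DATA_PACKET_BYTES * 8 / 1000


def report(download_kbps, upload_kbps, shares):
    """Text summary for a link and a list of candidate qwanacks shares."""
    need = ack_kbps(download_kbps)
    lines = [f"ACKs needed at {download_kbps} Kb/s down: {need:.1f} Kb/s"]
    for share in shares:
        cap = min(download_kbps, max_download_kbps(upload_kbps, share))
        lines.append(f"qwanacks at {share:.0%}: download limited to ~{cap:.0f} Kb/s")
    return lines


if __name__ == "__main__":
    # The 10Mb/512Kb connection from the text, at the wizard's 1% and at 65%.
    for line in report(10000, 512, [0.01, 0.65]):
        print(line)
```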

PFSense 2.0 Traffic Shaping Guide (Work in progress)
Access to the PFSense Traffic Shaping settings is through the Traffic Shaper option in the Firewall
drop-down in the web GUI.

What is traffic Shaping?
Traffic shaping (also known as "packet shaping") is the control of computer network traffic
in order to optimize or guarantee performance, lower latency, and/or increase usable
bandwidth by delaying packets that meet certain criteria. More specifically, traffic shaping
is any action on a set of packets (often called a stream or a flow) which imposes additional
delay on those packets such that they conform to some predetermined constraint (a contract
or traffic profile).
From Traffic Shaping Wikipedia article (http://en.wikipedia.org/wiki/Traffic_shaping).

Wizards
PFSense 2.0 includes multiple wizards that set up the traffic shaping for various usage scenarios. It is
recommended to start out with one of the Wizards since having a known starting point makes support
easier.

Single Lan multi Wan
This will set up the traffic shaping for the case where you have one local network and multiple WAN
networks. You would also use this in the case where you only have one WAN and one LAN. Just
specify 1 for the number of WAN links when going through the wizard.

Single Wan multi Lan
This will set up the traffic shaping for the case where you have multiple local networks and one WAN
network.

Multiple Lan/Wan
This will set up the traffic shaping for the case where you have both multiple local networks and multiple
WAN networks.

Dedicated Links
Dedicated links is for when you want to manage more than 1 link, each routed to a separate
LAN, in the same box. So a single firewall manages several 'virtual' links through it. For
example, say you were providing services to 4 different customers in one building, and they each had
their own separate internet connections. You could run all 4 internet connections through one pfsense
box to each of the customers' LAN networks and provide separate traffic shaping configurations to each
one.

Creating new Wizard templates
Wizard configuration files are located under /usr/local/www/wizards.

Queuing Schedulers
Priority Queueing (PRIQ)
Priority queuing is the simplest form of traffic shaping you can select. You create a flat hierarchy of
priority levels; all packets at the highest priority level are always processed first.
Pros
Easy to configure and understand.
Cons
Lower priority queues can be completely starved for bandwidth easily.
After naming your queue and assigning a priority, you must associate some traffic with the queue in
Firewall/Rules/Advanced Features/Ackqueue/Queue. After save, the queue name will appear in the rules
list in the queue column. You can monitor real-time traffic flows in your queues with Status/Queues.
You can see queue traffic trends in Status/RRD graphs/Queues.

Class Based Queueing (CBQ)
CBQ is the next step up from priority queuing. You create a tree hierarchy of classes, each with an
assigned priority and bandwidth limit. Priority works much in the same way that it does in the PRIQ;
however, instead of processing all packets from the class, it will only process enough packets until the
bandwidth limit is reached.

Hierarchical Fair Service Curve (HFSC)

ACK Queue Size
The size of the ACK Queue often needs to be adjusted with asymmetrical links since by default the size
is based on both up and down speed being equal.

Floating Rules
Floating rules allow you to set shaping rules for all interfaces at once. They are evaluated before the
interface rules, and are non-terminating. The last floating rule that matches a stream will be the one that
applies.
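
A small Python model of the last-match behaviour described above, added here as an illustration and not taken from pfSense. The rules, queue names, packet fields and the shadowed() check are all hypothetical; the check flags rules that can never take effect because a later, broader rule always overrides them.

```python
# Added example: "the last matching floating rule applies", on constructed rules.
import ipaddress

# Constructed rules in list order; proto/dport of None means "any".
RULES = [
    {"name": "voip", "proto": "udp", "src": "192.168.1.0/24", "dport": 5060, "queue": "qVoIP"},
    {"name": "web", "proto": "tcp", "src": "192.168.1.0/24", "dport": 80, "queue": "qWeb"},
    {"name": "catch", "proto": None, "src": "192.168.0.0/16", "dport": None, "queue": "qBulk"},
]


def matches(rule, pkt):
    """True if the packet satisfies every condition of the rule."""
    return (rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt["dport"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"]))


def assign_queue(rules, pkt):
    """Return (queue, rule name) of the LAST matching rule, or (None, None)."""
    chosen = (None, None)
    for rule in rules:
        if matches(rule, pkt):
            chosen = (rule["queue"], rule["name"])  # non-terminating: keep going
    return chosen


def covers(later, earlier):
    """True if every packet matching `earlier` also matches `later`."""
    return (later["proto"] in (None, earlier["proto"])
            and later["dport"] in (None, earlier["dport"])
            and ipaddress.ip_network(earlier["src"]).subnet_of(
                ipaddress.ip_network(later["src"])))


def shadowed(rules):
    """Names of rules that a later, broader rule always overrides."""
    return [r["name"] for i, r in enumerate(rules)
            if any(covers(later, r) for later in rules[i + 1:])]


if __name__ == "__main__":
    sip = {"proto": "udp", "src": "192.168.1.50", "dport": 5060}
    print(assign_queue(RULES, sip), shadowed(RULES))
    fixed = [RULES[2], RULES[0], RULES[1]]  # catch-all first, specifics last
    print(assign_queue(fixed, sip), shadowed(fixed))
```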

Tips
When modifying floating rules, remember to clear the firewall states before you start testing your
changes. If you do not do this, you may not get the results you expect.

Troubleshooting Traffic Shaping
View Queues with pfTop
To view live stats on traffic shaping (altq) from the command line use the following command.

pftop -s1 -v queue

View State Table with Queue info
To view the current state table with the queue each flow is associated with, use the following
command.

pfctl -s state -vv

This will show you the Ackqueue (pri queue) and the queue for each flow. If no queue is listed then the
flow is matched by the default.
Remember that any changes to rules made while you are troubleshooting won't be applied to current
states, so you have to clear states to get a complete picture.

Queue Numbers
The state table identifies queues by number. Numbers start at 1 and count up for each new queue
defined. Look at your rules.debug to see what order queues are created.

Limiter
The limiter feature allows you to set up Dummynet pipes. Dummynet was designed to be able to simulate
any kind of network connection. You can simulate a dial-up connection, a T1, a T1 run through a
microwave oven, or a satellite connection to the Moon. A side effect of being able to simulate any type
of network connection is that you can use them to limit the amount of bandwidth a host or group of hosts
have access to.
Both the packet shaper and limiters can be used at the same time so you can shape your traffic as a
whole, and also limit certain traffic to a certain amount of bandwidth.
There are 2 basic steps to setting up a limiter to control bandwidth.
1. Set up the limiters you will be using.
2. Assign traffic to those limiters.

Setup Limiters
Limiters are set up by creating them under Firewall > Traffic Shaper, on the Limiters tab.
You can use just one pipe for both inbound and outbound traffic, but that would mean you are
simulating a half-duplex connection (http://en.wikipedia.org/wiki/Half_duplex#Halfduplex).
The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The
direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your
upload and the outbound queue is your download. You should name the pipes so that you will easily
remember which one is which, such as InLimitLan and OutLimitLan.
Dynamic queue creation
Dummynet pipes have a feature called dynamic queue creation which allows you to have a unique queue
based on the uniqueness of a connection's source protocol, IP, source port, destination IP or destination
port. They can also be used in combination. pfSense currently only allows setting the source address or
the destination address as the mask, meaning that you can give each host behind your firewall its own set
of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would
give your In pipe a Source Address mask, so that each host sending packets gets its own dynamic pipe
for uploading. You would give your Out pipe a destination address mask, so that each host receiving
packets gets its own dynamic pipe for downloading.
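
How the mask changes who shares a pipe can be seen in a small model. This Python sketch is an added example, not dummynet or pfSense code; the traffic figures, the proportional-sharing simplification and all function names are assumptions. It compares an In pipe with no mask against one with a source address mask.

```python
# Added example: model of an "In" limiter with and without a source address mask.
# Flows and rates are constructed; sharing inside one pipe is simplified to
# "proportional to what each flow offers".
from collections import defaultdict

# (source IP, destination IP, bits offered during one second) - constructed
UPLOADS = [
    ("192.168.1.10", "203.0.113.5", 900_000),  # heavy uploader, first flow
    ("192.168.1.10", "203.0.113.9", 900_000),  # heavy uploader, second flow
    ("192.168.1.20", "203.0.113.5", 200_000),  # light user
]


def pipe_key(src, dst, mask):
    """Pick the (dynamic) pipe a flow lands in for the given mask setting."""
    if mask == "none":
        return "shared"
    if mask == "source":
        return src
    if mask == "destination":
        return dst
    raise ValueError(f"unknown mask: {mask}")


def delivered_per_host(flows, pipe_bps, mask):
    """Bits per second each source host gets through the limiter.

    Every dynamic pipe gets the full pipe_bps; flows that land in the same
    pipe are scaled down together when they offer more than that.
    """
    offered = defaultdict(int)
    for src, dst, bits in flows:
        offered[pipe_key(src, dst, mask)] += bits

    result = defaultdict(float)
    for src, dst, bits in flows:
        total = offered[pipe_key(src, dst, mask)]
        scale = min(1.0, pipe_bps / total)
        result[src] += bits * scale
    return {host: round(bps) for host, bps in result.items()}


if __name__ == "__main__":
    for mask in ("none", "source"):
        print(mask, delivered_per_host(UPLOADS, 1_000_000, mask))
```

With no mask the light user loses half of its traffic to the heavy uploader; with the source mask each host is held to the pipe's bandwidth on its own.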

Assign Traffic
Once you set up a limiter pipe, the next step is to assign traffic to it by setting the "in/out" option in a
firewall rule. Remember that in and out are from the perspective of that interface on the firewall. If
you're choosing limiters on the LAN interface, "out" is download speed (traffic from the LAN NIC into
the LAN) and "in" is upload speed (traffic from the LAN into the LAN NIC).
Simply creating the limiters does not do anything; you must assign them on a firewall rule for them to
be used.

Limiter status
The bandwidth usage and other limiter information is available under Diagnostics > Limiter Info.

Captive Portal Notes
Captive portal can automatically set up its own pipes for each logged-in user, no need to set this up
manually. Take a look at the captive portal setup page to set this up.

Using Limiters for Bandwidth Guarantees
If you want to use limiters to guarantee a certain amount of bandwidth instead of limit, you can do so by
making four limiters.
1. Bandwidth to guarantee upload
2. Bandwidth to guarantee download
3. Total bandwidth upload (less guaranteed above)
4. Total bandwidth download (less guaranteed above)
Ensure that you do not set the Mask to anything other than "none". It must be "none" for these to work
properly.
So if you have 8Mb down and 2Mb up, and you want to guarantee 512Kb/s for service X, you'd have
queues sized like so:
1. 512Kb/s
2. 512Kb/s
3. 1536Kb/s
4. 7680Kb/s
Then direct the guaranteed service traffic into the first two limiters, and everything else into the "total"
limiters.

Limiters on Bridges
When using limiters on bridges, you need to assign the bridge interface and put the IP address for the
bridge there, and place the limiters on the member interfaces.

Troubleshooting
Display Pipes
Visit Diagnostics > Limiter Info in the GUI, and it will show you the output of:

ipfw pipe show

This lists all of the pipes currently configured on your system, and related information about their
status.

Dummynet Documentation
DummyNet documentation: http://www.dummynet.com/

Layer 7
Layer 7 filtering or shaping is identifying traffic at layer 7 (Application Layer) of the OSI model
(http://en.wikipedia.org/wiki/OSI_model). Instead of shaping/filtering based on the port and
source/destination, you are identifying a stream based on its contents. This is also sometimes called deep
packet inspection (http://en.wikipedia.org/wiki/Deep_packet_inspection) since it works by looking into
the contents of the packets, not just the headers.
You might want to use layer 7 if you need to deal with packets that use dynamic source and destination
ports, or if filtering/shaping based on ports is not fine-grained enough.

PFSense implementation
PFSense is using the ipfw-classifyd application to provide Layer 7 filtering capabilities.
* Initial Post announcing project. http://lists.freebsd.org/pipermail/freebsd-net/2008-July/019086.html
* Research Paper by Andre Ribeiro, and Helder Pereira. http://www.di.uminho.pt/~prh/uce15-0809/g13.pdf

The protocol patterns are from the L7-filter project.

Defining Protocol Patterns
For now take a look at the L7-filter Pattern Writing Howto. http://l7-filter.sourceforge.net/Pattern-HOWTO
Patterns are stored under /usr/local/share/protocols.

Using Layer 7 with a bridging firewall
If you want to use layer 7 with a bridging firewall you will need to make the following change to a sysctl
under System > Advanced.

net.link.bridge.pfil_member = 0
net.link.bridge.pfil_bridge = 1

After that change you can use the floating rules to assign traffic in a bridging environment.
If you don't make that change you would need to duplicate the assignment rules on each bridge member
interface. (I think this is correct, but not sure).

Example Scenarios
Example 1

Other Documentation
Links to other useful documentation.
* PF packet flow diagram. (http://homepage.mac.com/quension/pf/flow.png) Notice how Altq is the last item to get processed.
* Shaper 2.0 bounty thread. (http://forum.pfsense.org/index.php/topic,2718.0.html)
* ACK queue sizing thread. (http://forum.pfsense.org/index.php/topic,2484.0.html)
* QoS / Traffic Shaping information and tips. (http://forum.pfsense.org/index.php/topic,11986.0.html)
* Tips and Tricks thread. (http://forum.pfsense.org/index.php/topic,1384.0.html)
* P2P queue sizing discussion. (http://forum.pfsense.org/index.php/topic,9129.0.html)
* P2P queue sizing post. (http://forum.pfsense.org/index.php/topic,9427.0.html)
* Monitoring PF article. (http://prefetch.net/articles/monitoringpf.html)
* PF: Packet Queueing and Prioritization (OpenBSD not FreeBSD) (http://www.openbsd.org/faq/pf/queueing.html)
* HFSC howto on Calomel.org. (https://calomel.org/pf_hfsc.html)
* Paper on HFSC design. (http://www.cs.cmu.edu/~hzhang/HFSC/main.html)
* Linux HFSC description, good conceptual examples. (http://linuxip.net/articles/hfsc.en/)
This article is part of the HOWTO series.

Retrieved from "https://doc.pfsense.org/index.php?title=Traffic_Shaping_Guide&oldid=6180"
This page was last modified on 19 November 2014, at 12:38. This page has been accessed
357,453 times.
