pfSense Bandwidth Management: Configure the Traffic Shaper

pfSense Bandwidth Manager: Setup and Management

Effective bandwidth management is critical to the performance of any network. In most networks many users share a single internet connection.

The biggest problem on a shared network is that one user could potentially consume all of the available internet bandwidth and slow down the connections for all of the other users as a result. High-bandwidth users can create an even bigger problem if your network has critical traffic such as VOIP that depends on having enough bandwidth to function.

The solution to problems like this is to implement a traffic shaping system. Traffic shaping can prioritize your important or time critical network traffic to guarantee performance and at the same time throttle less important traffic.

In this hub I will show you how to use pfSense, an open source firewall, to configure traffic shaping to manage your networks bandwidth.

If you are unfamiliar with pfSense you might want read through an Introduction to pfSense first.

How to Find High Bandwith Users

In order to properly manage bandwidth usage, you need to determine who is using the most bandwidth and why.

PfSense offers a package called Darkstat that can quickly give you a view of what is taking place on your network.

Darkstat creates a list of hosts sorted by total upload and download traffic usage. You can also drill down on this report to see which TCP or UDP ports make up that usage. This information can be used to determine whether a traffic shaper will help your network, and if so which ports you should be shaping.

How to Set Up and Configure pfSense Bandwith Traffic Shaper

The instructions in this hub were created for pfSense version 2.0, if you haven't upgraded to the latest version I would recommend doing so first. The traffic shaper in version 2.0 has many improvements over the previous version.

In the sections below I have included a screenshot of each step of the set up process and a description about each page. After completing these steps you will have a fully functional traffic shaper for your home or corporate network.

Step 1: Run the Shaper Wizard

Traffic Shaper Wizard
Traffic Shaper Wizard

To get started, log in to your pfSense system using the web interface. Next open up the traffic shaper menu found under the firewall tab.

PfSense allows you to manually configure the traffic shaper although I would recommend using the traffic shaper wizard and then tweaking things if needed.

Click on the "wizards" tab then select the wizard link that matches your current setup. My pfSense system is set up as a dual wan router so I will be using the Single LAN multi Wan wizard. If you only have a single WAN and LAN connection you should also use this wizard.

Step 2: Specify Wan Connection

Enter the number of WAN connections
Enter the number of WAN connections

On the next step you need to enter the number of WAN connections on your router. If you have a single WAN router just enter "1." If you have a dual WAN router you would enter "2." If you are not sure how many interfaces are configured click on the status tab, then select interfaces.

Step 3: Shaper Configuration

Shaper configuration
Shaper configuration

On the shaper config page the first thing you need to do is select the LAN scheduler.

I would recommend using the default which is HFSC (Hierarchical Fair Service Curve). If you need only very basic shaping you could use PRIQ (Priority Queuing) which is simple to modify but not as efficient.

In the connection upload box, I recommend entering "97%" of the connection's maximum bandwidth. For example if your ISP provides you with a 1Mbps (1000Kbps) upstream then you would multiply 1000 x 97% to get 970Kbps. This will ensure that packets are queued on your pfSense system instead of an upstream router which you have no control over.

In the connection download box, enter the maximum downspeed of the connection.

If you are unsure of your connection speed, contact your ISP or use an online speed test to get an estimate. You may need to slightly tweak these settings to find the optimal configuration for your connection.

Step 4: Voice Over IP Settings

VOIP Settings
VOIP Settings

If you are using VOIP phones, you will probably want to prioritize the traffic sent by the phones. Click the check box to enable this setting. Then select your VOIP provider from the list.

If your provider is not listed choose 'generic', then enter the IP of your VOIP phone. If you have multiple VOIP phones on your network, you can create an alias (Firewall\aliases) that consists of multiple hosts.

If you are not using VOIP leave this setting disabled and click next.

Step 5: Penalty Box

Penalize Specific IP Addresses
Penalize Specific IP Addresses

If you have one or more hosts on your network that are using most of the bandwidth, you can place them in a "penalty box" to limit their usage to a certain percentage of available bandwidth. As in the previous setting if you need to list more than one host you will need to create an alias.

Step 6: Peer-to-Peer Networking

Peer to Peer Network Settings
Peer to Peer Network Settings

In this section of the wizard, you can specify whether to de-prioritize peer-to-peer networking traffic. Almost everyone will want to enable this setting since P2P traffic is often the largest user of internet bandwidth on a network. Enable the check boxes next to each application that you want the traffic shaper to look for on your network.

You can also enable the P2P catch-all setting to penalize uncategorized traffic. If this setting is enabled, any traffic not specifically classified in the traffic shaper will be considered P2P traffic. Generally I don't like to use this setting because I feel that it is too broad, but if you want to take an aggressive approach to packet shaping you can enable this setting.

If the there is a specific protocol you need to block that isn't listed I'll show you how to manually create a rule later in this guide.

Step 7: Prioritize Game Traffic

Network Games Settings
Network Games Settings

On the network games page, you can grant game traffic priority on the network. This is very useful for lowering the latency of game traffic which is very time sensitive.

With this setting enabled users on the network can still be uploading/downloading files without impacting users playing games. For example players of MMORPG games like World Of Warcraft can improve their ping times by enabling this option.

Step 8: Other Applications

Raise or lower other Applications
Raise or lower other Applications

You can also raise or lower the priority assigned to different applications on an individual basis. Most of the options on this page depend on the applications in use on your network. Most users will probably want to raise the priority of HTTP, DNS, and ICMP. Depending on how important email is to your network, you could raise or lower its place in the queue.

If the wizard does not list all of the applications that you need then you can create your own custom traffic shaping rules.

Step 9: Customizing the Rules

Editing the Traffic Shaper Rules
Editing the Traffic Shaper Rules

If the wizard did not list an application or protocol that you want to traffic shape you can add or edit the rules created by the wizard as needed. The rules created by the shaper are found on the Firewall\Rules page. Click on the tab labeled 'floating' and you should see a list of rules generated by the wizard.

If you don't see the rules, run the wizard again and make sure the applications were enabled. Sometimes you need to deselect/select the checkbox. If the options are grayed out, then they are not enabled.

You can adjust the ports of existing rules or create entirely new rules if you want. The easiest way to do so is to create a rule based on an existing rule that is similar to what you are trying to accomplish. To do this click the plus symbol next to the rule you want to copy. The queue names are fairly self explanatory as to what their purpose is.

For a list of of all the queues and their current settings, open the traffic shaper page found in the firewall menu.

pfSense Bandwidth Management: Monitoring the Queue Status

Queue Status
Queue Status

After you have finished setting up the shaper, I recommend monitoring the status of the queues. It's a good idea to check the queues during times of heavy bandwidth usage to make sure everything works as intended. You may find that you need to make small tweaks over time to improve the system.

The queue status page is found under the diagnostics menu. If a queue is showing drops, then traffic exceeds the amount of bandwidth allocated to that queue. It's normal to have drops on the P2P queue or other low priority queues: that means the traffic shaper is doing its job.

If you are seeing drops on the ack or default queues then you may need to grant more bandwidth to them. This can be done in the traffic shaper settings page by clicking on the queue you want to adjust.

Acknowledgments (acks) can consume a very large portion of your total bandwidth during heavy downloads. The faster a computer can acknowledge the receipt of a packet the sooner the sending computer will send the next piece of the file so you want these packets to leave your network quickly.

Deep Packet Inspection

Deep packet inspection, also known as layer 7 shaping, identifies traffic based on the content of the packets instead of just the source or destination ports. If you are trying to manage traffic that uses many different port numbers, you should use deep packet inspection.

This feature is only found in pfSense version 2.0 and newer.

To create rules for this type of traffic click on the layer 7 tab found under Firewall\Traffic Shaper. You can create rules to either block certain protocols or route it to one of the queues.

More by this Author

Comments 17 comments

zephxiii 5 years ago

Oh my god you should highlight the part about custom ports in traffic shaping. I swear i've been searching all over the place (even in their forums) to figure out how to do it. thhhhanx!!!!

skear profile image

skear 5 years ago from Kansas City Author


Great suggestion, I will have to do that. I'm glad you found it useful!

skear profile image

skear 5 years ago from Kansas City Author


Check out, there are some basic troubleshooting steps at the bottom.

Make sure your clients are set to DHCP so they can obtain an ip address from pfSense. Try pinging the LAN of pfSense from your clients.

Markus 4 years ago

Hi, thanks for your useful guide. Is it also possible when using a captive authorizing portal to give all users a minimum bandwidth (which would be wan-Bandwidth/county of users).

maxravi profile image

maxravi 4 years ago from India

Thanks for the topic.I would love it if you would have added a video.voted up!

skear profile image

skear 4 years ago from Kansas City Author

@maxravi - Thanks! The video is a great suggestion, I'll work on that.

happyturtle profile image

happyturtle 4 years ago from UK

Thanks Skear. Do you have any plans post a video?

skear profile image

skear 4 years ago from Kansas City Author

@happyturtle - Thanks for commenting. I do plan to add some videos in the future. You are not the first person to request one :)

Anon 4 years ago

I tried your guide, but I can't seem to limit my bandwidth usage. I also tried the limiters, and they also don't seem to work. On a 5MB connection, even if I set the limiters to 1MB, it maxes out my connection

Doug 4 years ago

For what it is worth, the Traffic Shaper Queue seems to have moved from Diagnostic menu. It is now found under Status-Queues.

Leptirela profile image

Leptirela 19 months ago from I don't know half the time

Great hub

Johncin 12 months ago

Great tuts skear its very useful .

thanks 11 months ago

very good tutorial.

mark 11 months ago

nice tutorial.. may i ask a favor? i have 2 ISP and i want to separate gaming ang Browsing on my network. ISP-A = Browsing and ISP-B=Online games. This is to avoid LAGG to my online games.. do you have an idea for this

sunnynanade 10 months ago

Hi, how can i give priority to web traffic ? There are many sites which the Admin department in out college uses frequently. How can i make setting so that the sites open fast. And how do i block torrent download completely and also i DONT want to give priority to direct download.

The tutorial i great, complete in itself. Thanks a lot. :)

sunnynanade 10 months ago

Another help i need in configuring Lightsquid. How do i get the real names of IP ? How can i group IP so that when i need i can disable net for some specific group only.

jianyue profile image

jianyue 8 months ago

Thanks for this tutorial, I will look into it and read in detail when I really need it!

    Sign in or sign up and post using a HubPages Network account.

    0 of 8192 characters used
    Post Comment

    No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.

    Click to Rate This Article