pfSense Bandwidth Management: Configure the Traffic Shaper

Updated on March 4, 2020
Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelor's Degree in Information Technology from UMKC.

pfSense Bandwidth Manager: Setup and Management

Effective bandwidth management is critical to the performance of any network. In most networks many users share a single internet connection.

The biggest problem on a shared network is that one user could potentially consume all of the available internet bandwidth and slow down the connections for all of the other users as a result. High-bandwidth users can create an even bigger problem if your network has critical traffic such as VOIP that depends on having enough bandwidth to function.

The solution to problems like this is to implement a traffic shaping system. Traffic shaping can prioritize your important or time-critical network traffic to guarantee performance and at the same time throttle less important traffic.

In this hub I will show you how to use pfSense, an open-source firewall, to configure traffic shaping to manage your network's bandwidth.

If you are unfamiliar with pfSense you might want to read through an Introduction to pfSense first.

How to Find High-Bandwidth Users

In order to properly manage bandwidth usage, you need to determine who is using the most bandwidth and why.

pfSense offers a package called Darkstat that can quickly give you a view of what is taking place on your network.

Darkstat creates a list of hosts sorted by total upload and download traffic usage. You can also drill down on this report to see which TCP or UDP ports make up that usage. This information can be used to determine whether a traffic shaper will help your network, and if so which ports you should be shaping.

How to Set Up and Configure the pfSense Bandwidth Traffic Shaper

The instructions in this hub were created for pfSense version 2.0. If you haven't upgraded to the latest version, I would recommend doing so first. The traffic shaper in version 2.0 has many improvements over the previous version.

In the sections below I have included a screenshot of each step of the setup process and a description of each page. After completing these steps you will have a fully functional traffic shaper for your home or corporate network.

Step 1: Run the Shaper Wizard

Traffic Shaper Wizard

To get started, log in to your pfSense system using the web interface. Next open up the traffic shaper menu found under the firewall tab.

pfSense allows you to manually configure the traffic shaper, although I would recommend using the traffic shaper wizard and then tweaking things if needed.

Click on the "wizards" tab, then select the wizard link that matches your current setup. My pfSense system is set up as a dual-WAN router, so I will be using the Single LAN multi Wan wizard. If you only have a single WAN and LAN connection, you should also use this wizard.

Step 2: Specify WAN Connection

Enter the number of WAN connections

On the next step you need to enter the number of WAN connections on your router. If you have a single WAN router, just enter "1." If you have a dual WAN router, you would enter "2." If you are not sure how many interfaces are configured, click on the status tab, then select interfaces.

Step 3: Shaper Configuration

Shaper configuration

On the shaper config page the first thing you need to do is select the LAN scheduler.

I would recommend using the default which is HFSC (Hierarchical Fair Service Curve). If you need only very basic shaping you could use PRIQ (Priority Queuing) which is simple to modify but not as efficient.

In the connection upload box, I recommend entering "97%" of the connection's maximum bandwidth. For example if your ISP provides you with a 1Mbps (1000Kbps) upstream then you would multiply 1000 x 97% to get 970Kbps. This will ensure that packets are queued on your pfSense system instead of an upstream router which you have no control over.

In the connection download box, enter the maximum download speed of the connection.

If you are unsure of your connection speed, contact your ISP or use an online speed test to get an estimate. You may need to slightly tweak these settings to find the optimal configuration for your connection.

Step 4: Voice Over IP Settings

VOIP Settings

If you are using VOIP phones, you will probably want to prioritize the traffic sent by the phones. Click the check box to enable this setting. Then select your VOIP provider from the list.

If your provider is not listed choose 'generic', then enter the IP of your VOIP phone. If you have multiple VOIP phones on your network, you can create an alias (Firewall\aliases) that consists of multiple hosts.

If you are not using VOIP leave this setting disabled and click next.

Step 5: Penalty Box

Penalize Specific IP Addresses

If you have one or more hosts on your network that are using most of the bandwidth, you can place them in a "penalty box" to limit their usage to a certain percentage of available bandwidth. As in the previous setting if you need to list more than one host you will need to create an alias.

Step 6: Peer-to-Peer Networking

Peer to Peer Network Settings

In this section of the wizard, you can specify whether to de-prioritize peer-to-peer networking traffic. Almost everyone will want to enable this setting since P2P traffic is often the largest user of internet bandwidth on a network. Enable the check boxes next to each application that you want the traffic shaper to look for on your network.

You can also enable the P2P catch-all setting to penalize uncategorized traffic. If this setting is enabled, any traffic not specifically classified in the traffic shaper will be considered P2P traffic. Generally I don't like to use this setting because I feel that it is too broad, but if you want to take an aggressive approach to packet shaping you can enable this setting.

If there is a specific protocol you need to block that isn't listed, I'll show you how to manually create a rule later in this guide.

Step 7: Prioritize Game Traffic

Network Games Settings

On the network games page, you can grant game traffic priority on the network. This is very useful for lowering the latency of game traffic which is very time sensitive.

With this setting enabled users on the network can still be uploading/downloading files without impacting users playing games. For example players of MMORPG games like World Of Warcraft can improve their ping times by enabling this option.

Step 8: Other Applications

Raise or lower other Applications

You can also raise or lower the priority assigned to different applications on an individual basis. Most of the options on this page depend on the applications in use on your network. Most users will probably want to raise the priority of HTTP, DNS, and ICMP. Depending on how important email is to your network, you could raise or lower its place in the queue.

If the wizard does not list all of the applications that you need then you can create your own custom traffic shaping rules.

Step 9: Customizing the Rules

Editing the Traffic Shaper Rules

If the wizard did not list an application or protocol that you want to traffic shape you can add or edit the rules created by the wizard as needed. The rules created by the shaper are found on the Firewall\Rules page. Click on the tab labeled 'floating' and you should see a list of rules generated by the wizard.

If you don't see the rules, run the wizard again and make sure the applications were enabled. Sometimes you need to deselect/select the checkbox. If the options are grayed out, then they are not enabled.

You can adjust the ports of existing rules or create entirely new rules if you want. The easiest way to do so is to create a rule based on an existing rule that is similar to what you are trying to accomplish. To do this, click the plus symbol next to the rule you want to copy. The queue names are fairly self-explanatory.

For a list of all the queues and their current settings, open the traffic shaper page found in the firewall menu.

pfSense Bandwidth Management: Monitoring the Queue Status

Queue Status

After you have finished setting up the shaper, I recommend monitoring the status of the queues. It's a good idea to check the queues during times of heavy bandwidth usage to make sure everything works as intended. You may find that you need to make small tweaks over time to improve the system.

The queue status page is found under the diagnostics menu. If a queue is showing drops, then traffic exceeds the amount of bandwidth allocated to that queue. It's normal to have drops on the P2P queue or other low priority queues: that means the traffic shaper is doing its job.

If you are seeing drops on the ack or default queues then you may need to grant more bandwidth to them. This can be done in the traffic shaper settings page by clicking on the queue you want to adjust.

Acknowledgments (acks) can consume a very large portion of your total bandwidth during heavy downloads. The faster a computer can acknowledge the receipt of a packet the sooner the sending computer will send the next piece of the file so you want these packets to leave your network quickly.
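
The drop check described above can also be run against saved output of `pfctl -vsq`, pf's command for printing per-queue counters. This is an added example, not part of the original article; the sample text, the interface name em0 and the queue names (qACK, qDefault, qP2P, qOthersLow) are constructed assumptions, so substitute the names shown on your own traffic shaper page.

```python
import re

# Constructed sample in the layout `pfctl -vsq` prints for ALTQ queues.
# Interface name, queue names and counters are made up for illustration.
SAMPLE = """\
queue  qACK on em0 bandwidth 194Kb hfsc( linkshare 194Kb )
  [ pkts:      40211  bytes:    2412660  dropped pkts:    312 bytes:  18720 ]
  [ qlength:  48/ 50 ]
queue  qDefault on em0 bandwidth 97Kb hfsc( default )
  [ pkts:      30007  bytes:   21004900  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qP2P on em0 bandwidth 48.50Kb hfsc( red ecn upperlimit 48.50Kb )
  [ pkts:      21032  bytes:   37584553  dropped pkts:   5120 bytes: 7372800 ]
  [ qlength:  50/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
STATS_RE = re.compile(r"\bpkts:\s*(\d+)\s+bytes:\s*\d+\s+dropped pkts:\s*(\d+)")

# Assumed names of the low-priority queues; drops there are expected.
LOW_PRIORITY = {"qP2P", "qOthersLow"}

def parse_queues(text):
    """Return one dict per queue with its passed and dropped packet counts."""
    queues, current = [], None
    for line in text.splitlines():
        header = QUEUE_RE.match(line)
        if header:
            current = {"name": header.group(1), "iface": header.group(2)}
            continue
        stats = STATS_RE.search(line)
        if stats and current is not None:
            current["pkts"], current["dropped"] = map(int, stats.groups())
            queues.append(current)
            current = None
    return queues

def review(queues):
    """List queues with drops as (name, iface, drop %, verdict)."""
    findings = []
    for q in queues:
        if q["dropped"] == 0:
            continue
        # Assumption: "pkts" counts packets that were passed, not dropped ones.
        pct = round(100 * q["dropped"] / (q["pkts"] + q["dropped"]), 2)
        verdict = "expected" if q["name"] in LOW_PRIORITY else "grant more bandwidth"
        findings.append((q["name"], q["iface"], pct, verdict))
    return findings

if __name__ == "__main__":
    for finding in review(parse_queues(SAMPLE)):
        print(*finding)
```

Run it on output captured during a period of heavy usage; counters are cumulative, so compare two captures if you want the drop rate over a specific interval.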

Deep Packet Inspection

Deep packet inspection, also known as layer 7 shaping, identifies traffic based on the content of the packets instead of just the source or destination ports. If you are trying to manage traffic that uses many different port numbers, you should use deep packet inspection.

This feature is only found in pfSense version 2.0 and newer.

To create rules for this type of traffic, click on the layer 7 tab found under Firewall\Traffic Shaper. You can create rules to either block certain protocols or route them to one of the queues.



    • Jack Wang

      3 years ago


    • Great tutorial!

      3 years ago

      Thank you so much for this!

    • 3 years ago

      Hello, how can I set up that one user doesn't use all the bandwidth and the rest of the users can't get access to the internet?

    • Chew Jian Yue (jianyue)

      4 years ago

      Thanks for this tutorial, I will look into it and read in detail when I really need it!

    • 4 years ago

      Another help I need is in configuring Lightsquid. How do I get the real names of IPs? How can I group IPs so that when I need to I can disable net for some specific group only?

    • 4 years ago

      Hi, how can I give priority to web traffic? There are many sites which the Admin department in our college uses frequently. How can I make settings so that the sites open fast? And how do I block torrent download completely? Also, I DON'T want to give priority to direct download.

      The tutorial is great, complete in itself. Thanks a lot. :)

    • 4 years ago

      Nice tutorial. May I ask a favor? I have 2 ISPs and I want to separate gaming and browsing on my network. ISP-A = Browsing and ISP-B = Online games. This is to avoid LAG in my online games. Do you have an idea for this?

    • 4 years ago

      Very good tutorial.

    • 4 years ago

      Great tuts skear, it's very useful.

    • Leptirela

      5 years ago from I don't know half the time

      Great hub

    • 8 years ago

      For what it is worth, the Traffic Shaper Queue seems to have moved from Diagnostic menu. It is now found under Status-Queues.

    • 8 years ago

      I tried your guide, but I can't seem to limit my bandwidth usage. I also tried the limiters, and they also don't seem to work. On a 5MB connection, even if I set the limiters to 1MB, it maxes out my connection.

    • Sam Kear (skear, AUTHOR)

      8 years ago from Kansas City

      @happyturtle - Thanks for commenting. I do plan to add some videos in the future. You are not the first person to request one :)

    • happyturtle

      8 years ago from UK

      Thanks Skear. Do you have any plans to post a video?

    • Sam Kear (skear, AUTHOR)

      8 years ago from Kansas City

      @maxravi - Thanks! The video is a great suggestion, I'll work on that.

    • Ravi Singh (maxravi)

      8 years ago from India

      Thanks for the topic. I would love it if you would have added a video. Voted up!

    • 8 years ago

      Hi, thanks for your useful guide. Is it also possible when using a captive authorizing portal to give all users a minimum bandwidth (which would be WAN bandwidth/count of users)?

    • Sam Kear (skear, AUTHOR)

      9 years ago from Kansas City


      Check out, there are some basic troubleshooting steps at the bottom.

      Make sure your clients are set to DHCP so they can obtain an ip address from pfSense. Try pinging the LAN of pfSense from your clients.

    • Sam Kear (skear, AUTHOR)

      9 years ago from Kansas City


      Great suggestion, I will have to do that. I'm glad you found it useful!

    • 9 years ago

      Oh my god, you should highlight the part about custom ports in traffic shaping. I swear I've been searching all over the place (even in their forums) to figure out how to do it. thhhhanx!!!!

