Traffic shaping, or network Quality of Service (QoS), is a means of prioritizing network traffic. Without traffic shaping, packets are processed on a first in/first out basis by the firewall. QoS offers a means of prioritizing different types of traffic, ensuring that high priority services receive the bandwidth they need before lesser priority services.
For simplicity, the traffic shaping system in pfSense® software may also be referred to as the “shaper”, and the act of traffic shaping may be called “shaping”.
Traffic Shaping Types
There are two types of QoS available in pfSense software: ALTQ and Limiters.
The ALTQ framework is handled through pf and is closely tied to network card drivers. ALTQ can handle several types of schedulers and queue layouts. The traffic shaper wizard configures ALTQ and gives firewall administrators the ability to quickly configure QoS for common scenarios, and it allows custom rules for more complex tasks. ALTQ is inefficient, however, so the maximum potential throughput of a firewall is lowered significantly when it is active.
pfSense software also supports a separate shaper concept called Limiters. Limiters enforce hard bandwidth limits for a group or on a per-IP address or network basis. Inside of those bandwidth limits, limiters can also manage traffic priorities.
Traffic Shaping Basics
For administrators who are unfamiliar with traffic shaping, it is like a bouncer at an exclusive club. The VIPs (Very Important Packets) always make it in first and without waiting. The regular packets have to wait their turn in line, and “undesirable” packets can be kept out until after the real party is over. All the while, the club is kept at capacity and never overloaded. If more VIPs come along later, regular packets may need to be tossed out to keep the place from getting too crowded.
ALTQ shaping concepts can be counter-intuitive at first because the traffic has to be queued in a place where the operating system can control the flow of packets. Incoming traffic from the Internet going to a host on the LAN (downloading) is shaped leaving the LAN interface from the firewall. In the same manner, traffic going from the LAN to the Internet (uploading) is shaped when leaving the WAN.
For ALTQ, there are traffic shaping queues, and traffic shaping rules. The queues allocate bandwidth and priorities. Traffic shaping rules control how traffic is assigned into those queues. Rules for the shaper work the same as firewall rules, and allow the same matching characteristics. If a packet matches a shaper rule, it will be assigned into the queues specified by that rule. In pfSense software, shaper rules are mostly handled on the Floating tab using the Match action that assigns the traffic into queues, but rules on any interface can assign traffic into queues using the Pass action.
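The following added example (not pfSense code) models the two ideas above: traffic is queued on the interface it leaves by, and rules place packets into queues that are then served by priority. The queue names, priorities, ports, sample packets, and the use of strict priority scheduling with a fixed number of send "slots" standing in for bandwidth are all assumptions made for this sketch.

```python
from collections import deque

# Assumed queue names and priorities for this sketch (higher is served first).
QUEUES = {"qVoIP": 7, "qDefault": 3, "qBulk": 1}

# Match-style rules: (protocol, service port) -> queue. They do not overlap,
# so rule evaluation order does not matter in this sample.
RULES = {("udp", 5060): "qVoIP", ("tcp", 6881): "qBulk"}

# Constructed sample traffic, in arrival order.
PACKETS = [
    ("torrent-1", "upload", "tcp", 6881),
    ("web-1", "upload", "tcp", 443),
    ("voip-1", "upload", "udp", 5060),
    ("torrent-2", "upload", "tcp", 6881),
    ("voip-2", "download", "udp", 5060),
    ("web-2", "download", "tcp", 443),
]

def egress_interface(direction):
    """Traffic is queued where it leaves the firewall."""
    return {"download": "LAN", "upload": "WAN"}[direction]

def classify(proto, port):
    """Assign a packet to a queue; unmatched traffic lands in the default queue."""
    return RULES.get((proto, port), "qDefault")

def fifo(packets, slots):
    """No shaper: the first packets to arrive use up the available slots."""
    return [name for name, *_ in packets[:slots]]

def shape(packets, slots):
    """Per egress interface, send up to `slots` packets in priority order."""
    per_if = {}
    for name, direction, proto, port in packets:
        queues = per_if.setdefault(egress_interface(direction),
                                   {q: deque() for q in QUEUES})
        queues[classify(proto, port)].append(name)
    sent = {}
    for iface, queues in per_if.items():
        out = []
        for q in sorted(QUEUES, key=QUEUES.get, reverse=True):
            while queues[q] and len(out) < slots:
                out.append(queues[q].popleft())
        sent[iface] = out
    return sent

if __name__ == "__main__":
    uploads = [p for p in PACKETS if p[1] == "upload"]
    print("FIFO on WAN:", fifo(uploads, 2))
    print("Shaped:     ", shape(PACKETS, 2))
```

With two slots per interface, the unshaped WAN sends the bulk transfer first, while the shaped WAN sends the VoIP packet first and leaves both bulk packets waiting.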
Limiter rules are handled differently. Limiters apply on regular pass rules and enforce their limits on the traffic as it enters and leaves an interface. Limiters almost always exist in pairs: One for the “download” direction traffic and one for the “upload” direction traffic.