Traffic Shaper | pfSense Documentation

Traffic Shaper

Traffic shaping, or network Quality of Service (QoS), is a means of prioritizing
network traffic. Without traffic shaping, packets are processed on a first
in/first out basis by the firewall. QoS offers a means of prioritizing different
types of traffic, ensuring that high priority services receive the bandwidth
they need before lesser priority services.

For simplicity, the traffic shaping system in pfSense® software may also be
referred to as the “shaper”, and the act of traffic shaping may be called
“shaping”.

Traffic Shaping Types

There are two types of QoS available in pfSense software: ALTQ and Limiters.

The ALTQ framework is handled through pf and is closely tied to network
card drivers. ALTQ can handle several types of schedulers and queue layouts. The
traffic shaper wizard configures ALTQ and gives firewall administrators the
ability to quickly configure QoS for common scenarios, and it allows custom
rules for more complex tasks. ALTQ is inefficient, however, so the maximum
potential throughput of a firewall is lowered significantly when it is active.

pfSense software also supports a separate shaper concept called Limiters.
Limiters enforce hard bandwidth limits for a group or on a per-IP address or
network basis. Inside of those bandwidth limits, limiters can also manage
traffic priorities.

Traffic Shaping Basics

For administrators who are unfamiliar with traffic shaping, it is like a bouncer
at an exclusive club. The VIPs (Very Important Packets) always make it in first
and without waiting. The regular packets have to wait their turn in line, and
“undesirable” packets can be kept out until after the real party is over. All
the while, the club is kept at capacity and never overloaded. If more VIPs come
along later, regular packets may need to be tossed out to keep the place from
getting too crowded.

ALTQ shaping concepts can be counter-intuitive at first because the traffic has
to be queued in a place where the operating system can control the flow of
packets. Incoming traffic from the Internet going to a host on the LAN
(downloading) is shaped leaving the LAN interface from the firewall. In the
same manner, traffic going from the LAN to the Internet (uploading) is shaped
when leaving the WAN.

For ALTQ, there are traffic shaping queues, and traffic shaping rules. The
queues allocate bandwidth and priorities. Traffic shaping rules control how
traffic is assigned into those queues. Rules for the shaper work the same as
firewall rules, and allow the same matching characteristics. If a packet matches
a shaper rule, it will be assigned into the queues specified by that rule. In
pfSense software, shaper rules are mostly handled on the Floating tab using
the Match action that assigns the traffic into queues, but rules on any
interface can assign traffic into queues using the Pass action.
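
The queue and rule behavior described above can be modeled in a few lines. This is an added example, not pfSense code or configuration: the rule set, queue names, priorities, capacities, and packets are all constructed, and the drop policy follows the bouncer analogy rather than any particular ALTQ scheduler.

```python
from collections import deque

# Constructed rules (assumption): first match wins, anything else is qDefault.
RULES = [({"proto": "udp", "dport": 5060}, "qVoIP"),
         ({"proto": "tcp", "dport": 443}, "qWeb")]
PRIORITY = {"qVoIP": 7, "qWeb": 3, "qDefault": 1}  # higher is served first

def shaping_interface(pkt):  # traffic is queued where it leaves the firewall
    return "LAN" if pkt["direction"] == "download" else "WAN"

def classify(pkt):  # a shaper rule: match the packet, name its queue
    for match, queue in RULES:
        if all(pkt.get(k) == v for k, v in match.items()):
            return queue
    return "qDefault"

class Interface:
    def __init__(self, capacity, per_tick):
        self.capacity, self.per_tick = capacity, per_tick
        self.queues = {name: deque() for name in PRIORITY}
        self.dropped = []

    def enqueue(self, pkt):
        queue = classify(pkt)
        if sum(len(q) for q in self.queues.values()) >= self.capacity:
            # Full: toss the lowest-priority waiting packet, or the newcomer
            # itself when it is no more important than that packet.
            victim = min((n for n in self.queues if self.queues[n]), key=PRIORITY.get)
            if PRIORITY[victim] >= PRIORITY[queue]:
                self.dropped.append(pkt["id"])
                return
            self.dropped.append(self.queues[victim].pop()["id"])
        self.queues[queue].append(pkt)

    def tick(self):  # send up to per_tick packets, highest priority first
        sent = []
        for name in sorted(PRIORITY, key=PRIORITY.get, reverse=True):
            while self.queues[name] and len(sent) < self.per_tick:
                sent.append(self.queues[name].popleft()["id"])
        return sent

def demo():
    wan, lan = Interface(3, 2), Interface(3, 2)
    for pid, direction, proto, dport in [  # constructed sample packets
            ("bulk1", "upload", "tcp", 6881), ("web1", "upload", "tcp", 443),
            ("bulk2", "upload", "tcp", 6881), ("voip1", "upload", "udp", 5060),
            ("dl1", "download", "tcp", 443)]:
        pkt = {"id": pid, "direction": direction, "proto": proto, "dport": dport}
        (lan if shaping_interface(pkt) == "LAN" else wan).enqueue(pkt)
    return wan.tick(), wan.tick(), wan.dropped, lan.tick()
```

In `demo()`, the late-arriving VoIP packet displaces a queued bulk packet on the full WAN interface and is sent first, while the download packet is queued on the LAN interface rather than the WAN.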

Limiter rules are handled differently. Limiters apply on regular pass rules and
enforce their limits on the traffic as it enters and leaves an interface.
Limiters almost always exist in pairs: One for the “download” direction traffic
and one for the “upload” direction traffic.
