https://mediawiki.comfac.net/index.php?action=history&feed=atom&title=Training_Lab_9%3A_Traffic_Shaping
Training Lab 9: Traffic Shaping - Revision history
2026-06-05T11:00:28Z
Revision history for this page on the wiki
MediaWiki 1.45.1
https://mediawiki.comfac.net/index.php?title=Training_Lab_9:_Traffic_Shaping&diff=244&oldid=prev
Justinaquino: Imported from FUND001-LIVE-Lab9-TrafficShaping.pdf
2026-04-23T07:10:26Z
<p>Imported from FUND001-LIVE-Lab9-TrafficShaping.pdf</p>
<p><b>New page</b></p><div>__NOTOC__<br />
<br />
<div style="background:#005500; color:white; padding:12px; border-radius:6px; margin-bottom:16px;"><br />
'''Netgate pfSense Plus Fundamentals — Lab 9: Traffic Shaping'''<br/><br />
<small>Training lab manual: FUND001-LIVE-Lab9-TrafficShaping.pdf</small><br />
</div><br />
<br />
== Overview ==<br />
<br />
This lab covers limiters and traffic shaping at an introductory level.<br />
<br />
We will configure limiters to restrict HQ LAN hosts to '''2 Mb down / 512 Kb up'''. The mask option of limiters is used to configure this limit on a '''per-IP basis''' — so each IP in the LAN gets its own 2 Mb down, 512 Kb up pipe.<br />
<br />
== Understanding Limiter Direction ==<br />
<br />
Limiters are applied to firewall rules by specifying them under '''In''' and '''Out''' in the advanced options. The direction of traffic is from the perspective of that interface of the firewall.<br />
<br />
* '''Traffic coming into the LAN NIC''' = upload traffic<br />
* '''Traffic leaving the LAN NIC''' = download traffic<br />
<br />
The mask of limiters can be configured on a '''source address''' or '''destination address''' basis:<br />
<br />
{| class="wikitable"<br />
! Limiter !! Mask Setting !! Reason<br />
|-<br />
| Download (2M-down) || Destination addresses || Traffic leaving the LAN interface has internal clients' IPs as the destination.<br />
|-<br />
| Upload (512K-up) || Source addresses || Traffic entering the LAN interface is sourced from internal clients' IPs.<br />
|}<br />
<br />
== Configuring Limiters ==<br />
<br />
On '''fw1-HQ''', browse to '''Firewall → Traffic Shaper → Limiters''' tab. Click '''New Limiter''' to add a new limiter.<br />
<br />
=== Download Limiter ===<br />
<br />
{| class="wikitable"<br />
! Setting !! Value<br />
|-<br />
| Name || 2M-down<br />
|-<br />
| Enable || (checked)<br />
|-<br />
| Bandwidth || 2 Mbit/s<br />
|-<br />
| Mask || Destination addresses<br />
|-<br />
| Description || 2 Mb down per-IP<br />
|}<br />
<br />
Leave the remainder at defaults and click '''Save'''.<br />
<br />
=== Upload Limiter ===<br />
<br />
{| class="wikitable"<br />
! Setting !! Value<br />
|-<br />
| Name || 512K-up<br />
|-<br />
| Enable || (checked)<br />
|-<br />
| Bandwidth || 512 Kbps<br />
|-<br />
| Mask || Source addresses<br />
|-<br />
| Description || 512 Kb up per-IP<br />
|}<br />
<br />
Leave the remainder at defaults, click '''Save''', then '''Apply Changes'''.<br />
<br />
== Applying Limiters to Firewall Rules ==<br />
<br />
Just configuring the limiters doesn't make them active. They must be assigned to a firewall rule to be applied.<br />
<br />
# Browse to '''Firewall → Rules → LAN'''.<br />
# Edit the '''"Default allow LAN to any"''' rule.<br />
# Scroll down under '''Advanced''', and click the '''Advanced''' button to the right of '''In/Out'''.<br />
# For the '''In''' limiter, choose '''512K-up'''.<br />
# For the '''Out''' limiter, choose '''2M-down'''.<br />
# Click '''Save''' and '''Apply Changes'''.<br />
<br />
Back at the LAN firewall rules screen, you'll see the '''(a)''' icon to the left of the default LAN rule, meaning one or more advanced options are specified on that rule. Hover your mouse cursor over that button to see what is configured.<br />
<br />
== Testing Limiters ==<br />
<br />
# Pull up '''Status → Traffic Graph → WAN''' on fw1-HQ.<br />
# Run a speed test (e.g., speedtest.net).<br />
# You should see speeds of approximately '''2 Mb down, 512 Kb up'''.<br />
<br />
== Traffic Shaper Basic Configuration (Wizard) ==<br />
<br />
In this section we configure a basic traffic shaping setup prioritizing VoIP over all else at the branch location (fw1-branch).<br />
<br />
=== Wizard Setup ===<br />
<br />
# Browse to '''Firewall → Traffic Shaper → Wizards'''.<br />
# Choose '''traffic_shaper_wizard_multi_all.xml'''.<br />
# At the first screen, specify '''1''' for the number of WAN and LAN connections and click '''Next'''.<br />
# Choose '''PRIQ''' for both download and upload schedulers.<br />
# Specify connection bandwidth as '''100 Mbit/s''' upload and download.<br />
# Click '''Next'''.<br />
# Check '''"Prioritize Voice over IP traffic"'''. Fill in '''128 Kbit/s''' for upload and download bandwidth (not actually used with PRIQ).<br />
# Click '''Next''' three times past penalty box, peer-to-peer networking, and network games.<br />
# At the '''"Raise or lower other applications"''' screen, enable it and choose '''VNC''' as higher priority.<br />
# Click '''Finish'''.<br />
<br />
== Reviewing Firewall Rule Shaping Configuration ==<br />
<br />
Browse to '''Firewall → Rules → Floating''' to see the traffic shaper rules added by the wizard. These are match rules which specify the appropriate queue for each type of traffic.<br />
<br />
* The VoIP traffic classification ends up as a rule matching all UDP traffic from any source to any destination, with queue '''qVoIP'''.<br />
* All traffic not matching a floating rule specifying a queue will go into the '''default queue'''.<br />
<br />
== Reviewing Shaper Queue Configuration ==<br />
<br />
Browse to '''Firewall → Traffic Shaper'''. The '''By Interface''' and '''By Queue''' tabs both show configured queues (two different layouts of the same data).<br />
<br />
* '''By Queue''' is typically used for manual configuration.<br />
* '''By Interface''' is the standard review view.<br />
* You can click '''"Remove Shaper"''' on the '''By Interface''' tab to remove and disable traffic shaping.<br />
<br />
== Testing and Checking Status ==<br />
<br />
# Reset all states: '''Diagnostics → States → Reset States''' tab → click '''Reset'''.<br />
# Browse to '''Status → Queues''' and monitor while generating traffic.<br />
# Run a speed test — the speed test traffic will fall into the '''default queue'''.<br />
<br />
== Generating SIP Traffic ==<br />
<br />
Use '''SIPp''' on the test systems:<br />
<br />
On '''remote-host''' (100.64.0.50):<br />
<pre><br />
training@remote-host:~$ sipp -sn uas<br />
</pre><br />
<br />
On '''branch-client''' (172.18.1.100):<br />
<pre><br />
training@branch-client:~$ sipp -sn uac 100.64.0.50<br />
</pre><br />
<br />
These commands initiate 10 SIP calls per second indefinitely. View '''Status → Queues''' while running to see traffic in the VoIP queue.<br />
<br />
== Long-term Monitoring ==<br />
<br />
When traffic shaping is enabled, RRD graphs include queue statistics and queue drops.<br />
<br />
# Browse to '''Status → Monitoring''' and click the wrench icon.<br />
# For '''Left Axis''', choose '''Queues'''.<br />
# The '''Queue Drops''' graph shows packets dropped from each queue.<br />
<br />
Ideally, you want to see '''0 drops''' across all high-priority queues, with drops limited to lower or default priority traffic.<br />
<br />
----<br />
<br />
<div style="background:#f0f8ff; padding:10px; border-left:4px solid #005500;"><br />
'''Previous Module:''' [[Training:_Traffic_Shaping|Section 9 — Traffic Shaping (Slides)]]<br />
</div><br />
<br />
== Source Attribution ==<br />
<br />
* '''Document:''' FUND001-LIVE-Lab9-TrafficShaping.pdf<br />
* '''Course:''' pfSense Plus Fundamentals and Practical Applications<br />
* '''Copyright:''' © 2021 Rubicon Communications, LLC (Netgate)<br />
* '''Extracted and formatted for internal training wiki.'''</div>
Justinaquino