Training Lab 9: Traffic Shaping
Netgate pfSense Plus Fundamentals — Lab 9: Traffic Shaping
Training lab manual: FUND001-LIVE-Lab9-TrafficShaping.pdf
Overview
This lab covers limiters and traffic shaping at an introductory level.
We will configure limiters to restrict HQ LAN hosts to 2 Mbit/s down / 512 Kbit/s up. The Mask option of a limiter applies the limit per address rather than to the aggregate, so each IP in the LAN gets its own 2 Mbit/s down, 512 Kbit/s up pipe. Note that a masked limiter does not cap total LAN usage: N active hosts can together consume up to N × 2 Mbit/s of WAN capacity.
Understanding Limiter Direction
Limiters are applied to firewall rules by selecting them as the In and Out pipes under the rule's Advanced Options. "In" and "Out" are from the perspective of the firewall interface the rule is on, not from the perspective of the client:
- Traffic coming into the firewall on the LAN NIC (LAN client toward the Internet) = upload traffic
- Traffic leaving the firewall on the LAN NIC (Internet toward the LAN client) = download traffic
The mask of limiters can be configured on a source address or destination address basis:
| Limiter | Mask Setting | Reason |
|---|---|---|
| Download (2M-down) | Destination addresses | Traffic leaving the LAN interface has internal clients' IPs as the destination. |
| Upload (512K-up) | Source addresses | Traffic entering the LAN interface is sourced from internal clients' IPs. |
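To make the effect of the Mask setting concrete, the following is an added example (not code from the lab manual or from pfSense/dummynet) that models a 2 Mbit/s download limiter as a token bucket keyed by the masked destination address. With Mask = none all hosts share one bucket; with Mask = Destination addresses and the default 32 mask bits each host gets its own; with fewer mask bits (the Mask bits field) a whole subnet shares one. The two LAN addresses are constructed for the simulation.

```python
"""Token-bucket model of a limiter pipe with and without a per-address mask.

Added example; not code from the lab manual or from pfSense/dummynet.
The LAN addresses below are constructed for the simulation.
"""
from collections import defaultdict, deque
import ipaddress

PKT_BITS = 1500 * 8   # one full-size Ethernet frame
TICK_S = 0.001        # simulation step: 1 ms


class LimiterPipe:
    """One limiter modelled as a token bucket per mask key.

    mask_bits=None models Mask = none: every flow shares a single bucket.
    mask_bits=32 models Mask = Destination (or Source) addresses with the
    default 32 mask bits: one bucket per /32, i.e. per host.
    Smaller values model the Mask bits field, which groups a whole subnet
    into one bucket.
    """

    def __init__(self, bw_bps, mask_bits=None, key_field="dst"):
        self.bw_bps = bw_bps
        self.mask_bits = mask_bits
        self.key_field = key_field            # "dst" for download, "src" for upload
        self.burst_bits = PKT_BITS            # bucket depth: one packet of slack
        self.tokens = defaultdict(lambda: self.burst_bits)  # new buckets start full

    def bucket_key(self, pkt):
        if self.mask_bits is None:
            return "shared"
        addr = ipaddress.ip_address(pkt[self.key_field])
        return str(ipaddress.ip_network(f"{addr}/{self.mask_bits}", strict=False))

    def refill(self, dt_s):
        for key in list(self.tokens):
            self.tokens[key] = min(self.burst_bits,
                                   self.tokens[key] + self.bw_bps * dt_s)

    def admit(self, pkt):
        key = self.bucket_key(pkt)
        if self.tokens[key] >= PKT_BITS:
            self.tokens[key] -= PKT_BITS
            return True
        return False


def simulate_download(pipe, lan_hosts, duration_s=1.0):
    """Each LAN host has an unlimited backlog of inbound (download) data.

    Returns the achieved rate per host in bit/s.
    """
    delivered = defaultdict(int)
    order = deque(lan_hosts)
    for _ in range(int(duration_s / TICK_S)):
        pipe.refill(TICK_S)
        progress = True
        while progress:                       # keep admitting while any bucket allows
            progress = False
            for host in list(order):
                pkt = {"src": "203.0.113.10", "dst": host}   # Internet -> LAN
                if pipe.admit(pkt):
                    delivered[host] += PKT_BITS
                    order.remove(host)
                    order.append(host)        # round-robin: fair share of a shared bucket
                    progress = True
    return {h: delivered[h] / duration_s for h in lan_hosts}


LAN_HOSTS = ["192.0.2.100", "192.0.2.101"]   # constructed: two hosts in one /24


def download_rates(mask_bits):
    """2 Mbit/s download limiter (the lab's 2M-down) with the given mask."""
    pipe = LimiterPipe(2_000_000, mask_bits=mask_bits, key_field="dst")
    return simulate_download(pipe, LAN_HOSTS)


if __name__ == "__main__":
    for label, bits in (("mask none", None), ("/32 per host", 32), ("/24 per subnet", 24)):
        rates = download_rates(bits)
        print(f"{label:15s}", {h: f"{r/1e6:.2f} Mbit/s" for h, r in rates.items()},
              f"aggregate {sum(rates.values())/1e6:.2f} Mbit/s")
```

Running it shows the point of the lab's Mask = Destination addresses choice: with a /32 mask both hosts achieve about 2 Mbit/s each (aggregate 4 Mbit/s), while with no mask or a /24 mask they split a single 2 Mbit/s between them.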
Configuring Limiters
On fw1-HQ, browse to Firewall → Traffic Shaper → Limiters tab. Click New Limiter to add a new limiter.
Download Limiter
| Setting | Value |
|---|---|
| Name | 2M-down |
| Enable | (checked) |
| Bandwidth | 2 Mbit/s |
| Mask | Destination addresses |
| Description | 2 Mb down per-IP |
Leave the remainder at defaults and click Save.
Upload Limiter
| Setting | Value |
|---|---|
| Name | 512K-up |
| Enable | (checked) |
| Bandwidth | 512 Kbit/s |
| Mask | Source addresses |
| Description | 512 Kb up per-IP |
Leave the remainder at defaults, click Save, then Apply Changes.
Applying Limiters to Firewall Rules
Configuring the limiters alone does not make them active. A limiter only takes effect once it is assigned to a firewall rule, and only traffic matching that rule is limited.
- Browse to Firewall → Rules → LAN.
- Edit the "Default allow LAN to any" rule.
- Scroll down under Advanced, and click the Advanced button to the right of In/Out.
- For the In limiter, choose 512K-up.
- For the Out limiter, choose 2M-down.
- Click Save and Apply Changes.
Back at the LAN firewall rules screen, you'll see an icon to the left of the default LAN rule indicating that one or more advanced options are set on that rule. Hover your mouse cursor over the icon to see what is configured.
Testing Limiters
- Pull up Status → Traffic Graph → WAN on fw1-HQ.
- Run a speed test (e.g., speedtest.net).
- You should see speeds of approximately 2 Mbit/s down and 512 Kbit/s up. The WAN graph shows the aggregate; because the limiters are masked per address, a second LAN host testing at the same time gets its own 2 Mbit/s / 512 Kbit/s rather than a share of this one.
Traffic Shaper Basic Configuration (Wizard)
In this section we configure a basic traffic shaping setup prioritizing VoIP over all else at the branch location (fw1-branch).
Wizard Setup
- Browse to Firewall → Traffic Shaper → Wizards.
- Choose traffic_shaper_wizard_multi_all.xml.
- At the first screen, specify 1 for the number of WAN and LAN connections and click Next.
- Choose PRIQ for both download and upload schedulers.
- Specify connection bandwidth as 100 Mbit/s upload and download.
- Click Next.
- Check "Prioritize Voice over IP traffic". Fill in 128 Kbit/s for upload and download bandwidth (not actually used with PRIQ).
- Click Next three times past penalty box, peer-to-peer networking, and network games.
- At the "Raise or lower other applications" screen, enable it and choose VNC as higher priority.
- Click Finish.
Reviewing Firewall Rule Shaping Configuration
Browse to Firewall → Rules → Floating to see the traffic shaper rules added by the wizard. These are match rules which specify the appropriate queue for each type of traffic.
- The VoIP traffic classification ends up as a rule matching all UDP traffic from any source to any destination, with queue qVoIP. This matches every UDP flow, not only SIP/RTP: DNS, NTP, VPN and any other UDP traffic is also placed in qVoIP, and because PRIQ is strict priority, heavy UDP traffic in qVoIP will starve the lower queues.
- All traffic not matching a floating rule specifying a queue will go into the default queue.
Reviewing Shaper Queue Configuration
Browse to Firewall → Traffic Shaper. The By Interface and By Queue tabs both show configured queues (two different layouts of the same data).
- By Queue is typically used for manual configuration.
- By Interface is the standard review view.
- You can click "Remove Shaper" on the By Interface tab to remove and disable traffic shaping.
Testing and Checking Status
- Reset all states so existing connections are re-evaluated against the new match rules (a state keeps the queue it was assigned when it was created): Diagnostics → States → Reset States tab → click Reset.
- Browse to Status → Queues and monitor while generating traffic.
- Run a speed test — the speed test traffic will fall into the default queue.
Generating SIP Traffic
Use SIPp on the test systems to generate SIP call traffic. Start the server side (UAS) first, on remote-host (100.64.0.50):

```shell
training@remote-host:~$ sipp -sn uas
```

Then start the client side (UAC) on branch-client (172.18.1.100), pointing it at the UAS:

```shell
training@branch-client:~$ sipp -sn uac 100.64.0.50
```

With the built-in scenarios and the default call rate, SIPp initiates 10 SIP calls per second and keeps going until stopped (press q in the SIPp screen). View Status → Queues while it is running to see traffic in the VoIP queue.
Long-term Monitoring
When traffic shaping is enabled, RRD graphs include queue statistics and queue drops.
- Browse to Status → Monitoring and click the wrench icon.
- For Left Axis, choose Queues.
- The Queue Drops graph shows packets dropped from each queue.
Ideally, you want to see 0 drops across all high-priority queues, with drops limited to lower or default priority traffic.
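The behaviour described in the queue review and in this monitoring section (VoIP served first, drops confined to the default queue, and the consequence of the wizard's all-UDP match rule) can be seen in the following added example. It is a strict-priority scheduler model written for this page, not code from the lab manual or from pfSense/ALTQ; the packet sizes, rates, the 50-packet queue limit and the priority numbers are constructed (only their ordering matters for PRIQ).

```python
"""Strict-priority (PRIQ-style) model of the wizard's qVoIP and default queues.

Added example; not code from the lab manual or from pfSense/ALTQ.
Packet sizes, rates, the 50-packet queue limit and the priority numbers are
constructed for the model (only their ordering matters for PRIQ).
"""
from collections import defaultdict, deque
import random

TICK_S = 0.001   # 1 ms scheduler step


class Source:
    """Constant-bit-rate packet source classified into one queue."""

    def __init__(self, name, queue, rate_bps, pkt_bytes):
        self.name, self.queue = name, queue
        self.pkt_bits = pkt_bytes * 8
        self.bits_per_tick = rate_bps * TICK_S
        self.acc = 0.0

    def packets(self):
        """Whole packets due this tick; the fractional remainder carries over."""
        self.acc += self.bits_per_tick
        n = int(self.acc // self.pkt_bits)
        self.acc -= n * self.pkt_bits
        return [(self.name, self.pkt_bits)] * n


class PriqLink:
    """Fixed-rate link draining FIFO queues in strict priority order."""

    def __init__(self, link_bps, queues, qlimit=50):
        self.bits_per_tick = link_bps * TICK_S
        self.order = sorted(queues, key=lambda q: -queues[q])  # highest priority first
        self.fifo = {q: deque() for q in queues}
        self.qlimit = qlimit
        self.credit = 0.0
        self.delivered_bits = defaultdict(int)   # keyed by source name
        self.drops = defaultdict(int)            # keyed by source name

    def enqueue(self, queue, pkt):
        if len(self.fifo[queue]) >= self.qlimit:
            self.drops[pkt[0]] += 1              # tail drop once the queue is full
        else:
            self.fifo[queue].append(pkt)

    def service(self):
        # one tick of link capacity; a little unused credit may carry over
        self.credit = min(self.credit + self.bits_per_tick, 2 * self.bits_per_tick)
        for q in self.order:
            fifo = self.fifo[q]
            while fifo and fifo[0][1] <= self.credit:
                name, bits = fifo.popleft()
                self.credit -= bits
                self.delivered_bits[name] += bits
            if fifo:
                break   # PRIQ: a backlogged higher queue starves every lower queue


def run(sources, queues, link_bps=100_000_000, duration_s=1.0, seed=1):
    """Returns (delivered bit/s per source, dropped packets per source)."""
    link = PriqLink(link_bps, queues)
    rng = random.Random(seed)
    for _ in range(int(duration_s / TICK_S)):
        pending = [(s.queue, pkt) for s in sources for pkt in s.packets()]
        rng.shuffle(pending)                     # arrival order within a tick is arbitrary
        for queue, pkt in pending:
            link.enqueue(queue, pkt)
        link.service()
    rates = {n: b / duration_s for n, b in link.delivered_bits.items()}
    return rates, dict(link.drops)


QUEUES = {"qVoIP": 7, "qDefault": 1}   # assumed values; VoIP above default is what matters


def calls_and_bulk():
    """Real SIP/RTP in qVoIP, a saturating TCP backlog in the default queue."""
    sources = [Source("sip_rtp", "qVoIP", 2_000_000, 200),
               Source("bulk_tcp", "qDefault", 120_000_000, 1500)]
    return run(sources, QUEUES)


def calls_bulk_and_udp_flood():
    """Same, plus a UDP flood that the all-UDP match rule also puts in qVoIP."""
    sources = [Source("sip_rtp", "qVoIP", 2_000_000, 200),
               Source("udp_flood", "qVoIP", 150_000_000, 1500),
               Source("bulk_tcp", "qDefault", 120_000_000, 1500)]
    return run(sources, QUEUES)


if __name__ == "__main__":
    for label, scenario in (("calls + bulk", calls_and_bulk),
                            ("calls + bulk + UDP flood", calls_bulk_and_udp_flood)):
        rates, drops = scenario()
        print(label, {n: f"{r/1e6:.2f} Mbit/s" for n, r in rates.items()}, "drops:", drops)
```

In the first scenario the calls get their full 2 Mbit/s with zero drops and the bulk transfer takes the remaining ~98 Mbit/s, with all drops in the default queue, which is the healthy picture the Queue Drops graph should show. In the second, a UDP flood classified into qVoIP by the all-UDP rule starves the default queue completely and also drops a large share of the real call packets, because inside qVoIP the flood and the calls share one FIFO.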
Previous Module: Section 9 — Traffic Shaping (Slides)
Source Attribution
- Document: FUND001-LIVE-Lab9-TrafficShaping.pdf
- Course: pfSense Plus Fundamentals and Practical Applications
- Copyright: © 2021 Rubicon Communications, LLC (Netgate)
- Extracted and formatted for internal training wiki.