Traffic Shaping Guide - PFSenseDocs
Short Description
Traffic Shaping Guide...
Description
23/11/2014
Traffic Shaping Guide - PFSenseDocs
Search
Personal tools
Log in
Traffic Shaping Guide From PFSenseDocs
Contents 1 PFSense 1.2.x Traffic Shaping Guide 1.1 Limitations 1.2 Wizards 1.3 ACK Queue sizing 2 PFSense 2.0 Traffic Shaping Guide (Work In progress) 2.1 What is traffic Shaping? 2.2 Wizards 2.2.1 Single Lan multi Wan 2.2.2 Single Wan multi Lan 2.2.3 Multiple Lan/Wan 2.2.4 Dedicated Links 2.2.5 Creating new Wizard templates 2.3 Queuing Schedulers 2.3.1 Priority Queueing (PRIQ) 2.3.2 Class Based Queueing (CBQ) 2.3.3 Hierarchical Fair Service Curve (HFSC) 2.4 ACK Queue Size 2.5 Floating Rules 2.5.1 Tips 2.6 Troubleshooting Traffic Shaping 2.6.1 View Queues with pfTop 2.6.2 View State Table with Queue info 2.6.3 Queue Numbers 2.7 Limiter 2.7.1 Setup Limiters 2.7.1.1 Dynamic queue creation 2.7.2 Assign Traffic 2.7.3 Limiter status 2.7.4 Captive Portal Notes 2.7.5 Using Limiters for Bandwidth Guarantees 2.7.6 Limiters on Bridges 2.7.7 Troubleshooting 2.7.7.1 Display Pipes 2.7.8 Dummynet Documentation https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
1/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
2.8 Layer 7 2.8.1 PFSense implementation 2.8.2 Defining Protocol Patterns 2.8.3 Using Layer 7 with a bridging firewall 2.9 Example Scenarios 2.9.1 Example 1 2.10 Other Documentation
PFSense 1.2.x Traffic Shaping Guide Limitations The 1.2.x traffic shaper will not work for more than one WAN and one LAN interface. Please look at version 2.0.x for that functionality.
Wizards It is recommened that you use the Traffic Shaping Wizard to create a default set of rules from which to start. The rules the wizard creates can sometimes cope well with VOIP traffic, but need tweaking to accomodate other traffic. As an example, let's look at shaping P2P traffic. Assuming you used the wizard, there will be qP2Pup and qP2Pdown created already. When you launch a P2P app, you should see traffic in these queues. They are designed to carry the bulk P2P traffic, which normally slows your connection down. Other generic traffic, like web pages (HTTP), email, IM, VOIP etc will go into other queues. Initially, the wizard sets all queues to 1% bandwidth. This is not enough. In particular, the queue qwanacks certainly needs more bandwidth if you do a lot of downloading. First, a quick note about ACK packets.
ACK Queue sizing When you download, your computer needs to send (upload) ACK packets. These are basically saying "yep, I got that part of the download OK". If the computer you are downloading from detects that an ACK has not been received, it assumes that the data was not received and sends it again. The rate at which ACKs are sent back is also used to help determine the maximum speed that you can download data at, so it's important that ACKs get sent as soon as possible and don't get dropped in order to keep your downloads flowing fast. Also, repeatedly dropped ACKs can result in dropped connections, web page timeouts etc. When you download, qwanacks is where the ACK packets your computer sends out go. You need to make sure this queue has enough bandwidth to maintain your downloads. To work out how much bandwidth you need, there are two options. You could simply experiment, keeping an eye on the queue while downloading as fast as your connection will allow, or you could try and work it out. As a rough starting point, an NTL 10Mb/512Kb cable connection needs about 260270Kb/sec of ACK packets to download at full speed.
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
2/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
Taking the above example, we can see that ACKs can consume 60% of the available upload bandwidth. Thus, qwanacks should have at least 60% bandwidth available (I use 65% for the above). If you set qwanacks like this, you should not see any drops in that queue. However, you will see a lot in qP2Pup, but that's OK. P2P upload packets are just bulk traffic, not really important so it doesn't matter if they drop a bit. qP2Pup will now be using what is left of the available upload bandwidth, after qwanacks has used up to 65% of it. You will probably want to increase the bandwidth allowance for qwandef as well, since this is where HTTP requests and other general uploads go, which chances are you want to be higher priority than qP2Pup. Bandwidth percentages need not add up to 100%, but unless you have a very slow connection you don't need too much for qwandef since it is mainly small requests or the odd few kb of email.
PFSense 2.0 Traffic Shaping Guide (Work In progress) Access to the PFSense Traffic Shaping settings is through the Traffic Shaper option in the Firewall dropdown in the webgui.
What is traffic Shaping? Traffic shaping (also known as "packet shaping") is the control of computer network traffic in order to optimize or guarantee performance, lower latency, and/or increase usable bandwidth by delaying packets that meet certain criteria. More specifically, traffic shaping is any action on a set of packets (often called a stream or a flow) which imposes additional delay on those packets such that they conform to some predetermined constraint (a contract or traffic profile). From Traffic Shaping Wikipedia article (http://en.wikipedia.org/wiki/Traffic_shaping).
Wizards PFSense 2.0 includes multiple wizards that setup the traffic shaping for various usage scenarios. It is recommend to start out with one of the Wizards since having a known starting point makes support easier.
Single Lan multi Wan This will setup the traffic shaping for the case where you have one local network and multiple WAN networks. You would also use this in the case where you only have one WAN and one LAN. Just specify 1 for the number of WAN links when going through the wizard. https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
3/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
Single Wan multi Lan This will setup the traffic shaping for the case where you have multiple local networks and one WAN network.
Multiple Lan/Wan This will setup the traffic shaping for the case where you have both multiple local networks and multiple WAN networks.
Dedicated Links Dedicated links is for when you want to manage more than 1 link which get routed to a separate different LAN in the same box. So a single firewall manages several 'virtual' links through it. For example, say you were providing services to 4 different customers in one building, and they each had their own separate internet connections. You could run all 4 internet connections through one pfsense box to each of the customers LAN networks and provide separate traffic shaping configurations to each one.
Creating new Wizard templates Wizard configuration files are located under /usr/local/www/wizards.
Queuing Schedulers Priority Queueing (PRIQ) Priority queuing is the simplest form of traffic shaping you can select. You create a flat hierarchy of priority levels, all packets at the highest priority level are always processed first. Pros Easy to configure and understand. Cons Lower priority queues can be completely starved for bandwidth easily. After naming your queue and assigning a priority, you must associate some traffic with the queue in Firewall/Rules/Advanced Features/Ackqueue/Queue. After save, the queue name will appear in the rules list in the queue column. You can monitor real time traffic flows in your queues with Status/Queues. You can see queue traffic trends in Status/RRD graphs/Queues.
Class Based Queueing (CBQ) CBQ is the next step up from priority queuing. You create a tree hierarchy of classes; each with an assigned priority and bandwidth limit. Priority works much in the same way that it does in the PRIQ however, instead of processing all packets from the class, it will only process enough packets until the bandwidth limit is reached.
Hierarchical Fair Service Curve (HFSC) https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
4/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
ACK Queue Size The size of the ACK Queue often needs to be adjusted with asymmetrical links since by default the size is based on both up and down speed being equal.
Floating Rules Floating rules allow you to to set shaping rules for all interfaces at once. They are evaluated before the interface rules, and are non terminating. The last floating rule that matches a stream will be the one that applies.
Tips When modifying floating rules, remember to clear the firewall states before you start testing your changes. If you do not do this, you many not get the results you expect.
Troubleshooting Traffic Shaping View Queues with pfTop To view live stats on traffic shaping (altq) from the command line use the following command. pftop -s1 -v queue
View State Table with Queue info To view the current state table with which queue each flow is associated with use the following command. pfctl -s state -vv
This will show you the Ack queue(priqueue) and the queue for each flow. If no queue is listed then the flow is matched by the default. Remember that any changes to rules made while you are troubleshooting, won't be applied to current states, so you have to clear states to get a complete picture.
Queue Numbers The state table identifies queues by number. Numbers start at 1 and count up for each new queue defined. Look at your rules.debug to see what order queues are created.
Limiter The limiter feature allows you to setup Dummynet pipes. Dummynet was designed to be able to simulate any kind of network connection. You can simulate a dialup connection, a T1, a T1 run through a microwave oven, or a satellite connection to the Moon. A side effect of being able to simulate any type https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
5/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
of network connection is that you can use them to limit the amount of bandwidth a host or group of hosts have access to. Both the packet shaper and limiters can be used at the same time so you can shape your traffic as a whole, and also limit certain traffic to a certain amount of bandwidth. There are 2 basic steps to setting up a limiter to control bandwidth. 1. Setup the limiters you will be using. 2. Assign traffic to those limiters.
Setup Limiters Limiters are setup by creating them under Firewall > Traffic Shaper, on the Limiters tab. You can use just one pipe for both inbound and outbound traffic, but that would mean you are simulating a halfduplex connection (http://en.wikipedia.org/wiki/Half_duplex#Halfduplex). The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your upload and the outbound queue is your download. You should name the pipes so that you will easily remember which one is which, such as InLimitLan and OutLimitLan. Dynamic queue creation Dummynet pipes have a feature called dynamic queue creation which allows you to have a unique queue based on the uniqueness of a connections source protocol, ip, source port, destination ip or destination port. They can also be used in combination. pfSense currently only allows setting the source address or the destination address as the mask, meaning that you can give each host behind your firewall its own set of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would give your In pipe a Source Address mask, so that each host sending packets gets it's own dynamic pipe for uploading. You would give your Out pipe a destination address mask, so that each host receiving packets gets it's own dynamic pipe for downloading.
Assign Traffic Once you setup a limiter pipe, the next step is to assign traffic to it by setting the "in/out" option in a firewall rule. Remember that in and out are from the perspective of that interface on the firewall. If you're choosing limiters on the LAN interface, "out" is download speed (traffic from the LAN NIC into the LAN) and "in" is upload speed (traffic from the LAN into the LAN NIC). Simply creating the limiters does not do anything, you must assign them on a firewall rule for them to be used.
Limiter status The bandwidth usage and other limiter information is available under Diagnostics>Limiter Info.
Captive Portal Notes
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
6/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
Captive portal can automatically setup its own pipes for each logged in user, no need to set this up manually. Take a look at the captive portal setup page to set this up.
Using Limiters for Bandwidth Guarantees If you want to use limiters to guarantee a certain amount of bandwidth instead of limit, you can do so by making four limiters. 1. Bandwidth to guarantee upload 2. Bandwidth to guarantee download 3. Total bandwidth upload (less guaranteed above) 4. Total bandwidth download (less guaranteed above) Ensure that you do not set the Mask to anything other than "none". It must be "none" for these to work properly. So if you have 8Mb down and 2Mb up, and you want to guarantee 512Kb/s for service X, you'd have queues sized like so: 1. 512 Kb/s 2. 512 Kb/s 3. 1536 Kb/s 4. 7680 Kb/s Then direct the guaranteed service traffic into the first two limiters, and everything else into the "total" limiters.
Limiters on Bridges When using limiters on bridges, you need to assign the bridge interface and put the IP address for the bridge there, and place the limiters on the member interfaces.
Troubleshooting Display Pipes Visit Diagnostics > Limiter Info in the GUI, and it will show you the output of: ipfw pipe show
Which lists all of the pipes currently configured on your system, and related information about their status.
Dummynet Documentation Dummy Net documentation: http://www.dummynet.com/
Layer 7
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
7/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
Layer 7 filtering or shaping is identifying traffic at layer 7 (Application Layer) of the OSI model (http://en.wikipedia.org/wiki/OSI_model). Instead of shaping/filtering based on the port and source/destination, you are identifying a stream based on its contents. This is also sometimes called deep packet inspection (http://en.wikipedia.org/wiki/Deep_packet_inspection) since it works by looking into the contents of the packets not just the headers. You might want to use layer 7 if you need to deal with packets that use dynamic source and destination ports, or if filtering/shaping based on ports is not fine grained enough.
PFSense implementation PFSense is using the ipfwclassifyd application to provide Layer 7 filtering capabilities. * Initial Post announcing project. http://lists.freebsd.org/pipermail/freebsd-net/2008-July/019086.html * Research Paper by Andre Ribeiro, and Helder Pereira. http://www.di.uminho.pt/~prh/uce15-0809/g13.pdf
The protocol patterns are from the L7filter project.
Defining Protocol Patterns For now take a look at the L7filter Pattern Writing Howto. http://l7filter.sourceforge.net/Pattern HOWTO Patterns are stored under /usr/local/share/protocols.
Using Layer 7 with a bridging firewall If you want to use layer 7 with a bridging firewall you will need to make the following change to a sysctl under system > advanced. net.link.bridge.pfil_member = 0 net.link.bridge.pfil_bridge = 1
After that change you can use the floating rules to assign traffic in a bridging environment. If you don't make that change you would need to duplicate the assignment rules on each bridge member interface. (I think this is correct, but not sure).
Example Scenarios Example 1
Other Documentation Links to other useful documentation. PF packet flow diagram. (http://homepage.mac.com/quension/pf/flow.png) Notice how Altq is https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
8/9
23/11/2014
Traffic Shaping Guide - PFSenseDocs
the last item to get processed. Shaper 2.0 bounty thread. (http://forum.pfsense.org/index.php/topic,2718.0.html) ACK queue sizing thread. (http://forum.pfsense.org/index.php/topic,2484.0.html) QoS/Traffic Shaping information and tips. (http://forum.pfsense.org/index.php/topic,11986.0.html) Tips and Tricks thread. (http://forum.pfsense.org/index.php/topic,1384.0.html) P2P queue sizing discussion. (http://forum.pfsense.org/index.php/topic,9129.0.html) P2P queue sizing post. (http://forum.pfsense.org/index.php/topic,9427.0.html) Monitoring PF article. (http://prefetch.net/articles/monitoringpf.html) PF: Packet Queueing and Prioritization (OpenBSD not FreeBSD) (http://www.openbsd.org/faq/pf/queueing.html) HFSC howto on Calomel.org. (https://calomel.org/pf_hfsc.html) Paper on HFSC design. (http://www.cs.cmu.edu/~hzhang/HFSC/main.html) Linux HFSC description, good conceptual examples. (http://linuxip.net/articles/hfsc.en/) This article is part of the HOWTO series.
Retrieved from "https://doc.pfsense.org/index.php?title=Traffic_Shaping_Guide&oldid=6180" Categories: Howto MovedFromDevWiki Traffic Shaping Privacy policy About PFSenseDocs Disclaimers This page was last modified on 19 November 2014, at 12:38. This page has been accessed 357,453 times.
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
9/9
View more...
Comments