• How to Traffic Shape by Protocol?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Add new interface

    Locked
    2
    0 Votes
    2 Posts
    1k Views

    Well, since I have no patience I did not wait for an answer to that, and cleared everything then reran the wizard.

    The OPT1 interface is not a "real" interface, and will not be allowed it seems. I could only choose 1 WAN interface in the wizard.

    So, my next question would be: How do I shape any traffic <-> OPT1 interface (my IPV6 traffic)?

    C

  • Implementing Torrent Blocking with Layer7

    Locked
    4
    0 Votes
    4 Posts
    14k Views

    In other threads there were discussions about only allowing ports which are in general only used for legal traffic (http,https,pop3,…) and the same for traffic shaper.
    Giving high priority to "legal" traffic and only low priority for "unknown" traffic.

    This will not block torrent at all but perhaps slow it down.

    For blocking other downloads I am using squid and squidguard and blocking torrent in URL and the well-known file hosters such as rapidshare, uploaded.to and so on.

    There are some (free) blacklists for squidguard but they are often blocking more than I want to.
    You can give it a try of course!

    http://www.shallalist.de/
    http://urlblacklist.com/

  • Traffic Shape SIP/RTP using siproxd?

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Generally, it would be instructive to know if/how one can shape traffic that originates on pfSense and is just not passing through from interface to interface.

  • Debugging rules: How to determine what traffic is getting past?

    Locked
    10
    0 Votes
    10 Posts
    4k Views

    No help from me either I'm afraid, but the idea is awesome imo..

    Debugging queues and general traffic management with such a tool would indeed make things a LOT easier :)

    C

  • Another traffic shaping question

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dynamic WAN bandwidth by IP-pool country

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Traffic Shaping wizard errors on reboot?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • QoS step by step guide please..

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Shaping FTP

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    Good point. Thanks.

  • Can I do RDP compression over IP/VPN tunnel by PfSense?

    Locked
    7
    0 Votes
    7 Posts
    5k Views

    Open source WAN acceleration doesn't exist in a stable, production-grade format, at least nothing comparable to what commercial (and pricey) WAN accelerators do. Though RDP isn't one of the benefits of having WAN acceleration, their primary benefit is with protocols like SMB that are by their design terrible over higher latency, and the magic WAN accelerators put in the middle works around the poor protocol design. Traffic Squeezer can do compression on compressible traffic, but RDP is not compressible. Compressing non-compressible traffic, like anything encrypted, actually makes it bigger. The best any WAN accelerator could do with RDP is muck with TCP window settings and related things that combat the usual issues with long fat pipes where it's hard to reach the capacity of the line without doing so. Nothing they do would help with RDP on slow connections. Changing RDP settings as people have suggested here is your best and really only option regardless of what devices you have on the network.

  • Rate limit

    Locked
    3
    0 Votes
    3 Posts
    4k Views

    I built a test FW on 2.0 and applied the limiters to the lan interface and speed tests are showing the limited traffic speeds. Pretty easy once you put the right things in the right places!

    Here is a good link talking about it
    http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter

    Thanks for the pointer. Time to go update my FWs.

  • Status of FAIRQ scheduler

    Locked
    4
    0 Votes
    4 Posts
    5k Views

    I asked because FAIRQ isn't listed in any of the 2.0 traffic shaping wizards, nor is it mentioned in the wiki pages. In both cases only HFSC/CBQ/PRIQ are listed. But you're right, FAIRQ is available in the traffic shaping settings.

  • Limit torrent traffic (2.0 Final)

    Locked
    4
    0 Votes
    4 Posts
    9k Views

    Currently, a viable way to limit P2P traffic (which is mostly encrypted) would be to try to prioritize as many "known" services as practical (e.g. dns, http, smtp, pop, imap etc) and then just put all the rest (which would include P2P) in "bulk traffic" category with low bandwidth.

    L7 might be used to identify & classify certain protocols that also encrypt their traffic, e.g. Skype (I posted about it in this sub-forum a few weeks ago).

    Another way that I've considered would be to use pf's max-src-conn-* options to limit the total number of open connections for each IP, but pfsense currently puts the "offending" IPs into the <virusprot> table and thus blocks them altogether…

    To clarify, I'd like to define an alias known_ports = "{ 22, 25, 53, 80, 443, etc }" and then add a fw rule

    from LANnet
    to any
    port !known_ports
    max-src-conn-rate 4/60

    Since P2P connections tend to be numerous, short and bursty, with the only common parameter being the src-IP (the client running the P2P software), I would think it would throttle them down a bit.

  • Traffic Shaping Limiter and high Ping times.

    Locked
    4
    0 Votes
    4 Posts
    4k Views

    Tomax,

    could you share your shaper configuration? In other posts (http://forum.pfsense.org/index.php/topic,42003.0.html) I've said that the same issue is happening to me, and one member of the group told me it is due to ping being caught by the default queue.

    Hope this helps.

    Thanks in advance

  • Traffic Shaper per user with guaranteed bandwidth

    Locked
    4
    0 Votes
    4 Posts
    3k Views

    I would actually be interested in setting up something like this as well, but the scenario I have is with wired connections (1 WAN and 1 LAN as well).

    I just want to ensure that nobody "strangles" the connection for everybody (eg.: downloading torrents and eating up the connection for everybody), but I don't want to limit users when it is not necessary.

    The torrents were just an example, I want to ensure proper behavior with all types of traffic.

    Best regards!

  • Traffic Shaping Queries

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    It doesn't work from WAN to LAN because the unit is in NAT mode.  You can't expect to ping from WAN to LAN without a port forward done for that purpose (and even then, to ping to that port on the WAN side).

    If you ping from LAN to WAN and there is a response, it means that communication works both ways (obviously, the packets need to return through WAN to LAN in order for the ping to be successful).

  • Trafficshaping out

    Locked
    6
    0 Votes
    6 Posts
    2k Views

    @mamruoc:

    First of all,

    thank you for answering me.

    Yes, I'm on pfSense 2.0

    What you just told me is probably 100% correct and makes sense for other people, but not for me.
    I did not understand too much, nor have I found any good documentation, so I'm kinda lost… This was one of the reasons I went away from pfSense before, but now I really want to make it work.

    Could you please be so kind to give me a bit more detailed explanation?

    Thanks!

    CBQ basically commits (guarantees) a certain bandwidth per queue and there is a priority setting.  When 2 or more queues have exceeded the committed bandwidth, priority is used to determine how much of the remaining bandwidth is allocated (borrowed) to each queue.

    I have no idea how you want to shape your traffic but the most basic is just bandwidth for both VLAN subnets as a whole.

    Let's assume VLAN1 has subnet 10.0.1.0/24 and VLAN2 has subnet 10.0.2.0/24.

    Also assume that you create 2 queues for your shaper ->  qVLAN1 & qVLAN2 (set this as default to keep the shaper happy).
    Depending on your needs, set the committed bandwidth accordingly.  You might want to set say 400Kbps and 100Kbps respectively.  This leaves 4.5Mbps of bandwidth for borrowing.
    Change the Priority of qVLAN1 to 4 and qVLAN2 to 1.  This approximates a 4:1 borrow ratio if I recall correctly.
    Note that this needs to be done for both upload and download queue sets.

    Any traffic heading out to WAN for these 2 subnets will have to go through the allow any any rule you'd need by default.
    Under firewall rules, look in VLAN1 tab and find that rule.  Edit it and set it so that the traffic shaping queue is set to qVLAN1.  Ignore the Ack queue for now since that is beyond the current scope and you can change the rules and edit the queues later when you get the gist of the shaper.

    Go to VLAN2 tab and do the same except that you set it to qVLAN2 for the shaper.

    This settles your outbound traffic.

    Now go to Floating rules.
    Make a new rule on quick match.  Set the 'In' interface to WAN and any for protocol.
    Set the Source to any and the destination to 10.0.1.0/24 subnet (VLAN1 subnet).
    Set the queue to qVLAN1.
    Repeat for VLAN2 by changing the destination subnet and queue respectively.

    This settles the inbound traffic to each VLAN.

  • Limiters

    Locked
    14
    0 Votes
    14 Posts
    7k Views

    ok
    I will test both on LAN, many forum users say that this works, but I still believe that it'd be better: upload on LAN and Download on WAN..

    thanks

    after my test I will post again the results I get

  • Dual-limiter (per-user & overall limits)?

    Locked
    5
    0 Votes
    5 Posts
    2k Views

    @Jason:

    I don't see where I can apply a limiter to an entire interface, just the firewall rules.

    Under floating rules, you can use the In on the specific interface to match traffic.

    e.g.  In on LAN would imply traffic going from LAN to WAN (or another subnet) -> outbound traffic

    Naturally, this applies to any other shaper rules you may have for specific protocols/ source/ destination masks.  In this case, you can still apply the In (if there are no other limiters applicable) or Out (if there is a per user limit already applied).
