How can I give port 563 low priority?

  • Hi, I've been playing around with traffic shaping in pfSense 1.2.3, the 2.0 betas and now 2.0-RELEASE, but I just can't seem to figure out how to use it effectively, so I'm hoping someone here can spell it out for me, step by step. Which menus, which buttons.

    What I want is to give traffic to TCP port 563 low priority. Any other traffic should always get priority over 563/TCP. 563 is NNTP over SSL, i.e. downloading large files from a news server. I want that traffic not to interrupt web browsing (YouTube or other media sites being throttled), video chat, etc.

    I know a bit about pfSense, I've been using it for a couple of years at home and for business, but I never got traffic shaping figured out. Thanks!

    I've got one WAN and one LAN interface. Using version 2.0-RELEASE.

  • First you need to use the wizard to set up the traffic shaper. Choose "Single WAN/Multi-LAN". For the scheduler, I chose PRIQ for both WAN and LAN, then answered the other questions in the wizard.

    After that, be sure to check in the traffic shaper section that your WAN and LAN interfaces have the correct bandwidth assigned. In my case the LAN interface was never set to the value I specified in the wizard (might be resolved in 2.0-RELEASE). If you need more queues than the ones created by the wizard, you can add some manually. With the PRIQ scheduler, the queue with the lowest number has the lowest priority. For example, I have the following queues:

    • Home (my LAN interface)
      -- qLink with priority 3 as default queue
      -- qAck with priority 6
      -- qP2P with priority 1 (the lowest queue in my case)
      -- qOtherHigh with priority 4
      -- qOtherLow with priority 2
    • WAN
      -- qDefault with priority 3 as default queue
      -- The other queues are the same as on my LAN interface

    Next, you need to create a firewall rule with the destination TCP port of 563.
    Go to Firewall/Rules, select the Floating tab and create a new rule.

    • Action: Pass
    • Direction: Any
    • Protocol: TCP
    • Source: Any
    • Destination: Any
    • Destination Port Range: 563
    • Advanced features
      -- Ackqueue/Queue: Choose the lowest queue in your configuration. I don't think an ackqueue is necessary in this case.

    Save the rule, reload the firewall rules and then go to Diagnostics/States and click on "Reset States". You can monitor your traffic by going to Status/Queues in order to be sure that everything goes into the right queue.

    Hope this will help.

  • Thanks for your help, Setsuna666. I did what you said and it works, but apparently my CPU isn't up to the task. The result is that my internet connection is 1/7 slower overall :D But that's not your fault.

    So it works but I need to find better hardware. Thanks!

    By the way, how about the Scheduler options? They are:

    • Default queue
    • Random Early Detection
    • Random Early Detection In and Out
    • Explicit Congestion Notification

    The last one is checked in the default queues. Do they have anything to do with how fast the rules are applied? Or is this really just milliseconds?
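To make the answer above and the scheduler-option question concrete, here is the pf.conf that the pfSense 2.0 wizard plus the described floating rule boil down to, written out by hand. This is an added example, not text from the thread and not a file generated by pfSense itself; the interface names (em0 for WAN, em1 for LAN) and the link speeds (1Mb up, 10Mb down) are assumptions and must be replaced with your own. The four GUI checkboxes map onto pf's PRIQ scheduler options: "Default queue" is priq(default), "Random Early Detection" is priq(red), "Random Early Detection In and Out" is priq(rio) and "Explicit Congestion Notification" is priq(ecn).

```pf
# Added example (not from the thread, not pfSense's own generated ruleset).
# ASSUMED: WAN = em0 with 1Mb upstream, LAN = em1 with 10Mb downstream.
# PRIQ is strict priority: a higher number always goes out before a lower one,
# and it only behaves if the bandwidth figures match the real link speed.

# WAN side: shapes what leaves toward the internet (uploads, outgoing requests).
altq on em0 priq bandwidth 1Mb queue { qDefault, qAck, qP2P, qOtherHigh, qOtherLow }
queue qDefault   priority 3 priq(default ecn)  # "Default queue" + "Explicit Congestion Notification"
queue qAck       priority 6 priq(ecn)          # empty TCP ACKs, keeps downloads flowing under upload load
queue qP2P       priority 1 priq(ecn)          # lowest priority: NNTP-over-SSL lands here
queue qOtherHigh priority 4 priq(ecn)
queue qOtherLow  priority 2 priq(ecn)

# LAN side: shapes what leaves toward the LAN (downloads), same layout, different default name.
altq on em1 priq bandwidth 10Mb queue { qLink, qAck, qP2P, qOtherHigh, qOtherLow }
queue qLink      priority 3 priq(default ecn)
queue qAck       priority 6 priq(ecn)
queue qP2P       priority 1 priq(ecn)
queue qOtherHigh priority 4 priq(ecn)
queue qOtherLow  priority 2 priq(ecn)

# The floating rule from the answer: Pass, direction any, TCP, any -> any port 563,
# Queue = qP2P, no separate ackqueue (so the ACKs of these sessions share qP2P).
# Deliberately NOT "quick": it only has to tag the session with a queue, the normal
# interface rules still decide whether the connection is allowed at all.
pass proto tcp from any to any port 563 queue qP2P
```

Two practical notes. First, pf chooses the queue when the state is created, so existing news-server sessions keep their old queue until you hit "Reset States" (pfctl -F states on the command line); that is why the answer ends with that step. Second, do not tick "Quick" on this floating rule: a quick pass in both directions for port 563 would stop later WAN rules from blocking it, i.e. it would open port 563 inbound on the WAN side, which is not what a shaping rule is for. The red/rio/ecn options change how the queue drops or marks packets once it is full; they do not change how quickly a rule takes effect.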

  • From what I read about Explicit Congestion Notification, I believe this should be checked in all the queues.

  • Sounds good, but that's not really what I meant.

    My question is: in my scenario (NNTP traffic lowest priority, all other traffic normal, PIII processor already straining to keep up with the traffic shaping (35% when there's a lot of NNTP traffic)), which ones should I check? I guess there's a trade-off somewhere between processor power and extra methods checked.

    Can anyone shine a light on this? I can read about the theory but I would like to hear some practical experience.

    (Again thank you Setsun for your help!)
