This document provides an overview of traffic shaping basics using PRIQ (Priority Queuing) on pfSense. It discusses what traffic shaping is, how it works by placing traffic into queues and controlling transmission order. It then covers the types of traffic shaping available in pfSense, including PRIQ which prioritizes traffic based on priority numbers alone. The document walks through using the pfSense traffic shaping wizard to easily set up queues and rules for common traffic types like VoIP, games, and P2P. It also discusses testing and troubleshooting techniques for traffic shaping.
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
2. Traffic Shaping Basics with PRIQ
● Project News
● What is Traffic Shaping?
● How does Traffic Shaping work?
● Types of Traffic Shaping
● Limitations
● Why use PRIQ?
● Traffic Shaping Wizard
● PRIQ Queue Structure
● Matching &amp; Queuing with Floating Rules
● Testing and Troubleshooting
● Q&A
3. Project News
● 2.2.7? Possible, depending on OpenSSL announcement
● 2.3 is nearing RC
– Release timing will roughly parallel FreeBSD 10.3-RELEASE
– No more new features, focus now completely on bug fixes (Less than 25 open new bugs now!)
– Snapshots at https://snapshots.pfsense.org/
● New hardware!
– XG-2758 replaces C2758
● 8 core, 16GB RAM
● 2x 10G SFP and 4x 1G ports (1 shared 1G RJ45/SFP)
● European pfSense Training Tour!
– April 7-8 in Bournemouth (UK, Amica Partner)
– April 12-13 in London (UK, Amica Partner)
– May 17-18 in Frankfurt (DE, Voletech Partner)
– http://netgate.com/training/ – All are 9am-6pm local time
– Online training March 22-23, sign up now!
● Keep an eye on the blog
4. What is Traffic Shaping?
● A means to assure Quality of Service (QoS) by queuing traffic and using criteria to control when it is delivered
● Different from traffic policing, which drops all frames above a committed rate
● Passes important traffic (e.g. ACKs, VoIP) first at the expense of lesser traffic (e.g. SMTP)
● Ensures that traffic is passed efficiently
– Queuing and delaying packets is less harsh to TCP than dropping, but packets can be dropped from queues when full
● Can prevent traffic from over-filling circuits (peak smoothing)
● Shares bandwidth more effectively across many clients
● Discourages unwanted services by degrading their traffic flow
5. How does Traffic Shaping work?
● A queue structure is defined to specify how types of traffic will be shaped
– Exact structure varies by shaper type
– For example, queues might define a priority (PRIQ) or a bandwidth allocation (HFSC)
● Traffic is identified by firewall rules and placed into appropriate queues
– Typically Floating rules are used with the Match action
● Traffic is queued OUTBOUND on interfaces
– That is the only place the firewall can limit the rate of packets
● Rough idea of how processing works (PRIQ):
– Packets match rules and are placed into separate queues
– Packets are held momentarily before transmission in each queue
– Packets in higher priority queues are always processed before lower priority queues
6. Types of Traffic Shaping
● ALTQ
– PRIQ – Priority Queuing (only one covered today)
● Very simple/easy to work with
● Only concerned with priority, priorities of 0-15, highest number queues are processed first
● Flat list of queues, no nesting/children/trees/etc
– HFSC – Hierarchical Fair Service Curve
● Powerful but complex/confusing
● Primarily concerned with bandwidth (throughput), not priority
● Tree of queues for each interface
– CBQ – Class Based Queuing
● Similar to HFSC but not as accurate, has both bandwidth and priority options
● Partitions and shares link bandwidth among queues, child can borrow from parent, etc
– Others: FAIRQ, CODELQ, supported but not covered today
● Limiters
– “Buckets” with defined upper limits of traffic can be shared/common for all or be masked to have per-address or per-subnet limits
– Currently has known issues with pfsync (HA) and some NAT scenarios
7. Limitations
● ALTQ is inefficient and has a notable performance penalty
– ~10%, but the exact throughput loss depends on system, traffic, etc
– If the system is fast or not running near wire speed, the loss may not be noticeable
● ALTQ does not work with all NICs, only supported NICs
– VLANs are OK, LAGG+VLANs OK, but not LAGG on its own
– Support varies by NIC driver, see the list in the altq(4) FreeBSD man page
● Shaping will add some (usually minor) latency
● Tricky to shape traffic inside VPNs
8. Why use PRIQ?
● Easiest ALTQ shaper type
● Flexible enough for most use cases
– Great for putting VoIP or games above other traffic
● No concern for bandwidth means it is less likely to have issues with WANs of varying speeds or with NICs that fail to properly report bandwidth (e.g. Realtek)
● Priority only, so no bandwidth limits/caps or reservations to calculate or design
9. Traffic Shaping Wizard - Start
● The wizard is the easiest way to get the shaper set up
● Even if you don't want to use the wizard rules, let it create the queues for you.
● Firewall > Traffic Shaper, Wizards tab
● Pick “Multiple LAN/WAN” / multi-all for most uses
● “Dedicated Links” is for cases where single WANs and LANs are linked with no cross-usage (e.g. LAN1→WAN1, LAN2→WAN2)
● Enter # of WANs and LANs
– WAN = interface with gateway on INTERFACE settings
– LAN = no gateway
10. Traffic Shaping Wizard - Config
● Pick appropriate interfaces for each LAN/WAN
● Select PRIQ as the scheduler for each interface
● For WAN, enter values for Upload and Download bandwidth
– They are not used by PRIQ, but the wizard requires they be set
11. Traffic Shaping Wizard - VoIP
● Check Enable if VoIP shaping is desired
● Choose provider type to help craft better VoIP matching rules
– “Generic” will match all UDP
● Enter the Upstream SIP server
– Difficult to match on local IP addresses, matching the remote server address is much more accurate
● Leave bandwidths blank
12. Traffic Shaping Wizard – Penalty Box
● Not used with PRIQ
● Sets up a queue for known bad hosts to limit their usage
13. Traffic Shaping Wizard - P2P
● Attempts to match P2P traffic
– Not all that accurate since it can only match by ports, which clients can randomize.
● Catchall changes the default queue to be the P2P queue
– The “catchall” option sounds tempting until you realize you have to identify all good traffic and classify it into other queues
– OK to use, but a management headache! Be prepared to work for it
– Used for lowering priority of “everything else” which could be P2P on random ports or good but unclassified traffic
● Check boxes for the protocols to match
14. Traffic Shaping Wizard - Games
● Presets for many popular games, consoles, and platforms
● Check the boxes for games to match
● If the game you want is not listed, check any other game so the queues are created and then manually adjust rules later
15. Traffic Shaping Wizard – Raise/Lower
● Classifies other common traffic to raise or lower its priority
● Choices are entirely subjective – set however the needs of the network require
● Frequently things like screen-sharing protocols are raised, bulk traffic like chat and SMTP are lowered
● Best to set at least one high and one low so the queues will be created for later use
16. Traffic Shaping Wizard – Finish Up
● Click Finish on the last screen and the wizard will finish creating all the queues and rules
● The filter will reload and its status is displayed
– If there is an error with the queues, it may be due to a lack of support in the NIC or an improper bandwidth value
● The wizard retains the values entered, so if you need to change something, re-run the wizard and adjust as needed
17. PRIQ Queue Structure
● Firewall > Traffic Shaper, By Interface tab
● Each interface has a similar set of queues
– LANs have a qLink to ensure LAN-to-LAN traffic is not shaped
● Priorities:
– qVoIP: 7 – Highest Priority, delivered first
– qACK: 6
– qGames: 5
– qOthersHigh: 4
– qDefault (WANs): 3 – Unclassified traffic lands here
– qOthersLow: 3 on LANs, 2 on WANs
– qLink (LANs): 2
– qP2P: 1 – Lowest Priority, delivered last
● When crafting custom rules or other queues, keep these in mind
18. Matching/Queuing w/Floating Rules
● Firewall > Rules, Floating tab
● Rules from the wizard are here and good for examples/duplication if custom rules are needed
● Rules use the Match action which does not pass or block, only applies queuing
● Packets can be matched in any way possible in pf
● Choose the queue and ACK queue in Advanced Options
– Queue is for normal traffic with a payload
– ACK queue is for TCP ACKs with no payload or TOS lowdelay to ensure ACKs are not lost so data is delivered quickly/efficiently
● “Quick” keyword is not usable with match
– Rules are LAST MATCH WINS, so take care when crafting rules
● Beware of using local sources on outbound WAN rules – NAT hides source
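The queue structure from slide 17 and the floating Match rules from slide 18 translate into plain pf.conf, and seeing them that way makes the priority numbers, the (queue, ACK queue) pair, and last-match-wins ordering concrete. The fragment below is an added example written for this page, not the slides' content and not pfSense's own generated ruleset; the interface name em0, the SIP server address 203.0.113.10, the 100Mb bandwidth figure, and the port choices are all assumptions.

```pf
# Added example: pf.conf equivalent of the wizard's PRIQ layout on one WAN.
# Assumptions: WAN interface em0, upstream SIP server 203.0.113.10, and a
# 100Mb figure that PRIQ ignores but altq still requires (just as the wizard does).
altq on em0 priq bandwidth 100Mb queue { qVoIP, qACK, qGames, qOthersHigh, qDefault, qOthersLow, qP2P }

# Flat list of queues: PRIQ only cares about priority (0-15, higher served first).
# qlimit is the per-queue packet limit; packets beyond it are dropped.
queue qVoIP       priority 7 qlimit 50
queue qACK        priority 6 qlimit 50
queue qGames      priority 5 qlimit 50
queue qOthersHigh priority 4 qlimit 50
queue qDefault    priority 3 qlimit 50 priq(default)   # unclassified traffic lands here
queue qOthersLow  priority 2 qlimit 50
queue qP2P        priority 1 qlimit 50

# 'match' neither passes nor blocks; it only attaches a queue to the state.
# Queuing is applied to traffic leaving em0 (outbound is the only place the
# firewall can control transmission order).
# In (qX, qACK) the second queue takes empty TCP ACKs and TOS lowdelay packets.
match out on em0 inet proto tcp from any to any queue (qDefault, qACK)
match out on em0 inet proto udp from any to any queue qDefault

# SIP signalling and RTP towards the upstream provider (address assumed).
# Matching on the remote server is far more reliable than on local addresses.
match out on em0 inet proto udp from any to 203.0.113.10 queue qVoIP

# Bulk mail goes to the low queue. 'quick' is not allowed on match rules and
# the LAST matching rule wins, so these specific rules must follow the
# catch-all above or the catch-all would silently override them.
match out on em0 inet proto tcp from any to any port 25 queue (qOthersLow, qACK)

# Port-based P2P guess (approximate only; clients randomise ports).
match out on em0 inet proto tcp from any to any port 6881:6889 queue qP2P

# Deliberately NOT written: 'from 192.168.1.0/24' on an outbound WAN rule.
# Outbound NAT rewrites the source before this rule is evaluated, so such a
# rule would never match.
```

To compare against what pfSense actually produces for a given wizard run, read the generated ruleset it writes to /tmp/rules.debug; the queue definitions and the floating-rule `match` lines appear there in this same syntax.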
19. Testing and Troubleshooting
● Status > Queues to view how packets are being processed in queues
● Start some traffic, test traffic or otherwise
– Sipp is handy for testing SIP matching: http://sipp.sourceforge.net/index.html
● If traffic is flowing but not showing in a queue:
– 1. Traffic is not matching the expected rule
● Check that rules obey proper order (last match wins)
● Consider the way the rules are processed, and NAT involved, etc.
– 2. States were not reset after shaper setup
● Drops are OK; they are part of how shaping works
– Sometimes lower priority packets must be dropped so that higher priority packets can pass
– Increase queue length to lower/stop drops if they cause problems