

pfSense to the rescue

m0n0wall's Traffic Shaping features have long been the go-to tool for bandwidth control for folks who don't mind throwing together custom routers using embedded x86-based computers. But, to tell the truth, I found the concepts of Rules, Queues and Pipes too complicated and continued to look for off-the-shelf products with easier-to-use controls. I also didn't want the time and expense of putting together my own single-board embedded system.

However, Michael Graves' recent article and his online video walkthrough pushed me toward revisiting m0n0wall. Only this time, with a nudge from Forum regular YeOldeStonecat, I decided to try pfSense. pfSense is a m0n0wall fork focused on running on standard PCs instead of embedded single-board computers.

I downloaded the 1.2 version and gave it a quick try on my trusty but aging Dell Inspiron 4100 notebook (1 GHz Celeron, 512 MB) by booting and running it directly from the CD. Although things were a bit slow, some simple experiments told me that it could control download bandwidth nicely. So I imaged the notebook's drive with Ghost, rebooted into pfSense and had it install onto the Dell's hard drive.

Of course, since I was using my notebook as a router, I first had to add a second Ethernet interface. pfSense detected the 4100's 3Com-compatible 3c905C internal adapter just fine. But it didn't detect the Linksys PCM200 10/100 CardBus Ethernet card that I pulled out of my back room. A check of the pfSense Hardware Compatibility list (which points to the FreeBSD 6.2 Hardware Compatibility List) eventually led me to buy a D-Link DFE-690TXD (only $20), which worked just fine.

Once pfSense was installed on the drive, I ran a quick throughput check using Jperf and found 90+ Mbps both LAN > WAN and WAN > LAN; basically 100 Mbps wire-speed.

I'm not going to do a full review of pfSense here, but it has an impressive set of features. You can easily see why m0n0wall has such a large fan base, even if you can't flash it on a $50 router like you can with DD-WRT, Tomato, etc.

Figure 4: pfSense System Overview

pfSense even has different skins (System: General Setup) but I just used the default "nervecenter" shown in Figure 4. If you're more accustomed to m0n0wall's left hand menu bar, you can just switch to the "pfsense" skin.

The Traffic Shaper is under the Firewall menu and takes you right into the Traffic Shaper Wizard the first time you open it. The Wizard walks you through a series of screens that automatically configure the Queues and Rules for common applications, organized by category. It's a painless way to get a working set of bandwidth controls in place that you can then tweak, or copy to create new ones.

The first screen has you enter your actual Internet connection upload and download speeds. It's better to err on the low side here, using the results from a few bandwidth test runs (80% of the measured values is frequently suggested). For my "3 Mbps / 640 Kbps" ADSL connection, I entered 2500 and 350 (the values are in Kbps), which is what I typically get from Embarq. Then you hit the VoIP screen, which has only two controls: Provider, and the bandwidth that you want to guarantee for VoIP.

The next screen is the Penalty Box, the first of interest for controlling bandwidth hogs. Figure 5 shows the simple controls—just IP address (you can enter more than one) and up and down bandwidth limits.

Figure 5: Traffic Shaping Wizard - Penalty Box

The Penalty Box is a fairly blunt instrument: it applies to all traffic to and from an IP address, whatever the port or protocol. But it might be just the ticket for users who persistently bypass port-based controls by changing the ports used by bandwidth-hogging applications.

Next is the Peer to Peer Wizard. The controls are again simple: up and down bandwidth limits and a list of P2P applications. Note the p2pCatchAll option, which you need to use with care. This option creates two pairs (not sure why) of the same LAN > WAN and WAN > LAN rules that take traffic from all protocols, ports and IPs and send it into the same reduced-bandwidth P2P queues.

Figure 5: Traffic Shaping Wizard - P2P

These rules sit below (i.e., at lower priority than) the port-specific rules, so they kick in on all other traffic (Figure 6). That means everything gets bandwidth-reduced unless you create higher-priority rules that send it to the default, unlimited-bandwidth queues. In other words, using the "catchall" option is like putting the whole LAN into the "Penalty Box"!

Figure 6: Shaper Rules w/ P2P Catchall
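To make the Penalty Box and the p2pCatchAll ordering problem concrete, here is a hand-written pf.conf/ALTQ fragment of the kind the wizard generates under the hood. It is an added example, not the article's screenshots or pfSense's own generated rule set; interface names, the penalised address, the ports and the bandwidth figures are assumptions chosen for illustration. Only the upload direction is shown; the download direction is the same pattern with the queues declared on the LAN interface at the download rate and the rules matching inbound on the WAN.

```pf
# Added example (not from the article or pfSense): upload-direction shaper.
# Assumed names: em0 = WAN, em1 = LAN, 192.168.1.50 = host in the Penalty Box.
wan = "em0"
lan = "em1"
penalty_host = "192.168.1.50"

# 350 Kbps is the conservative upload figure from the wizard's first screen.
# Child queue bandwidths add up to the parent's 350 Kb.
altq on $wan hfsc bandwidth 350Kb queue { qVoIPUp, qDefaultUp, qP2PUp, qPenaltyUp }
queue qVoIPUp    bandwidth 100Kb hfsc(realtime 100Kb)   # guaranteed for VoIP
queue qDefaultUp bandwidth 150Kb hfsc(default)          # unclassified traffic lands here
queue qP2PUp     bandwidth  50Kb hfsc(upperlimit 50Kb)  # hard cap for P2P
queue qPenaltyUp bandwidth  50Kb hfsc(upperlimit 50Kb)  # hard cap for the penalised host

# Classification is done as the packet ENTERS on the LAN side, before NAT
# rewrites the source address; the queue name is stored in the state and
# used when the packet leaves on an interface that defines that queue.
# "quick" makes pf stop at the first match, i.e. top-down like the wizard's
# rule list (without "quick", pf takes the LAST matching rule instead).

# Penalty Box: keyed on the address only, so switching ports does not help.
pass in quick on $lan from $penalty_host to any queue qPenaltyUp

# Port-specific rules, evaluated next.
pass in quick on $lan proto udp from any to any port 5060 queue qVoIPUp
pass in quick on $lan proto tcp from any to any port 6881:6889 queue qP2PUp

# Exceptions that keep full bandwidth MUST appear above the catch-all,
# otherwise web, DNS and SSH all drop into the capped P2P queue.
pass in quick on $lan proto tcp from any to any port { 80, 443, 22 } queue qDefaultUp
pass in quick on $lan proto udp from any to any port 53 queue qDefaultUp

# p2pCatchAll equivalent: every protocol, port and address not matched above.
# Delete the two exception rules and this line alone puts the whole LAN
# into the Penalty Box.
pass in quick on $lan from any to any queue qP2PUp
```

Check the fragment with `pfctl -nf /etc/pf.conf` (parse only, do not load), and after loading watch `pfctl -v -s queue` while browsing: if the packet counters on qP2PUp climb during ordinary web use, the catch-all is swallowing traffic that needs an exception rule above it.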
