Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN How To


Once you let the Wizard establish the basic rules, you can edit and copy them to suit your needs. You just navigate to the Firewall:Shaper:Rules screen shown back in Figure 6, choose the rule you want to edit or copy and click the appropriate icon. If you can't decipher the icons, just move your mouse pointer over an icon and a tooltip will pop up, describing the function.

Figure 10 shows the edit screen for the third rule down in Figure 6 (m_P2P BitTorrent inbound for TCP). There is more to the screen, but most of the time, you'll just be changing the Destination Port Range. This rule is for BitTorrent, so is set for ports 6881 through 6999. If you wanted to change the ports, just enter the new ones, save the rule and clear the States.

Traffic Shaping Wizard - Other Applications
Click to enlarge image

Figure 10: Rule edit

Each rule has a Target field that sets the Queue where the packets that match the rule are sent. To create a new rule for a different application, just find a rule that uses a Queue with the desired bandwidth, copy it, and change the Destination Port Range to the ports that the new application uses. Save it, reset the States and you should be all set.

Note that Rules are position sensitive and executed from top to bottom as listed. You always want to put more restrictive rules ahead of wider rules, otherwise the more restrictive rule will not be executed. That's why in Figure 6, which includes the rules for the P2PCatchAll option, you see the BitTorrent rules (with destination ports 6881 - 6999) higher in the list.

You can tune existing Queues and create new ones too (no copying, however), but you need to proceed carefully. Figure 11 shows the Queues created by the Traffic Shaper Wizard when I used only the P2P page to set a bandwidth limit for BitTorrent.

Traffic Shaping Wizard - Other Applications
Click to enlarge image

Figure 11: Rule edit

The qP2PUp and qP2PDown queues are what actually limit the traffic matching my BitTorrent rule. But note the pairs of "Root" and "def" and "acks" queues that were also created. These are automatically created by the Wizard and should be left alone.

But if you wanted to increase the bandwidth allocated to BitTorrent downloads, you can just edit that rule. Navigate to the Firewall: Traffic Shaper screen, click the Queues tab and click the edit icon for the qP2PDown queue. Figure 12 shows the edit screen for that rule.

Traffic Shaping Wizard - Other Applications
Click to enlarge image

Figure 12: Queue edit

Again, there are lots of knobs to mess with. But all you need to adjust is the one circled in red (Service Curve upper limit, m2). Save the queue, reset the States and the bandwidth will be adjusted.

If you wanted to have a different bandwidth limit for a different set of applications, you could just use the Penalty Box option in the Wizard to create a new set of Queues. Then just copy a similar rule, edit the Destination ports and point it to the new pair of Queues

Finding Ports

But what if you don't know the ports used by the applications that you want to throttle? Or the standard ones aren't working because your little piggy has modified the ports or is using a proxy. Aside from just putting him or her in the Penalty Box, you can use PFtop to see what's going on.

Pftop is a small, curses-based utility for real-time display of active states and rule statistics for pf, the packet filter for OpenBSD. It's an option (9) available (and best used) in the pfSense console. But you can access it for quick checks using the Diagnostics: Execute Shell Command function (Figure 13). This mode only gives you the default view and sort, so it's rather limited. But the default view seems to bring the most active connections to the top and would definitely reveal a large up or download.

Traffic Shaping Wizard - Other Applications
Click to enlarge image

Figure 13: pfTop via Execute Shell Command

While I was debugging my BitTorrent filtering, I found pftop very useful. Help is available by typing h and provides the keyboard commands for the various field sorts. I found screen 7 (speed) to be very helpful in tracking down the sessions that were sucking the most bandwidth. The source field will tell you the IP address of the offender and the port number to use in your rule can be found in the destination IP after the colon, i.e.

One last hint is that the Diagnostics: Show States screen has a kill icon next to each session (the right hand column in Figure 14). Unfortunately, the page doesn't auto refresh and it doesn't show rates or bytes transferred as pftop does. Still, it can be a quick and dirty way to kill off sessions that are eating up too much bandwidth.

Traffic Shaping Wizard - Other Applications
Click to enlarge image

Figure 14: States screen

Closing Thoughts

I have just scratched the surface of pfSense's Traffic Shaping features and haven't even touched all of the other things that it can do to help tame an unruly LAN. But if you have a spare machine and a little patience, I'm sure you'll find pfSense a handy addition to your network.

In Part 2, I'll look at the bi-directional bandwidth management features in some small business routers.

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

I have an old router if i can say, that is made already reset to it and default usernames and passwords doesn't work. It has been functional somewhere...
Hello, i have the problem that my RT-AC86U is boot looped. The router reboots automatically every day and sometimes i already had the problem that it ...
Hi I want to connect Netflix in Germany, country currently I'm living allows Netflix but the content is censored. I have a cyberghostvpn account and I...
I rebooted my 86U this morning, and noticed that after the reboot, I was unable to connect to the openvpn server and was getting an auth failed error ...
Not seen this before, and this new router blocked my phones today, was getting authentication error. Deleted phones wifi added new entry, nope would ...

Don't Miss These

  • 1
  • 2
  • 3