Once you let the Wizard establish the basic rules, you can edit and copy them to suit your needs. You just navigate to the Firewall:Shaper:Rules screen shown back in Figure 6, choose the rule you want to edit or copy and click the appropriate icon. If you can't decipher the icons, just move your mouse pointer over an icon and a tooltip will pop up, describing the function.
Figure 10 shows the edit screen for the third rule down in Figure 6 (m_P2P BitTorrent inbound for TCP). There is more to the screen, but most of the time, you'll just be changing the Destination Port Range. This rule is for BitTorrent, so is set for ports 6881 through 6999. If you wanted to change the ports, just enter the new ones, save the rule and clear the States.
Figure 10: Rule edit
Each rule has a Target field that sets the Queue where the packets that match the rule are sent. To create a new rule for a different application, just find a rule that uses a Queue with the desired bandwidth, copy it, and change the Destination Port Range to the ports that the new application uses. Save it, reset the States and you should be all set.
Note that Rules are position sensitive and executed from top to bottom as listed. You always want to put more restrictive rules ahead of wider rules, otherwise the more restrictive rule will not be executed. That's why in Figure 6, which includes the rules for the P2PCatchAll option, you see the BitTorrent rules (with destination ports 6881 - 6999) higher in the list.
You can tune existing Queues and create new ones too (no copying, however), but you need to proceed carefully. Figure 11 shows the Queues created by the Traffic Shaper Wizard when I used only the P2P page to set a bandwidth limit for BitTorrent.
Figure 11: Rule edit
The qP2PUp and qP2PDown queues are what actually limit the traffic matching my BitTorrent rule. But note the pairs of "Root" and "def" and "acks" queues that were also created. These are automatically created by the Wizard and should be left alone.
But if you wanted to increase the bandwidth allocated to BitTorrent downloads, you can just edit that rule. Navigate to the Firewall: Traffic Shaper screen, click the Queues tab and click the edit icon for the qP2PDown queue. Figure 12 shows the edit screen for that rule.
Figure 12: Queue edit
Again, there are lots of knobs to mess with. But all you need to adjust is the one circled in red (Service Curve upper limit, m2). Save the queue, reset the States and the bandwidth will be adjusted.
If you wanted to have a different bandwidth limit for a different set of applications, you could just use the Penalty Box option in the Wizard to create a new set of Queues. Then just copy a similar rule, edit the Destination ports and point it to the new pair of Queues
But what if you don't know the ports used by the applications that you want to throttle? Or the standard ones aren't working because your little piggy has modified the ports or is using a proxy. Aside from just putting him or her in the Penalty Box, you can use PFtop to see what's going on.
Pftop is a small, curses-based utility for real-time display of active states and rule statistics for pf, the packet filter for OpenBSD. It's an option (9) available (and best used) in the pfSense console. But you can access it for quick checks using the Diagnostics: Execute Shell Command function (Figure 13). This mode only gives you the default view and sort, so it's rather limited. But the default view seems to bring the most active connections to the top and would definitely reveal a large up or download.
Figure 13: pfTop via Execute Shell Command
While I was debugging my BitTorrent filtering, I found pftop very useful. Help is available by typing h and provides the keyboard commands for the various field sorts. I found screen 7 (speed) to be very helpful in tracking down the sessions that were sucking the most bandwidth. The source field will tell you the IP address of the offender and the port number to use in your rule can be found in the destination IP after the colon, i.e. 184.108.40.206:80.
One last hint is that the Diagnostics: Show States screen has a kill icon next to each session (the right hand column in Figure 14). Unfortunately, the page doesn't auto refresh and it doesn't show rates or bytes transferred as pftop does. Still, it can be a quick and dirty way to kill off sessions that are eating up too much bandwidth.
Figure 14: States screen
I have just scratched the surface of pfSense's Traffic Shaping features and haven't even touched all of the other things that it can do to help tame an unruly LAN. But if you have a spare machine and a little patience, I'm sure you'll find pfSense a handy addition to your network.
In Part 2, I'll look at the bi-directional bandwidth management features in some small business routers.