The rules and queues generated by the shaper wizard may not be an exact fit for a network. Network devices may use services that need shaped which are not listed in the wizard, games that use different ports, or other protocols that need limiting.
After the basic rules have been created by the wizard, it is relatively easy to edit or copy those rules to make adjustments for other protocols.
Editing Shaper Queues¶
Queues are where bandwidth and priorities are allocated by the shaper. Each queue has settings specific to the scheduler that was chosen in the wizard (ALTQ Scheduler Types). Queues can also be assigned other attributes that control how they behave. Queues may be managed at Firewall > Traffic Shaper. Click on a queue name in the list or tree shown on the By Interface or By Queue tabs, as seen in Figure Traffic Shaper Queues List
Creating or editing queues is for advanced users only. It is a complex task with powerful results, but without thorough understanding of the settings involved the best practice is to stick with queues generated by the wizard rather than trying to make new queues.
To edit a queue, click its name in the list/tree.
To delete a queue, click it once to edit the queue, then click Delete This Queue. Do not delete a queue if it is still being referenced by a firewall rule.
To add a new queue, click the interface or parent queue under which the new queue will be placed, and then click Add New Queue.
When editing a queue, each of the options must be carefully considered. For more information about these settings than is mentioned here, visit the PF Packet Queuing and Prioritization FAQ or read The OpenBSD PF Packet Filter book.
The queue name must be between 1-15 characters and cannot contain spaces. The most common convention is to start the name of a queue with the letter “q” so that it may be more readily identified in the ruleset.
The priority of the queue. Can be any number from 0-7 for CBQ and 0-15 for PRIQ. Though HFSC can support priorities, the current code does not honor them when performing shaping. Queues with higher numbers are preferred by the shaper when there is an overload, so situate queues accordingly. For example, VoIP traffic is the highest priority, so it would be set to a
7on CBQ or
15on PRIQ. Peer-to-peer network traffic, which can be delayed in favor of other protocols, would be set at
- Bandwidth (root queues)
The amount of bandwidth available on this interface in the outbound direction. For example, WAN-type interface root queues list upload speed. LAN type interfaces list the sum total of all WAN interface download bandwidth.
- Queue Limit
The number of packets that can be held in a queue waiting to be transmitted by the shaper. The default size is
- Scheduler Options
There are five different Scheduler Options that may be set for a given queue:
- Default Queue
Selects this queue as the default, the one which will handle all unmatched packets on an interface. Each interface must have one and only one default queue.
- Random Early Detection (RED)
A method to avoid congestion on a link. When set, the shaper will actively attempt to ensure that the queue does not get full. If the bandwidth is above the maximum given for the queue, drops will occur. Also, drops may occur if the average queue size approaches the maximum. Dropped packets are chosen at random, so connections using more bandwidth are more likely to see drops. The net effect is that the bandwidth is limited in a fair way, encouraging a balance. RED should only be used with TCP connections since TCP is capable of handling lost packets, and hosts can resend TCP packets when needed.
- Random Early Detection In and Out (RIO)
Enables RED with in/out, which results in having queue averages being maintained and checked against incoming and outgoing packets.
- Explicit Congestion Notification (ECN)
Along with RED, it allows sending of control messages that will throttle connections if both ends support ECN. Instead of dropping the packets as RED will normally do, it will set a flag in the packet indicating network congestion. If the other side sees and obeys the flag, the speed of the ongoing transfer will be reduced.
- Codel Active Queue
A flag to mark this queue as being the active queue for the Codel shaper discipline.
Optional text describing the purpose of the queue.
- Bandwidth (Service Curve/Scheduler)
The Bandwidth setting should be a fraction of the available bandwidth in the parent queue, but it must also be set with an awareness of the other neighboring queues. When using percentages, the total of all queues under a given parent cannot exceed 100%. When using absolute limits, the totals cannot exceed the bandwidth available in the parent queue.
- Scheduler-specific Options
Next are scheduler-specific options. They change depending on whether a queue is using HFSC, CBQ, or PRIQ. They are all described in ALTQ Scheduler Types.
Click Save to save the queue settings and return to the queue list, then click Apply Changes to reload the queues and activate the changes.
Editing Shaper Rules¶
Traffic shaping rules control how traffic is assigned into queues. If a new connection matches a traffic shaper rule, the firewall will assign packets for that connection into the queue specified by that rule.
Packet matching is handled by firewall rules, notably on the Floating tab. To edit the shaper rules:
Navigate to Firewall > Rules
Click the Floating Tab
Find the rule to edit in the list, as shown in Figure Traffic Shaper Rules List
Click to edit an existing rule or to create a copy of a rule
Make any required adjustments to match different connections
Save and Apply Changes as usual when editing firewall rules
Queues may be applied using pass rules on interface tabs, but the wizard only creates rules on the Floating tab using the match action that does not affect whether or not a connection is passed or blocked; it only queues traffic. Because these rules operate the same as any other rules, any criteria used to match connections may be used to queue.
Shaper Rule Matching Tips¶
Connections can be tricky to match properly due to several factors, including:
NAT applies before outbound firewall rules can match connections, so for connections that have outbound NAT applies as they leave a WAN-type interface, the private IP address source is hidden by NAT and cannot be matched by a rule.
Some protocols such as Bittorrent will use random ports or the same ports as other services.
Multiple protocols using the same port cannot be distinguished by the firewall.
A protocol may use a range of ports so wide that it cannot be distinguished from other traffic.
While many of these cannot be solved by the firewall directly, there are ways to work around these limitations in a few cases.
To match by a private address source outbound in WAN floating rules, first tag the traffic as it passes in on a local interface. For example, match inbound on LAN and use the advanced Tag field to set a value, and then use the Tagged field on the WAN-side floating rule to match the same connection as it exits the firewall. Alternately, queue the traffic as it enters the LAN with a pass rule instead of when it exits a WAN.
Match by address instead of port/protocol where possible to sort out ambiguous
protocols. In these cases, either the local source or the remote destination may
be a single address or a small set of addresses. For example, matching VoIP
traffic is much simpler if the firewall can match the remote SIP trunk or PBX
rather than attempting to match a wide range of ports for RTP (e.g.
If bittorrent is allowed on a network but must be shaped, then dedicate a specific local device that is allowed to use bittorrent and then shape all connections to/from that device as Peer-to-Peer traffic.
Removing Traffic Shaper Settings¶
To remove all traffic shaper queues and rules created by the wizard:
Navigate to Firewall > Traffic Shaper
Click the By Interface tab
Click Remove Shaper
Click OK on the confirmation prompt