The rules and queues generated by the shaper wizard may not be an exact fit for a network. Network devices may use services that need to be shaped which are not listed in the wizard, games that use different ports, or other protocols that need limiting.
After the basic rules have been created by the wizard, it is relatively easy to edit or copy those rules to make adjustments for other protocols.
Editing Shaper Queues
Queues are where bandwidth and priorities are allocated by the shaper. Each queue has settings specific to the scheduler that was chosen in the wizard (ALTQ Scheduler Types). Queues can also be assigned other attributes that control how they behave. Queues may be managed at Firewall > Traffic Shaper. Click a queue name in the list or tree shown on the By Interface or By Queue tabs, as seen in Figure Traffic Shaper Queues List.
Creating or editing queues is for advanced users only. It is a complex task with powerful results, but without thorough understanding of the settings involved the best practice is to stick with queues generated by the wizard rather than trying to make new queues.
To edit a queue, click its name in the list/tree.
To delete a queue, click it once to edit the queue, then click Delete This Queue. Do not delete a queue if it is still being referenced by a firewall rule.
To add a new queue, click the interface or parent queue under which the new queue will be placed, and then click Add New Queue.
When editing a queue, each of the options must be carefully considered. For more information about these settings than is mentioned here, visit the PF Packet Queuing and Prioritization FAQ or read The OpenBSD PF Packet Filter book.
The queue name must be between 1 and 15 characters and cannot contain spaces. The most common convention is to start the name of a queue with the letter “q” so that it may be more readily identified in the ruleset.
The priority of the queue. Can be any number from 0-7 for CBQ and 0-15 for PRIQ. Though HFSC can support priorities, the current code does not honor them when performing shaping. Queues with higher numbers are preferred by the shaper when there is an overload, so situate queues accordingly. For example, VoIP traffic is the highest priority, so it would be set to a
Bandwidth (root queues):
The amount of bandwidth available on this interface in the outbound direction. For example, WAN-type interface root queues list upload speed. LAN-type interfaces list the sum total of all WAN interface download bandwidth.
The number of packets that can be held in a queue waiting to be transmitted by the shaper. The default size is
There are five different Scheduler Options that may be set for a given queue:
Optional text describing the purpose of the queue.
Bandwidth (Service Curve/Scheduler):
The Bandwidth setting should be a fraction of the available bandwidth in the parent queue, but it must also be set with an awareness of the other neighboring queues. When using percentages, the total of all queues under a given parent cannot exceed 100%. When using absolute limits, the totals cannot exceed the bandwidth available in the parent queue.
Next are scheduler-specific options. They change depending on whether a queue is using HFSC, CBQ, or PRIQ. They are all described in ALTQ Scheduler Types.
Click Save to save the queue settings and return to the queue list, then click Apply Changes to reload the queues and activate the changes.
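Before saving a hand-edited queue tree, it helps to check it against the constraints stated above (name length, priority range per scheduler, and children not claiming more bandwidth than their parent). The script below is an added example written for this page, not pfSense or pf code; the "20%" / "10Mb" string form for bandwidth and the sample queue trees are constructed for the example.

```python
"""Sanity checks for a hand-edited ALTQ queue tree.

Added example, not pfSense code. It encodes only the rules stated in the text:
a queue name is 1-15 characters with no spaces; priority is 0-7 for CBQ and
0-15 for PRIQ (HFSC accepts priorities but the shaper does not honor them, so
they are not checked); and the children of a parent may not claim more than
the parent's bandwidth, whether given as percentages (total <= 100%) or as
absolute limits. The "20%" / "10Mb" string form is a constructed representation
for this script; pfSense stores the number and unit separately.
"""
from dataclasses import dataclass, field
from typing import List, Optional

UNIT_BITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
PRIORITY_MAX = {"CBQ": 7, "PRIQ": 15}  # HFSC deliberately absent: not enforced


@dataclass
class Queue:
    name: str
    bandwidth: str  # "20%" (of parent) or an absolute value such as "10Mb"
    priority: int = 1
    children: List["Queue"] = field(default_factory=list)


def parse_bandwidth(spec: str, parent_bits: Optional[int]) -> int:
    """Resolve a bandwidth string to bits/s; percentages are relative to the parent."""
    if spec.endswith("%"):
        if parent_bits is None:
            raise ValueError("root queue bandwidth must be absolute, not a percentage")
        return parent_bits * int(spec[:-1]) // 100
    for unit in ("Gb", "Mb", "Kb", "b"):  # longest suffix first so "Mb" wins over "b"
        if spec.endswith(unit):
            return int(spec[: -len(unit)]) * UNIT_BITS[unit]
    raise ValueError(f"unrecognised bandwidth {spec!r}")


def check_queue(q: Queue, scheduler: str, parent_bits: Optional[int] = None,
                problems: Optional[List[str]] = None) -> List[str]:
    """Walk the tree depth-first and collect every violation as a readable string."""
    if problems is None:
        problems = []
    if not 1 <= len(q.name) <= 15 or " " in q.name:
        problems.append(f"{q.name!r}: name must be 1-15 characters with no spaces")
    if scheduler in PRIORITY_MAX and not 0 <= q.priority <= PRIORITY_MAX[scheduler]:
        problems.append(f"{q.name}: priority {q.priority} is outside "
                        f"0-{PRIORITY_MAX[scheduler]} for {scheduler}")
    try:
        bits = parse_bandwidth(q.bandwidth, parent_bits)
    except ValueError as exc:
        problems.append(f"{q.name}: {exc}")
        return problems  # children cannot be resolved without a parent figure
    claimed = 0
    for child in q.children:
        try:
            claimed += parse_bandwidth(child.bandwidth, bits)
        except ValueError:
            pass  # reported when the child itself is visited below
    if claimed > bits:
        problems.append(f"{q.name}: children claim {claimed} b/s, parent has only {bits} b/s")
    for child in q.children:
        check_queue(child, scheduler, bits, problems)
    return problems


# Constructed trees shaped like the wizard's WAN output: a root queue holding the
# upload speed, with the usual ACK/VoIP/default children underneath it.
GOOD_WAN = Queue("qWANroot", "10Mb", children=[
    Queue("qACK", "20%", priority=7),
    Queue("qVoIP", "3Mb", priority=7),
    Queue("qDefault", "20%", priority=3),
    Queue("qOthersHigh", "10%", priority=4),
    Queue("qOthersLow", "10%", priority=2),
])

BAD_WAN = Queue("q wan root", "10Mb", priority=9, children=[  # space in name, priority > 7
    Queue("qACK", "60%", priority=7),
    Queue("qDefault", "50%", priority=1),  # 60% + 50% exceeds the parent
])

if __name__ == "__main__":
    for label, tree in (("good", GOOD_WAN), ("bad", BAD_WAN)):
        print(label, check_queue(tree, "CBQ") or "ok")
```

Run it against a tree transcribed from the By Queue tab; an empty list means none of the stated constraints is violated, while each string in a non-empty list names the queue and the rule it breaks.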
Editing Shaper Rules
Traffic shaping rules control how traffic is assigned into queues. If a new connection matches a traffic shaper rule, the firewall will assign packets for that connection into the queue specified by that rule.
Packet matching is handled by firewall rules, notably on the Floating tab. To edit the shaper rules:
- Navigate to Firewall > Rules
- Click the Floating Tab
- Find the rule to edit in the list, as shown in Figure Traffic Shaper Rules List
- Click the edit icon to edit an existing rule, or the copy icon to create a copy of a rule
- Make any required adjustments to match different connections
- Save and Apply Changes as usual when editing firewall rules
Queues may be applied using pass rules on interface tabs, but the wizard only creates rules on the Floating tab using the match action, which does not affect whether a connection is passed or blocked; it only queues traffic. Because these rules operate the same as any other rules, any criteria used to match connections may be used to queue.
Shaper Rule Matching Tips
Connections can be tricky to match properly due to several factors, including:
- NAT applies before outbound firewall rules can match connections, so for connections that have outbound NAT applied as they leave a WAN-type interface, the private source IP address is hidden by NAT and cannot be matched by a rule.
- Some protocols such as BitTorrent will use random ports or the same ports as other services.
- Multiple protocols using the same port cannot be distinguished by the firewall.
- A protocol may use a range of ports so wide that it cannot be distinguished from other traffic.
While many of these cannot be solved by the firewall directly, there are ways to work around these limitations in a few cases.
To match by a private address source outbound in WAN floating rules, first tag the traffic as it passes in on a local interface. For example, match inbound on LAN and use the advanced Tag field to set a value, and then use the Tagged field on the WAN-side floating rule to match the same connection as it exits the firewall. Alternatively, queue the traffic as it enters the LAN with a pass rule instead of when it exits a WAN.
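The following model shows why the naive WAN-side rule fails and why the tag/tagged pair works. It is an added example written for this page, not pfSense or pf code; it reproduces only the processing order described above (inbound rules on the LAN, then outbound NAT on the WAN, then outbound rules on the WAN), and the addresses, interface names and queue names are constructed.

```python
"""Why a WAN floating rule cannot match a private source, and how tag/tagged fixes it.

Added example modelling the processing order described in the text; it is not
pfSense or pf code. A connection from the LAN is evaluated in three steps:
inbound rules on the LAN (which see the private source and may set a tag),
outbound NAT on the WAN (which rewrites the source to the WAN address), and
outbound rules on the WAN (which see only the public source but can still
test the tag). Addresses, queue names and interfaces are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

WAN_ADDR = "203.0.113.10"  # constructed public address used by outbound NAT


@dataclass
class Packet:
    iface_in: str
    src: str
    dst: str
    dport: int
    tag: Optional[str] = None
    queue: Optional[str] = None


@dataclass
class Rule:
    iface: str
    direction: str                # "in" or "out"
    src: Optional[str] = None     # address criterion; None matches any source
    dport: Optional[int] = None
    tagged: Optional[str] = None  # only matches if the packet carries this tag
    tag: Optional[str] = None     # tag to set on match
    queue: Optional[str] = None   # queue to assign on match

    def matches(self, pkt: Packet, iface: str, direction: str) -> bool:
        return (self.iface == iface and self.direction == direction
                and (self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.tagged is None or self.tagged == pkt.tag))


def apply_rules(pkt: Packet, rules: List[Rule], iface: str, direction: str) -> None:
    """Apply every matching 'match' rule in order; a later rule's queue overrides an earlier one."""
    for rule in rules:
        if rule.matches(pkt, iface, direction):
            if rule.tag is not None:
                pkt.tag = rule.tag
            if rule.queue is not None:
                pkt.queue = rule.queue


def forward(pkt: Packet, rules: List[Rule], wan: str = "wan") -> Packet:
    """Run a LAN-originated packet through: LAN in -> outbound NAT -> WAN out."""
    apply_rules(pkt, rules, pkt.iface_in, "in")
    pkt.src = WAN_ADDR  # outbound NAT hides the private source from WAN out rules
    apply_rules(pkt, rules, wan, "out")
    return pkt


PHONE = "192.168.1.50"  # constructed VoIP phone on the LAN

# Naive attempt: match the phone's private address on the WAN floating rule.
NAIVE_RULES = [Rule("wan", "out", src=PHONE, queue="qVoIP")]

# Working approach from the text: tag on LAN in, match the tag on WAN out.
TAGGED_RULES = [
    Rule("lan", "in", src=PHONE, tag="VOIP"),
    Rule("wan", "out", tagged="VOIP", queue="qVoIP"),
]


def queue_for(rules: List[Rule]) -> Optional[str]:
    """Return the queue a call from the phone lands in under the given ruleset."""
    pkt = Packet(iface_in="lan", src=PHONE, dst="198.51.100.5", dport=5060)
    return forward(pkt, rules).queue


if __name__ == "__main__":
    print("naive rule :", queue_for(NAIVE_RULES))   # None: source already rewritten
    print("tag/tagged :", queue_for(TAGGED_RULES))  # qVoIP
```

The same model applies to the alternative mentioned above: a pass rule on LAN in that sets a queue directly is evaluated before NAT, so it sees the private source and needs no tag at all.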
Match by address instead of port/protocol where possible to sort out ambiguous protocols. In these cases, either the local source or the remote destination may be a single address or a small set of addresses. For example, matching VoIP traffic is much simpler if the firewall can match the remote SIP trunk or PBX rather than attempting to match a wide range of ports for RTP (e.g. 10000-20000).
If BitTorrent is allowed on a network but must be shaped, then dedicate a specific local device that is allowed to use BitTorrent and then shape all connections to/from that device as Peer-to-Peer traffic.
Removing Traffic Shaper Settings
To remove all traffic shaper queues and rules created by the wizard:
- Navigate to Firewall > Traffic Shaper
- Click the By Interface tab
- Click Remove Shaper
- Click OK on the confirmation prompt