Slides for the February 2016 pfSense Hangout video

1. Traffic Shaping Basics with PRIQ
February 2016 Hangout
Jim Pingle

2. Traffic Shaping Basics with PRIQ
● Project News
● What is Traffic Shaping?
● How does Traffic
Shaping work?
● Types of Traffic Shaping
● Limitations
● Why use PRIQ?
● Traffic Shaping Wizard
● PRIQ Queue Structure
● Matching & Queuing
with Floating Rules
● Testing and
Troubleshooting
● Q&A

3. Project News
● 2.2.7? Possible, depending on OpenSSL announcement
● 2.3 is nearing RC
– Release timing will roughly parallel FreeBSD 10.3-RELEASE
– No more new features, focus now completely on bug fixes (Less than 25 open new bugs now!)
– Snapshots at https://snapshots.pfsense.org/
● New hardware!
– XG-2758 replaces C2758
● 8 core, 16GB RAM
● 2x 10G SFP and 4x 1G ports (1 shared 1G RJ45/SFP)
● European pfSense Training Tour!
– April 7-8 in Bournemouth (UK, Amica Partner)
– April 12-13 in London (UK, Amica Partner)
– May 17-18 in Frankfurt (DE, Voletech Partner)
– http://netgate.com/training/ – All are 9am-6pm local time
– Online training March 22-23, sign up now!
● Keep an eye on the blog

4. What is Traffic Shaping?
● A means to assure Quality of Service (QoS) by queuing traffic and
using criteria to control when it is delivered
● Different from traffic policing, which drops all frames above a
committed rate
● Passes important traffic (e.g. ACKs, VoIP) first at the expense of
lesser traffic (e.g. SMTP)
● Ensures that traffic is passed efficiently
– Queuing and delaying packets is less harsh to TCP than dropping, but
packets can be dropped from queues when full
● Can prevent traffic from over-filling circuits (peak smoothing)
● Shares bandwidth more effectively across many clients
● Discourages unwanted services by degrading their traffic flow

5. How does Traffic Shaping work?
● A queue structure is defined to specify how types of traffic will be shaped
– Exact structure varies by shaper type
– For example, queues might define a priority (PRIQ) or a bandwidth allocation
(HFSC)
● Traffic is identified by firewall rules and placed into appropriate queues
– Typically Floating rules are used with the Match action
● Traffic is queued OUTBOUND on interfaces
– That is the only place the firewall can limit the rate of packets
● Rough idea of how processing works (PRIQ):
– Packets match rules and are placed into separate queues
– Packets are held momentarily before transmission in each queue
– Packets in higher priority queues are always processed before lower priority queues

6. Types of Traffic Shaping
● ALTQ
– PRIQ – Priority Queuing (only one covered today)
● Very simple/easy to work with
● Only concerned with priority, priorities of 0-15, highest number queues are processed first
● Flat list of queues, no nesting/children/trees/etc
– HFSC – Hierarchical Fair Service Curve
● Powerful but complex/confusing
● Primarily concerned with bandwidth (throughput), not priority
● Tree of queues for each interface
– CBQ – Class Based Queuing
● Similar to HFSC but not as accurate, has both bandwidth and priority options
● Partitions and shares link bandwidth among queues, child can borrow from parent, etc
– Others: FAIRQ, CODELQ, supported but not covered today
● Limiters
– “Buckets” with defined upper limits of traffic can be shared/common for all or be masked to
have per-address or per-subnet limits
– Currently has known issues with pfsync (HA) and some NAT scenarios

7. Limitations
● ALTQ is inefficient and has a notable usage penalty
– ~10% but exact throughput loss depends on system, traffic, etc
– If the system is fast or not running near wire speed, loss may not
be noticeable
● ALTQ does not work with all NICs, only supported NICs
– VLANs are OK, LAGG+VLANs OK, but not LAGG on its own
– Support varies by NIC driver, see list in the altq(4) FreeBSD man
page
● Shaping will add some (usually minor) latency
● Tricky to shape traffic inside VPNs

8. Why use PRIQ?
● Easiest ALTQ shaper type
● Flexible enough for most use cases
– Great for putting VoIP or games above other traffic
● No concern for bandwidth means it is less likely to
have issues with WANs of varying speeds or with
NICs that fail to properly report bandwidth (e.g.
Realtek)
● Priority only, so no bandwidth limits/caps or
reservations to calculate or design

9. Traffic Shaping Wizard - Start
● Wizard is the easiest way to get the shaper setup
● Even if you don't want to use the wizard rules, let it create the
queues for you.
● Firewall > Traffic Shaper, Wizards tab
● Pick “Multiple LAN/WAN” / multi-all for most uses
● “Dedicated Links” is for cases where single WANs and LANs are
linked with no cross-usage (e.g. LAN1→WAN1, LAN2→WAN2)
● Enter # of WANs and LANs
– WAN = interface with gateway on INTERFACE settings
– LAN = no gateway

10. Traffic Shaping Wizard - Config
● Pick appropriate interfaces for each LAN/WAN
● Select PRIQ as the scheduler for each interface
● For WAN, enter values for Upload and
Download bandwidth
– They are not used by PRIQ, but the wizard requires
they be set

11. Traffic Shaping Wizard - VoIP
● Check enable if VoIP shaping is desired
● Choose provider type to help craft better VoIP
matching rules
– “Generic” will match all UDP
● Enter the Upstream SIP server
– Difficult to match on local IP addresses, matching
remote server address is much more accurate
● Leave bandwidths blank

12. Traffic Shaping Wizard – Penalty Box
● Not used with PRIQ
● Sets up a queue for known bad hosts to limit
their usage

13. Traffic Shaping Wizard - P2P
● Attempts to match P2P traffic
– Not all that accurate since it can only match by ports, which clients
can randomize.
● Catchall changes the default queue to be the P2P queue
– The “catchall” option sounds tempting until you realize you have to
identify all good traffic and classify it into other queues
– OK to use, but a management headache! Be prepared to work for
it
– Used for lowering priority of “everything else” which could be P2P
on random ports or good but unclassified traffic
● Check boxes for the protocols to match

14. Traffic Shaping Wizard - Games
● Presets for many popular games, consoles, and
platforms
● Check the boxes for games to match
● If the game you want is not listed, check any
other game so the queues are created and then
manually adjust rules later

15. Traffic Shaping Wizard –
Raise/Lower
● Classifies other common traffic to raise or lower its
priority
● Choices are entirely subjective – set however the
needs of the network require
● Frequently things like screen-sharing protocols are
raised, bulk traffic like chat and SMTP are lowered
● Best to set at least one high and one low so the
queues will be created for later use

16. Traffic Shaping Wizard – Finish Up
● Click Finish on the last screen and the wizard
will finish creating all the queues and rules
● The filter will reload and its status displayed
– If there is an error with the queues, it may be due to
a lack of support in the NIC or an improper
bandwidth value
● The wizard retains the values entered, so if you
need to change something, re-run the wizard
and adjust as needed

17. PRIQ Queue Structure
● Firewall > Traffic Shaper, By Interface tab
● Each interface has a similar set of queues
– LANs have a qLink to ensure LAN-to-LAN traffic is not shaped
● Priorities:
qVoIP: 7 – Highest Priority, delivered first
qACK: 6
qGames: 5
qOthersHigh: 4
qDefault (WANs): 3 – Unclassified traffic lands here
qOthersLow: 3 on LANs, 2 on WANs
qLink (LANs): 2
qP2P: 1 – Lowest Priority, delivered last
● When crafting custom rules or other queues, keep these in mind

18. Matching/Queuing w/Floating Rules
● Firewall > Rules, Floating tab
● Rules from the wizard are here and good for examples/duplication if custom
rules are needed
● Rules use the Match action which does not pass or block, only applies queuing
● Packets can be matched in any way possible in pf
● Choose the queue and ACK queue in Advanced Options
– Queue is for normal traffic with a payload
– ACK queue is for TCP ACKs with no payload or TOS lowdelay to ensure ACKs are not
lost so data is delivered quickly/efficiently
● “Quick” keyword is not usable with match
– Rules are LAST MATCH WINS, so take care when crafting rules
● Beware of using local sources on outbound WAN rules – NAT hides source

19. Testing and Troubleshooting
● Status > Queues to view how packets are being processed in queues
● Start some traffic, test traffic or otherwise
– Sipp is handy for testing SIP matching: http://sipp.sourceforge.net/index.html
● If traffic is flowing but not showing in a queue:
– 1. Traffic is not matching the expected rule
● Check that rules obey proper order (last match wins)
● Consider the way the rules are processed, and NAT involved, etc.
– 2. States were not reset after shaper setup
● Drops are OK, and how shaping works
– Sometimes lower priority packets must be dropped so that higher priority
packets can pass
– Increase queue length to lower/stop drops if they cause problems

20. Conclusion
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc