pfSense to the rescue

m0n0wall's Traffic Shaping features have long been the go-to tool for bandwidth control for folks who don't mind throwing together custom routers using embedded x86-based computers. But, to tell the truth, I found the concepts of Rules, Queues and Pipes too complicated and continued to look for off-the-shelf products with easier-to-use controls. I also didn't want the time and expense of putting together my own single-board embedded system.

However, Michael Graves' recent article and his online video walkthrough, pushed me toward revisiting m0n0wall. Only this time, with a nudge from Forum regular YeOldeStonecat, I decided to try pfSense. pfSense is a m0n0wall fork, focused on running on standard PCs instead of embedded single board computers.

I downloaded the 1.2 version and gave it a quick try on my trusty, but aging Dell Inspiron 4100 notebook (1 GHz Celeron, 512 MB) by booting and running it directly from the CD. Although things were a bit slow, some simple experiments told me that it could control download bandwidth nicely. So I Ghosted the notebook, rebooted pfSense and had it install onto the Dell's hard drive.

Of course, since I was using my notebook as a router, I first had to add a second Ethernet interface. pfSense detected the 4100's 3Com compatible 3c905C internal adapter just fine. But it didn't detect the Linksys PCM200 10/100 Cardbus Ethernet card that I pulled out of my back room. So a check of the pfSense Hardware Compatibility list (which points to the FreeBSD 6.2 Hardware Compatibility List) eventually led me to buy a D-Link DFE-690TXD (only $20), which worked just fine.

Once pfSense was installed on the drive, I ran a quick throughput check using Jperf and found 90+ Mbps both LAN > WAN and WAN > LAN; basically 100 Mbps wire-speed.

I'm not going to do a full review of pfSense here, but it has an impressive set of features. You can easily see why m0n0wall has such a large fan base, even if you can't flash it on a $50 router like you can with DD-WRT, Tomato, etc.

Figure 4: pfSense System Overview

pfSense even has different skins (System: General Setup) but I just used the default "nervecenter" shown in Figure 4. If you're more accustomed to m0n0wall's left hand menu bar, you can just switch to the "pfsense" skin.

The Traffic Shaper is under the Firewall menu and takes you right into the Traffic Shaper Wizard the first time you hit it. The Wizard walks you through a series of menus that automatically configure the Rules, Queues and Pipes for common applications, organized by categories. It's a painless way to get a working set of bandwidth controls in place that you can tweak and/or copy to create new ones.

The first screen has you enter your actual Internet connection up and download speeds. It's better to err on the low side here, using the results from a few bandwidth test runs (80% of the actual values is frequently suggested). For my "3 Mbps / 640 Kbps" ADSL connection, I entered 2500 and 350 (you enter Kbps), which is what I typically get from Embarq. Then you hit the VoIP screen, which has only two controls, Provider and Bandwidth that you want to guarantee for VoIP.

The next screen is the Penalty Box, the first of interest for controlling bandwidth hogs. Figure 5 shows the simple controls—just IP address (you can enter more than one) and up and down bandwidth limits.

Figure 5: Traffic Shaping Wizard - Penalty Box

The Penalty Box is a fairly blunt instrument that applies to all traffic to and from an IP address. But it might be just the ticket for users who are too persistent in bypassing port-based controls by changing the ports used by bandwidth-hogging applications.

Next is the Peer to Peer Wizard. The controls are again simple; up and down bandwidth limits and a list of P2P applications. Note the p2pCatchAll option, which you need to use with care. This option creates two pair (not sure why) of the same LAN > WAN and WAN > LAN rules that take traffic from all protocols, ports and IPs and send it into the same reduced-bandwidth P2P queues.

Figure 5: Traffic Shaping Wizard - P2P

These rules are set at a lower priority than the port-specific filters, so kick in on all other traffic (Figure 6). This basically means that all traffic gets bandwidth-reduced unless you create higher-priority rules to send it to the default unlimited bandwidth queues. In other words, using that "catchall" option is like putting all traffic into the "Penalty Box"!

Figure 6: Shaper Rules w/ P2P Catchall

Tags: Bandwidth, How To, pfSense,

Related Articles: