Traffic Limiting with PfSense 2.0 RC3

pfSense is a FreeBSD-based firewall distribution that is extremely flexible for both businesses and individuals. It can be installed on anything from a small ALIX board with flash memory as its only storage up to a full server deployment. To give you an idea of throughput, a small ALIX box (I have a few) easily pushes 20 Mbps. A slightly larger box with spinning disks and an Atom processor pushes 60 Mbps, which is the maximum my WAN provides. The larger box also has the headroom to run additional packages on pfSense, such as Squid and many more.

One of the things I set out to do was limit part of my Internet connection so that less important traffic cannot slow down my customers' traffic.

Set up the Limiter Pipes

The Advanced Features section of a firewall rule lets us limit upload, download or both. First we need to set up the limiter "pipes", one for upload and one for download. In this example the download is limited to 1 Mbps and the upload to 0.5 Mbps.

Figure 1 – pfSense 2.0 RC3 Traffic Shaping – Limiter Setup for Upload Stream

Figure 2 – pfSense 2.0 RC3 Traffic Shaping – Limiter Setup for Download Stream

Apply the Limiters to the Firewall Rule

Now that the limiter pipes exist, apply them to the individual firewall rules. Open the rule, expand the Advanced Features section and pick the upload pipe for In and the download pipe for Out; the directions are from the point of view of the interface the rule is on, not the user.

Figure 3 – pfSense 2.0 RC3 Firewall Rule Setup – Advanced Setup – Applying Limiter


Figure 4 – pfSense 2.0 RC3 Rule Setup Overview

There you have it. The firewall rule set now prevents this type of traffic from saturating the entire connection.

9 thoughts on “Traffic Limiting with PfSense 2.0 RC3”

    1. matthew.mattoon Post author

      The way you set up any sort of traffic shaping in pfSense 2.0 is by configuring a pipe, then configuring a rule to use the pipe. So if your rule is for specific IP addresses only, or even an IP range, then the pipe will enforce the traffic restrictions on that firewall ruleset.


  1. Devryguy81

    Why can pfSense not just tell us this? Their forums are loaded with traffic shaper questions and this is the ONLY site I’ve seen to list out exactly what I need!

    I’m running 2.0.1-RELEASE. It was super-easy. I wanted to limit traffic on two VLANs that were being used for non-organization-related traffic. ALL I wanted to do was limit their upload/download speeds so that they could not saturate our connection.

    – I blew away my existing shaping Wizard config in Firewall –> Traffic Shaper
    – Go to “Limiter” tab
    – Create a new limiter
    – Enable it and call it something meaningful, like “upload-limiter”
    – Input the Bandwidth limit and give it a description
    – Change nothing else and press Save

    – Create a new limiter (again)
    – Enable it again and this one will be the “download-limiter”
    – Input the Bandwidth limit and description
    – Press Save

    – Now go to Firewall –> Rules, and select the appropriate interface tab
    – Create a new rule AT THE TOP
    – For the selected interface, for TCP protocol, for the same source, select “In/Out” from the Advanced Features below the rule information
    – If the limiter speeds are set the same, it doesn’t matter where the upload and download limiters go. Upload should go to the “In” and download should go to the “Out”. Remember it’s all from the viewpoint of the INTERFACE, not the user!

    Good luck! It worked instantly for me and I’m VERY happy now!

    1. matthew.mattoon Post author

      To be fair to the guys who work on pfSense, they do have it documented…

      However, they are quite difficult to understand; this is why I wrote up an article on it. In this case I suspect that this is due to the complex nature of traffic shaping and its many use cases. Additionally this is a fairly new release in which a load of changes were made, and like any other open source project, documentation is generally much slower to get updated than the actual code.

      Good note about making sure that the rule is at the top of the ruleset. In case folks don’t know, you want to ensure that it is the first matching rule that is applied. So if you have two rules…

      rule one allows TCP 80 to everything and is unlimited.
      rule two allows TCP 80 to and is limited to 1Gbps (or whatever).

      The effective rule would be rule one and the traffic would _not_ be limited as you intended. If you reverse the rule order then the rule matches first and that traffic is limited while the wider internet is matched later with an unlimited pipe. This is of course a massive oversimplification, but as Devryguy pointed out rule order is very important.


  2. Roy

    Excellent and useful info… There are a couple of other questions I have:

    * Could you please explain the use of the “Mask” option? I think that is what I’m looking for, but not sure how to use it.

    * When do you think “children” limiters could be necessary or useful?

    Thanks again.

  3. matthew.mattoon Post author

    Instead of creating a single static pipe, the mask option lets us create multiple dynamic pipes based on the source or destination IP address. So if the goal is to limit the total aggregate traffic to 1Mbps, then mask is unnecessary. However, if the goal is to limit any particular user to 1Mbps, then mask is what you are looking for.

    As for child limiters, I have not used them, so I do not fully understand them.
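
    The tutorial above attaches an upload pipe to In and a download pipe to Out on a rule, and the two author comments above cover what the GUI does not make obvious: the first matching rule wins, so an unlimited rule placed above the limited one silently defeats the limiter, and the Mask option turns one limiter into a dynamic pipe per source or destination address. The Python model below is an added example written for this page, not pfSense code. It assumes pf-style first-match semantics in which the reply packets of a client-initiated flow belong to the same state and therefore hit the same rule, and it uses constructed addresses (a 192.168.20.0/24 guest network, a 203.0.113.10 web server) and constructed per-second byte counts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limiter:
    """One pfSense-style limiter: a bandwidth and an optional mask."""
    name: str
    kbps: int                    # bandwidth of each pipe this limiter creates
    mask: Optional[str] = None   # None: one aggregate pipe; "source"/"destination": one pipe per address

    def pipe_key(self, client: str, remote: str) -> Tuple[str, ...]:
        # Without a mask every matching flow shares one pipe.  With a mask the
        # limiter is instantiated dynamically, one pipe per masked address.
        if self.mask == "source":
            return (self.name, client)
        if self.mask == "destination":
            return (self.name, remote)
        return (self.name,)


@dataclass(frozen=True)
class Rule:
    """A pass rule on the client-side interface with the In/Out pipes from Advanced Features."""
    proto: str
    src: str                            # client network, CIDR
    dst: str                            # remote network, CIDR
    dport: Optional[int] = None
    in_pipe: Optional[Limiter] = None   # packets entering the interface (client upload)
    out_pipe: Optional[Limiter] = None  # packets leaving the interface (client download)

    def matches(self, flow: dict) -> bool:
        return (self.proto in ("any", flow["proto"])
                and ipaddress.ip_address(flow["client"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow["remote"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == flow["dport"]))


def first_match(rules: List[Rule], flow: dict) -> Optional[Rule]:
    """First-match semantics: the rule highest in the list that matches decides."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def offered_load(rules: List[Rule], flows: List[dict]) -> Dict[Tuple[str, ...], int]:
    """Bytes per second each dynamic pipe would have to carry for the given flows.

    Assumption: a flow is client-initiated, so its replies ("out" from the
    interface's viewpoint) belong to the same state and hit the same rule.
    """
    load: Dict[Tuple[str, ...], int] = {}
    for flow in flows:
        rule = first_match(rules, flow)
        if rule is None:
            continue  # no pass rule: dropped, never reaches a pipe
        limiter = rule.in_pipe if flow["dir"] == "in" else rule.out_pipe
        if limiter is None:
            continue  # matched an unlimited rule: bypasses every pipe
        key = limiter.pipe_key(flow["client"], flow["remote"])
        load[key] = load.get(key, 0) + flow["bytes_per_s"]
    return load


def saturated(load: Dict[Tuple[str, ...], int],
              limiters: Dict[str, Limiter]) -> Dict[Tuple[str, ...], bool]:
    """Which pipes would actually be shaping: offered load above the pipe's bandwidth."""
    return {key: bytes_per_s * 8 > limiters[key[0]].kbps * 1000
            for key, bytes_per_s in load.items()}


# Limiters as in the post: 0.5 Mbps up, 1 Mbps down, plus a masked per-host variant.
UPLOAD = Limiter("upload-limiter", kbps=500)
DOWNLOAD = Limiter("download-limiter", kbps=1000)
PER_HOST = Limiter("per-host-download", kbps=1000, mask="source")
LIMITERS = {lim.name: lim for lim in (UPLOAD, DOWNLOAD, PER_HOST)}

GUEST_RULE = Rule("tcp", "192.168.20.0/24", "0.0.0.0/0", 80, in_pipe=UPLOAD, out_pipe=DOWNLOAD)
MASKED_RULE = Rule("tcp", "192.168.20.0/24", "0.0.0.0/0", 80, in_pipe=UPLOAD, out_pipe=PER_HOST)
ANY_RULE = Rule("any", "0.0.0.0/0", "0.0.0.0/0")   # the usual "allow all" LAN rule, unlimited

# Constructed traffic: two guest hosts each pulling 150 kB/s (1.2 Mbps) from a web server,
# and one of them pushing 20 kB/s (160 kbps) the other way.
FLOWS = [
    {"client": "192.168.20.11", "remote": "203.0.113.10", "proto": "tcp", "dport": 80, "dir": "out", "bytes_per_s": 150_000},
    {"client": "192.168.20.12", "remote": "203.0.113.10", "proto": "tcp", "dport": 80, "dir": "out", "bytes_per_s": 150_000},
    {"client": "192.168.20.11", "remote": "203.0.113.10", "proto": "tcp", "dport": 80, "dir": "in", "bytes_per_s": 20_000},
]

if __name__ == "__main__":
    print("unlimited rule first:", offered_load([ANY_RULE, GUEST_RULE], FLOWS))
    aggregate = offered_load([GUEST_RULE, ANY_RULE], FLOWS)
    print("limited rule first:  ", aggregate, saturated(aggregate, LIMITERS))
    per_host = offered_load([MASKED_RULE, ANY_RULE], FLOWS)
    print("masked limiter:      ", per_host, saturated(per_host, LIMITERS))
```

    With the allow-all rule on top, nothing ever reaches a pipe; with the limited rule on top, both guests share one 1 Mbps download pipe that is saturated by their combined 2.4 Mbps; with the source mask, each guest gets its own 1 Mbps pipe, so the aggregate can reach 2 Mbps, which is what the Mask option is for.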


  4. John

    This is by far the best How to…Traffic Limiting with PfSense v2.x. Thank you for the post.