Introduction

Regardless of the size or purpose of your network, you will benefit from optimizing its performance. One means of doing so is traffic shaping, which allows us to manage traffic in such a way that some packets are prioritized over others. Without traffic shaping, packets are processed on a first-in, first-out (FIFO) basis. While this might be adequate in many cases, in others it can lead to saturated connections and increased latency.

The traffic shaper does its job by examining packets leaving network interfaces. If packets meet certain criteria, they are treated differently. In this sense, implementing traffic shaping is similar to implementing firewall rules. Yet rather than pass, block, or reject packets, we place packets that match the traffic-shaping criteria into separate queues. Priority traffic goes into a priority queue, where it is sent immediately. Lower priority traffic is held back until the higher priority packets pass.

As you may have imagined, traffic shaping can be used in a variety of scenarios:

  • When low latency is required, we can employ traffic shaping to make sure this happens. This is typically the case if we are using Voice over IP (VoIP) applications or online games.
  • In many cases, latency is not important—we want as much excess bandwidth as is possible, but we don't care as much about when the packets arrive. This is typically the case when we are using peer-to-peer file sharing applications.
  • We may have asymmetric internet connections that we want to even out. In North America, it is fairly commonplace to have more download bandwidth than upload bandwidth. Your maximum download bandwidth may seem unattainable in some cases. This may be because the download client is sending ACK packets (packets acknowledging receipt of data), but these packets are in a FIFO queue with all other outbound traffic. Setting up a separate outbound queue just for ACK packets will potentially increase the speed of downloads.
  • If we are running pfSense at a business, we may want to deprioritize non-business-related traffic (for example, streaming video or file downloads).

These are just a few of the possible scenarios we may encounter when setting up traffic shaping on our networks.

Traffic shaping also plays a large role in the current debate on net neutrality. Advocates of net neutrality argue that internet data should be treated equally. Opponents of net neutrality argue in favor of multiple tiers of service, and that forcing internet providers to treat all data packets equally will result in fewer choices for consumers. Fortunately, the net neutrality debate is focused primarily on the public internet, and since we are mainly concerned with our private networks, we can sidestep this controversy.

As you become more involved with implementing traffic shaping with pfSense, you will become aware of the limitations of the built-in traffic shaper. The traffic shaper is capable of creating queues with varying levels of priority (levels 1 to 7, to be exact). Identifying which traffic should go into a certain queue can be challenging. We can assume that traffic on a certain port is used by a certain application, and act accordingly. We can also make assumptions based on which protocol is being used (for example, VoIP traffic will tend to use User Datagram Protocol (UDP)). In some cases, we need to examine the contents of a packet to determine which application generated it. Since we are examining the contents of the packet in order to determine what application the packet originated from, and the seven-layer OSI model considers layer 7 the application layer, we call such an examination layer 7 packet inspection. The pfSense traffic shaper lacks the ability to do any kind of layer 7 packet inspection (also known as deep packet inspection). Earlier versions of the traffic shaper attempted to implement this, but apparently it never really worked, and it also caused other traffic-shaping functionality to break. As a result, more recent versions of pfSense do not implement layer 7 traffic shaping, and in order to get this done, we must use third-party packages.
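The scenarios listed earlier (low-latency VoIP, a separate ACK queue on an asymmetric link, deprioritized bulk transfers) and the port- and protocol-based classification just described, expressed as an added pf.conf ALTQ fragment; this is an illustrative example, not the book's or pfSense's generated configuration, and the interface name, link speed and the SIP port are assumptions.

```pf
# Added example: PRIQ queueing on the outbound interface in pf (the packet
# filter pfSense is built on). Interface, bandwidth and SIP port are assumed.
ext_if = "em0"

# Four priority queues. PRIQ always serves the highest-priority non-empty
# queue first, so packets in q_ack and q_voip are sent before anything
# waiting in q_default or q_bulk. Priorities stay within pfSense's 1-7 range.
altq on $ext_if priq bandwidth 10Mb queue { q_ack, q_voip, q_default, q_bulk }
queue q_ack     priority 7
queue q_voip    priority 6
queue q_default priority 3 priq(default)
queue q_bulk    priority 1

# Low latency: classify by port, the heuristic described in the text.
# Assumes SIP signalling on UDP/5060; RTP media uses negotiated ports and
# would need additional match criteria (this is the layer 7 gap noted above).
pass out on $ext_if proto udp from any to any port 5060 queue q_voip

# Asymmetric link: with "queue (a, b)" pf places empty TCP ACK segments
# (and lowdelay-marked packets) in the second queue, so acknowledgements
# for inbound downloads no longer sit in FIFO behind bulk uploads.
pass out on $ext_if proto tcp from any to any flags S/SA keep state queue (q_default, q_ack)

# Deprioritize bulk file transfers (FTP on ports 20/21 as the assumed
# example). pf applies the last matching rule unless "quick" is set, so this
# more specific rule overrides the general TCP rule above for FTP sessions.
pass out on $ext_if proto tcp from any to any port { 20, 21 } queue (q_bulk, q_ack)
```

Load with `pfctl -f /etc/pf.conf` and inspect queue counters with `pfctl -vsq` to confirm that ACKs and SIP packets land in the high-priority queues.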

In this chapter, we consider three separate scenarios. In the first, we will use the traffic shaping wizard to prioritize certain traffic and deprioritize other traffic. In the second, we will create a floating rule to deal with a more specific traffic shaping scenario. In the third, we will use Snort to implement layer 7 traffic shaping.
