There's more...

There are two variants of the traffic-shaping wizard: Multiple LAN/WAN, which is what we used in this recipe, and Dedicated Links, which we did not use. Dedicated Links is for cases in which certain LAN/WAN pairings do not mix with other traffic. This would be the case if users on a certain subnet have a different internet connection (and, therefore, a different WAN gateway) than other users. For example, imagine a network configuration in which traffic flows from the LAN to the WAN, but traffic from the demilitarized zone (DMZ) goes to WAN2. In such a case, each LAN-WAN connection has its own traffic-shaping requirements, and using the Dedicated Links wizard helps us take this into account.

On the Shaper configuration page of the wizard, you must choose the queuing discipline for each of the interfaces. In this recipe, we left the discipline set to PRIQ, but there are several choices:

  • Priority Queuing (PRIQ): The simplest of all queuing disciplines supported by pfSense. Packets are assigned different priority levels, with higher priority levels being favored over lower priority levels. This guarantees lower latency for high priority traffic, but lower priority traffic can become starved of bandwidth.
  • Class-Based Queuing (CBQ): Each class has an upper and lower bound for bandwidth, and classes can be subdivided. No guarantees are made concerning latency.
  • Hierarchical Fair Service Curve (HFSC): This type of queue utilizes two separate curves. The fairness portion of the curve provides a minimum latency, while the service portion determines the amount of bandwidth allocated. This queuing discipline tries to balance the competing interests of latency and bandwidth, but no guarantees concerning latency are made.

There is also a page of the wizard devoted to the Penalty Box. Very simply, the penalty box takes traffic from an IP or alias and places it into a queue that is limited to a percentage of the total bandwidth.

To see the rules the traffic-shaping wizard has generated, navigate to Firewall | Rules and click on the Floating tab. There should be three new rules: one to prioritize VoIP traffic, and two to lower the priority of BitTorrent traffic (one for BitTorrent TCP traffic and the other for BitTorrent UDP traffic). Note that these rules do not use the Pass, Block, or Reject actions, but instead use the Match action, and simply place traffic that matches the rule criteria into different queues. Also, note the limitations of the traffic-shaping wizard: the only criterion for the VoIP rule is that the traffic uses the UDP protocol, so any other UDP traffic will now be placed in the VoIP queue, even though it is not VoIP traffic. The rules for BitTorrent, on the other hand, match traffic that uses either UDP or TCP on ports 6881 to 6999. These rules can easily be circumvented by using other ports for BitTorrent traffic.

One of the ways to prevent circumvention of the traffic-shaping rules is to identify traffic based on the content of the packets. This is referred to as layer 7 traffic shaping, or deep packet inspection. Unfortunately, the pfSense traffic shaper no longer supports layer 7 traffic shaping. Therefore, if you want to implement this form of traffic shaping in pfSense, you will find it necessary to use a third-party package such as Snort.
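The two limitations just described (non-VoIP UDP landing in the VoIP queue, and BitTorrent on other ports slipping past the port rule) can be seen on constructed flows with the following model of the wizard's three floating match rules. This is an added example, not code from the book or from pfSense: the `Flow` and `MatchRule` types, the queue names `qVoIP`/`qP2P`/`qDefault`, the rule order, and the "last matching rule wins" evaluation are all assumptions of the model, and `assign_queue_l7` stands in for the content-based classification the text says the built-in shaper no longer offers.

```python
# Added example (not from the book or pfSense). Queue names, rule order and
# "last matching rule wins" evaluation are assumptions of this model.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str               # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""     # first bytes of the stream, for the layer 7 check

@dataclass(frozen=True)
class MatchRule:
    name: str
    proto: str
    ports: Optional[Tuple[int, int]]   # inclusive range; None means any port
    queue: str

    def matches(self, flow: Flow) -> bool:
        if flow.proto != self.proto:
            return False
        return self.ports is None or self.ports[0] <= flow.dst_port <= self.ports[1]

# The wizard's criteria as the text describes them: VoIP = any UDP,
# BitTorrent = TCP or UDP on ports 6881-6999.
WIZARD_RULES = [
    MatchRule("VoIP", "udp", None, "qVoIP"),
    MatchRule("BitTorrent TCP", "tcp", (6881, 6999), "qP2P"),
    MatchRule("BitTorrent UDP", "udp", (6881, 6999), "qP2P"),
]

def assign_queue(flow: Flow, rules=WIZARD_RULES, default: str = "qDefault") -> str:
    """Port/protocol classification: every matching rule applies, the last wins."""
    queue = default
    for rule in rules:
        if rule.matches(flow):
            queue = rule.queue
    return queue

# A BitTorrent peer handshake starts with the length byte 19 followed by the
# string "BitTorrent protocol"; a layer 7 classifier keys on content like this.
BT_HANDSHAKE = b"\x13BitTorrent protocol"

def assign_queue_l7(flow: Flow) -> str:
    """Content-aware variant: the payload overrides the port-based decision."""
    return "qP2P" if flow.payload.startswith(BT_HANDSHAKE) else assign_queue(flow)

# Constructed sample flows illustrating the gaps described above
DNS_QUERY = Flow("udp", 53)                                     # lands in qVoIP
BT_ON_ODD_PORT = Flow("tcp", 7000, BT_HANDSHAKE + b"\x00" * 8)  # evades the port rule
```

Running `assign_queue` on `DNS_QUERY` returns `qVoIP` and on `BT_ON_ODD_PORT` returns `qDefault`, while `assign_queue_l7(BT_ON_ODD_PORT)` returns `qP2P`.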
