Manual rule configuration

Thus far, we have shown how queues can be added and edited, but the queues have no effect unless a firewall rule places packets into one of these queues. We covered these rules in depth in Chapter 6, Firewall and NAT.

At one point, pfSense had a separate tab for traffic shaper rules. More recent versions have done away with this tab, and to see the traffic shaper rules, navigate to Firewall | Rules and click on the Floating tab. The traffic shaper rules will be here, and so will any other floating rules you created. You should be able to differentiate traffic shaping rules by their description, by the fact that traffic shaping rules tend to have Match designated as their action (as opposed to pass, block, or reject), and by the fact that all traffic shaping rules have a value specified for Queue.

To edit one of these rules, click on the Edit icon; to delete a rule, click on the Delete icon. You can also change the order of the rules by clicking on them and dragging them to a different position, or by checking the rules and clicking on Move checked rules above this one icon (this is often an easier way of moving multiple rules). To add a new rule, click on one of the Add buttons, and to create a rule based on an existing rule, click on the Copy icon.

Each rule has several matching criteria, ensuring that traffic is fed into the right queue. Separate queues can be created for inbound and outbound traffic. Traffic shaping rules could take advantage of this to feed inbound and outbound traffic into different queues, but most of the rules generated by the pfSense traffic shaping wizard seem to have the same queue for inbound and outbound traffic. These rules utilize the fact that floating rules can apply to traffic in both directions and feed such traffic into the same queue. Since each rule can only feed traffic into a single queue, this saves the wizard from having to create more than one rule for a traffic shaping task.

By clicking on the Edit option for a traffic shaping rule, you can alter that rule's settings. You can also see that traffic shaping rules have much in common with other rules, with some significant differences. First, there is the fact mentioned earlier that traffic shaping rules use the Match option. In addition, the interface selected is usually the WAN interface. Most of the rules seem to apply to traffic in both directions.

These settings are the same for virtually all traffic shaping rules, but the core of a traffic shaping rule is what differentiates the traffic. In most cases, pfSense uses the protocol and port number to filter traffic. TCP is commonly used in traffic shaping rules, but rules that apply to VoIP and gaming services often use UDP.

One example of an automatically generated rule sends DCC traffic to the P2P queue. TCP is selected as the Protocol, and the Destination port range is set to 6666 to 6668. A user could easily circumvent such a rule by changing the port range (at least when receiving files—sending files over a different port range will require a new NAT entry). However, the auto-generated rules should work well for services that always use the same ports.

Although they seldom seem to be used by the traffic shaping rules, the TCP flags are another way in which traffic could be matched. The TCP flags indicate various states of a connection. They can be matched based on whether they are set or cleared. We can also leave both the set and cleared checkboxes unchecked if we don't care whether a flag is set or not.

The last option in Advanced Options for Floating Rules is Ackqueue. This is where matching traffic is assigned to a queue. The first drop-down box selects the queue for ACK traffic; the second selects the queue for all other traffic. In many cases, Ackqueue is left undefined (set to None) and Queue is the only selection made. However, it is a good idea to set up a dedicated queue for ACK traffic; this prevents delays caused by the remote end of a connection waiting for ACKs stuck in a queue with non-ACK traffic.
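The following script is an added example, not from the book or the pfSense project: it reads a pfSense config.xml export, picks out the floating rules that are traffic shaping rules by the criteria above (Match action plus a Queue), and lists the TCP rules that have no dedicated ACK queue. It assumes the `<floating>`, `<type>`, `<defaultqueue>` and `<ackqueue>` tags pfSense writes for filter rules; the embedded config is constructed for the demonstration.

```python
# Added example (not from the book): audit floating traffic-shaper rules in a
# pfSense config.xml export. Assumes the <floating>/<type>/<defaultqueue>/
# <ackqueue> tags pfSense uses for filter rules; SAMPLE_CONFIG is constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>match</type><interface>wan</interface><floating>yes</floating>
    <direction>any</direction><protocol>tcp</protocol><source><any/></source>
    <destination><any/><port>6666-6668</port></destination>
    <defaultqueue>qP2P</defaultqueue><descr>m_P2P DCC</descr></rule>
  <rule><type>match</type><interface>wan</interface><floating>yes</floating>
    <direction>any</direction><protocol>udp</protocol><source><any/></source>
    <destination><any/><port>5060</port></destination>
    <defaultqueue>qVoIP</defaultqueue><ackqueue>qACK</ackqueue>
    <descr>m_VoIP SIP</descr></rule>
  <rule><type>pass</type><interface>wan</interface><floating>yes</floating>
    <direction>in</direction><protocol>tcp</protocol><source><any/></source>
    <destination><any/><port>443</port></destination>
    <descr>ordinary floating pass rule, no queue</descr></rule>
</filter></pfsense>"""


def shaper_rules(config_xml):
    """Floating rules with action Match and a Queue set, i.e. shaper rules."""
    found = []
    for rule in ET.fromstring(config_xml).iter("rule"):
        queue = rule.findtext("defaultqueue")
        if (rule.findtext("floating") != "yes"
                or rule.findtext("type") != "match" or not queue):
            continue  # ordinary floating pass/block rule, not a shaper rule
        found.append({
            "descr": rule.findtext("descr", ""),
            "proto": rule.findtext("protocol", "any"),
            "dst_port": rule.findtext("destination/port", "any"),
            "queue": queue,
            "ackqueue": rule.findtext("ackqueue"),  # absent when GUI shows None
        })
    return found


def missing_ackqueue(config_xml):
    """Descriptions of TCP shaper rules with no dedicated ACK queue."""
    return [r["descr"] for r in shaper_rules(config_xml)
            if r["proto"] == "tcp" and not r["ackqueue"]]


if __name__ == "__main__":
    for r in shaper_rules(SAMPLE_CONFIG):
        print(r["descr"], r["proto"], r["dst_port"], "->", r["queue"], r["ackqueue"])
    print("TCP shaper rules without Ackqueue:", missing_ackqueue(SAMPLE_CONFIG))
```

Run it against a real export (Diagnostics | Backup & Restore) by replacing SAMPLE_CONFIG with the file contents; rules reported by missing_ackqueue are the ones the advice above says should get an ACK queue.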

Although it is easy to change traffic shaping rules, it is good practice to make a backup before making any rule changes. This enables you to revert to your old ruleset in case the changes you made do not have the desired results.
