Limiters

Another option for traffic shaping in pfSense is using limiters. The Limiters option allows you to set up a series of dummynet pipes; dummynet is a FreeBSD traffic shaper that was designed to simulate different types of connections. Bandwidth and queue size limitations can be imposed, as well as scheduling and queue management policies and delay/loss emulation.

To set up a limiter, navigate to Firewall | Traffic Shaper, and click on the Limiters tab. If you have set up limiters previously, you will see a tree showing the different queues. Otherwise, the page will be mostly blank, but there will be a new limiter button on the left of the page. Click on this button to set up a new limiter.

There are some things to consider when creating a new limiter:

  • It is generally considered a good idea to create separate queues for the in and out traffic. In and out are always from the perspective of the interface. Thus, the in queue is for upload traffic, and the out queue is for download traffic.
  • Keep in mind that the newly created limiter will have no effect until a rule is created which assigns traffic to the limiter. We will cover creating rules that assign traffic to a queue later in this chapter.

The configuration page for limiters has two sections: Limiters and Advanced Options. The first option on the page is the Enable checkbox. If checked, the limiter (and its children) will be enabled. Next, there is also a Name edit box where you must enter a name for the limiter.

The next section of the page is called Bandwidth. Here, you enter the upper limit for the bandwidth. The amount of bandwidth is entered in the Bandwidth edit box, and the unit of measure (bps, Kbps, or Mbps) can be selected in the Bw type drop-down box. The third option is Schedule. In this drop-down box, you can select a time frame in which the bandwidth limit will be imposed. The schedule has to be one that was defined by using the pfSense Schedule option, which can be found at Firewall | Traffic Shaper. (Detailed information about how to create a schedule can be found in Chapter 4, pfSense as a Firewall.) If you do not want to use a schedule on this limiter, you can select none in the drop-down box. You can also create multiple bandwidth schedule entries by clicking on the Add Schedule button.

The next field is the Mask drop-down box. In this box, you can set up the limiter so that it only applies to either source or destination traffic. If you select either Source addresses or Destination addresses, then a dynamic pipe will be created for each source or destination IP address encountered. This dynamic pipe will have the bandwidth, delay, packet loss and queue size specified for the limiter. As a result, you can easily specify bandwidth limits per host with this option. If you utilize this option, you must specify the IPv4 mask or IPv6 mask in the appropriate drop-down boxes. You may also enter a brief non-parsed description in the Description field.
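The effect of the Mask setting on aggregate throughput, as an added example that is not from the book or from pfSense: the Python model below groups one second of constructed traffic into pipes the way the mask does and caps each pipe at the limiter's bandwidth. The function names, addresses, and the one-second simplification are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def pipe_key(src, mask_bits):
    """Address bits kept by the mask; each distinct key gets its own dynamic pipe."""
    net = ipaddress.ip_network(f"{src}/{mask_bits}", strict=False)
    return str(net.network_address)

def shape_one_second(packets, limit_bps, mask_bits=None):
    """Return {pipe_key: (offered_bits, passed_bits)} for one second of traffic.

    mask_bits=None models Mask = none: one shared pipe for all traffic.
    Simplification: traffic above the limit in this second counts as not
    passed; a real pipe would queue it and deliver it later.
    """
    offered = defaultdict(int)
    for src, size_bytes in packets:
        key = "shared" if mask_bits is None else pipe_key(src, mask_bits)
        offered[key] += size_bytes * 8
    return {k: (bits, min(bits, limit_bps)) for k, bits in offered.items()}

def total_passed(result):
    """Sum of bits let through across all pipes."""
    return sum(passed for _, passed in result.values())

# Constructed sample: three LAN hosts, each offering 2 Mbit within one second
# (250 packets x 1000 bytes), against a limiter set to 1 Mbps.
PACKETS = [(src, 1000)
           for src in ("192.168.1.10", "192.168.1.11", "192.168.2.20")
           for _ in range(250)]
LIMIT_BPS = 1_000_000

if __name__ == "__main__":
    for label, bits in (("none", None), ("source /32", 32), ("source /24", 24)):
        res = shape_one_second(PACKETS, LIMIT_BPS, bits)
        print(f"mask={label}: {len(res)} pipe(s), {total_passed(res)} bits passed")
        for key, (off, ok) in sorted(res.items()):
            print(f"  {key}: offered {off}, passed {ok}")
```

With a source mask, the configured bandwidth is a per-pipe ceiling, so the total passing through the limiter grows with the number of distinct masked addresses; size the limit with the expected host count in mind.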

The next section is Advanced Options. These options are mainly useful if you want to simulate certain network conditions, and are not particularly useful in real-world situations. Delay (ms) allows you to specify a delay. Packet loss rate allows you to specify a rate of packet loss, expressed as a fraction of 1. For example, a value of 0.001 means that one packet in 1000 is dropped; 0.01 will drop one in 100, and so on. If a number is specified for Queue size (slots), then the limiter will create a fixed-size queue into which packets in the pipe will be placed. They will then be delayed by the amount specified in Delay (ms), and then they will be delivered to their destination. Finally, Bucket size (slots) allows you to specify the number of slots in the bucket array used for source or destination hashing. When you are done making changes, click on the Save button at the bottom of the page.

What is a limiter good for? You can use it for anything for which you would use a traffic shaper. One possible use of limiters is to set up a guaranteed minimum bandwidth queue. To do this, create two queues (one for uploading and one for downloading) with the upper bandwidth limit set to the amount you want as the guaranteed minimum bandwidth (for example, 1 Gbps up and 1 Gbps down). Then create two more queues with the upper bandwidth limit set to whatever bandwidth is left (for example, if your connection is 10 Gbps up and 20 Gbps down, set the upload queue limit to 9 Gbps and the download queue to 19 Gbps). Direct guaranteed service traffic into the 1 Gbps queues, and everything else into the other two queues. This will have the effect of guaranteeing bandwidth to an application or service using the 1 Gbps queues, since it will be able to have sole use of the queues.
