9/4/2013 Edit: Check out the latest version of the config at the following post here:
Some of you may know that although I’m an IT consultant by day, I’m also an avid PC gamer by pretty much any other time. I run a small LAN party called ForgeLAN in Northeast Ohio. Since I run the LAN out of my Church, the internet connection can be a bit of an issue. There isn’t exactly a business case to pay for a 50/10 pipe, which is a huge problem when it comes to getting 30 guys together and all sharing an itty bitty 7/1 connection, and trying to play games that require internet connectivity to play together like Starcraft II and League of Legends.
The reason I am writing this post is because nowhere could I find a plain english simple walkthrough and sample posting of sample traffic shaping configuration that would allow download traffic to use the entire link, but always prioritize gaming traffic. I tried using a couple automated native solutions like D-Link’s Gamefuel QoS on a DGL-4500 that I picked up on eBay, but there was no way to configure the port ranges and assign percentages for utilization. As a result, anytime someone was downloading from Steam the latency for gaming traffic was absolutely squeezed out, giving players almost 400 ms of latency which makes games unplayable.
Before we get started, let me be perfectly clear, I am not a pfSense expert by any means. I will simply be posting my configs and explaining what I ended up doing to make a 7/1 network connection work for a 25-30 person sized LAN, which meant throttling down HTTP and Steam downloads so that gaming traffic goes uninterrupted.
Choosing the Physical PC
First, you need to actually have an old PC that at least has 2 NICs that will be the dedicated pfSense box. This PC will be what takes the place of your router, or in my case the Dlink DGL-4500. The reason it needs 2 NICs is because you will need one to be your WAN interface, and one to be your LAN interface. The nice part is that the WAN interface can be a 10/100 link, but definitely make the LAN interface 10/100/1000. There is a way of actually using two internet modems together to loadbalance traffic between two of them, but that’s out of scope for this free post. : D You don’t even really need a hard drive in the computer you want to use, because you can boot from the pfSense CD, then restore the configuration from the web interface. Granted, you’ll lose all configuration changes if you lose power, so I’d recommend finding an older hard drive or partitioning the one you have so that configurations are committed. That way you can actually install pfSense to a disk.
If you want the official install thread, here’s the link. I have no guarantees on mine, riddled with whatever errors I happen to capture : D http://doc.pfsense.org/index.php/Installing_pfSense#pfSense_default_configuration
Download the pfsense iso from here: http://www.pfsense.org/mirror.php?section=downloads
32-Bit LiveCD: pfSense-LiveCD-2.0.2-RELEASE-i386.iso.gz
64-Bit LiveCD: pfSense-LiveCD-2.0.2-RELEASE-amd64.iso.gz
FWIW, I ran into an unexplained issue where the DNS forwarder would just stop working for no reason on 2.0.1. Nothing in the logs, nothing. So, if I were you, stick with 2.0.2.
Extract the ISO with a program like 7zip or WinRAR, and burn it to CD and boot to it. During the boot up process, if you just let it boot normally it will skip past the installation screen, but at one point shown below you can push I, which will kick off the installation portion of the boot up sequence. You can also do this later from the direct console interface using option 99.
Lets assume that you’re going to take my advice and install to a hard drive. Hit I at the screen above. Next, I arrowed down 3 times and accept the default settings,
Following my mantra of keeping it simple, I opted for the quick/easy install. If you want to choose a partition or have multiple hard drives, I’d recommend using the custom install or only having one drive connected when you perform the installation. It’ll install by default on the first drive, but still better safe than sorry.
Once finished, I installed SMP.
Now reboot and remove the CD once the boot process has started. You’ve now installed pfSense and are ready for configuration.
Configuration of pfSense
So for easy peasyness, start with all ethernet unplugged. This way you will be able to identify what network port corresponds with which port ID assignment, such as em0, sk0. In my example, I have 2 ethernet adapters em0 and em1.
Say N on the setting up VLANs now:
At this point you can either enter the interface name, or you can use auto detection. I like auto detection because then you don’t have to worry about being sure which is which, especially if you have a dual port NIC. Hit A then enter
Now, connect the ethernet adapter that you want to be the WAN interface and it will change to up. Then hit enter.
Now do the same thing with the LAN adapter:
Ready to rock. Now let’s give the LAN adapter an IP address on a private block, I like to use 10.0.0.0/24, because in my lab, the 192.168.0 subnet is actually my internal network, but for the sake of demonstration it’s acting like my WAN connection. Choose option 2, and hit enter.
2, choose LAN, enter the IP address, enter the subnet mask length, (24 = 255.255.255.0), enable DHCP, choose the range,
Choose yes for the webConfigurator protocol revert, then hit enter. Now, connect a PC either directly to the LAN port or connect the LAN port to a switch, and connect a PC in. It should have an IP address on the 10.0.0.10-254 IP range.
Cool, now we have 2 IP’d addresses, the DHCP server is set up on the LAN interface and we can connect to 10.0.0.1 with a web browser. OK, so now I have a DHCP assigned address on my machine that’s connected to the LAN port. So now we can get to the webpage of the pfSense, logging in with the default credentials of admin / pfsense.
Configuring the QoS for Gaming
Lets talk about this in theory. If you’re following along with me at this point, chances are you want the simple explanation for this, I know I did. So basically, what I wanted to set up was something like this:
So there are two steps , first I had to define “queues”, which are basically define the service, and the priority. For example, I created a games queue and specified that it should have a high percentage of bandwidth. Next I had to define firewall rules, which basically say, TCP Port 1119 for Starcraft, make sure you are in the games queue. If you look at the configs up to this point, this is what you’ll see.
We can see that there’s only two shaper interfaces with no queues on either WAN and LAN. We’ll look at what this means here in a bit.
We can also see that there are no rules if we click on Firewall > Rules, then click on the Float Tab.
We can see that there’s no rules defined.
Now let’s restore the backup of the two different configs I have uploaded, one for firewall rules, the other for shaper configuration.
The traffic shaper config backups which are versioned, are available online right here:
The configs included in this download are for a 7/1 internet connection with the following percentages allocated:
qPremiumGames – 60%, at least 3Mb allocated at all times for gaming
qMedium – 30% available bandwidth
qSteamDownload – 8% available bandwidth
qNerfed – 2% available bandwidth, limited to 500 packets per second. Default queue, AKA, all traffic not matching a firewall rule goes here.
Combined HTTP and Steam traffic queues
Changed queues to use only percentages (with the exception of internet and WAN)
Then the firewall rule backups which are versioned, are available online right here:
1.1 Changes: LoL and SC2 updates, added TCP and UDP rules. Added some additional rules.
1.2 Changes: Matching the new queue names
then reboot the router. If we now navigate back to the Firewall > Rules page, then click on the Floating tab, we can see that we have a lot of gaming traffic rules that I’ve pre-populated, along with HTTP and steam downloads.
Then if we click on the the Firewall > Traffic Shaper page, we can see the list of shaper queues.
The important part is now looking at what we’ve configured in these queues, as this is where the QoS really is brought into play. There are two different logical ways to order the shaping.
1. Statically setting the rates for HTTP and Steam Downloads
We can specifically nerf the HTTP and Steam downloads by specifying the maximum % or Mb each traffic type will get. The problem with this method is, if someone absolutely needs to download, (for example, you restore a current steam backup, but a small 70Mb download is still required) you might potentially be wasting bandwidth capping the downloads at a rate slower than otherwise could be. For example on this 7/1 internet conenction, by viewing the queues by going to Status > Queues, we can see that the http traffic is nerfed at 1.65Mb/sec, even though there’s pretty much nothing else being used. Not exactly efficient use of the bandwidth. This method is very static, and not all that flexible. But, it works very well if you can stomach inefficiency.
If you wanted to configure a static maximum for qMedium and qSteamDownload, you’d set tick the upperlimit box and set the m2 field as either 2Mb, or 30%. That way, it could never go above that static amount whether specific amount or percentage you set. This is how to do method 1.
2. Guarantee the total amount of bandwidth for gaming Traffic that cannot be used for anything else.
If you wanted to configure a required minimum amount of available bandwidth for qPremiumGames, you’d set tick the real time box and set the m2 field as either 2Mb, or 30%. That way, the bandwidth allocated is set aside specifically for gaming without having to set a hard upper-limit on the other queues. This is how to do method 2.
Now, you can watch this video I made which showcases and demonstrates what happens when you have 3 computers sharing a link, one that is downloading Steam, one that is Downloading a Linux distro, and one that is trying to play PC games Team Fortress 2 and Diablo III, both with and without the traffic filtering. This video highlights method 1. I should soon be doing another video that highlights method 2.
Using pfSense to Throttle Downloads for LAN Party Traffic from Joe Clarke on Vimeo.
50 thoughts on “Using pfSense for QoS at a LAN Party: Nerfing the Steam downloads and HTTP traffic”
Thanks a lot. This blog is very helpful. I’ve seen your post in pfsense forums and followed the link here. I just want to ask if these xml files applicable for all online games like games in garena (league of legends, frozen throne) and all fps games like crossfire,special force and others?
Thanks a lot..
Hey there, I updated the post so that the links to the XML files are more obviously placed. Thanks for visiting!
Hi! Thanks for updating the post. Now it’s clear to me. thanks..
About the last rule which has destination address of 10.0.0.1, should I change it to the ip address of my router? I’m configuring my pfsense with a 192.168.2.1 LAN ip. Should I use 192.168.2.1?
Wow ! This is amazing . Just what i was looking for . Hope you keep this updated (:
Will do, I have already been working on 1.1 of the xml files which has some numerous changes, I was able to playtest some more and had to add some additional ports for games like LoL and Starcraft (uses both TCP/UDP 1119)
Please I am new and really need a config file for LAN to access the internet, with blocking video and audio streaming, online games and all bandwidth consumption applications and protocols, please help, I have spend weeks trying to setup this, Finally I got thru, but once captive portal is active, the net will stop working, please I need help
This article is about how to prioritize gaming traffic….not the other way around. : D
So I have a copy of pfsense on CD, but the screenshot you posted looks nothing like what I am getting. So I think the problem is that I am downloading the wrong file from pfsense and you don’t state which one you downloaded and i can’t make sense out of pfsense explanations of these type. Could you tell which file you actually downloaded from the mirror?
Here’s a direct link to the 32-bit LiveCD I used (from the NY mirror), except I was using version 2.0.1 when I did my original post. Make sure to use the x64 version of the ISO if you have a 64 bit capable machine you’ll be running it on.
This is fascinatinng and I’m playing with it for my home usage, is there an obvious way I can change what the bandwidth allocation is? The connection I want to use this on is a 25/5 connection. I’ve been reading through the configs and I see the reference to 7 down but I don’t see the reference to 1 up.
Traffic shaper > WAN. The up amount should be right there. HTH!
I also make Lanpartys with 50-70 People!
in past i used ipcop – but with your post here i will try pfsense! (Thanks a lot) 🙂
i have installed a testmachine but i also can’t find a way to change the things for my 25/4 Internet Connection! Under WAN is only Bandwidth for upload i think….
Thanks for help!
To change the available up throughput in Mbps:
Traffic shaper > WAN
To change the available down throughput in Mbps:
Traffic shaper > qInternet
Good Day..coz mine is ADSL residential internet connection it has dynamic IP, can this configuration be allowed?? thank you..
thank you very much! 🙂
Hello, this weekend I had a lanparty! Unfortunately, I had trouble with the pfsense and your config quite! Highping at LOL … Internet speed varies difficult … pfsense was installed on an HP PC with Broadcom and Realtek 10/100/1000 adapter. Had to finally switch back to the old firewall! There were about 50 guests and I had constant 26.7 Mbps down and 3.75 up!
Maybe you have some tips for me running the Lan better next year! Thank you! Greetings imulade
Interesting, I attended a different LAN this weekend and it worked great for us, although we didn’t play much League. I’ll take another look at the firewall rules, perhaps I missed one. Also, did you monitor the traffic queues while people were experiencing slowness?
I got an error message when I want to import the traffic shaper settings with 1.2. I have pfsense 2.0.2 and get “The following input errors were detected: You have selected to restore an area but we could not locate the correct xml tag.”
I got pfsense 2.0.2 and get an error like: “The following input errors were detected:
You have selected to restore an area but we could not locate the correct xml tag.”
Just wanted to import 1.2 xml
Make sure to choose the appropriate drop down and that the encryption checkbox is not selected when restoring the config.
Already done, now againg – no success. But the video helped me so that I can set it up like you, thanks!
sir thank you for this it helps a lot in my computer shop…. i just have a question, what if i edit the rules and choose both WAN and LAN on the interface packets, is it ok? i just saw this here http://forums.heroesofnewerth.com/showthread.php?329830-please-sticky-An-ADVANCED-networking-guide-for-people-with-1-2-5mb-of-upstream
Since the rules are floating in my config, i think they should apply to any interface regardless of what’s selected there. I’ll see what I can find. That is also a good linked write up, thanks for the link!
ok no problem… I have set my own traffic shaper using the traffic shaping wizard, both HFSC on WAN/LAN and 85% of my bandwidth set on upload/download. I’ve been testing it for two days now and I’m getting 1 to 8 drops on qGames queue and i think that not good. Can you help me how to tweak this?
With Floating rules , it is important to choose all the interfaces you want it applied to with PFSense. I tested and found that unless I did that , I did not see the traffic hitting the proper queue. You can go here http://forum.pfsense.org/index.php/topic,60613.0.html to see how I have it setup for load balancing with MultiWAN and traffic shaping. I chose to use Alias’s for the ports to make it easier when configuring the rules. This has been tested and it does load balance and shapes as desired. We had 18 people at a mini LAN on 2 30MB/5MB TWC modems and we had no game latency and people were downloading games via Steam at the same time.
You still might see drops in some queues but you just have to tweak the percentage you give them at times.
hi i used to download the xml above and followed the instruction but i dont see any of Firewall > Traffic Shaper page that has configuration like what you show above please help.
Make sure you import the firewall rules after importing the shaper config. Follow along with the video if you’re confused about how to import the rules.
already have firewall rules in floating after importing xml in diagnostic backup/restore what else do i miss there is no additional nor configuration changes has ever been load
i am using lusca cache is this going to affect my cache or not?
@ lionel i am using lusca and it works very well
Hi ! Is the config file applicable in pfsense 2.0.3 ???
Hey Ferdinand, will update and give it a shot. Thanks for asking!
wooww fast reply …. I just folllow you in twitter … and I love your background nice waterblocks…. advance thanks for the config.xml update.. 😀
I’m coming out with a new version that allows you specifically nerf individuals consuming the most HTTP/HTTPS bandwidth quickly and easily. : D
Hi !! How are you?? can you share how did you configure?
Hi. Do your configs limit a computer downloading in the HTTP queue, not affecting browsing for the rest?
Thanks for the write up. Tested on a virtualbox setup and its really great. Looking forward to trying it out at my next lanparty. Seems like no matter how much i stress downloading all your games before, their is always some cheapo who decides to download every game known to man just cause i have good internet. I have 50/5 internet and it will be all gig. cant wait to try it out.
I think a lot of Steam content downloading is now occurring over port 80. Any ideas how to throttle that accordingly, now?
Short of just throttling all HTTP traffic, anyway.
Hey there, I just posted version 1.3 of the config which addresses that specific issue. Check it out here: https://elgwhoppo.com/2013/09/04/pfsense-lan-party-qos-1-3-individually-limited-tcp-streams/
Good effort, and I think I’ll start by saying we likely have different use cases but basically your rule would limit all HTTP traffic, while I just want to limit Steam’s port 80 download traffic.
Steam content server downloads occur over destination port 80 and to various IP addresses, so it’s difficult to classify/filter then assign it a queue.
I can run netstat and find out what destination IPs that the steam content servers are, but this rule would need supervision and updating from time to time (depending on what Valve does).
It feels like marking Steam.exe packets a DSCP priority level would work. I’m just not certain pfSense can inspect packets for the DSCP number and finally assign it to a queue.
That said, you still have the complication of marking the packets at all, based on a process basis. I’m just trying to be as specific as possible with my rules instead of dumping my whole IP or PC into a queue/rule. Makes sense?
Makes sense to me, and yep. Only thing is my TCP ceiling rules actually limit all TCP traffic, which is pretty much all web and downloads no matter source/dest or application. I think at that point we’re starting to look at layer 7 inspection, which would be the most granular method of filtering types of traffic. Perhaps that will be what I look at next. I’m sure there’s a better way, but I only have a limited amount of time to play and test. : )
Help me. Config QOS muti WAN.
hi i have 3 pc at my home 1 pc for gaming 2 for www but when at my home open youtube or download a lot i have a lot of lag with pfsense is possible reduce lag currently i play starcraft 2 and dota sorry my english is really bad thanks
can you import those rules on Pfsense 2.1 ?
Nice one! Thanks!
hi sir elgwhoppo, i have internet cafe with 2 ISP connection., i tried your configuration ang it works well but i have notice that only one ISP is making a graph on gui.,
would you please help to how to configure something like this in multiwan.
Do you have an updated version for the latest PFSENSE 64?
Help me. Config QOS muti WAN.
Very helpful Topic
link is dead. You can reup for your reference