OPNsense
OPNsense firewall traffic shaping and bufferbloat optimization
Video IBRACORP OPNsense Tutorial
Useful Links
Related Videos Check IBRACORP YouTube channel for latest tutorials
Thank you for choosing to collaborate with IBRACORP π
Please read our disclaimer https://docs.ibracorp.io/#disclaimer
Creditsβ
Role | Contributor |
---|---|
Writer / Producer | IBRACORP |
Video Recording and Voice | IBRACORP |
Contributor | OPNsense Community |
Testing / Proofreading | IBRACORP Community |
Feature Listβ
OPNsense Traffic Shaping Features:
- Advanced traffic shaping with fq_codel algorithm
- Bufferbloat reduction and latency optimization
- Quality of Service (QoS) management
- Bandwidth allocation and limiting
- FlowQueue-CoDel (FQ-CoDel) scheduler implementation
- ECN (Explicit Congestion Notification) support
- Per-flow fair queuing
- Real-time traffic monitoring and statistics
- Rule-based traffic classification
- Network performance optimization
Prerequisitesβ
System Requirements:
- OPNsense Firewall: Installed and configured
- Administrative Access: Full admin privileges
- Network Information: ISP bandwidth specifications
- Testing Tools: BufferBloat testing websites
Network Prerequisites:
- Internet Connection: Active ISP connection
- Bandwidth Knowledge: Upload and download speeds
- Network Topology: Understanding of your network layout
Traffic Shaping Overviewβ
What is BufferBloat?β
BufferBloat Definition: BufferBloat occurs when excessive buffering of network packets causes high latency and poor network performance. This happens when network equipment stores too many packets in memory, causing delays.
Symptoms of BufferBloat:
- High ping times during file downloads/uploads
- Video call quality degradation during network usage
- Gaming lag when other devices use bandwidth
- Web browsing slowdown during large transfers
FQ-CoDel Algorithmβ
FlowQueue-CoDel Benefits:
- Fair Queuing: Separate queues for different flows
- Active Queue Management: Dynamic packet dropping
- Low Latency: Reduced buffering delays
- Automatic Configuration: Self-tuning parameters
- ECN Support: Congestion notification without packet loss
Configurationβ
Step 1: Pipes Configurationβ
Navigate to Traffic Shaping:
- Log into OPNsense web interface
- Navigate to Firewall β Shaper β Pipes
- Click "Add" to create new pipe
Download Pipe Configuration:
download_pipe:
enabled: true
bandwidth: 950 # Mbps (set to 95% of actual download speed)
bandwidth_metric: "Mbit/s"
mask: "none"
buckets: 64
scheduler: "FlowQueue-CoDel"
fq_codel_ecn: true
fq_codel_quantum: 1500 # 300 per 100 Mbps
codel_target: 10 # milliseconds
codel_interval: 100 # milliseconds
description: "Download bandwidth shaping"
Upload Pipe Configuration:
upload_pipe:
enabled: true
bandwidth: 45 # Mbps (set to 95% of actual upload speed)
bandwidth_metric: "Mbit/s"
mask: "none"
buckets: 64
scheduler: "FlowQueue-CoDel"
fq_codel_ecn: true
fq_codel_quantum: 450 # 300 per 100 Mbps (adjusted for 50 Mbps)
codel_target: 10 # milliseconds
codel_interval: 100 # milliseconds
description: "Upload bandwidth shaping"
Pipe Configuration Steps:
- Enable Advanced Mode: Check advanced options
- Set Bandwidth: Enter your ISP speed (minus 5% buffer)
- Select Scheduler: Choose "FlowQueue-CoDel"
- Enable ECN: Check "(FQ-)CoDel ECN" option
- Configure Quantum: Calculate as 300 per 100 Mbps
- Save Configuration: Apply settings
Step 2: Queues Configurationβ
Navigate to Queues:
- Switch to Queues tab
- Click "Add" to create new queue
Download Queue Configuration:
download_queue:
enabled: true
pipe: "download_pipe"
weight: 100
mask: "destination"
mask_bits: 32
buckets: 64
description: "Download queue for shaping"
Upload Queue Configuration:
upload_queue:
enabled: true
pipe: "upload_pipe"
weight: 100
mask: "source"
mask_bits: 32
buckets: 64
description: "Upload queue for shaping"
Queue Configuration Steps:
- Select Pipe: Choose corresponding pipe
- Set Weight: Use 100 for balanced priority
- Configure Mask:
- Download: "destination" mask
- Upload: "source" mask
- Set Buckets: Default 64 buckets
- Save Queue: Apply configuration
Step 3: Rules Configurationβ
Navigate to Rules:
- Switch to Rules tab
- Click "Add" to create new rule
Download Rule Configuration:
download_rule:
enabled: true
sequence: 100
interface: "LAN"
direction: "in"
protocol: "any"
source: "any"
destination: "any"
target_pipe: "download_pipe"
target_queue: "download_queue"
description: "Shape incoming traffic (download)"
Upload Rule Configuration:
upload_rule:
enabled: true
sequence: 200
interface: "WAN"
direction: "out"
protocol: "any"
source: "any"
destination: "any"
target_pipe: "upload_pipe"
target_queue: "upload_queue"
description: "Shape outgoing traffic (upload)"
Rule Configuration Steps:
- Set Direction:
- Download: "in" direction on LAN interface
- Upload: "out" direction on WAN interface
- Configure Target: Link to appropriate queue
- Set Protocol: "any" for all traffic
- Apply Rules: Save and apply configuration
Advanced Configurationβ
Bandwidth Calculationβ
Optimal Bandwidth Settings:
# Calculate optimal bandwidth (95% of actual speed)
def calculate_bandwidth(actual_speed_mbps):
optimal_bandwidth = actual_speed_mbps * 0.95
return optimal_bandwidth
# Example calculations
download_speed = 1000 # Mbps
upload_speed = 50 # Mbps
optimal_download = calculate_bandwidth(download_speed) # 950 Mbps
optimal_upload = calculate_bandwidth(upload_speed) # 47.5 Mbps
FQ-CoDel Quantum Calculation:
# Calculate quantum value (300 per 100 Mbps)
def calculate_quantum(bandwidth_mbps):
quantum = (bandwidth_mbps / 100) * 300
return int(quantum)
# Example calculations
download_quantum = calculate_quantum(950) # 2850
upload_quantum = calculate_quantum(47.5) # 142.5 β 150
Priority-Based Shapingβ
Gaming Traffic Priority:
gaming_queue:
enabled: true
pipe: "upload_pipe"
weight: 200 # Higher priority
mask: "source"
mask_bits: 32
protocol_filter: "UDP"
port_range: "1024-65535"
description: "Gaming traffic priority queue"
VoIP Traffic Priority:
voip_queue:
enabled: true
pipe: "upload_pipe"
weight: 150 # High priority
mask: "source"
mask_bits: 32
dscp_marking: "EF" # Expedited Forwarding
description: "VoIP traffic priority queue"
Application-Specific Rulesβ
Streaming Service Optimization:
streaming_rule:
enabled: true
sequence: 50
interface: "LAN"
direction: "in"
protocol: "TCP"
destination_port: "443,80"
source: "192.168.1.0/24"
target_queue: "streaming_queue"
description: "Optimize streaming traffic"
Bulk Transfer Limitation:
bulk_transfer_rule:
enabled: true
sequence: 300
interface: "WAN"
direction: "out"
protocol: "TCP"
source_port: "21,22,993,995" # FTP, SSH, IMAPS, POP3S
target_queue: "bulk_queue"
bandwidth_limit: "10%" # Limit to 10% of total bandwidth
description: "Limit bulk transfer impact"
Monitoring and Testingβ
BufferBloat Testingβ
Testing Tools:
- Waveform BufferBloat Test: https://www.waveform.com/tools/bufferbloat
- DSLReports Speed Test: http://www.dslreports.com/speedtest
- Fast.com: https://fast.com/
- Speedtest.net: https://www.speedtest.net/
Testing Procedure:
# Before implementing traffic shaping
1. Run baseline bufferbloat test
2. Note latency under load
3. Record grades (A, B, C, D, F)
# After implementing traffic shaping
1. Run same tests
2. Compare latency improvements
3. Verify grade improvements
# Expected improvements:
# - Latency reduction: 50-90%
# - Grade improvement: D/F β A/B
# - Consistent performance under load
Real-Time Monitoringβ
Traffic Statistics:
- Navigate to Firewall β Shaper β Statistics
- Monitor real-time traffic flow
- Observe queue utilization
- Check packet drop rates
Performance Metrics:
monitoring_metrics:
bandwidth_utilization: "Current usage vs configured limits"
queue_depth: "Number of packets in queue"
drop_rate: "Percentage of dropped packets"
latency_stats: "Average and peak latency"
flow_distribution: "Traffic distribution across flows"
Logging Configurationβ
Enable Traffic Shaping Logs:
logging_config:
firewall_logs: true
shaper_logs: true
log_level: "informational"
log_facility: "local0"
remote_logging: false
log_rotation: "daily"
retention_days: 30
Log Analysis:
# View shaping logs
grep "shaper" /var/log/filter.log
# Monitor queue statistics
grep "queue" /var/log/system.log
# Check for dropped packets
grep "drop" /var/log/filter.log | tail -20
Troubleshootingβ
Common Issuesβ
Traffic Not Being Shaped:
- Verify Rule Order: Check sequence numbers
- Interface Assignment: Ensure correct interface selection
- Direction Configuration: Verify in/out directions
- Rule Activation: Confirm rules are enabled
Performance Not Improved:
- Bandwidth Settings: Verify 95% rule
- Quantum Calculation: Check FQ-CoDel quantum
- Testing Methodology: Use proper testing tools
- Network Topology: Ensure shaping at correct point
High CPU Usage:
cpu_optimization:
hardware_offloading: true
interrupt_moderation: true
polling_mode: false
queue_size_optimization: true
buffer_tuning: "automatic"
Performance Optimizationβ
Hardware Acceleration:
hardware_config:
nic_offloading: true
tso_enabled: true # TCP Segmentation Offload
lro_enabled: true # Large Receive Offload
checksum_offload: true
interrupt_coalescing: true
Memory Optimization:
memory_config:
buffer_size: "auto"
mbuf_clusters: 65536
socket_buffer_max: "16M"
tcp_sendspace: "65536"
tcp_recvspace: "65536"
Advanced Troubleshootingβ
Packet Capture Analysis:
# Capture traffic on shaped interface
tcpdump -i igb0 -w /tmp/shaped_traffic.pcap
# Analyze with specific filters
tcpdump -r /tmp/shaped_traffic.pcap 'host 192.168.1.100'
# Check DSCP markings
tcpdump -r /tmp/shaped_traffic.pcap -v 'ip[1] & 0xfc != 0'
Queue Depth Monitoring:
# Monitor queue statistics
netstat -aq | grep -E "(queue|drop)"
# Check interface statistics
netstat -i | grep -E "(Ipkts|Opkts|Drops)"
# Monitor system resources
top -P | grep -E "(CPU|Mem)"
Best Practicesβ
Configuration Guidelinesβ
Bandwidth Allocation:
- Conservative Approach: Start with 90-95% of actual bandwidth
- Gradual Adjustment: Fine-tune based on testing results
- Overhead Consideration: Account for protocol overhead
- Peak vs Average: Consider peak usage patterns
Queue Management:
- Fair Queuing: Use appropriate mask settings
- Priority Assignment: Assign weights based on traffic importance
- Buffer Sizing: Let FQ-CoDel auto-tune buffers
- Flow Isolation: Ensure proper flow separation
Maintenance Proceduresβ
Regular Tasks:
maintenance_schedule:
weekly:
- "Review traffic statistics"
- "Check for dropped packets"
- "Monitor queue utilization"
- "Verify rule effectiveness"
monthly:
- "Update bandwidth settings if ISP changes"
- "Review and adjust priorities"
- "Test bufferbloat improvements"
- "Backup shaping configuration"
quarterly:
- "Full performance review"
- "Compare before/after metrics"
- "Update documentation"
- "Plan optimizations"
Configuration Backup:
#!/bin/bash
# opnsense-backup.sh
BACKUP_DIR="/backup/opnsense"
DATE=$(date +%Y%m%d_%H%M%S)
# Create backup directory
mkdir -p "$BACKUP_DIR"
# Export configuration via API
curl -u admin:password -X POST \
"https://opnsense.local/api/core/backup/download/this" \
-o "$BACKUP_DIR/opnsense-config-$DATE.xml"
# Keep only last 30 backups
find "$BACKUP_DIR" -name "opnsense-config-*.xml" -mtime +30 -delete
Integration Examplesβ
Home Network Setupβ
Typical Home Configuration:
home_network:
internet_speed:
download: "1000 Mbps"
upload: "50 Mbps"
device_priorities:
gaming_console: "high"
streaming_devices: "medium"
work_computers: "high"
iot_devices: "low"
backup_systems: "lowest"
traffic_classes:
real_time: "gaming, voip"
interactive: "web browsing, email"
streaming: "video, audio streaming"
bulk: "file transfers, backups"
Business Network Setupβ
Enterprise Configuration:
business_network:
internet_speed:
download: "500 Mbps"
upload: "100 Mbps"
department_allocation:
critical_systems: "40%"
user_traffic: "35%"
guest_network: "15%"
management: "10%"
service_priorities:
sip_voip: "highest"
business_apps: "high"
email: "medium"
web_browsing: "medium"
file_transfers: "low"
Special Thanksβ
- OPNsense Team for their excellent open-source firewall platform
- FreeBSD Community for the underlying operating system
- To our fantastic Discord community and our Admins DiscDuck and Hawks for their input and documentation (as always)
Please support the developers and creators involved in this work to help show them some love. β€οΈ
Final Wordsβ
We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.
Support Usβ
Our work sometimes takes months to research and develop.
If you want to help support us please consider:
- Liking and Subscribing to our Youtube channel
- Joining our Discord server
- Becoming a paid member on our IBRACORP website
- Donating via Paypal
Thank you for being part of our community!