pfSense Traffic Shaper - Bandwidth Management Guide

pfSense provides two independent bandwidth management mechanisms: ALTQ (Alternate Queuing) and Limiters. Both address the need for traffic control, but they rely on fundamentally different FreeBSD subsystems and serve distinct operational goals. The choice between them depends on whether the priority is traffic prioritization with guaranteed bandwidth for critical applications or hard rate limiting on a per-user or per-subnet basis.

The shaper operates by queuing packets at points where the operating system controls packet flow. Inbound downloads are shaped when leaving the LAN interface, while uploads are shaped when leaving the WAN interface. This is a significant architectural difference from MikroTik, where Simple Queues are applied directly to the receiving interface.

Two Approaches to Traffic Management

ALTQ (Alternate Queuing)

ALTQ is a queuing framework integrated with pf (packet filter). It supports multiple scheduler types (PRIQ, CBQ, HFSC, FAIRQ) and enables hierarchical queue structures with priorities and bandwidth borrowing. ALTQ is the preferred choice when guaranteed minimum bandwidth for critical services (VoIP, video conferencing) is required alongside throttling of lower-priority traffic.

A notable limitation of ALTQ is its dependency on network interface card drivers. Not all drivers support ALTQ, and enabling the shaper reduces the maximum throughput capacity of the firewall.

Limiters (dummynet)

Limiters are built on the FreeBSD dummynet(4) subsystem and operate independently of ALTQ. They enforce hard bandwidth caps by delaying or dropping packets to achieve a target line rate. The key advantage of Limiters is per-IP and per-subnet rate limiting - a capability unavailable in ALTQ. Limiters are driver-independent and work with any network hardware.
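The per-IP masking described above, as an added illustration (not pfSense or dummynet code): a simplified Python model in which a limiter keeps one token bucket per masked source address and drops packets that exceed it. The Limiter class, the addresses, the rates, and the one-second burst are constructed for the example; real dummynet also queues and delays packets, which this model omits.

```python
import ipaddress

class Limiter:
    """Simplified model: one token bucket per masked source address."""

    def __init__(self, rate_bps, mask_bits):
        self.rate = rate_bps / 8.0   # bytes per second
        self.burst = self.rate       # assumption: allow one second of credit
        self.mask_bits = mask_bits   # 32 = per host, 24 = per /24, 0 = one shared pipe
        self.buckets = {}            # masked address -> (tokens, last_seen)

    def key(self, src_ip):
        net = ipaddress.ip_network(f"{src_ip}/{self.mask_bits}", strict=False)
        return str(net.network_address)

    def offer(self, now, src_ip, size):
        """Return True if the packet is forwarded, False if it is dropped."""
        k = self.key(src_ip)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        forwarded = tokens >= size
        if forwarded:
            tokens -= size
        self.buckets[k] = (tokens, now)
        return forwarded

def simulate(mask_bits, seconds=10):
    """Constructed traffic through a 1 Mbit/s limiter, 1250-byte packets.

    10.0.0.5 offers 10 Mbit/s (one packet per ms); 10.0.0.9 offers
    0.5 Mbit/s (one packet per 20 ms). Returns forwarded bits/s per host.
    """
    lim = Limiter(rate_bps=1_000_000, mask_bits=mask_bits)
    sent = {"10.0.0.5": 0, "10.0.0.9": 0}
    for ms in range(seconds * 1000):
        now = ms / 1000.0
        if lim.offer(now, "10.0.0.5", 1250):
            sent["10.0.0.5"] += 1250
        if ms % 20 == 0 and lim.offer(now, "10.0.0.9", 1250):
            sent["10.0.0.9"] += 1250
    return {ip: nbytes * 8 / seconds for ip, nbytes in sent.items()}

if __name__ == "__main__":
    for bits, label in ((32, "per-host mask"), (0, "no mask (shared)")):
        print(label, simulate(bits))
```

With the per-host mask, each address is capped independently, so the light sender keeps its full rate. Without a mask, both share one bucket, and in this model the heavy sender consumes nearly all of the credit.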

ALTQ vs Limiters Comparison

Feature                        | ALTQ                           | Limiters (dummynet)
-------------------------------|--------------------------------|------------------------------
Traffic prioritization         | Full support (priority queues) | Limited (child queue weights)
Bandwidth guarantees           | Yes (HFSC)                     | No
Per-IP rate limiting           | No                             | Yes (via masks)
Per-subnet rate limiting       | No                             | Yes (via masks)
Bandwidth borrowing            | Yes (CBQ, HFSC)                | No
NIC driver dependency          | Yes                            | No
Performance impact             | Significant                    | Moderate
Wizard-based setup             | Yes                            | No
DSCP/DiffServ marking          | Yes                            | No
Bufferbloat mitigation (CoDel) | No                             | Yes

Choosing the Right Mechanism

ALTQ is appropriate when the goal is to:

  • Prioritize VoIP and video traffic over bulk data transfers
  • Guarantee minimum bandwidth for business-critical applications
  • Mark packets with DSCP values for upstream equipment or ISP coordination
  • Implement hierarchical bandwidth distribution models

Limiters are appropriate when the goal is to:

  • Enforce individual speed limits per user (per-IP limiting)
  • Cap bandwidth for a guest Wi-Fi network
  • Restrict aggregate bandwidth for an entire subnet
  • Mitigate bufferbloat using CoDel or FQ-CoDel
  • Shape traffic on NICs that lack ALTQ driver support

Warning:

ALTQ and Limiters can be used simultaneously, but applying both mechanisms to the same traffic flow is not recommended. Doing so leads to unpredictable behavior and complicates performance troubleshooting.

In This Section

  • Limiters - per-IP and per-subnet bandwidth limiting, CoDel for bufferbloat, applying limits through firewall rules
  • ALTQ Traffic Shaper - wizards for traffic prioritization, PRIQ and HFSC scheduler types, manual queue configuration
