Traffic Shaping with Differentiated Services (DiffServ) Identifiers

pfSense® software supports Differentiated services (DiffServ) for traffic filtering or queue assignments. DiffServ takes the place of the outdated Type of service (TOS). DiffServ uses the upper six bits of the TOS field in the IP header (the six bits being called the DiffServ Code Point field), while the lower two bits are reserved for Explicit Congestion Notification (ECN).

Unless appropriately configured, pfSense software ignores the content of the DiffServ Code Point (DSCP) field. To prioritize traffic, the Configuring Traffic Shaping needs to be set up accordingly.

Warning

pfSense software does not support the setting or changing of DiffServ values, only matching.

Supported DiffServ Code Point Values

Note that the interpretations of the DSCP values, as provided by the various RFCs, are only given as a reference. How the DSCP values are interpreted in any specific setup is entirely up to the user or end nodes.

The Assured Forwarding (AF) Behavior Group is recommended in RFC 2597.

Assured Forwarding (AF) Behavior Group values

Precedence

Class 1 (lowest)

Class 2

Class 3

Class 4 (highest)

Low Drop

AF11 (10/0x0a)

AF21 (18/0x12)

AF31 (26/0x1a)

AF41 (34/0x22)

Med Drop

AF12 (12/0x0c)

AF22 (20/0x14)

AF32 (28/0x1c)

AF42 (36/0x24)

High Drop

AF13 (14/0x0e)

AF23 (22/0x16)

AF33 (30/0x1e)

AF43 (38/0x26)

For low-drop/low-latency traffic, use EF and VA DSCP values.

Expedited Forwarding (EF) and Voice Admit (VA) values

PHB

DSCP Value

RFC

Expedited Forwarding (EF)

46/0x2e

RFC 3246

Voice Admit (VA)

44/0x2c

RFC 5865

The Class Selector (CS) PHB group has been retained from TOS.

Class Selector (CS) values

Class Selector

DSCP Value

CS1

8/0x08

CS2

16/0x10

CS3

24/0x18

CS4

32/0x20

CS5

40/0x28

CS6

48/0x30

CS7

56/0x38

To provide limited backward comparability to TOS, pfSense also recognizes the following DSCP/TOS values.

TOS Compatibility values

TOS

DSCP Value

TOS value

reliability

1/0x01

4/0x04

throughput

2/0x02

8/0x08

lowdelay

4/0x04

16/0x10

pfSense only matches exact values. All six bit in the DSCP field must match.

Caveats

By default, pfSense matches only the first packet of a connection, which is the packet that creates an entry in the state table. If a connection starts with a different DSCP value, has no DSCP value in the starting packet, or otherwise changes DSCP values during the connection, the traffic will not be classified as expected.

Tip

This can be worked around by using “no state” rules, but crafting these rules in a secure manner is difficult, so it is not a workaround that we recommend.

Adding additional DSCP values for experimental use

Assuming basic knowledge about PHP, it is possible to add additional DiffServ Code Point values by editing /usr/local/www/guiconfig.inc. In this file, the variable $firewall_rules_dscp_types is initialized with an array containing the recognized DSCP values. New values can be specified as hex values, optionally followed by a blank and a comment like, for example:

"0x03",

Valid values are in the range 0x01 through 0x3f.

Caution

These changes will be lost upon a firmware update.

RFCs

  • RFC 2474 — Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers

  • RFC 2475 — An Architecture for Differentiated Services

  • RFC 2597 — Assured Forwarding PHB Group

  • RFC 2983 — Differentiated Services and Tunnels

  • RFC 3086 — Definition of Differentiated Services Per Domain Behaviors and Rules for their Specification

  • RFC 3140 — Per Hop Behavior Identification Codes (replaces RFC 2836)

  • RFC 3246 — An Expedited Forwarding PHB (Per-Hop Behavior) (obsoletes RFC 2598)

  • RFC 3247 — Supplemental Information for the New Definition of the EF PHB (Expedited Forwarding Per-Hop Behavior)

  • RFC 3260 — New Terminology and Clarifications for Diffserv (updates

  • RFC 2474, RFC 2475 and RFC 2597)

  • RFC 4594 — Configuration Guidelines for DiffServ Service Classes

  • RFC 5865 — A Differentiated Services Code Point (DSCP) for Capacity-Admitted Traffic (updates RFC 4542 and RFC 4594)

  • RFC 3289 — Management Information Base for the Differentiated Services Architecture

  • RFC 3290 — An Informal Management Model for Diffserv Routers

  • RFC 3317 — Differentiated Services Quality of Service Policy Information Base