Traffic Shaping with OPNsense 25.1: Prioritize Critical Traffic Over HTTP Traffic

Do you ever experience video calls dropping, games lagging, or file syncs stalling when someone starts a massive download? You’re not alone. In this guide, I’ll show you how to use traffic shaping in OPNsense 25.1 to prioritize critical services over bandwidth-heavy HTTP/HTTPS traffic, like downloads and streaming — without hard bandwidth limits that waste idle capacity.


🌐 What Is Traffic Shaping?

Traffic shaping is the art of controlling bandwidth usage intelligently. It allows you to:

  • 🎯 Prioritize traffic that’s sensitive to delay (VoIP, gaming, conferencing)
  • 📦 Deprioritize traffic that can wait (downloads, streaming)
  • 🧠 Create fairness when multiple flows compete for bandwidth

It’s implemented using mechanisms like pipes, queues, and rules — and in modern OPNsense, powerful algorithms like FQ-CoDel help manage fairness dynamically.


🔍 Static Shaping vs Dynamic Shaping

Before diving into configuration, let’s clarify two major traffic shaping strategies:

🪵 Static Shaping

  • 📐 Predetermines bandwidth caps per traffic type
  • 🚫 Bandwidth reserved for one traffic type stays reserved even when that type is idle
  • ✅ Guarantees some bandwidth for high-priority services
  • ❌ Can waste bandwidth when traffic is idle

Example: Cap downloads to 20 Mbps even if nothing else is using the connection.

⚙️ Dynamic Shaping (FQ-CoDel)

  • 📊 Adapts in real-time based on current traffic load
  • 🚀 Gives bulk traffic full bandwidth when available
  • ⏱ Automatically deprioritizes lower-importance flows when latency-sensitive traffic appears
  • ✅ Fair, efficient, low-latency under load

Example: Downloads get full speed when no one else is online, but slow down when a Zoom call starts.

In this guide, we’ll implement dynamic shaping using pipes with FQ-CoDel — the best of both worlds.


🛠️ Setting Up Traffic Shaping in OPNsense 25.1

Let’s walk through setting up dynamic shaping using the Shaper Pipes, Queues, and Rules system in OPNsense 25.1. All values entered in the example assume that we have 100 Mbps download and 20 Mbps upload speed.


🧱 Step 1: Create Pipes

Go to Firewall > Shaper > Pipes and click ➕ Add to configure the pipes (using advanced mode!):

Download Pipe:

  • Enable
  • Bandwidth: 85 Mbps (85% of actual download)
  • Queue number: 2 (or 1 if you don’t want traffic class splitting)
  • Mask: destination
  • Scheduler: FlowQueue-CoDel
  • Description: DownloadPipe

Upload Pipe (Optional):

  • Enable
  • Bandwidth: 17 Mbps (85% of actual upload)
  • Queue number: 2
  • Mask: source
  • Scheduler: FlowQueue-CoDel
  • Description: UploadPipe

Click Save after each pipe.


🧮 Step 2: Create Queues (Optional, for Prioritization)

If you want to split traffic into different priority levels (e.g., VoIP vs downloads), you can assign different weights:

Go to Firewall > Shaper > Queues and click ➕ Add to configure the queues:

🚀 High Priority Queue for Critical Traffic:

  • Enable
  • Pipe: DownloadPipe
  • Weight: 80
  • Mask: leave empty or choose none
  • Description: DownloadHighPriorityQueue

🐢 Low Priority Queue (for Downloads)

  • Enabled
  • Pipe: DownloadPipe
  • Weight: 20
  • Mask: leave empty or choose none
  • Description: DownloadLowPriorityQueue

Repeat for upload pipe if needed.

If you’re just starting, you can skip queues and let FQ-CoDel handle fairness dynamically — it’s often enough.


🔁 Step 3: Create Rules

Now we match traffic to the appropriate pipes/queues.

Go to Firewall > Shaper > Rules and click ➕ Add to configure the rules (using advanced mode!):

🐢 Rule: Catch All HTTP/HTTPS Traffic

  • Enabled
  • Interface: WAN (the uplink interface)
  • Protocol: TCP
  • Source: any
  • Src-port: http
  • Destination: any
  • Dst-port: any
  • Direction: in
  • Target: DownloadLowPriorityQueue
  • Description: DownloadLowPriorityRule

You need to create a dedicated rule for HTTPS too!

Place this rule at the top so it matches first.

🎯 Rule: Prioritize other traffic

  • Enabled
  • Interface: WAN (the uplink interface)
  • Protocol: TCP
  • Source: any
  • Src-port: any
  • Destination: any
  • Dst-port: any
  • Direction: in
  • Target: DownloadHighPriorityQueue
  • Description: DownloadHighPriorityRule

You need to create a dedicated rule for UDP too!
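
The rule order from Step 3, modelled as a first-match classifier to show which queue each kind of inbound packet reaches and what breaks when the catch-all sits on top. This is an added example, not part of the original post or of OPNsense itself; the first-match model follows the guide's statement that rules are evaluated top-down, the HTTPS and UDP rule names are hypothetical, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

LOW = "DownloadLowPriorityQueue"
HIGH = "DownloadHighPriorityQueue"

@dataclass(frozen=True)
class Rule:
    description: str
    proto: str                # "tcp" or "udp"
    src_port: Optional[int]   # None means "any"
    target: str

# Step 3 rules in the order the guide recommends. The HTTPS and UDP
# companion rule names are hypothetical; the guide only says to create them.
GUIDE_ORDER = [
    Rule("DownloadLowPriorityRule", "tcp", 80, LOW),
    Rule("DownloadLowPriorityRuleHTTPS", "tcp", 443, LOW),
    Rule("DownloadHighPriorityRule", "tcp", None, HIGH),
    Rule("DownloadHighPriorityRuleUDP", "udp", None, HIGH),
]
# Same rules with the TCP catch-all moved to the top (the mistake to avoid).
WRONG_ORDER = [GUIDE_ORDER[2], GUIDE_ORDER[0], GUIDE_ORDER[1], GUIDE_ORDER[3]]

def classify(proto, src_port, rules):
    """Return the queue of the first rule matching an inbound WAN packet."""
    for rule in rules:
        if rule.proto == proto and rule.src_port in (None, src_port):
            return rule.target
    return None  # no shaper rule matched: the packet is not shaped

def shadowed(rules):
    """List rules that can never match because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        if any(e.proto == rule.proto and e.src_port in (None, rule.src_port)
               for e in rules[:i]):
            dead.append(rule.description)
    return dead

# Constructed sample packets: (protocol, source port, what it stands for).
SAMPLES = [
    ("tcp", 80, "HTTP download"), ("tcp", 443, "HTTPS download"),
    ("tcp", 22, "SSH session"), ("udp", 3478, "STUN for a video call"),
    ("udp", 443, "HTTP/3 (QUIC) download"), ("icmp", 0, "ping reply"),
]

if __name__ == "__main__":
    for proto, port, what in SAMPLES:
        print(f"{what:24} guide={classify(proto, port, GUIDE_ORDER)} "
              f"wrong={classify(proto, port, WRONG_ORDER)}")
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```

With the guide's rules, a download carried over HTTP/3 arrives from UDP source port 443 and reaches the high-priority queue through the UDP catch-all. A UDP rule with Src-port 443 placed above that catch-all would send it to the low-priority queue instead.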


📈 Monitoring the Effect

To check shaping effectiveness:

  • Go to Firewall > Shaper > Status
  • View usage per pipe and queue
  • Use real-world tests (e.g., run a Zoom call and start a download to observe behavior)
  • Use online tools like the Bufferbloat Test

🧪 Tip: Tools like iperf3, fast.com, or real-life usage (Netflix + Zoom) are great for validating configuration.


💡 Best Practices

  • Use ~85–90% of your line speed for shaping to avoid bufferbloat
  • Match critical traffic precisely using ports or IP aliases
  • Back up your config before applying big changes
  • Rules are evaluated top-down — order matters

🧠 Final Thoughts

Traffic shaping with OPNsense 25.1 doesn’t just prevent slowdowns — it makes your network feel snappy, even under load. By using FlowQueue-CoDel in shaping pipes, you avoid starving HTTP downloads entirely while still protecting voice, video, and gaming traffic.

This dynamic shaping model is far more efficient than traditional static shaping — you’ll enjoy better performance and make smarter use of your bandwidth.

This post is licensed under CC BY 4.0 by the author.