pfSense and Shaping Facebook – The Definitive Guide.


July 22, 2015 by aubreykloppers

Using pfSense to Shape/Limit Facebook traffic

Out with the old, in with the new!

There is a better way, but for the way I described below, that is, instead of thinking sites as High/Low priority or as Good/Bad, think more of the bandwidth you have available and how to manage the bandwidth.  the sites will quickly fall in place.  To do this, the following recipe have been tried and tested.  It works, works well and users do not get irate, bandwidth is managed and the overall experience smooth!

Now to the fun-stuff using pfSense

The idea is to create POOLS and assigning bandwidth to said POOL.  I create 3 pools, High/Medium/Low priority pools with bandwidth assigned of 1/1.8/2.8Mbit/s.

Pool Creation:

Low Upload Pool and Queue:

  • Enable
  • Name: LOWupPOOL
  • Bandwidth: 1000 Kbit/s
    • Enable
    • Name: LOWupPRIByHost
    • Mask: Source addresses

Low Download Pool and Queue:

  • Enable
  • Name: LOWdownPOOL
  • Bandwidth: 1000 Kbit/s
    • Enable
    • Name: LOWdownPRIByHost
    • Mask: Destination addresses

Then, repeat the above for MED/HI 1800/2800.

Firewall Rules:

Firewall: Rules: Edit

  • Edit Firewall Rule
    • Action: pass
    • Interface: LAN
    • Protocol: TCP
    • Source: Single host or alias
    • Address: LOW_PRI_ALIAS (Note: Create an alias with your Low Priority IP’s on your LAN)
    • Description: LOW-PRIORITY Traffic
  • Advanced features
    • In/Out: LOWupPRIByHost/LOWdownPRIByHost

Then, repeat the above for MED/HI Priority Traffic


  • Facebook shape: You can use the same recipe with “Source: LAN Net” and “Destination: Facebook_Alias” in your Firewall Rule.
  • To find Facebook servers:
  • Personally I “grep and find” Facebook and related sites in my squid access.log.* files once a month and update my alias…

To manage Youtube

I use the “Custom ACLS (Before_auth)” in Squid with the following: (NOTE: I switch the option “Enable Logging: OFF”, else none of the “Custom ACLS” works.)

logfile_rotate 3650
debug_options rotate=3650
access_log /var/squid/log/access.log

# Limiting YOUTUBE at 8 * 128.000 Byte/s = 1.024.000 bit/s = 1 Mbit/s
delay_pools 2
delay_class 2 1
delay_parameters 2 128000/128000
acl YOUTUBE dstdomain
delay_access 2 allow YOUTUBE

The following is left as a note to users who do not want to use pools, but a DEAD Block instead…


The first thing you have to understand is that shaping/limiting Facebook traffic will have a huge impact on your business.  Not everything will be gained as any traffic to and from Facebook will be limited to a maximum network rate.  This could have an adverse effect on things like likes/shares/links on other pages using Facebook technologies.

That said, limiting Facebook traffic will also have a huge advantage to your overall network responses and will relieve bandwidth to vital technologies to your business.

Now to the fun-stuff using pfSense

Note: I will NOT use squid/squidGuard to BLOCK traffic, I will be using the firewall to Limit traffic.

Note1: This is a FLOATING RULE that you will apply on your WAN address.

Creating your aliases:

  • Click on Firewall/Aliases and create a new alias called “Facebook” with the following list of networks (Make sure you use NETWORK as your Type):
'' - Without the quotes

  • Click on Firewall/Traffic Shaper/Limiter and create 2 limiters:

Name: FBupPRI
Bandwidth: 300 Kbit/s
Mask: Destination address

Name: FBdownPRI
Bandwidth: 300 Kbit/s
Mask: Destination address

    • Click Firewall/Rules/Floating and create (at the top) a Facebook Rule:

Action: Pass
Edit Firewall rule:
Direction: out
Protocol: any
Source: any
Destination Type: Single host or Alias
Destination Address: Facebook
Advanced Features:
Gateway: (Your WAN Gateway)
In/Out: FBupPRI/FBdownPRI

  • If you now look on your Diagnostics/Limiter Info you will see 2 limiters with the 300.000 Kbit/s limiters and anyone using Facebook (even your firewall) will be left using only 300 Kbit/s and your entire LAN experience will improve!

So, If your admin is running pfSense and you found this post, please do not scream at me, rather let your IT Engineer buy me a beer!

3 thoughts on “pfSense and Shaping Facebook – The Definitive Guide.

  1. techgs says:

    1. How you could get all the facebook host-names ? Is there any way to find all the host-names used by a particular site ?

    2. Appreciated your efforts. Can you also please write similar things on


    • I am about to re-write the post with a better one! The way I did the shaping was successful in pissing my users of, so I re-wrote with the same thing in mind, but instead of thinking FaceBook bad Google good, shape EVERYONE (or in my new example, groups of IP’s)…

      Hoe you like the re-write!


  2. Kim Callis says:

    I know this is an old post, but it was somewhat informational. I am stuck in the dark ages with a DSL connection that is 12M/1… In what world does that exist??? Obviously where I live… So with such a poor bandwidth, how can I better use your example?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: