Depends on whether you're shaping on the OpenVPN client or the server.

If the server, set the queue on the firewall rule that passes OpenVPN traffic into the firewall.

If on the client set a floating match rule on WAN out for the OpenVPN client (UDP/1194?) and set the queues there.

There is not anything in the wizard for this. Use the wizard to establish basic queues and manually tweak from there.

@kfkehua:

Nope. My initial guess was correct.
see here: https://www.youtube.com/watch?v=nMJnp7GMwcg

In 2.2 they still had the descriptions. In 2.3 they removed all the description.  >:(

the first screen is where you spec your pipe bandwidth.
the second screen is where you reserve or guarantee the bandwidth for your VOIP.

thanks.

That's exactly what I said.

Thanks.

Ideally we want to be able to apply traffic shaping rules ONTO different types of web traffic.

To do this would require a layer7 filter, which has unfortunately been removed from 2.3 (it was removed because it wasn't working correctly in 2.2.x) I have already submitted a feature request for a replacement option - nDPI from ntop - https://redmine.pfsense.org/issues/5813 - maybe add your vote to it

@nightanole:

Not to hijack a thread, but upgrading to 2.3 ended up blocking gdrive from connecting.  Connected directly to the cable modem works great.  It wont connect at all behind pfsense, dropbox and onedrive are not affected.  Im running a very min setup for psfsense since im a beginner.  Its setup like a consumer router from one cable modem, and the only thing else im running is a CODELQ traffic shaper to cut down on buffer bloat.

Use tcpdump or logs to confirm that pfSense is blocking. Unless you have a specific rule blocking outgoing packets, the packets should be passed and NATted like anything else.

Thank you for the fast answer. Sadly this rule does not work, neither a rule having set the private address of the host as source in an equivalent floating rule.
I am by far no professional but for my understanding this cannot work as the WAN rules are applied after (for traffic originating in the LAN) NATing took place, hence simply match private LAN IP addresses on the WAN interfaces does not work. Feel free to correct me if my understandings are wrong.
Of course I would appreciate any other hints.

Wouldn't it be an option to apply queuing on LAN interface in IN direction? At least it seem to work and sends the traffic to the correct queue, when i setup a floating rule on LAN interface in IN direction matching source IP address as the host i want to prioritize by its IP address.
I often read things like "only create floating rules for the WAN interfaces for traffic shaping". Are there any side effects?

sMau

If you want to limit interface bandwidth, then do traffic shaping, not bandwidth limiting.

Any help guys?

Are you certain it only happens there? From the error it sounds like the disk can't be written for one reason or another.

Is this a full install? NanoBSD? Is the disk read-only for some reason?

moikerz,

Thank you - it took me until tonight to be able to re-test with your suggestions. I tested after each of the following steps:

Setting the bandwidth in Kbps - PRIQ 50000 down 5000 up; VOIP 1000 down 1000 up. Tested.

Reset state table. Tested.

Unchecked Explicity Congestion Notification on all queues, then reset state table. Tested.

In each case the bandwidth tests through speedtest.net show between 8Mbps down and 4+ Mbps up.

Here is the output from pftop:

pfTop: Up Queue 1-6/6, View: queue, Cache: 10000                        21:16:42 QUEUE              BW SCH  PR  PKTS BYTES DROP_P DROP_B QLEN BORR SUSP P/S  B/S qACK                  priq  6    0    0      0      0    0            0    0 qDefault              priq  3 87069  33M    126 133488    0            69 8168 qVoIP                  priq  7    28 17724      0      0    0            0    0 qLink                  priq  2  168K  81M    184 196856    0          242  94K qACK                  priq  6    0    0      0      0    0            0    0 qVoIP                  priq  7    56 29484      0      0    0            0    0

I then ran through the shaper with the same settings as above, but enabling the "Raise or lower other Applications" page and giving Higher Priority to Http/Https and RDP traffic. With or without "Explicit Congestion Notification" checked we still get 8Mbps download and 4.3 Mbps upload. But we do see some traffic in teh qACK queues. Here is the pftop output at the end:

pfTop: Up Queue 1-10/10, View: queue, Cache: 10000                      21:30:32 QUEUE              BW SCH  PR  PKTS BYTES DROP_P DROP_B QLEN BORR SUSP P/S  B/S qACK                  priq  6  2187  120K      0      0    0            37 2312 qDefault              priq  3 24690  11M    60  85001    0          351 388K qVoIP                  priq  7    8  5064      0      0    0            0    0 qOthersHigh            priq  4  2232  976K      0      0    0            23 8680 qOthersLow            priq  2    0    0      0      0    0            0    0 qLink                  priq  2 52395  27M    136 194579    0          379  72K qACK                  priq  6  1975  111K      0      0    0            19 1168 qVoIP                  priq  7    16  8424      0      0    0            0    0 qOthersHigh            priq  4  2519 2052K      0      0    0            54  64K qOthersLow            priq  3    0    0      0      0    0            0    0

I'm attaching a screen clip of the floating rules (could not figure out how to filter from "pfctl -vvsr").

Any other ideas?

pfsense_floating_rules.jpg
pfsense_floating_rules.jpg_thumb

I take the whitelist approach instead of the blacklist. What I mean is I identify the traffic I want to by normal or high priority and all unknown traffic goes to low/idle priority. I use the term priority loosely because I use HFSC and all it really means is more or less bandwidth.

Don't forget to enable CoDel on your child disciplines. At some point in the far future, PFSense should get Cake, once it's done and ported. Then you will probably never need to configure priorities again.

You can play with it, but queue limit shows on every discipline, regardless of it actually being used. The UI is not complex enough to show/hide based on what is supported.

I don't know if you've seen this guide on fixed vs. flexible limiters, but this is the one I used.

https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

I found the flexible limiter works best for my environment, and I verified the up and down limits were working by using speedtest.net.

Here is the latest config for multi modem's.  This is the list of updates:

1. Added in Alias's for:
    A. The Division , Battlefield 4 , Rocket League , Warframe , Wargaming Family of Games (WoT , WoS)
    B. Cleaned up a few Alias's as well.
2. Cleaned up Floating Firewall rules to a more condensed list.
3. Made a generic password - pfsense111 so that you can use my System config which has modifications to it.
4. Added back in apinger with Gateway monitoring of Level 3 external DNS for the IP so that when getting same gateway on cable modem's you will get a true RTT now instead of using default gateway.
5. Modified Traffic Shaper so all queues are set to 100.
6. Modified Traffic Shaper for the following split:
    A. qACK - 20%
    B. qHTTP / qGames - 35%
    C. qDefault / qCatchAll - 10%
7. Added NAT configs so that static port mapping is enable for all WAN's to help with console use at LAN Parties - this is just for generic console use on your tables. This is not going to fix Halo 5 issues on Xbox One problems with Teredao IP and Strict NAT.
8. UPnP is enable by default.

So to use this config do the following:

1. Download the Zip and extract.
2. Login to PFSense and restore
3. Remember the password is pfsense111
4. Rename the WAN's as you desire.  If you need more than 2 then enable Traffic Shaping for them as it is not checked right now. There are 4 WAN's in this config.
5. Modify DNS under General if you dont want to use who I have set there.
6. CHANGE THE LIMITER UNDER FIREWALL / LIMITER to what limits you want.   - right now this is set at 5Mbits for Down and 2Mbits for Up as I was testing.

As always backup your config before you put mine on your system.  Remember to reset your states.  Enjoy the config and happy LAN partying!!!!  if you have suggestions please post in a different topic as I want to keep this clean for edits and updates of the config.

Thanks.

PfseneMultiWANGoldConfig.zip

hi Derelict,

@Derelict:

If each subnet is limited, do you really care about limiting it further if it's somewhat equally shared?

decided to go on with this option, at least till i reach to any other suitable solution. can you please point me to the directions on how should i implement this (configuration wise)?

i get the "limiting each subnet" part. i create limiters (without dynamic pipes) and apply it in LAN rules for subnets. How am i gonna configure to "somewhat equally share" bandwidth within the users of that subnet?

thanks in advance.

You can use HFSC, create a separate queue for HTTP traffic for each WAN interface, then assign the queues depending on which WAN is used, set HFSC's queue upper limit to 70Mb.