• Load Balance and Port Redirection

    0 Votes, 2 Posts, 771 Views

    Or will it cancel the load balancing as the ports are already assigned to which wans?

  • Can't clear PfTop Label statistics - 2.2R(64)

    0 Votes, 2 Posts, 822 Views

    Got most other issues resolved.  Anyone else seeing this, or just me?

  • Can I use traffic Shaping on XENSERVER 6.2 with a VM running pfsense 2.2

    0 Votes, 3 Posts, 993 Views

    But if you use ESXi it works without problem :/
    It seems to be so unfair.
    I can't get a good Xen firewall.

  • Adding limiters to IPv6 firewall rules breaks IPv6

    0 Votes, 7 Posts, 1k Views

    Many thanks!

  • One Host All Traffic to Certain Que

    0 Votes, 5 Posts, 1k Views
    Derelict

    No. You didn't mention that. That makes it a lot easier. You should see those states whenever the VPN is connected no matter what you're doing. Uploading, downloading, etc. That is a state for the tunnel, not anything inside the tunnel. pfSense can't see that traffic. It's just a router in the middle just like all the other hops between you and the server.

    Just create the queues on LAN and WAN and pass the OpenVPN connection with a rule on the LAN interface and put it into the right queue.

    Looks like:

    Pass IPv4 UDP source 192.168.2.20 port any dest 209.xxx.xxx.xxx port 443
    Set the queue to qVPN (or whatever you named them.)

  • Skype video quality

    0 Votes, 13 Posts, 2k Views

    Thank you I will read about this

  • 1 wan 3 lans , wan shaping

    0 Votes, 15 Posts, 3k Views

    @Derelict:

    Not really.  It still needs a shaper to avoid over-saturating your links.

    Yes, but because the limiter has that nifty feature where it can limit evenly per IP address, it leads me to believe that it doesn't limit the queue.

    It should be easy enough to test.

    Limit the interface and test two clients trying to saturate upload at the same time and monitor ping.
    Remove limit from the interface and instead use the limiter and do the same upload test.

    My guess is the limiter happens before the queue, which means it limits how quickly the queue fills up. If you want Codel to work, you need to limit how quickly it's drained.

    *Entirely a guess based on what features the limiter has

  • Determine what traffic is in each queue

    0 Votes, 8 Posts, 1k Views
    KOM

    What is the proper way of using floating rules?

    From what I understand, floating rules are simply a way of having one rule that acts on multiple interfaces in multiple directions.  That's it.

  • Adding and removing shaper repeatedly causing interface crash on 2.2

    0 Votes, 7 Posts, 2k Views

    Aside from this, I also realized that in Status >> RRD Graphs, Queues & QueueDrops for WAN are missing too. Another Codel-specific cosmetic bug?

    Related system log: "php-fpm[245]: /status_rrd_graph_settings.php: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source"

  • Radiotunes iOS app

    0 Votes, 4 Posts, 1k Views

    Ok got it.

  • Speed Limit not working using limiter

    0 Votes, 10 Posts, 13k Views
    Derelict

    No idea what you need to do to make it work with a proxy. Sorry.

    I do see one more error.  You have both limiters masked by source address.

    On LAN:
    Your out queue will be your clients' download and should be masked by dest address.
    Your in queue will be your clients' upload and should be masked by source address.

    These should be applied to your LAN rules with in as in and out as out.

  • Limiters and Queues Together?

    0 Votes, 4 Posts, 1k Views

    @Harvy66:

    I don't know much about enterprise solutions offered by ISPs, but don't ISPs primarily offer bandwidth and redundancy but it's up to the client to shape their traffic or the client is given a device that will do the shaping?

    When you shape per customer, you're talking about N number of rules, but when you start shaping per combination of customers, now it's N^2.

    Anyway, you seem to have a business case for this, but I still wonder if there is a "proper" solution short of telling the customer to do it or helping them do it on their end.

    Good Luck. I can't wait to see a more seasoned person's response.

    Hi Harvy,

    We don't apply traffic prioritization per protocol, or something similar; you're right, our customers apply their own QoS rules at their end according to their convenience. We only apply a limit (upper) for each customer, simple as that. As said before, in addition to that I want to have a way to prioritize the whole traffic from some special clients over the others.

    Any ideas?

    Best wishes

  • CBQ WAN too high

    0 Votes, 13 Posts, 2k Views

    I changed the units bat to gbits like you suggested, and my bandwidth values did not change from what they were a few minutes ago.  It sure seems like just changing that value on the form is not taking effect when you save / apply it.

  • Limit packets instead of bandwidth

    0 Votes, 1 Posts, 523 Views
    No one has replied
  • 0 Votes
    1 Posts
    860 Views
    No one has replied
  • Fq_Codel - any change we will see it in the next release of PFSense?

    0 Votes, 2 Posts, 842 Views

    https://forum.pfsense.org/index.php?topic=87931.0

    It is on their mind, but no plans as of yet.

  • ECN question

    0 Votes, 1 Posts, 709 Views
    No one has replied
  • MOVED: Define secondary ISP for marked sites

    Locked
    0 Votes, 1 Posts, 527 Views
    No one has replied
  • Limit speeds on CP Vouchers

    0 Votes, 2 Posts, 1k Views

    This is usually done through a RADIUS server. The CP can't do this.

  • Shaping outbound OpenVpn

    0 Votes, 8 Posts, 3k Views
    Derelict

    @markn62:

    I know servers don't typically initiate, which is true in this case. If it requires a floating rule on Wan out do you have a suggested rule example?

    First rule here: https://forum.pfsense.org/index.php?topic=88311.msg487589#msg487589

    I know the Ack requirements for tcp/udp.  You earlier suggested a Wan out rule and here you say both directions.  Which is it?

    Yeah, that was a mistake.

    Maybe not in your example, but I have an OpenVpn nat rule matching every Lan nat rule so my client remote connection can connect to all forwarded Lan devices, not just connect to the Lan device GUI itself. It's essential to match Lan rules or I can't remote connect to anything but PfSense itself. To keep the discussion simple we can ignore this fact.

    Why are you natting?  Yes, you need firewall rules to pass traffic, but unless you're dealing with conflicting subnets there's usually no reason to NAT traffic across a VPN.

    What do you mean "create an assigned interface on the server"?  What interface on what server?  A virtual interface on the PfSense server?

    I mean create an interface in Interfaces > Assign and assign it to the OpenVPN instance.

    I wouldn't have hosts and the remote side of the tunnel, only clients.

    Hosts != Servers.  Hosts means a host on the network.

    I tried a rule on the OpenVpn virtual interface and it only shaped traffic from the OpenVpn interface to the Lan adapter. Does me no good. I'm trying to read between the lines on what you are trying to convey. Are you suggesting if I rule match to a Wan In and assign to a queue name that connection will retain the queue name thru the Wan, onto the Lan, onto OpenVpn, then migrate around to some of the assigned lan gateways, then return in the opposite direction and traverse these three adapters and out the Wan still retaining the same queue as the packet goes out the Wan back to the remote client? Seems far-fetched. Currently I don't have any Lan queues, only Wan queues because I don't shape the Lan I only dynamic limit per ip on Lan out (downstream). I'm not clear what you're suggesting here.

    @Derelict:

    Now you will have THREE layers of QoS WAN/LAN, The OpenVPN tunnel, and traffic within the tunnel.  It'll be quite a juggling act.

    I never said it was easy or perfect.

    It shouldn't be this complicated.

    But it is.  Sorry.

    What, exactly, do you want to shape?  The tunnel itself or traffic inside the tunnel?

    I was under the impression you wanted to shape the tunnel itself.

    To do this you need a floating rule on WAN out on the OpenVPN client as illustrated above.  That will allow you to put the traffic from the OpenVPN client to the OpenVPN server into a queue.

    You will also need to create a queue on the OpenVPN server.  You will apply this queue to the rule allowing connections to the OpenVPN server.  This will allow you to put the traffic from the OpenVPN server to the OpenVPN Client into a queue.

    When dealing with the tunnel, no interfaces except the two WANs see the traffic.  Ever.  It's a service hosted on pfSense itself.  There's nothing else you can do.
