@markn62:
I know servers don't typically initate which is true in this case. If it requires a floating rule on Wan out do you have a suggested rule example?
First rule here: https://forum.pfsense.org/index.php?topic=88311.msg487589#msg487589
I know the Ack requirements for tcp/udp. You earlier suggested a Wan out rule and here you say both directions. Which is it?
Yeah, that was a mistake.
Maybe not in your example, but I have an OpenVpn nat rule matching every Lan nat rule so my client remote connection can connect to all forwarded Lan devices, not just connect to the Lan device GUI itself. It's essential, to match Lan rules or I can't remote connect to anything but PfSense itself. To keep the discussion simple we can ignore this fact.
Why are you natting? Yes, you need firewall rules to pass traffic, but unless you're dealing with conflicting subnets there's usually no reason to NAT traffic across a VPN.
What do you mean "create an assigned interface on the server"? What interface on what server? A virtual interface on the PfSense server?
I mean create an interface in Interfaces > Assign and assign it to the OpenVPN instance.
I wouldn't have hosts and the remote side of the tunnel, only clients.
Hosts != Servers. Hosts means a host on the network.
I tried a rule on the OpenVpn virtual interface and it only shaped traffic from the OpenVpn interface to the Lan adapter. Does me no good. I'm trying to read between the lines on what you are trying to convey. Are you suggesting if I rule match to a Wan In and assign to a queue name that connection will retain the queue name thru the Wan, onto the Lan, onto OpenVpn, then migrate around to some of the assigned lan gateways, then return in the opposite direction and transverse these three adapters and out the Wan still retaining the same queue as the packet goes out the Wan back to the remote client? Seems far fetched. Currently I don't have any Lan queues, only Wan queues because I don't shape the Lan I only dynamic limit per ip on Lan out (downstream). I'm not clear what your suggesting here.
@Derelict:
Now you will have THREE layers of QoS WAN/LAN, The OpenVPN tunnel, and traffic within the tunnel. It'll be quite a juggling act.
I never said it was easy or perfect.
It shouldn't be this complicated.
But it is. Sorry.
What, exactly, do you want to shape? The tunnel itself or traffic inside the tunnel?
I was under the impression you wanted to shape the tunnel itself.
To do this you need a floating rule on WAN out on the OpenVPN client as illustrated above. That will allow you to put the traffic from the OpenVPN client to the OpenVPN server into a queue.
You will also need to create a queue on the OpenVPN server. You will apply this queue to the rule allowing connections to the OpenVPN server. This will allow you to put the traffic from the OpenVPN server to the OpenVPN Client into a queue.
When dealing with the tunnel, no interfaces except the two WANs see the traffic. Ever. It's a service hosted on pfSense itself. There's nothing else you can do.