My understanding is that traffic shaping only works with logical interfaces and there is no good way to do traffic shaping in a way that multiple interfaces work as a single traffic shaping group.

What are your traffic shaping settings(categories, algorithm, settings for each)? some actual values, not what you think you set them to

What interface is that on?

How much bandwidth do you have?

Did you rate limit your port?

Hi,

Thank you for your replies - Sorry doktornotor, you've probably never been a newbie  ;) I thought shapping would happen before encryption for LAN sent traffic.

Initially, I wanted to sent DATA and VoIP through VPN. according to your replies, I think I'll try to do my configuration like this :

DATA through VPN VoIP through WAN without encryption, but with use of shaping, that should work?

Following your advice Derelict, I shoud shape sent traffic at both ends, OpenVPN server and client sides?
My goal is to connect 4 remote sites to a main sites, hosting Alcatel OXO and Data server.

Thks,

Thomas

Also, incoming UDP packets cannot be rate-limited because UDP has no congestion control. Only TCP has congestion control which can be leveraged to control bandwidth. This is one reason why UDP flooding was/is a popular denial-of-service method.

It depends on what the actual bug is. There have been some fixes after 2.2 for the wizard for a similar issue, it could be related to this one or the same one.

Does it work when you remove the limiter?

Did you even try to do any research or searching before asking?

@Harvy66:

My understanding is that if you want Diffserv to be honored, it must be set before reaching the firewall. Traffic shaping is set at the time the connection is made. Because you have Squid running inside the firewall, the diffsrv is being set after reaching the firewall.

Ok thanks.

So there is no way a rule on LAN can tell which traffic passing thru is from cache.

They're physically "sub" interfaces, but logically, they are all completely separate.

Or will it cancel the load balancing as the ports are already assigned to which wans?

Got most other issues resolved.  Anyone else seeing this, or just me?

But if you use esxi it works without problem :/
Its seems to be so unfair.
I cant get a good xen firewall

Many thanks!

No.  You didn't mention that.  That makes it a lot easier.  You should see those states whenever the VPN is connected no matter what you're doing.  Uploading, downloading, etc.  That is a state for the tunnel, not anything inside the tunnel.  pfSense can't see that traffic.  it's just a router in the middle just like all the other hops between you and the server.

Just create the queues on LAN and WAN and pass the OpenVPN connection with a rule on the LAN interface and put it into the right queue.

Looks like:

Pass IPv4 UDP source 192.168.2.20 port any dest 209.xxx.xxx.xxx port 443
Set the queue to qVPN (or whatever you named them.)

Thank you I will read about this

@Derelict:

Not really.  It still needs a shaper to avoid over-saturating your links.

Yes, but because the limiter has that nifty feature where it can limit evenly per IP address, it leads me to believe that it doesn't limit the queue.

It should be easy enough to test.

limit the interface and test two clients trying to saturate upload at the same time and monitor ping remove limit from the interface and instead use the limiter and do the same upload test

My guess is the limiter happens before the queue, which means it limits how quickly the queue fills up. If you want Codel to work, you need to limit how quickly it's drained.

*Entirely a guess based on what features the limiter has

What is the proper way of using floating rules?

From what I understand, floating rules are simply a way of having one rule that acts on multiple interfaces in multiple directions.  That's it.

Aside this, i also realized from Status >> RRD Graphs >> Queues & QueueDrops for WAN are missing too, another Codel specific cosmetic bug?

Related system log: ""php-fpm[245]: /status_rrd_graph_settings.php: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source""

Ok got it.