Need help finding guidance on traffic shaping that meets my needs
-
Small network for a non-profit organization. One WAN, one LAN, one internal subnet, no VLAN, pfSense 2.6.0, with anywhere from 20 to 50 devices on average. I'm very new to pfSense.
Need to force dynamic but equal sharing of bandwidth (total/# of active users), but priority needs to be set by application, not by IP/MAC.
If bandwidth is maxed out, I want Zoom (and other video-conferencing) to have number one priority. I do not have VoIP. I want to force everything YouTube to the bottom of the priority and Facebook below that.
Everything I've found either doesn't apply to my situation or is unanswered.
-
@joshuagoshert One other note to add on. I added ntopng to help identify wasted bandwidth and was impressed to see it could differentiate between Facebook, YouTube, and a variety of Google Services. I hope that something available in pfSense can help me prioritize Zoom over those services without blocking them.
-
@joshuagoshert probably not what you want to hear, but I would send the traffic through an additional Linux box which runs CAKE (which by default supports per-host fairness) and will also automatically meet most of your other demands.
> I hope that something available in pfSense can help me prioritize Zoom over those services
Probably not unless you make sure that DSCP markings are applied to all relevant traffic on all clients.
-
@thiasaef Definitely worth a try, thanks for the advice.
-
@thiasaef would you suggest OpenWrt or something home-grown? Does the CAKE box go in between LAN <-> pfSense or between ISP <-> pfSense?
-
@luckman212 said in Need help finding guidance on traffic shaping that meets my needs:
> would you suggest openwrt or something home-grown?
I have never used OpenWrt (but I think it is much better than its reputation). Using CAKE on Linux is as simple as typing:
tc qdisc add dev eth0 root cake bandwidth XXmbit
Here is an in-depth guide on how to set it up: https://www.bufferbloat.net/projects/codel/wiki/Cake/#configuring-cake
> Does the CAKE box go in between LAN <-> pfSense or between ISP <-> pfSense?
I guess it depends on your exact configuration and what you're trying to achieve, but if you're running all your LAN traffic through a single interface, I'd probably go with the former.
The main reason why I recommended CAKE on Linux in this case is that
> force dynamic but equal sharing of bandwidth (total/# of active users)
is not possible with pfSense - at least to my knowledge.
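
A dry-run sketch of the placement discussed in the post above (shaping box between the LAN and pfSense), added here as an example and not posted by anyone in the thread. The `cake_cmds` helper, the interface names `lan0`/`up0` and the sample rates are assumptions; `diffserv4`, `dual-srchost` and `dual-dsthost` are standard `tc-cake` keywords.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology (names are placeholders):
#   LAN switch <-> [lan0 | Linux bridge | up0] <-> pfSense LAN port
# The box sits on the LAN side of pfSense's NAT, so CAKE sees the clients' real
# addresses and the "nat" keyword is not needed.

# Print the tc commands for both directions.
# $1 = interface facing the clients   $2 = interface facing pfSense
# $3 = download rate in Mbit/s        $4 = upload rate in Mbit/s
cake_cmds() {
    lan_if=$1; up_if=$2; down=$3; up=$4
    for v in "$down" "$up"; do
        case $v in
            ''|*[!0-9]*) echo "rate must be whole Mbit/s, got '$v'" >&2; return 1 ;;
        esac
    done
    # Names are interpolated into a command line, so reject anything unusual.
    for i in "$lan_if" "$up_if"; do
        case $i in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name '$i'" >&2; return 1 ;;
        esac
    done
    # Download leaves towards the clients: share fairly per destination host.
    # diffserv4 sorts packets into four priority tins by DSCP; unmarked traffic
    # all lands in the best-effort tin.
    echo "tc qdisc replace dev $lan_if root cake bandwidth ${down}mbit diffserv4 dual-dsthost"
    # Upload leaves towards pfSense: share fairly per source host.
    echo "tc qdisc replace dev $up_if root cake bandwidth ${up}mbit diffserv4 dual-srchost"
}

# Dry run by default; APPLY=1 (as root) pipes the commands to sh.
# 95/19 are constructed sample rates; use values just under the measured line rate.
if [ "${APPLY:-0}" = 1 ]; then
    cake_cmds "${LAN_IF:-lan0}" "${UP_IF:-up0}" "${DOWN:-95}" "${UP:-19}" | sh -e
else
    cake_cmds "${LAN_IF:-lan0}" "${UP_IF:-up0}" "${DOWN:-95}" "${UP:-19}"
fi
```

After applying, `tc -s qdisc show dev lan0` lists per-tin counters, which shows whether any traffic is actually arriving with DSCP marks.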
-
@luckman212, in case you are wondering how CAKE's performance compares to FQ-Codel:
The difference between the 'ingress' and 'egress' keywords is described here: Regarding cake's “ingress” keyword
-
@thiasaef Thanks. I'm still waiting for the limiter bug in 22.05 to be fixed so I can test properly. I don't have very aggressive needs so I'm hoping I don't end up needing anything more than pfSense.
Side note: how did you generate those nice graphs?
-
@luckman212 said in Need help finding guidance on traffic shaping that meets my needs:
> Side note: how did you generate those nice graphs?
-
Ended up reverting back to 2.5.2 and everything works as it should. Not as I want, but at least the static traffic shaping does what it is described to do in the guide.