HFSC & VOIP over OpenVPN
-
@ermal:
You upgraded to latest snapshot?
Do you have any proxy running on pfSense? Please show me the output of cat /tmp/rules.debug, not pfctl -sr.
Upgraded to the latest snapshot. Same result. :(
I think I've found the problem: with tcpdump I see data passing on ovpns1 interface with the voip gateway ip, but on the wan interface the traffic comes from wan ip.
Should I need a rule to use the queue on the openvpn interface?
Regards,
Stenio
-
I think I've found the problem: with tcpdump I see data passing on ovpns1 interface with the voip gateway ip, but on the wan interface the traffic comes from wan ip.
Should I need a rule to use the queue on the openvpn interface?
Just tried: same results. :(
-
Just go to the by Queue view and duplicate the queues of WAN to the Openvpn interface (YES, you need to assign the Openvpn interface) and either change the scheduler to PRIQ or make the bandwidth adjustments, if any.
-
@ermal:
Just go to the by Queue view and duplicate the queues of WAN to the Openvpn interface (YES, you need to assign the Openvpn interface) and either change the scheduler to PRIQ or make the bandwidth adjustments, if any.
Hi, I tried but then the clients cannot "see" the LAN. They can connect to the server, but not to the voip gateway.
The strange thing is that the shaping works perfectly with PPTP. :-\
-
Hi Stenio,
thanks for pointing me to your thread and Ermal's reply. The issue remains for ipsec though. I wish I could get some help with that too, since you cannot assign an interface to ipsec tunnels the same as for OpenVPN.
http://forum.pfsense.org/index.php/topic,34132.0.html
I just tried it (OpenVPN) and had the same effect as you. You need to configure the OpenVPN interface as type "none".
It didn't work for me after that; the tunnel was up but I couldn't reach anything from the OpenVPN client's side.
I then re-established the vpn from the client side: still no luck.
To get it to work I simply had to restart the OpenVPN server on the pfsense box ;)
Did you try that already?
-
After you create the OpenVPN interfaces (enabled and set as none), go to VPN:OpenVPN and resave your tunnel setups. This should work; if not, reboot your box… Also, create allow rules under Firewall:Rules, then select the tab of your new OpenVPN interface name.
I'm not sure what the default OpenVPN Firewall:Rules tab is used for after you create the interfaces... I disabled my default allow all rule on that tab for now. Waiting to hear back on a topic I started last night: http://forum.pfsense.org/index.php/topic,34201.msg177412.html#msg177412
-
@mxx:
To get it to work I simply had to restart the OpenVPN server on the pfsense box ;)
Did you try that already?
Hi Mxx,
You are right! Now it works perfectly! :)
Thanks,
Stenio
-
After you create the OpenVPN interfaces (enabled and set as none), go to VPN:OpenVPN and resave your tunnel setups. This should work; if not, reboot your box… Also, create allow rules under Firewall:Rules, then select the tab of your new OpenVPN interface name.
Thank you Cino, restarting openvpn server worked for me.
Regards,
Stenio
-
@ermal:
Just go to the by Queue view and duplicate the queues of WAN to the Openvpn interface (YES, you need to assign the Openvpn interface) and either change the scheduler to PRIQ or make the bandwidth adjustments, if any.
Hi Ermal,
I think that the second queue is not working properly. Please, see the image attached. It seems that voip traffic is shaped properly in the new queue OPENVPNQUEUE, but that it goes into the default WAN queue qDefault. Shouldn't it go to queue qVoIP instead?
Regards,
Stenio
-
Hi Stenio,
I'm still trying to get the shaper working for ipsec.
Regarding the solution for OpenVPN (with a dedicated interface + shaper), I don't really understand how this should work effectively..
Ok, that way you can shape inside the OpenVPN tunnel, but what about the WAN interface the tunnel is using?
How much bandwidth should one assign to the openvpn shaper "interface"? Whole wan upstream? Half of it? :D
What about other queues/services that use the WAN interface fighting for bandwidth?
I don't know if I understand everything right, but I think that doing it this way one can only assign a rather fixed priority (queue) for the whole openvpn tunnel on the WAN interface and then decide how this bandwidth is distributed inside the tunnel.
I think that this way it's not possible to get the shaper/queues of the WAN interface to dynamically adjust and reserve more bandwidth depending on a particular service INSIDE the tunnel (something suddenly using a high priority queue of the openvpn interface).
Maybe that's what you are seeing.
Openvpn traffic as a whole will always go into the same queue on the WAN interface no matter what, but you can decide on what services inside the tunnel get how much of the cake..
Please correct me if I'm wrong, that's just my guess..
-
Hi Mxx,
I have the same uncertainties as you. I think that the bandwidth assigned to the tunnel should be at least the same as the bandwidth assigned to the wan. Moreover, the packets should be handled by the wan queues in the way specified by the tunnel queues. But this is only my opinion. I don't know if this is the correct way to do it.
I don't know if I understand everything right, but I think that doing it this way one can only assign a rather fixed priority (queue) for the whole openvpn tunnel on the WAN interface and then decide how this bandwidth is distributed inside the tunnel.
I believe that you are right. From what I'm seeing we can only assign a fixed priority (bandwidth) to the tunnel, but I'd like to know if that depends on a wrong configuration or on a limitation of the system.
Regards,
Stenio
P.S.: Sorry for my English.
-
Haha sorry for my English too ;)
I don't think that this is possible with a dedicated interface for OpenVPN, but I hope I'm wrong.
I was thinking about trying that by using queues on the Lan interface… that way I could imagine that it's possible to achieve this.
I understand too little about all this.. for example I don't understand why in examples (IF you actually have Lan queues, which aren't generated automatically by the wizards anymore as they are only needed in some scenarios) the Lan root queue gets the value for the wan interface's downstream assigned when there are also queues (as children of "Lan") where upstream traffic flows into..
From my little "logic" I would split up and downstream queues on the lan interface by using parent queues with these respective limits..
I was unsuccessful in shaping ipsec traffic by just using queues on wan.
In my thread about ipsec shaping I now posted screenshots to show what I've tried which was unsuccessful and I've asked this question about using Lan queues for that and provided an example..
http://forum.pfsense.org/index.php/topic,34132.msg178371.html#msg178371
-
Maybe this topic should be moved to the Traffic Shaping forum.