    Shaping inside IPSEC only possible by using Lan queues?

    2.0-RC Snapshot Feedback and Problems - RETIRED
    20 Posts 5 Posters 5.4k Views
    • stenio

      I've a similar problem. Did you reset the states after the rules change?

      • mxx

        Yes! Every time.

        • stenio

          This thread could be useful:

          http://forum.pfsense.org/index.php/topic,34059.msg176689.html#msg176689

          Regards,
          Stenio

          • mxx

            Thanks Stenio,

            So this is the solution for openvpn.. that's nice!

             But what about IPsec tunnels, where you cannot assign an extra interface? How would I shape them? From the LAN queues only?

            • eri--

               AFAIK it should work OK even with queues on WAN.
              I am not sure why it is not working for you but you still have not given any screenshots and such for it.

              BTW, you have to upgrade to latest snapshot to retest the results and after send the screenshots.

              • mxx

                Thank you ermal!

                I will do the upgrade and post the screenshots. Might take a little since production box.

                • mxx

                  Hi Ermal,

                  I now set this up at my home pfsense box to test:

                  It's running latest snapshot (i386, built on Sun Mar 13 06:53:56)

                  There's exactly 1 ipsec tunnel. 2 WAN ifs and 1 Lan.

                  Wan interfaces: "WAN" and "AON". "AON" is used for the ipsec tunnel.

                  I just created the (hfsc) shaper using the single LAN multi WAN wizard. Pretty much everything default (except for the individual up/down rates of my WAN interfaces, and "qOthersHigh" is my default queue).

                  I tested using scp from a remote host connected via the ipsec tunnel to my local network.

                  local ip with the ssh server: 192.168.1.65
                  remote host ip: 192.168.0.239

                  I created the following floating rule:

                  action pass, quick, no interface selected, direction: any, protocol tcp, src ip: any, dst ip: 192.168.1.65, dst port: 22, queues: qACKs/qP2P

                  on 192.168.0.239: "scp 192.168.1.65: <large_file>."

                  The behaviour was exactly the same as a few days back with the pfsense host I referred to when I started the topic: everything went into the default queue (now qOthersHigh in this case)

                  I tried different options for the floating rule: action:queue, action:pass without quick. Each with direction in/out/any, ipsec interface selected or no if selected..
                  I also tried specifying the queues in the ipsec fw tab (only have one rule there see image) and then I even tried the same in the lan tab (but lan doesn't have queues set up in the shaper).
                  Every time I reset the states…

                  BTW: only when I used action:pass (quick or not) in the floating rule, it was logged in the firewall log. Action:queue wasn't, but I suspect this is intended since it's no real firewall action?

                  Please see attached images.

                  Thank you very much!

                  Max

                  Attachments: shaper.jpg, floating_rule.jpg, aon.jpg, ipsec.jpg, queues.jpg, fw_log.jpg

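                  A check that would settle where the scp flow is actually being classified, added here as an example (it is not from the thread and not pfSense code): snapshot the ALTQ counters with `pfctl -vvsq` before and after the transfer and diff them per leaf queue. The two snapshots below are constructed to resemble pfctl's per-queue counter lines; the interface name em1, the rates and the counter values are assumptions.

```python
"""Added example (not from the thread or from pfSense): find which ALTQ leaf
queue a test transfer landed in by diffing two `pfctl -vvsq` snapshots taken
before and after the transfer.

The snapshots below are constructed to resemble pfctl's per-queue
"[ pkts: N  bytes: N  dropped pkts: N bytes: N ]" lines; the interface name
em1, the bandwidths and the counter values are assumptions."""
import re
import subprocess
from typing import Dict, Optional, Tuple

QueueKey = Tuple[str, str]                  # (interface, queue name)
Counters = Dict[QueueKey, Tuple[int, int]]  # -> (packets, bytes)

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
COUNTER_RE = re.compile(r"\[\s*pkts:\s*(\d+)\s+bytes:\s*(\d+)")


def parse_queue_counters(text: str) -> Counters:
    """Collect (pkts, bytes) for every leaf queue in `pfctl -vvsq` output.

    Parent queues list their children in braces on the queue line; they are
    skipped because their counters only sum the leaves below them."""
    counters: Counters = {}
    current: Optional[QueueKey] = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = None if "{" in line else (m.group(2), m.group(1))
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            counters[current] = (int(m.group(1)), int(m.group(2)))
            current = None  # one counter line per queue
    return counters


def queue_deltas(before: Counters, after: Counters) -> Counters:
    """Growth per leaf queue between two snapshots; idle queues are omitted."""
    deltas: Counters = {}
    for key, (pkts_b, bytes_b) in before.items():
        pkts_a, bytes_a = after.get(key, (pkts_b, bytes_b))
        if pkts_a > pkts_b or bytes_a > bytes_b:
            deltas[key] = (pkts_a - pkts_b, bytes_a - bytes_b)
    return deltas


def busiest_queue(deltas: Counters) -> Optional[QueueKey]:
    """The leaf queue that absorbed the most bytes during the test."""
    return max(deltas, key=lambda k: deltas[k][1]) if deltas else None


def live_snapshot() -> Counters:
    """On the pfSense box itself (as root): read the real counters."""
    return parse_queue_counters(subprocess.check_output(["pfctl", "-vvsq"], text=True))


# Constructed sample output, before and after a transfer, in the shape of pfctl -vvsq.
BEFORE = """\
queue root_em1 on em1 bandwidth 1Mb {qACKs, qP2P, qOthersHigh}
  [ pkts:      10000  bytes:    5000000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qACKs on em1 bandwidth 200Kb hfsc( realtime 100Kb linkshare 200Kb )
  [ pkts:       4000  bytes:     240000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qP2P on em1 bandwidth 50Kb hfsc( upperlimit 500Kb linkshare 50Kb )
  [ pkts:        100  bytes:      50000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qOthersHigh on em1 bandwidth 400Kb hfsc( default linkshare 400Kb )
  [ pkts:       5900  bytes:    4710000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
"""
AFTER = (BEFORE
         .replace("pkts:      10000  bytes:    5000000", "pkts:      12000  bytes:    7900000")
         .replace("pkts:       5900  bytes:    4710000", "pkts:       7900  bytes:    7610000"))

if __name__ == "__main__":
    growth = queue_deltas(parse_queue_counters(BEFORE), parse_queue_counters(AFTER))
    for (ifname, qname), (pkts, nbytes) in growth.items():
        print(f"{qname} on {ifname}: +{pkts} pkts, +{nbytes} bytes")
    print("transfer landed in:", busiest_queue(growth))
```

                  Take the first snapshot with the link idle, run the scp, take the second. The leaf queue whose byte counter grows by roughly the file size is where the state was classified; if that is the default queue and the queue named in the rule stays flat, the rule that created the state did not carry the queue. Counters are per interface, so read the ones on the WAN interface the tunnel uses.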
                  • mxx

                    Will this only work with Lan queues?

                    If so, would the following work?
                    For sake of simplicity let's assume I only have one WAN if and vpn clients are accessing servers on the "Lan":
                    Assign the downstream rate of my wan interface through which "lan" accesses the internet to the Lan root queue + add the upstream rate to this value (of the wan interface).

                    And then split it apart by adding a qInternet and limit it to the actual downstream rate of the WAN if + add qAck etc. queues as children of qInternet.
                    Then add an "upstream" queue to the Lan root on the same level as qInternet with the limit of the actual upstream rate of the wan interface + add some queues as children of "upstream".
                    Couldn't I then shape the OpenVPN traffic just by making use of that queues?

                    • mxx

                      So, does anyone think this Lan queue approach could work? Or is that complete nonsense?
                      Ermal, what do you say about the things I tried and the screenshots? Do you need more info?

                      BTW: Should threads concerning the shaper in 2.0 go into the 2.0 forum or should I post them in the traffic shaper subforum?

                      • mxx

                        @mxx:

                        Hi Ermal,

                        I now set this up at my home pfsense box to test: [...]

                        Please see attached images.

                        Hi Ermal,

                        I have posted all the screenshots I thought might be useful, please tell me if I should post any additional info.

                        And please forget about my last posts about the Lan queues ;)

                        Thank you!

                        • mxx

                          Any update/reaction? ;)

                          • callinectes

                            I have been looking into implementing shaping within an IPSec tunnel as well and I can find nothing clear on how it should be configured.  What I have found are a lot of references to the shaper in 2.0 being able to shape within IPSec, but no one confirming that it works and no one giving examples or instructions.  I am seeing results similar to mxx when using the wizard - IPSec traffic seems to be classified from the WAN side and gets placed wherever in the default queue unless there is an ESP/AH rule which can place it in another queue.  This doesn't work since I need to shape within the tunnel, not the tunnel itself.  Can someone just give an example that works since it appears that Ermal has no interest in this subject?  It seems to me the traffic should be classified from the LAN side (as the title of op's thread suggests), before it enters the tunnel, if that is even possible.

                            Any help is appreciated.

                            -Kevin

                            • eri--

                              It cannot be classified from LAN side for the outgoing packets.
                              You have to classify it on the IPSec tab of rules.

                              • callinectes

                                Thanks for the reply, though I am still a little confused.  Are you saying I can simply run the wizard and then copy/create any rules specifically for traffic through the IPSec tunnel under Firewall>Rules>IPSec instead of under Firewall>Rules>Floating?

                                • MageMinds

                                  I put every rule for IPSec traffic shaping in the floating rules.

                                  I do not select any interface, I only set the source and/or destination and it's working.

                                  I have MS RDP going through an IPSec and it works perfectly. No limiter, nothing special in the IPSec tab.

                                  See the attachment showing my configuration of the Floating Rule for RDP connections. You have to understand Source and Destination… When you initiate an RDP session from the LAN to an IPSec host, the destination is port 3389. When the reverse happens, an IPSec host connecting to a LAN host RDP server, the destination is still port 3389.

                                  ![RDP FloatingRule.png](/public/imported_attachments/1/RDP FloatingRule.png)

                                  • eri--

                                    My statement is true for LAN rules doing queueing as well.
                                    For floating rules, no, they should just work for IPsec as long as the latest matching firewall rule, the one that actually lets traffic pass through, is on the IPsec tab.

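                                    To make Ermal's point concrete (the rule that actually passes the traffic is the one whose queue counts) together with MageMinds' observation that a floating rule with no interface and no direction, keyed on destination port 3389, catches RDP whichever side opens the session, here is a small model of pf's rule selection. It is an added example, not pfSense code and not anything posted in the thread. It models pf's ordering in a simplified form: rules are evaluated top to bottom, a matching rule with `quick` ends evaluation, otherwise the last matching pass/block rule wins; `match` rules never win but a queue they set sticks unless the winning rule sets its own; a passed packet with no queue set goes to the default queue. Assumptions: floating rules come before interface tabs, interface-tab rules carry `quick` (pfSense generates them that way), the IPsec interface is enc0 and the LAN is em0, the hosts and queue names are invented, the IPsec tab's allow-all rule sets no queue, and the RDP rule is modelled as a pf `match` rule, which MageMinds' post does not confirm.

```python
"""Added example, not pfSense code and not posted in the thread: a small model
of how pf chooses the rule that decides a packet's fate and the ALTQ queue it
gets, used to walk through the points made above.

Modelled semantics, simplified to one evaluation pass on one interface:
  * rules are evaluated top to bottom; a matching rule marked `quick` ends
    evaluation, otherwise the LAST matching pass/block rule wins;
  * `match` rules never win; a queue they set sticks unless the winning rule
    sets its own;
  * a passed packet with no queue set anywhere goes to the default queue;
  * no matching rule at all is treated as blocked (pfSense installs a
    default block).
Assumptions: floating rules first, then interface tabs; interface-tab rules
carry `quick`; enc0 is the IPsec interface, em0 the LAN; hosts and queue
names are invented; the RDP rule is modelled as a pf `match` rule."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Verdict = Tuple[str, Optional[str], Optional[str]]  # (pass/block, queue, deciding rule)


@dataclass
class Packet:
    iface: str       # interface the packet is evaluated on (enc0 = IPsec, em0 = LAN)
    direction: str   # 'in' or 'out' relative to that interface
    proto: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str = "pass"          # 'pass', 'block' or 'match'
    quick: bool = False
    iface: Optional[str] = None   # None = any interface (floating rule, no interface chosen)
    direction: str = "any"        # 'in', 'out' or 'any'
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    queue: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and self.direction in ("any", p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default_queue: str) -> Verdict:
    winner: Optional[Rule] = None
    match_queue: Optional[str] = None
    for r in rules:
        if not r.matches(p):
            continue
        if r.action == "match":
            if r.queue:
                match_queue = r.queue  # sticky; evaluation continues
            continue
        winner = r                     # last matching pass/block rule so far
        if r.quick:
            break
    if winner is None or winner.action != "pass":
        return ("block", None, winner.name if winner else None)
    return ("pass", winner.queue or match_queue or default_queue, winner.name)


SCP = Packet("enc0", "in", "tcp", "192.168.1.65", 22)  # remote host pulling from the LAN ssh server


def scenario_floating_pass_then_ipsec_tab() -> Verdict:
    """Floating pass rule without quick that names a queue, followed by the
    IPsec tab's allow-all rule (assumed to set no queue)."""
    rules = [
        Rule("floating: pass ssh to 192.168.1.65", proto="tcp", dst="192.168.1.65", dport=22, queue="qP2P"),
        Rule("ipsec tab: pass any", iface="enc0", direction="in", quick=True),
    ]
    return evaluate(rules, SCP, default_queue="qOthersHigh")


def scenario_queue_on_ipsec_tab() -> Verdict:
    """The queue set on the IPsec-tab rule that actually passes the traffic."""
    rules = [
        Rule("ipsec tab: pass ssh to 192.168.1.65", iface="enc0", direction="in", quick=True,
             proto="tcp", dst="192.168.1.65", dport=22, queue="qP2P"),
        Rule("ipsec tab: pass any", iface="enc0", direction="in", quick=True),
    ]
    return evaluate(rules, SCP, default_queue="qOthersHigh")


def scenario_rdp_both_directions() -> Tuple[Verdict, Verdict]:
    """Floating rule keyed only on destination port 3389, no interface, any
    direction: the destination port is 3389 whichever side opens the session."""
    rules = [
        Rule("floating: match rdp", action="match", proto="tcp", dport=3389, queue="qRDP"),
        Rule("lan tab: pass any", iface="em0", direction="in", quick=True),
        Rule("ipsec tab: pass any", iface="enc0", direction="in", quick=True),
    ]
    lan_to_vpn = Packet("em0", "in", "tcp", "10.0.0.5", 3389)       # LAN client -> remote RDP server
    vpn_to_lan = Packet("enc0", "in", "tcp", "192.168.1.10", 3389)  # remote client -> LAN RDP server
    return (evaluate(rules, lan_to_vpn, "qOthersHigh"), evaluate(rules, vpn_to_lan, "qOthersHigh"))


if __name__ == "__main__":
    print("floating pass, then IPsec tab:", scenario_floating_pass_then_ipsec_tab())
    print("queue on the IPsec-tab rule:  ", scenario_queue_on_ipsec_tab())
    print("RDP both ways via match rule: ", scenario_rdp_both_directions())
```

                                    The first scenario ends in qOthersHigh because the IPsec tab's allow-all rule is the last match and sets no queue; the second puts the queue on that passing rule and gets qP2P; the third shows the destination-port trick assigning qRDP in both directions while the interface tabs still do the passing. The model does not try to explain every result reported earlier in the thread; it only shows which rule pf would consult for the queue under the stated assumptions.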
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.