Netgate Discussion Forum

    QOS per Interface

    thestealth

      I'm thinking that using PRIQ's might work. I did find this link (http://forum.pfsense.org/index.php?topic=39894.0), but I am unsure of how to do it.

      georgeman

        In the link you posted, I think it was possible because all VLANs are physically going through the same interface, so you would create the 3 queues under the same physical interface on the traffic shaper. Anyway I am not sure if PRIQ considers priorities among different interfaces, it might be worth a try

        If it ain't broke, you haven't tampered enough with it

        kathampy

          Do you have a WAN interface for Internet access in addition to the above LAN/OPT interfaces? Balancing a single WAN between multiple LAN/OPT interfaces is not directly possible since the queues on each of the LAN/OPT interfaces are independent of each other.

          You need to pass the traffic from the WAN interface through an additional bridged-mode firewall and perform traffic shaping there based on the IP addresses of each LAN/OPT interface. Then you can balance the traffic between each LAN/OPT subnet as you please.
          If you're running it as a VM it should be possible to create virtual NICs and configure the vSwitches appropriately. On a dedicated box with an additional NIC you could probably use VLANs on your switch and a bridge interface on pfSense to do it.

          thestealth

            @KurianOfBorg:

            Do you have a WAN interface for Internet access in addition to the above LAN/OPT interfaces? Balancing a single WAN between multiple LAN/OPT interfaces is not directly possible since the queues on each of the LAN/OPT interfaces are independent of each other.

            You need to pass the traffic from the WAN interface through an additional bridged-mode firewall and perform traffic shaping there based on the IP addresses of each LAN/OPT interface. Then you can balance the traffic between each LAN/OPT subnet as you please.
            If you're running it as a VM it should be possible to create virtual NICs and configure the vSwitches appropriately. On a dedicated box with an additional NIC you could probably use VLANs on your switch and a bridge interface on pfSense to do it.

            I'm not running a VM (though that may be a solution). The machine currently has 2 physical NICs, 1 for the WAN and 1 for LAN, OPT1, OPT2 & OPT3 with VLAN tagging.

            From what I understand the setup you suggest would look something like this: http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/. Though in my case I don't think I need to use floating rules, but rules on the WAN to shape upload traffic and rules on the LAN to shape download traffic.

            Are you telling me that the same pfSense box will be able to work as you say with the addition of some NICs, or do I need another box?

            kathampy

              @thestealth:

              I'm not running a VM (though that may be a solution). The machine currently has 2 physical NICs, 1 for the WAN and 1 for LAN, OPT1, OPT2 & OPT3 with VLAN tagging.

              From what I understand the setup you suggest would look something like this: http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/. Though in my case I don't think I need to use floating rules, but rules on the WAN to shape upload traffic and rules on the LAN to shape download traffic.

              Are you telling me that the same pfSense box will be able to work as you say with the addition of some NICs, or do I need another box?

              You don't really need an additional NIC. I only mentioned it because a VLAN would reduce your WAN throughput. I haven't tested this, but this is basically what you should do:

              Trunk your 2nd NIC to two VLANs (WAN & Outer WAN). The 1st NIC is already trunked to four VLANs (LAN, OPT1, OPT2, OPT3).

              Create a bridge between the WAN and Outer WAN interfaces.

              Connect your Internet cable to the Outer WAN VLAN.

              Set the Outer WAN interface's type to 'None'.

              Configure your public IP address on the WAN interface. The type can only be 'Static' or 'DHCP'. PPPoE cannot be shaped like this (it can but is too complex to explain here).

              Keep in mind that when you create a queue under an interface in the 'By Interface' tab, it is for traffic leaving that interface. That means the queue on the WAN interface is for download and the queue on the Outer WAN interface is for upload. Set your connection's download and upload bandwidth on the root interfaces WAN and Outer WAN in the 'By Interface' tab.

              You can use the WAN interface in the firewall rules to apply the queues or create floating rules on Outer WAN for the 'Out' direction. If you have only one public IP address you'd need to figure out how to identify packets from each subnet. Maybe use different port ranges for outbound NAT for each subnet and check the source port to identify OPT1 packets and apply the appropriate queue. You cannot compare the private source addresses since NAT has already occurred. If you have multiple public IP addresses then you can use a separate public IP address for each subnet and simply check for that address to apply the queue.

              Learning how to create proper HFSC queues is too big to explain here. I suggest you set up a test box with a single LAN and WAN interface and fully understand how it works first. The wizard might be broken and won't help you understand anyway.

              adam65535

                Thank you for bringing this up. I have never thought about QoS with more than 2 interfaces on pfSense before. I haven't set up more than 2 interfaces needing QoS yet on pfSense. I just assumed there was a way to have a queue be shared among multiple interfaces somehow or another. According to this information I would have to split the WAN download bandwidth between the multiple inside interfaces and it would not be shared.

                I guess I have been spoiled with Checkpoint QoS. You define an interface and its bandwidth. The QoS rules are placed on an interface. The firewall limits upload and download based on the rules for that interface. If you set up QoS only on the external interface (10mbit down, 10mbit up) then it doesn't matter if the traffic goes out interface 2, 3, or 4. It will restrict download bandwidth to 10mbit (traffic coming in WAN and out anywhere) and upload to 10mbit (traffic going out WAN) to what you set on the WAN interface.

                Is there really no way to share download WAN bandwidth between multiple inside interfaces, or is it a limit of the pfSense GUI? I find it hard to believe the developers didn't think of this scenario when developing the QoS implementation.

                UPDATE: After doing some research I wonder if this can be achieved by using a limiter for the WAN and then using the normal queues with weights to prioritize the traffic. I haven't used limiters yet so that is new to me.

                senser

                  @adam65535:

                  Is there really no way to share download WAN bandwidth between multiple inside interfaces, or is it a limit of the pfSense GUI? I find it hard to believe the developers didn't think of this scenario when developing the QoS implementation.

                  I think it's possible and easy on pfSense too. There are many ways I would think; this is how I would do this:

                  Create one queue for each OPT interface on the WAN interface (these will limit uploads) and one queue on each OPT interface (these will limit download). Remember to give the same name for each pair: eg, queueOPT1 on WAN and queueOPT1 on OPT1, queueOPT2 on WAN and queueOPT2 on OPT2 and so on.

                  For each of these pairs create one floating rule like this:

                  Action: Queue
                  Interface: WAN
                  Direction: out
                  Protocol: any
                  Source: WAN address
                  Destination: not WAN subnet
                  Advanced > match by tag (eg, "T_OPT1", see below)
                  Advanced > Queue: queueOPT1

                  Finally, tag the traffic. You could just tag all traffic that comes in on the OPT1 interface as "T_OPT1" and do the same for the other interfaces.

                  Why do I use tags? Well, I like to have just one queueing rule per actual queue. Keeps the whole queueing business a little bit more manageable IMO, especially when dealing with many interfaces, mixing floating and interface rules etc.

                  We use the mighty pf, we cannot be fooled.

                    adam65535
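As an added illustration (not from any poster in this thread), here is how the queue pairs, tags and per-pair floating rule senser describes would look as pf.conf/ALTQ rules on pfSense's underlying pf. The interface names em0 (WAN), vlan10 (OPT1) and vlan20 (OPT2), the 2Mb/10Mb link speeds and the percentage shares are assumed; the queue option is also placed on the inbound OPT rule because pf takes a packet's queue from the rule of the state it matches on the interface it is leaving. The comments spell out the point adam65535 makes in the next reply: each altq line is its own scheduler, so the per-interface download budgets are not shared.

```pf
# Added illustration; interface names, speeds and shares are assumed.
# em0 = WAN, vlan10 = OPT1, vlan20 = OPT2 (VLANs on the second NIC).

# Upload: one queue per OPT subnet under the WAN interface (2Mb up).
altq on em0 hfsc bandwidth 2Mb queue { queueOPT1, queueOPT2, qWANdef }
queue queueOPT1 on em0 bandwidth 40% hfsc(linkshare 40%)
queue queueOPT2 on em0 bandwidth 40% hfsc(linkshare 40%)
queue qWANdef   on em0 bandwidth 20% hfsc(default)

# Download: the same queue NAME on each OPT interface, so a rule that
# says "queue queueOPT1" resolves to that interface's queue on whichever
# interface the packet leaves. Each altq line is an independent
# scheduler: the 10Mb below is per interface, not a shared pool, so
# OPT1 and OPT2 cannot borrow idle WAN download capacity from each other.
altq on vlan10 hfsc bandwidth 10Mb queue { queueOPT1, qOPT1def }
queue queueOPT1 on vlan10 bandwidth 80% hfsc(linkshare 80%)
queue qOPT1def  on vlan10 bandwidth 20% hfsc(default)

altq on vlan20 hfsc bandwidth 10Mb queue { queueOPT2, qOPT2def }
queue queueOPT2 on vlan20 bandwidth 80% hfsc(linkshare 80%)
queue qOPT2def  on vlan20 bandwidth 20% hfsc(default)

# Tag everything that enters on an OPT interface. The tag travels with
# the packet to the outbound interface. The queue option here governs
# reply packets leaving vlan10/vlan20 (the download direction), since
# those packets match the state this rule created.
pass in quick on vlan10 tag T_OPT1 queue queueOPT1 keep state
pass in quick on vlan20 tag T_OPT2 queue queueOPT2 keep state

# One floating rule per pair (Interface WAN, direction out, source WAN
# address, destination not WAN subnet, match by tag). This is evaluated
# after outbound NAT, so the private source address is gone and only the
# tag identifies the originating subnet. Governs the upload queue on em0.
pass out quick on em0 from (em0) to ! (em0:network) tagged T_OPT1 \
    queue queueOPT1 keep state
pass out quick on em0 from (em0) to ! (em0:network) tagged T_OPT2 \
    queue queueOPT2 keep state
```

Load with `pfctl -nf` first to syntax-check, then inspect `pfctl -vsq` to confirm that each interface shows its own HFSC tree with the expected bandwidth.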

                    I don't think that would work how you think it does going by what was said earlier in this thread.

                    The queues on the wan interface will be for upload. That will work fine. The queues on the opt interfaces will apply for download data from WAN and will have independent queues. Opt1 limits will not share bandwidth with opt2 queues even if they have the same name. It works fine with only a wan and LAN interface. When you have more than 2 interfaces though it isn't so simple.

                    Example with goal of limiting upload to 2mbit and download 10mbit.  You would have to split LAN and opt1 to half the download bandwidth which is not ideal.  LAN or opt1 would never be able to use more than 5mbit each.  This is a simplified config to make it easy to understand.

                    Wan:
                    WanQueue 2mbit

                    LAN:
                    WanQueue 5mbit

                    Opt1:
                    WanQueue 5mbit

                    Assuming you assign all wan traffic to WanQueue.

                      senser

                      Hmm, yeah, I understand. Sorry for posting false information. This even was one of the reasons why I use a bridged setup for my two local NIC, one WAN NIC setup: to be able to shape and share the WAN traffic between both local NICs. facepalm

                        senser

                        So, does anyone know if this will work on 2.1 then?
                        For the original poster: using a bridge will solve your traffic queueing problem (as stated earlier already). If that is an acceptable solution is up to you to decide. Might be worth a try, since the whole queueing thing is one of the best things a router can do for you.

                          adam65535

                          I am just now starting to need QoS for a cluster with 4 different security zones where I need to find a solution without bridging. I am still experimenting with Limiters to see if I can get by using them, but I am afraid they might have big performance issues (based on reading the forum, not from experience) and I know they don't have all the features that I want to use with the normal queues.

                          I have been using 2.1 on a few non-critical systems and I haven't found anything that would make it better for this. I think it might be a limitation of the QoS implementation on FreeBSD.
