    Traffic Shaping with OpenVPN

Harvy66

Unless someone has more experience, I would just say to set your queues to 2500 and use Codel. Codel is an interesting algorithm that starts to statistically drop packets once packets have been queued for more than 5ms. For every packet that has been in the queue longer than 5ms, it keeps upping the rate at which it drops packets until it finds a packet that has been queued for under 5ms. It also does head drop, instead of tail drop, which has some interesting characteristics, one of them being it's more fair to smaller transfers and harder on bigger ones.

      HFSC can be more complicated, but just keep it simple. Don't use burst, just realtime and link share.

Link share comes from the parent and cannot be more than 100% when added with all sibling queues. Real time comes directly from the root interface, so realtime among all queues may not add up to more than 80%. HFSC is really kind of a ratio-based traffic shaper. All you're doing is telling it how much bandwidth each queue will have when your connection is fully saturated.

mcamino

        I appreciate your help, but is there another forum member who might be able to help me a little bit further? possibly with more specific instructions?

        I guess my question at the remote site is "if SOURCE interface X, guarantee up to 20mbs via wan. otherwise provide full bandwidth (25mbs) to all users"

and my question at the central office is "provide this OpenVPN tap connection guarantee up to 20mbs via wan, otherwise provide full bandwidth (50mbs) to all users"

mcamino

          anyone care to assist?

          bump

Derelict (LAYER 8, Netgate)

            All you can really do is shape the OpenVPN tunnel in relation to other traffic.  You can only do this in one direction - outbound.

            You would identify the traffic on the client with connections on WAN OUT to server on UDP/1194.  This would put traffic into a queue to shape from client to server.

You would identify the traffic on the server with connection on WAN IN from client to UDP/1194.  This would put traffic into a queue to shape from server to client.

            Default OpenVPN ports used in this example.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

Nullity

              @mcamino:

              I appreciate your help, but is there another forum member who might be able to help me a little bit further? possibly with more specific instructions?

              I guess my question at the remote site is "if SOURCE interface X, guarantee up to 20mbs via wan. otherwise provide full bandwidth (25mbs) to all users"

and my question at the central office is "provide this OpenVPN tap connection guarantee up to 20mbs via wan, otherwise provide full bandwidth (50mbs) to all users"

              I have a rudimentary understanding of HFSC so I can help with that, but I am very inexperienced with firewall rules and OpenVPN.

              If you want to use 2-part service curve (decoupled bandwidth & delay) you, or myself, will need to know the packet size for a particular traffic type to determine the burst duration.

If you just want linear service curves then use link-share and upper-limit.

              It is late and I am having trouble finding motivation, but I am willing to help… :)

              Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

mcamino

                @Derelict:

                All you can really do is shape the OpenVPN tunnel in relation to other traffic.  You can only do this in one direction - outbound.

That is the part which I am having a difficult time understanding. I want to protect the upstream and downstream bandwidth for the VPN connection. For example, if a user downloads or uploads a 20GB file to the internet, I want to be sure in either scenario that the internet user does not negatively affect the VPN connection for the IPTV streams.

I understand dividing a 50mb connection into different queues with different priorities. Attached is what I am trying right now, but it still doesn't seem to be the right config.

Can you take a look and tell me if what I have so far LOOKS like I am on the right track? And if you could give me some advice on what else I should look at and configure, so I can investigate those next steps.

(Attachments: pfsense-1.JPG to pfsense-6.JPG)

Derelict

That is the part which I am having a difficult time understanding. I want to protect the upstream and downstream bandwidth for the VPN connection. For example, if a user downloads or uploads a 20GB file to the internet, I want to be sure in either scenario that the internet user does not negatively affect the VPN connection for the IPTV streams.

                  You can shape both directions, you just have to shape sending at each end.

mcamino

How does shaping the remote client side (which is downloading the IPTV streams) prevent someone from performing a large download on the central server side (which is uploading the IPTV streams) causing the circuit to have oversubscription issues? Am I misunderstanding this, or what am I missing?

Derelict

                      You're misunderstanding.  I am talking about shaping the tunnel.

                      You shape sending out WAN by putting the OpenVPN connection into a queue and other traffic into other queues.  What you can't easily do is shape different traffic within the OpenVPN tunnel or shape how much is received by the tunnel.

                      OpenVPN traffic is different from other traffic.  You cannot shape the state of the received traffic all the way through to LAN because:

                      On the WAN side all pfSense sees is an OpenVPN tunnel - it cannot see inside it.  The only state on WAN that exists is the connection to the other VPN server itself.

pfSense will allow you to set queues on the OpenVPN assigned interface itself, but doing so eventually makes my OpenVPN process spin at 100% CPU.

                      I'm probably making this more difficult than it needs to be but shaping OpenVPN traffic is really complicated due to the fact that there are never states from LAN to WAN and WAN to LAN.  Even if you do try to shape on the OpenVPN interface, you're now running a shaper inside a shaper and adding yet more complexity.

mcamino

                        @Derelict:

                        You're misunderstanding.  I am talking about shaping the tunnel.

                        You shape sending out WAN by putting the OpenVPN connection into a queue and other traffic into other queues.  What you can't easily do is shape different traffic within the OpenVPN tunnel or shape how much is received by the tunnel.

Okay. I know I don't need to shape within the tunnel. I just want to give the VPN tunnel on both the client and server side a higher priority. So let's simplify my original question; let's forget the specific bandwidth numbers.

If I have an OpenVPN connection between two sites, how do I give that VPN connection higher priority on the outside (WAN) interface than all other (default queue) traffic for both upload and download oversubscription? I guess my question is even more specific now: how do I set up a traffic shaper rule for both upload (outgoing) and download (incoming) on the WAN interface?

Derelict

                          You don't shape download on WAN.  That's what I've been trying to tell you.  And you can't set a queue on LAN to shape downloads either.

                          Assumes the following: OpenVPN Server running on UDP 1196

                          On the server (This rule will shape traffic from server to client):

                          Create a floating rule on interface WAN in Match IPv4 UDP source any dest WAN address destport 1196 set queue qVPN

                          On the client (this rule will shape traffic from client to server):

                          Create a floating rule on interface WAN out Match IPv4 UDP source any dest VPN Host destport 1196 set queue qVPN

(Attachment: Screen Shot 2015-03-01 at 8.17.00 PM.png)

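What the thread's advice looks like written out in pf.conf terms, as an added example that is not from any post in this thread and not pfSense's own generated ruleset: Harvy66's HFSC queues (realtime for the guarantee, link share for the ratio, qlimit 2500 with CoDel) together with Derelict's two floating Match rules. Everything concrete is assumed: em0 as WAN on a 25 Mbit/s circuit (the remote site), the OpenVPN server at 203.0.113.10 on UDP/1196, and the queue names qVPN and qDefault. pfSense writes its own rules from the GUI into /tmp/rules.debug, so this is for reading alongside the screenshots, not for pasting into a pfSense box.

```pf
# Added example (not from the thread). Assumed: em0 = WAN, 25 Mbit/s upstream,
# OpenVPN server 203.0.113.10 on UDP/1196, invented queue names qVPN/qDefault.

wan      = "em0"
vpn_host = "203.0.113.10"
vpn_port = "1196"

# HFSC scheduler on WAN egress. ALTQ only shapes what this box SENDS out em0;
# the receive direction is shaped by the box at the far end of the link.
altq on $wan hfsc bandwidth 25Mb queue { qVPN, qDefault }

# Tunnel queue. realtime is a hard guarantee carved from the root interface
# (keep the sum of all realtime values at or under ~80% of the root: 20Mb of
# 25Mb here). linkshare is this queue's share once the link is saturated.
queue qVPN     bandwidth 40% qlimit 2500 hfsc( realtime 20Mb linkshare 40% )

# Everything else. Link shares of sibling queues must not exceed 100% of the
# parent (40% + 60%). codel watches how long packets sit in the queue and
# drops from the head when that sojourn time stays above its target.
queue qDefault bandwidth 60% qlimit 2500 hfsc( default linkshare 60% codel )

# ---- CLIENT (remote site): shapes client -> server -------------------------
# Same as the floating rule: interface WAN, direction out, action Match,
# IPv4 UDP, source any, destination VPN host, destination port 1196, queue qVPN.
match out on $wan inet proto udp from any to $vpn_host port $vpn_port queue qVPN

# ---- SERVER (central office): shapes server -> client ----------------------
# Same as the floating rule: interface WAN, direction in, action Match,
# IPv4 UDP, source any, destination WAN address, destination port 1196.
# Uncomment on the server instead of the client rule above:
# match in on $wan inet proto udp from any to ($wan) port $vpn_port queue qVPN

# match rules only tag; ordinary pass rules still have to allow the traffic.
pass out on $wan inet proto udp from any to $vpn_host port $vpn_port keep state
```

The server-side rule is written for inbound packets but still shapes outbound traffic: pf records the queue on the state, and the queue is applied to that state's packets when they leave an interface that has ALTQ enabled, which is why Derelict's "WAN in" rule on the server governs server-to-client traffic. In practice, set the altq bandwidth a little below the real upstream rate so that this box, not the ISP's equipment, is where packets queue; if the queues never fill, neither HFSC nor CoDel gets to act. Scale the realtime value down with it so the total stays under 80%.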
Derelict

                            You might have some luck placing rules like this on your OpenVPN assigned interface or OpenVPN tab.  This will govern connections coming from the remote site into your firewall over OpenVPN.  There should be queues matching these names on LAN.

                            Similar rules can be set on the LAN interface for traffic from LAN net to the remote OpenVPN network(s).

(Attachments: Screen Shot 2015-03-01 at 8.24.36 PM.png, Screen Shot 2015-03-01 at 8.30.32 PM.png)

MLIT

You could also try to make a tunnel specifically for the IPTV traffic; then you could shape traffic based upon which tunnel the traffic was received from.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.