OpenVPN and QOS - can't catch it by floating rule
-
Hi guys!
Need to catch OpenVPN client traffic by floating rule and send it to shaper queue.
I've tried various setups, googled, read forum. Nothing. It goes to default queue no matter what I did.
My setup
2.3.2-RELEASE-p1 (amd64)
2 WAN
4 VPN Clients
1 LANOpenVPN client
Peer-to-peer
UDP
tap
interface WAN1
server headquarters_WAN1
server port 11930
//Interface need to be here. Can't setup LAN, localhost etc. There are few clients from/to different wans and ospf routing.States
WAN2(?) udp WAN1:6442 -> headquarters_WAN1:11930
//bug? Diagnostics - States show interface WAN2, but source WAN1. Also in status - OpenVPN (local and reote) and remote state I see WAN1 ip address.Floating rule
Match
int WAN1
out
IPv4
UDP
dst port 11930
Ackqueue / Queue qDlAckWAN1 / qDlVpnWAN1Tried catch it by dest address, dst port, src port. No luck - it goes to qLink.
What I'm missing?Appreciate any help.
-
Unless you require a floating rule, just use an interface rule.
-
Unless you require a floating rule, just use an interface rule.
I can't use interface rule. OpenVPN is in client mode and it should use specific interface (WAN1).
Correct me if I'm wrong.Upd
Just changed action of floating rule to reject and vpn blocked. Then floating rule applies to VPN and it is correct i think.
Changed it to match and again all vpn goes to qLink (default queue).
All other traffic (ack, web, voip, p2p) goes to queues without problems.
I'm stuck. -
You can use the interface rules as soon as you assign the OpenVPN client to a new interface (Interfaces -> Assign).
-
I've gone rounds with traffic shaping too on pfSense. What I've learned is that pfsense is going to shape the traffic related to the state created with the connection. So if a client connects to your WAN interface on your vpn server port 11930 all traffic will be assigned to the traffic shaper queues for the rule that creates that state. Once I understood this myself it all became clearer. Think according to states. And always go to the diagnostic tabs and reset the firewall states after you change shapers, or they won't take and you'll be scratching your head.
So, I would assume you have a rule on your WAN interface tab that allows port 11930 through to your VPN server correct? I would go into that rule and go to Advanced Options and set your Queue/Ack Queue settings there. This is how I have all of my vpns setup and it seems to work well. The bandwidth shaping you want to do for your uploads with go on the right side selecting a "Queue". You can leave the ACK queue blank if your connection uses UDP because there are no ACK packets returned.
I hope this helps.
-
So, I would assume you have a rule on your WAN interface tab that allows port 11930 through to your VPN server correct?
Thanks for suggestion churchtechguy. But it's vpn client connection, not server. So there are no rules in fw for that.
About UDP - thanks, my bad.You can use the interface rules as soon as you assign the OpenVPN client to a new interface (Interfaces -> Assign).
So I should assign each OpenVPN interface, and then… Sorry, not understand. It's download queue (on LAN interface).
-
I'm sorry, my bad. I misunderstood your question. :( I think I understand now.
Shaping traffic going out is difficult with the floating rules and I feel like its hit or miss that I've gotten it working.
By VPN Client you mean that you're using OpenVPN to create a site to site tunnel to your main headquarters? If so, I have some shaping setup like that on my servers and I can look and let you know.
-
So.
To be clear. pfSense is OpenVPN client. I want to shape tunnel's download and place it in LAN out queue.
Queue applies to the state.
Then floating rule should look like that:
LAN out
source - remote private network
destination - LAN net
queue - qVpnBut I have 2 WANs, 2 queues on LAN for that WANs and redundant VPN connections.
So I see options
1. Place OpenVPN clients on another PC on LAN. Then shaping will be easy. But I need dynamic routing on vpn clients, so OSPF need to be moved too. Bad.
Quesition - maybe I can do that logic some way without 2nd PC on pfSense itself?
2. Limit VPN speed on VPN options and subtract this from WAN speeds on QOS. Better then previous, but still bad.
3. Use single VPN connection on single WAN. No failover, no redundancy.
4. Don't use shaping
5. I'm doing something wrong. -
There are likely a few ways to accomplish your goal.
You could try creating a firewall rule on both WANs to catch the incoming OpenVPN packets and mark them (it's in the Advanced section of the rule). Then match these marked packets with a LAN firewall rule and assign them to the appropriate queue.