[HOWTO] Multi WAN Traffic shaper with bandwidth limits per interface
-
Hello.
I'm Frederique and, even if I've been reading your contributions for some time now, I'm a new member on this forum.
First of all, I would like to thank all of you for sharing your experience and tutorials. As always I'm amazed by the generosity ;) I am a recent user of pfSense solutions and have actually only implemented "out of the box" configurations for the moment. We are now facing several challenges and one of them led me to your discussion. I stumbled upon your message while researching a solution to my client's current situation and I would really care for expert advice on this matter.
The current client architecture is the following:
- 1 LAN which supports data + VoIP
- 3 WAN on 3 different ISP
- 1 inside server which needs to synchronize with a distant server. No VPN
Today each WAN is dedicated to 1 usage (Data / VoIP / Replication), 2 of these 3 links are underused and the client wants to use the maximum of the available bandwidth. We would like to implement a pfSense configuration with load balancing on all 3 WANs. The problem is that we need to protect VoIP bandwidth (in and out) and also leave available bandwidth for the daily ongoing replication of both distant servers. We still need to assign a particular gateway to VoIP and server Synchro (since there is no VPN implemented).
I was wondering if the traffic shaping you're presenting in your post could be implemented with load balancing in order to resolve our client's issue?
I would really appreciate your advice on this matter before modeling the solution in my lab.
Thanks in advance.
-
@Ma_Fabulette: The floating rules described in the post are only matching ones. So basically you could make failover rules on the LAN side using routing groups, as long as you don't specify any queues there.
You might also merge the LAN queues in one if all the WAN lines have the same download capacity, so you can use priority queues easily.
-
Thank you for your answer, Dejean.
After testing, it seems then that I cannot limit bandwidth from the WAN to avoid congestion without drastically limiting the gateway group's total bandwidth (since I need to shape traffic on the LAN interface).
It seems then that if I want to shape specific traffic I need to have it limited to a specific GTW and eventually create a group with the remaining GTW from the rest of the traffic.
-
@Ma_Fabulette What exactly are you trying to set up? Could you make a schema and explain what you're trying to do? It would make it easier to understand.
-
Very well done how-to deajan. Thank you. Have you tested what happens when 2 LAN clients eventually end up downloading at full speed from the same WAN? Is the BW of that WAN shared evenly between the 2 or does one get to have a huge chunk and one starves? I'm using limiters to achieve fair sharing of BW on my LAN and I'm VERY SATISFIED[1] but I'm not sure if limiters and queues can be combined [2] and my health bar is low for the moment[3]
NOTES:
[1] I'm using limiters based on foxale08's how-to found here https://forum.pfsense.org/index.php?topic=63531.msg364520#msg364520 and an excellent explanation of limiters by reddit user drakontas https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/
[2] This question came up before in the forums but it was on a more complex setup and there is no answer https://forum.pfsense.org/index.php?topic=88627.0
[3] I've spent dozens of weeks reading, experimenting and learning traffic shaping first on IPfire then (when I've hit its limits) on pfSense. I need some time to recover and my co-workers need a few weeks of NO-EXPERIMENTS-DURING-WORK-HOURS :-)
-
AFAIK, you'll depend on the bandwidth share algorithm of the HFSC scheduler. If you want totally fair bandwidth sharing, CODELQ / FAIRQ are good alternatives but I'm not sure they might be implemented together with HFSC as of new pfSense releases. And you'll have to stick with HFSC in order to have sub queues on LAN lines.
Maybe an explanation of a scheduler expert might fit better here than mine. @pfSense community: someone ? :)
-
Hello,
I am trying to get my shaper working. I have only one WAN and one LAN (simple case :)), I would like to limit HTTP download and reserve bandwidth for VOIP, RDP and PCOIP. I followed the howto approximately, but it seems that download traffic is stuck in the default download queue (except for VoIP, I don't understand why).
In the howto it is written:
- Action: Match
- Interface: WANx where x is the WAN number
- Direction: out (yes, it is outgoing direction !)
- Address Family: IPv4 and IPv6
- Protocol: Any
- Gateway: default
- Ackqueue / Queue: none / qDownloadLowWANx
Why is the direction for download out from the WAN?
In my floating rules I set out on WAN interface for upload (and it seems to work) and out from LAN interface for download.
Another question: If a connection (for example HTTP) is established by a user and used to download, will TCP packets be queued in the download or upload queue?
So I'm quite lost about these traffic directions, and how I must write my floating rules to match traffic. You can find attached my floating rules and queues.
Thanks in advance for your help.
-
@tho: I don't see any HTTP rules, so it goes to the default queue.
I've set up a full system for hotels where I used squid in order to limit HTTP downloads too.
Btw: I just saw that you have a "serveur tse" rule, so I imagine I'm not mistaken in speaking French to you. If you want, I originally wrote my documentation in French, if that can help you; contact me directly by email if you like :)
-
First of all, thanks a lot Deajan, the way and the time you take to write this post is to thank.
I have a problem on the upload. If I didn't misunderstand, this shape limits the upload of the WANs:
Go to Firewall > Traffic Shaper
Remove any traffic shaper queues if some are configured.
For every WAN interface listed in the Traffic Shaper:
- Click on "Enable/disable discipline and its children"
- Keep the HFSC scheduler as HFSC is the only scheduler allowing children queues without any errors in pfSense 2.3-2.3.2 so far. Also, mixing different schedulers isn't working yet on pfSense. So even if you don't need any special subqueues on WAN links, you'll still need them on the LAN interface later.
- The bandwidth parameter to set here is 95% of the measured upload speed:
WAN1 = 9.8x0.95 = 9.3Mb
WAN2 = 920x0.9 = 828Kb (we use a lower multiplier because the line isn't stable)
WAN3 = 3.8x0.95 = 3.6Mb
- Queue Limit and TBR Size are left empty unless you know exactly what you're doing
- Click on Save
Configuring the bandwidth parameter here is sufficient to enforce the upload speed of pfSense to the WAN modems.
The other shapes work fine; the downloads are limited, but not the upload.
The only floating rules necessary are the download ones, right?
Does it have anything to do with the version of pfSense?
Thanks in advance!
-
@tho: I don't see any HTTP rules, so it goes to the default queue.
I've setup a full system for hotels where I used squid in order to limit http downloads too.
Thank you for replying. The first rule should match HTTP and send it to the DownloadLow queue, not the default LAN queue qLink. Am I right?
-
@allen34
Do you think Policy-based routing would solve the issue of Multi-WAN/Multi-LAN?
Assuming that we have rules on each LAN interface tagging the traffic types, they can then be classified into outgoing queues on the WAN(s) side via floating rules.
-
@Ma_Fabulette: The floating rules described in the post are only matching ones. So basically you could make failover rules on the LAN side using routing groups, as long as you don't specify any queues there.
You might also merge the LAN queues in one if all the WAN lines have the same download capacity, so you can use priority queues easily.
How do you set this up in the LAN rules of the firewall? A screenshot might help.
Currently I'm grouping my two WANs, which I set up in System -> Gateway Groups and named LoadBalancing. I use it in the LAN rules as gateway.
Thanks. Your configuration makes me want to learn this.
-
@allen34
Do you think Policy-based routing would solve the issue of Multi-WAN/Multi-LAN?
Assuming that we have rules on each LAN interface tagging the traffic types, they can then be classified into outgoing queues on the WAN(s) side via floating rules.
Apologies for the late reply. Unfortunately I have no experience of multi-WAN and multi-LAN.
The approach outlined in my post works only because the WAN incoming traffic all ends up in the same queue on the same LAN interface.
Maybe there are possibilities:
a) Assign multiple WANs to each LAN
i.e. 2 WANs for LAN1 and 2 separate WANs for LAN2
b) Split each WAN into equal amounts for each LAN
e.g. if you have 2x WAN links and 2x LAN, then split the bw of each WAN in half and assign a half from each WAN to each LAN.
But I do not see a way of balancing all LAN traffic across all WANs. This is because you will have separate queues for each LAN.
In the end, buy more WAN links and divvy your users up across them. Pretty sure that is what sensible people do and why I believe not so many posts about this problem are found. Simply have a "WAN budget" per employee, so if you get 100 users you pay N $$, and if you have 200 users you pay 2x N $$. Unfortunately we are in a remote location and this is not possible so we try to squeeze as much as we can out of the 2x DSL lines we have and pay a small fortune for the privilege where others buy 10x the bandwidth at 1/4 the price.
Cheers A
-
Hi,
I'm on version 2.3.4 and the upload limit seems not to work (https://forum.pfsense.org/index.php?topic=145500.0).
Also, after creating the qLink and the qDownloadWANX queues, the tutorial says:
If you only need to limit the bandwidth, we're done here.
To apply them I needed to create the rules in Firewall/Floating as described below; I don't know if pfSense behavior changed or I misread the instruction (to me it sounded like "If you only needed limiters you are done").
-
How do I create a queue for upload? I tried creating a queue on the WAN interface like on the LAN interface and applying it to floating rules; the direction is IN, but it's not working. Thanks.