Netgate Discussion Forum

    Traffic Shaping - General Questions to Bridged Network and OpenVPN

      Bonsai

Attached is my network as it should look next month, which is what is currently running fine on my desk.

All LAN clients and the OpenVPN clients are in the 172.17.172.0/24 subnet. (And I need no discussion about whether a bridged network makes sense or not. I would also like routed, but it is not possible because one piece of software really needs the broadcasts.)

My highest priority is that VoIP runs without any trouble. VoIP traffic always goes directly from LAN to WAN -> Internet and never into a VPN tunnel.
Second priority is that our ERP system gets enough bandwidth. But this runs inside the VPN tunnel, so I am not sure how to get this right.
Third priority is everything else in the LAN.
Fourth priority is the Private LAN / DMZ (depending on which of the two pfSenses).
It would be nice if the private LAN could use the full bandwidth, or at least most of the bandwidth, but only if the company LAN doesn't require the bandwidth.

I have now read a lot of different blogs, docs and threads in various forums, but I am still not sure what the best solution would be.
Is it even possible with this mix of bridged / routed / VPN tunnels?

Could somebody push me in the correct direction here, please? Is HFSC a good idea for me? How do I handle these ERP clients in Spain accessing the server in Germany?
[Attachment: Netzwerkdiagramm.PNG (network diagram)]

        Harvy66

First off, the main issue with traffic shaping is that you must set the interface rate limit to just below the minimum amount of bandwidth you expect to have. I have a dedicated 100Mb connection, so I can safely set my bandwidth to 98Mb/s.

        If you have a 100Mb connection of lesser quality during peak hours, you need to rate limit to your lowest, so if you dip to 80Mb, you need to limit to 78Mb/s, or some value below 80Mb.

Next problem. You cannot see into a VPN tunnel; pfSense will see a single encrypted flow. If you want to rate limit inside the tunnel, you need to set your tunnel interface to rate limit to the minimum rate you want to give the tunnel as a whole.

This does mean that in order to properly rate limit, you need to give it a maximum rate if you want to shape the bandwidth with something like HFSC inside the tunnel.

If you don't want to artificially set a maximum, but instead want the tunnel to be able to use any "free" bandwidth, then you could probably use PRIQ or FAIRQ. I would recommend trying FAIRQ first. CoDel may also work. If we had fq_codel or Cake, I would recommend those because they do well with fluctuating bandwidth where your interface is doing the buffering.

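As an added illustration of the two points in the reply above (rate limit below the worst-case link speed, and shape the tunnel on its own interface with a fixed ceiling), here is a pf ALTQ configuration of the kind pfSense renders from its shaper wizard. This is example code written for this page, not from either poster and not pfSense's own output. Everything concrete in it is an assumption: WAN is em0 on a 100Mb/s link that dips to 80Mb/s at peak, the OpenVPN server interface is ovpns1, VoIP uses SIP on UDP 5060 and RTP on UDP 10000-20000, OpenVPN listens on UDP 1194, the ERP server listens on TCP 8443 in the 172.17.172.0/24 subnet, and the private LAN is 192.168.50.0/24. Replace them with your real values.

```pf
# Added example, not from the thread. Interface names, ports and subnets below
# are assumptions for illustration only.
ext_if   = "em0"          # assumed WAN interface
tun_if   = "ovpns1"       # assumed OpenVPN server interface
priv_net = "192.168.50.0/24"   # assumed private LAN / DMZ
erp_net  = "172.17.172.0/24"   # bridged company subnet from the question
erp_port = "8443"              # assumed ERP server port

# Weak setting: shaper bandwidth equal to the nominal link speed. When the
# upstream dips to 80Mb/s the buffering moves to the ISP side and HFSC no
# longer decides which packet leaves first.
#altq on $ext_if hfsc bandwidth 100Mb queue { q_voip, q_vpn, q_lan, q_priv }

# Corrected: rate limit just below the lowest rate seen at peak (78Mb/s for an
# 80Mb/s dip), so the queue in pf is the one that fills.
altq on $ext_if hfsc bandwidth 78Mb queue { q_voip, q_vpn, q_lan, q_priv }
queue q_voip bandwidth 10% priority 7 hfsc(realtime 6Mb)   # guaranteed floor for voice
queue q_vpn  bandwidth 30% priority 5 hfsc(linkshare 30%)  # the whole tunnel is one flow here
queue q_lan  bandwidth 40% priority 3 hfsc(default)        # everything else from the company LAN
# Private LAN may borrow idle bandwidth via linkshare but never exceed upperlimit.
queue q_priv bandwidth 20% priority 1 hfsc(linkshare 20% upperlimit 70Mb)

# pf cannot see the ERP flows inside the encrypted tunnel on $ext_if, so they
# are shaped on the tunnel interface itself, which needs a fixed maximum rate.
# 20Mb/s is an assumed ceiling; it must stay below what q_vpn can deliver.
altq on $tun_if hfsc bandwidth 20Mb queue { t_erp, t_other }
queue t_erp   bandwidth 70% priority 5 hfsc(realtime 10Mb)
queue t_other bandwidth 30% priority 1 hfsc(default)

# Classification. "quick" makes the first match win, so order from most to
# least specific; the last rule on each interface is the catch-all.
pass out quick on $ext_if inet proto udp from any to any port 5060 queue q_voip
pass out quick on $ext_if inet proto udp from any to any port 10000:20000 queue q_voip
pass out quick on $ext_if inet proto udp from any to any port 1194 queue q_vpn
pass out quick on $ext_if from $priv_net queue q_priv
pass out quick on $ext_if queue q_lan
pass out quick on $tun_if inet proto tcp from any to $erp_net port $erp_port queue t_erp
pass out quick on $tun_if queue t_other
```

ALTQ only queues egress, so these rules shape traffic leaving the firewall towards the Internet and into the tunnel; download-side shaping needs a matching set of queues on the LAN-facing interface, which is what pfSense's wizard generates. A quick check that the rate limit is actually the one being hit is to watch the queue counters (pfctl -vvsq on the console, or Status > Queues in the pfSense GUI) during peak hours: if q_voip shows drops while the link is below the configured bandwidth, the 78Mb figure is still too high for that line.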