VPN Shaping



  • Hello all,

    I am using pfSense 2.3.1-RELEASE-p1.

    I have read that it is possible to shape VPN relative to non-VPN traffic.
    I have an OpenVPN tunnel with a remote OpenVPN server (listening on 1195/udp).
    I have added a floating rule as follows:

    • action: match

    • interface: WAN interface selected

    • direction: out

    • protocol: udp

    • source IP: any

    • destination IP: IP address of remote OpenVPN server

    • destination port: 1195

    • Ackqueue/Queue: none/qVPN

    I see that this rule does NOT match any VPN packets going to the remote OpenVPN server.
    When I checked the Diagnostics -> States page at different times, I saw either one of the 2 lines below:

    • lo0 udp 197.a.b.19:2296 -> 91.c.d.66:1195

    • WAN udp 197.a.b.19:2296 -> 91.c.d.66:1195

    1. Why is it that the OpenVPN tunnel states are bound to different interfaces at different times? Or, is that so?
    2. If the OpenVPN tunnel client endpoint is bound to the lo0 interface, I suppose it is normal that the floating rule will not match any VPN traffic. Isn't it?
    3. If the answer to #2 is yes, then should I conclude that it is impossible to shape the OpenVPN tunnel relative to non-VPN traffic?
    4. Otherwise, how should the shaping be done?

    Thanks for any help.

    PS: I have some other related questions, but I'll probably open a new thread for them.



  • Any help please?



  • You can't share bandwidth between interfaces when it comes to shaping. In order for shaping to work, you need to know how much bandwidth you actually have. If you assign your VPN to have 10Mb of bandwidth, then any shaping you do in your VPN tunnel must never go above 10Mb, otherwise shaping within your tunnel may not work correctly. Rule of thumb, in order to properly shape, you must never go above your guaranteed bandwidth.
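
    An added illustration, not pfSense's generated ruleset and not code from either poster, of what the floating rule from the first post and the "stay inside your guaranteed bandwidth" point above look like in raw pf.conf syntax, so the rule's hit counters and queue can be checked with pfctl. The WAN name em0, the 20Mb link figure and the queue shares are assumptions; the server address is the poster's obfuscated one.

    ```pf
    # Added illustration, not pfSense's own generated rules. Interface em0 and the
    # 20Mb/6Mb figures are assumed; 91.c.d.66:1195 is the poster's obfuscated server.

    # Parent queue on the WAN egress: the total must not exceed the bandwidth you
    # actually have, or no child queue can be guaranteed anything.
    altq on em0 hfsc bandwidth 20Mb queue { qDefault, qVPN }
    queue qDefault bandwidth 70% hfsc(default)
    # Cap the tunnel at a fixed 6Mb so anything shaped inside the tunnel is
    # sized against a limit the tunnel can never exceed.
    queue qVPN     bandwidth 30% hfsc(upperlimit 6Mb)

    # Equivalent of the floating rule in the first post: a match rule only tags
    # the OpenVPN packets with qVPN; the pass rule that creates the state still
    # applies, and the tag is applied on the interface named here.
    match out on em0 proto udp from any to 91.c.d.66 port 1195 queue qVPN

    # Checks (run from a shell, not part of pf.conf):
    #   pfctl -vvsr | grep -A2 'port 1195'   # Evaluations/Packets counters per rule
    #   pfctl -vsq                            # per-queue packet and byte counts
    #   pfctl -ss | grep 1195                 # which interface holds the state
    ```

    If the Packets counter on the match rule stays at zero while the queue counters for qDefault grow, the tunnel packets are not being evaluated on the interface the rule names.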



  • Hello Harvy66,

    Thanks for your reply.
    However, I'm not sure I understood what you meant by "you can't share bandwidth between interfaces…".
    Am I doing that here?

    What I don't understand are:

    • why my floating rule, as described in my original post, is not matching the OpenVPN traffic at all (it would be great to get this one working),

    • why, once or twice, I found the OpenVPN tunnel connection states bound to the lo0 interface.

    Any idea on the above two queries?

