Shaping Queues by Subnet on Interface… Possible?



  • Hi All, I have a bit of a tricky one (I think, hopefully I'm just missing something obvious and it's actually easy)

    Short version:
    I need to set up queues per destination subnet on a single interface; is this possible?

    Detailed version:
    I have a situation whereby I want to set up traffic shaping / QoS for some MPLS (more of a private IP setup) links between our datacentre and clients, but we have a single interface per client even if they have multiple links, each of which will have different speeds.

    So the scenario is

    Our Router <--> WAN provider handoff at DC (/29 subnet) <--> WAN provider core routers <--> WAN provider handoff at site/office (/29 subnet per site) <--> Site router

    All subnets are non-public (i.e. in the 10.0.0.0/8 range)

    Where we have a client with multiple sites we only have a single handoff VLAN (and subnet) on the datacentre end but multiple handoff subnets on the sites (one per site). The handoff on the DC end basically has one IP on our side and one IP on their side for routing (plus HA IPs etc. but they aren't important). So the site's default route hits our IP on the handoff and we route anything destined for the sites to the WAN provider's IP on the handoff (i.e. the LAN side subnet for the site).

    So we'll have static routes pointing (for example), 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24... 10.10.15.0/24 to an IP on our handoff, the WAN provider takes care of the rest and ensures that traffic ends up on the required site.

    We have around 15 links terminating on a single handoff, ranging from 50meg synchronous, through a couple of 25/10 links down to a 6meg sync link. QoS/shaping on the upload (from site to DC) is handled on the CPE which is managed by the WAN provider so I only need to worry about the download (DC to site) traffic.

    The problem here is that, from my understanding, the speed needs to be set on the interface itself, which won't work in this case as taking a % of the total will still flood a single link, and using the lowest will mean a faster link will be throttled which isn't desirable.

    Is there any way I can set up the queues per destination subnet?

    Thanks



  • You match queues with firewall rules. You assign traffic to a queue the same way you block or allow traffic. Just create a rule that matches the traffic you want and assign it to a queue.



  • Hi
    I was thinking that, and yes I can use source networks on the firewall rules, but the simplest way to configure things is using a % of bandwidth (otherwise I'm going to end up with a very large number of queues for different bandwidth links) and the total bandwidth is set per Interface not per queue which makes this not possible.

    The only way I can think of would be to create sets of queues (at the moment I have 5 queues plus the ACK queue, so 6 in total) for each link speed, using actual speeds rather than percentages... but then one interface which has multiple links of different speeds would have multiple sets of queues and it won't let you have more than 100% of the bandwidth assigned across all queues, unless I don't set a speed on the interface... so things are starting to get a bit confusing here.



  • @mattbsyd:

    Hi
    I was thinking that, and yes I can use source networks on the firewall rules, but the simplest way to configure things is using a % of bandwidth (otherwise I'm going to end up with a very large number of queues for different bandwidth links) and the total bandwidth is set per Interface not per queue which makes this not possible.

    The only way I can think of would be to create sets of queues (at the moment I have 5 queues plus the ACK queue, so 6 in total) for each link speed, using actual speeds rather than percentages... but then one interface which has multiple links of different speeds would have multiple sets of queues and it won't let you have more than 100% of the bandwidth assigned across all queues, unless I don't set a speed on the interface... so things are starting to get a bit confusing here.

    The interface speed (root queue) must loosely match the actual speed of the link. You cannot have the interface set to a higher speed.

    Percentages are not a requirement when preparing for dynamic link-rates. HFSC's link-share values are proportional depending on the amount of available bandwidth. See https://forum.pfsense.org/index.php?topic=90512.msg505122#msg505122

    Notice that qTEST1 & qTEST2 are set to 1kbit and 6kbit respectively but they are using 10x that amount. Also notice that when I set my interface to 250mbit, traffic-shaping no longer functioned.

    I am a little unclear about your goal though.
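    The proportional link-share behaviour the reply above describes (qTEST1 and qTEST2 configured at 1 kbit and 6 kbit yet each using ten times that), as an added example that is not from the post and not pfSense or pf code: a small Python model of the steady-state share an HFSC parent hands its active children in proportion to their link-share weights, with optional upperlimit caps. Queue names and figures are constructed; it models the scheduler's allocation rather than running pf.

```python
"""Steady-state model of how an HFSC parent divides its bandwidth among
active child queues by link-share weight, with optional upperlimit caps.

Added illustration for the thread, not pf code: queue names and numbers
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Queue:
    name: str
    linkshare: float                    # m2 of the link-share curve (a weight)
    demand: float                       # what the queue currently tries to send
    upperlimit: Optional[float] = None  # hard cap, or None for no cap


def share_bandwidth(capacity: float, queues: List[Queue]) -> Dict[str, float]:
    """Water-filling: hand the remaining capacity out in proportion to
    linkshare among the still-unsatisfied active queues. A queue that wants
    less than its proportional share, or that hits its upperlimit, takes only
    what it can and the leftover is re-divided among the rest. Idle queues
    get nothing, which is why a queue configured with a small linkshare can
    use far more than its configured figure when others are quiet."""
    eps = 1e-9
    alloc = {q.name: 0.0 for q in queues}
    active = [q for q in queues if q.demand > 0]
    remaining = capacity
    while active and remaining > eps:
        total_w = sum(q.linkshare for q in active)
        settled = set()
        for q in active:
            fair = remaining * q.linkshare / total_w
            cap = q.demand - alloc[q.name]
            if q.upperlimit is not None:
                cap = min(cap, q.upperlimit - alloc[q.name])
            if cap <= fair + eps:
                # Wants (or may have) no more than its share: satisfied now.
                alloc[q.name] += max(cap, 0.0)
                settled.add(q.name)
        if not settled:
            # Everybody can absorb its proportional share: final round.
            for q in active:
                alloc[q.name] += remaining * q.linkshare / total_w
            break
        active = [q for q in active if q.name not in settled]
        remaining = capacity - sum(alloc.values())
    return alloc


if __name__ == "__main__":
    # Two queues with tiny link-share values on a 70 kbit parent: when both
    # are busy each gets ten times its configured figure, split 1:6.
    print(share_bandwidth(70, [Queue("qTEST1", 1, 1000), Queue("qTEST2", 6, 1000)]))
    # Three site queues under a 53 Mbit root, each capped at its tail speed:
    # site1 is nearly idle and the headroom it leaves is NOT handed to the
    # others, because their upperlimit pins them to their tails.
    sites = [Queue("site1", 20, 5, 20), Queue("site2", 8, 100, 8), Queue("site3", 25, 100, 25)]
    print(share_bandwidth(53, sites))
```

With a 70 kbit parent and both test queues busy the split comes out 10/60, the tenfold figure the reply mentions. Give each site queue an upperlimit equal to its tail speed and it stops there no matter how much headroom the root has, which is the per-site cap the original question is after; drop the upperlimit and the idle site's spare bandwidth is redistributed to the busy ones in proportion to their link-share.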



  • @mattbsyd:

    Hi
    I was thinking that, and yes I can use source networks on the firewall rules, but the simplest way to configure things is using a % of bandwidth (otherwise I'm going to end up with a very large number of queues for different bandwidth links) and the total bandwidth is set per Interface not per queue which makes this not possible.

    The only way I can think of would be to create sets of queues (at the moment I have 5 queues plus the ACK queue, so 6 in total) for each link speed, using actual speeds rather than percentages... but then one interface which has multiple links of different speeds would have multiple sets of queues and it won't let you have more than 100% of the bandwidth assigned across all queues, unless I don't set a speed on the interface... so things are starting to get a bit confusing here.

    "but then one interface which has multiple links of different speeds " How does a single interface have multiple "links"? You really need to define what you mean by "link". To me, an interface has only one link, which is why an interface has a "link rate", like 1Gb.

    Shaping subnets is as easy as creating a queue for each subnet and setting up your per queue settings.
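    Added example, not from any post in this thread and not configuration written by pfSense: a Python script that emits the pf.conf ALTQ/HFSC queue tree and the per-destination-subnet queue rules the two replies above describe (a queue per subnet, assigned by a firewall rule). It assumes pf.conf(5) hfsc syntax, a physical interface name of em1 standing in for OPT1, and a constructed site table loosely following the numbers in the thread. The root queue is sized to the sum of the site tails plus a small reserve for the mandatory default queue, and each site queue carries an upperlimit equal to its tail speed, so a root larger than any one tail never floods a slow one; pf's hfsc scheduler accepts nested child queues, which the site/ack/default layering relies on.

```python
"""Emit pf.conf ALTQ/HFSC queues and queue-assignment rules for several site
tails that all terminate on one handoff interface.

Constructed example for this thread; the site table and interface name are
assumptions, not real configuration. Output follows pf.conf(5) hfsc syntax.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Site:
    name: str        # short label used to build queue names
    subnet: str      # site LAN range = destination to match on the handoff
    down_mbit: int   # DC -> site speed; only this direction is shaped here


# Constructed sample data, loosely following the numbers in the thread.
SITES: List[Site] = [
    Site("site1", "10.100.1.0/24", 20),
    Site("site2", "10.100.2.0/24", 8),
    Site("site3", "10.100.3.0/24", 25),
]

# Reserve for the mandatory default queue (traffic matching no site rule).
DEFAULT_RESERVE_MBIT = 1


def root_bandwidth_mbit(sites: List[Site]) -> int:
    """Root queue = sum of all tails plus the default reserve, so the children
    never add up to more than 100% of the parent (pfctl rejects that)."""
    return sum(s.down_mbit for s in sites) + DEFAULT_RESERVE_MBIT


def queue_lines(iface: str, sites: List[Site]) -> List[str]:
    """One parent queue per site, capped by upperlimit at the tail speed, with
    an ack and a default child underneath; plus one interface-wide default."""
    children = ", ".join(f"q{s.name}" for s in sites) + ", qdefault"
    lines = [
        f"altq on {iface} hfsc bandwidth {root_bandwidth_mbit(sites)}Mb "
        f"queue {{ {children} }}"
    ]
    for s in sites:
        bw = f"{s.down_mbit}Mb"
        # bandwidth sets the link-share; upperlimit pins the site to its tail
        # speed even when the (larger) root queue has headroom.
        lines.append(
            f"queue q{s.name} bandwidth {bw} hfsc(upperlimit {bw}) "
            f"{{ q{s.name}_ack, q{s.name}_def }}"
        )
        # Child percentages are relative to the site queue, not the root.
        lines.append(f"queue q{s.name}_ack bandwidth 20%")
        lines.append(f"queue q{s.name}_def bandwidth 80%")
    lines.append(f"queue qdefault bandwidth {DEFAULT_RESERVE_MBIT}Mb hfsc(default)")
    return lines


def rule_lines(iface: str, sites: List[Site]) -> List[str]:
    """Assign traffic to a site's queues by destination subnet. In a queue
    pair the second queue receives empty TCP ACKs, the first everything else."""
    return [
        f"pass out quick on {iface} inet to {s.subnet} keep state "
        f"queue (q{s.name}_def, q{s.name}_ack)"
        for s in sites
    ]


def render(iface: str, sites: List[Site]) -> str:
    """Full fragment: queue definitions, a blank line, then the rules."""
    return "\n".join(queue_lines(iface, sites) + [""] + rule_lines(iface, sites)) + "\n"


if __name__ == "__main__":
    # em1 is assumed to be the physical name behind OPT1.
    print(render("em1", SITES))
```

Adding a fourth site is one more row in the table; the root bandwidth and the rule set follow from it. Check the result with `pfctl -nf` before loading it, and remember the rules only shape the DC-to-site direction, as the thread says the upload side is handled on the provider's CPE.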



  • Hi guys, sorry I've been a bit flat out and off the air for the last few days.
    Firstly, thanks heaps for the help so far :)

    To answer "How does a single interface have multiple "links"" and to clarify my goal for Nullity, what I mean by that is that we have one interface for each client, but a single client might have multiple remote sites. In that case, we have multiple MPLS/PrivateIP tails being routed into one interface at the carrier/ISP level.

    So I'll have (as a loose example of what's happening, made-up subnets etc.), OPT1 having an IP address of 10.1.2.6/29 which is a "hand-off" to our provider. The 10.1.2.1 IP is their side of the handoff.

    We'll then have three sites,
    Site 1: 20/20Mbit, LAN Range 10.100.1.0/24, WAN side is Hand-off to ISP on 10.1.3.0/29
    Site 2: 8/8Mbit, LAN Range 10.100.2.0/24, WAN side is Hand-off to ISP on 10.1.3.8/29
    Site 3: 25/10Mbit, LAN Range 10.100.3.0/24, WAN side is Hand-off to ISP on 10.1.3.16/29

    On each handoff the first IP is the ISP end, last is the site end.

    On the site routers their default route is the ISP end of their handoff, the ISP then has a routing table on the VRF for that client which points everything back at the 10.1.2.6 IP on OPT1 on our router, and points each of the sites' subnets back at the relevant router.

    On our router we have a static route for each site's LAN range (10.100.[1,2,3].0/24) pointing at 10.1.2.1, the ISP then routes that to the router on the relevant site.

    So my issue is that I have three sites/links, each with different speeds, terminating on the one interface on our end and I need to do some sort of QoS to each of them so the root queue speed is the issue I guess.

    Just thinking out loud… if the interface/root can be set to "100%" (or total of links), then have a second level per site, then the queues under it, that would probably work, but I don't see it letting me create a multi-level hierarchy...