Traffic Shaping With OpenVPN Clients



  • I've added two persistent OpenVPN client connections to my single WAN, single LAN pfSense box and assigned each an interface.  Of course, both of those interfaces are logical "children" of my single physical WAN interface.  But to my knowledge, there is no way to capture this relationship for purposes of traffic shaping.  In other words, my single WAN has an upload of 5Mbps.  But there is no way I know of to share one set of traffic queues between my physical WAN interface and the two logical OpenVPN client interfaces, which is what I'd like to do since they are all sharing that 5Mbps of bandwidth.  I attempted to create an interface group, but the traffic shaper doesn't allow for shaping interface groups.  If I had a single OpenVPN interface, and all traffic went through it, then I could apply shaping only to that interface.  But some traffic (e.g. Netflix) needs to bypass the VPN and go straight to the WAN.  And furthermore, I have two OpenVPN interfaces configured as a load balancing gateway group.

    So, maybe my goal of traffic shaping this configuration is out the window, but I wonder if anyone may have any slick ideas for accomplishing this.  For example, I'm not well versed in limiters.  Are they also interface-specific, or could I somehow make a 5Mbps limiter and force traffic for all three of these interfaces through it?  The most conceptually straightforward solution I found for this problem involved running two separate pfSense boxes in serial, but for me that's not worth the additional expense.

    Any thoughts would be greatly appreciated, and I'd be glad to provide more details of my setup if I've left out anything that may be pertinent.



  • Quick update . . . I see that a known limitation of limiters is the inability to use them on firewall rules for interfaces where NAT applies (https://doc.pfsense.org/index.php/Limiters#Known_limitations).  It appears that there will possibly be a fix/workaround for this in 2.4, but presently it seems that using a limiter in the manner I envisioned is not possible.


  • Rebel Alliance Developer Netgate

    @TheNarc:

    Quick update . . . I see that a known limitation of limiters is the inability to use them on firewall rules for interfaces where NAT applies (https://doc.pfsense.org/index.php/Limiters#Known_limitations).  It appears that there will possibly be a fix/workaround for this in 2.4, but presently it seems that using a limiter in the manner I envisioned is not possible.

    FYI- The problem with Limiters and NAT has been confirmed fixed on 2.4.



  • I've run into similar issues trying to apply shaping to some site to site VPNs that I have.  We also have 5Mb upload speed and the best I figured out was to create traffic shaping queues on my two VPN interfaces themselves.  I simply have a default queue and a high priority queue for that particular tunnel/interface.  I cap the bandwidth at 2Mbps for each of my two outbound tunnels.  Then I feed those queues into a qVPN queue together that is alongside the other traffic shaping queues on my outbound WAN.  Then the qVPN queue is shuffled into the needs of the other priorities on my WAN.

    VPN 1 ---------------------------\                 WAN Shaper
      -qDefault                       \                  qDefault
      -qPriority                       >---------------- qVPN
                                      /                  qVoip
    VPN 2 ---------------------------/                   etc.
      -qDefault
      -qPriority

    Sorry for my crude drawing but I hope it helps.  You can work with the queues on your WAN to make this work.  The downside is that if both of your VPN 1 and 2 queues send 2Mb up and fill the queue on the WAN interface and there is also competing traffic on the WAN, you might get packets dropped in places where you don't want them.  For me it has been working pretty well with the assumption that both of my VPNs don't tend to get loaded up at the same time as everything else.

    If anyone else has further ways to make this better I'm open to them.
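The layout in the post above, written out as a hand-written pf.conf ALTQ ruleset so the relationship between the per-tunnel queues and the WAN-side qVPN queue is explicit. This is an added illustration, not text from the thread and not the rules pfSense generates (pfSense builds its own /tmp/rules.debug from the GUI shaper settings). The interface names (em0 for WAN, ovpnc1/ovpnc2 for the two OpenVPN clients), the placeholder VPN server addresses, the 70/30 and 30/50/20 bandwidth splits, and the choice of SSH as "priority" and SIP as "VoIP" traffic are all assumptions made for the example.

```pf
# Added example, not from the thread and not pfSense-generated rules.
# Assumed names: em0 = WAN, ovpnc1/ovpnc2 = the two OpenVPN client interfaces;
# 198.51.100.10 and .20 are placeholder (documentation-range) VPN server addresses.
wan         = "em0"
vpn1        = "ovpnc1"
vpn2        = "ovpnc2"
vpn_servers = "{ 198.51.100.10, 198.51.100.20 }"

# Per-tunnel shapers: each tunnel is capped at 2Mb (as in the post), with a
# default child and a priority child, so prioritisation happens before the
# traffic is encrypted and becomes opaque to the WAN shaper.
altq on $vpn1 hfsc bandwidth 2Mb queue { qDefault, qPriority }
queue qDefault  on $vpn1 bandwidth 70% hfsc(default)
queue qPriority on $vpn1 bandwidth 30% hfsc(realtime 512Kb)

altq on $vpn2 hfsc bandwidth 2Mb queue { qDefault, qPriority }
queue qDefault  on $vpn2 bandwidth 70% hfsc(default)
queue qPriority on $vpn2 bandwidth 30% hfsc(realtime 512Kb)

# WAN shaper on the 5Mb uplink: the encrypted tunnel packets reappear here
# and are steered into qVPN, which competes with qVoip and qDefault.
# upperlimit 4Mb mirrors the two 2Mb tunnel caps from the post.
altq on $wan hfsc bandwidth 5Mb queue { qDefault, qVPN, qVoip }
queue qDefault on $wan bandwidth 30% hfsc(default)
queue qVPN     on $wan bandwidth 50% hfsc(upperlimit 4Mb)
queue qVoip    on $wan bandwidth 20% hfsc(realtime 1Mb)

# Queue assignment. Traffic leaving a tunnel uses that tunnel's queues
# (SSH chosen here as the "priority" traffic; an assumption for the example).
pass out on $vpn1 keep state queue qDefault
pass out on $vpn1 proto tcp to port 22 keep state queue qPriority
pass out on $vpn2 keep state queue qDefault
pass out on $vpn2 proto tcp to port 22 keep state queue qPriority

# The tunnels' own UDP packets (OpenVPN default port 1194) are matched on the
# WAN and placed in qVPN; everything else on the WAN falls into qDefault,
# with SIP (port 5060, assumed) as the VoIP example.
match out on $wan proto udp to $vpn_servers port 1194 queue qVPN
pass out on $wan proto udp to port 5060 keep state queue qVoip
pass out on $wan keep state queue qDefault
```

Two things worth keeping in mind when reading this against the post's caveat: the WAN-side qVPN queue sees the tunnel traffic after OpenVPN's UDP and TLS encapsulation, so two tunnels each capped at 2Mb will present slightly more than 4Mb to qVPN and the upperlimit will shave some of it; and because the per-tunnel queues drop their own excess before encryption, the drops the post describes happen in qVPN on the WAN, where the shaper can no longer tell priority tunnel traffic from default tunnel traffic. The syntax above can be checked without loading it using `pfctl -nf <file>`.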

