PfSense 2.4 Shaping for Cisco VPN workstation, & general Roku/Fire/Apl streaming



  • I have a single LAN, single WAN interface. Internally, I have two work-related PCs that should take the highest priority for any network traffic. The workstation connects via Cisco AnyConnect VPN. I know the target network/mask for the work PC's VPN client if that helps, and of course its source IP.

    Work PCs have the range of 1.5 - 1.10.
    The media devices all have the IP range of 1.96 - 1.110.

    Priority 7:  Work PCs:  172.16.1.5 - 172.16.1.10
    Priority 6:  Media Devices:  172.16.1.96 - 172.16.1.110  (Rokus, Amazon Fire TVs, Apple TVs)
    Priority 6:  Media Servers:  172.16.1.200
    Priority 3:  Default traffic
    Priority 2:  Low priority

    The Work PCs should take priority above all others (excluding any traffic that must always be routable, if any).
    The media devices will sometimes stream from the local Plex media server (172.16.1.200), and sometimes from the internet from various sources (Sony VUE, Netflix, Amazon, etc.). This traffic (including traffic from the Plex media server) should be right under the Work PC priority, and above the 'default' traffic queue.

    I know some of the shapers do not use priority in this sense, but I list it this way so it's easy to understand the importance of the traffic.

    I've been banging my head trying to get this working consistently for 2 weeks and I rarely manage to capture anything in a floating rule using any combination of source, destination, WAN/LAN, network IP/mask, etc.

    Really need help with this at this point. Any suggestions? I'd like to get HFSC working, but will take anything at this point that gets me a little closer.



  • With your setup, PRIQ is likely never going to be optimal. Use CBQ, HFSC, or FAIRQ so that you can allocate bandwidth amounts.

    Though, you did not give us enough details to even begin helping you. What exactly have you tried? What were the expected results and the actual results?

    First you need to get your firewall rules to grab the proper traffic, which should be easy. Read the pfSense wiki.
    Once that is worked out you can move on to setting up your traffic-shaping queues and testing them.



  • I've tried the built-in wizard, using a single LAN/WAN for PRIQ and HFSC, and then tried assigning floating rules to the resulting queues, but not much luck. I also have a set of fairly broad floating rules to match traffic using a quick rule and assign it to a queue, but when looking at the actuals in STATUS -> QUEUES, I see no traffic in those.

    I don't see a way to export these rules so that you can examine them offline.

    The irritating part is this seems relatively simple. Capture traffic to/from various IPs locally or from the WAN interface, and assign it to a queue, and my rules keep coming up empty.



  • @DJRumpy:

    > I've tried the built-in wizard, using a single LAN/WAN for PRIQ and HFSC, and then tried assigning floating rules to the resulting queues, but not much luck. I also have a set of fairly broad floating rules to match traffic using a quick rule and assign it to a queue, but when looking at the actuals in STATUS -> QUEUES, I see no traffic in those.
    >
    > I don't see a way to export these rules so that you can examine them offline.
    >
    > The irritating part is this seems relatively simple. Capture traffic to/from various IPs locally or from the WAN interface, and assign it to a queue, and my rules keep coming up empty.

    Scroll down to the bottom of this page on the pfSense wiki.



  • OK, I've turned off quick match on all of the floating rules that I'm using to assign a queue.

    Let me start with a basic one. Netflix.

    23.246.0.0-23.246.63.255 or 23.246.0.0/18

    I want to capture traffic from that source range to my WAN or LAN interface, and assign it to my streaming queue.

    I've set up two rules, with both interfaces selected: one rule with the Source set to that network/mask, and the other rule with the Destination set to that network/mask.

    I could also go in and assign my aliased network streaming devices with a source to/from that mask as well, and I should see it capturing some traffic, yes?



  • Did you go into the Advanced options and direct the traffic into a predefined queue in the Queues section?



  • Yes. I also reset the states, but no luck so far.



  • I do see an error reloading the filters.

    Checking for filter PF hooks in package /usr/local/pkg/miniupnpd.inc
    There were error(s) loading the rules: pfctl: linkshare sc exceeds parent's sc - The line in question reads [0]:

    I'm not sure where to start on this one.
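    The pfctl error quoted above is HFSC's rule that the link-share curves of a queue's children, taken together, must stay under the parent's curve. The Python below is an added example, not code from the thread or from pfSense: it models a queue tree with the thread's queue names and checks a simplified reading of that validation; the 10 Mbit/s uplink and all bandwidth figures are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Curve:
    """HFSC service curve: m1 Kbit/s for the first d ms, then m2 Kbit/s."""
    m2: int
    m1: int = 0
    d: int = 0

    def service(self, t_ms: int) -> int:
        """Bits permitted by time t (Kbit/s * ms == bits)."""
        return self.m1 * min(t_ms, self.d) + self.m2 * max(t_ms - self.d, 0)

@dataclass
class Queue:
    name: str
    priority: int          # 0-7 as in the thread; not part of the curve check
    linkshare: Curve
    children: List["Queue"] = field(default_factory=list)

def _under(children: List[Queue], parent: Curve) -> bool:
    # Curves are piecewise linear, so the summed child curve stays under the
    # parent's iff it does so at every breakpoint and in steady-state slope.
    points = {0, parent.d, *(c.linkshare.d for c in children)}
    if any(sum(c.linkshare.service(t) for c in children) > parent.service(t)
           for t in points):
        return False
    return sum(c.linkshare.m2 for c in children) <= parent.m2

def check_linkshare(q: Queue) -> Optional[str]:
    """Walk the tree as pfctl loads it (simplified model): each child joins its
    accepted siblings and the aggregate must stay under the parent's curve.
    Returns the first queue that would trip the error, or None if it loads."""
    accepted: List[Queue] = []
    for child in q.children:
        accepted.append(child)
        if not _under(accepted, q.linkshare):
            return child.name
        bad = check_linkshare(child)
        if bad:
            return bad
    return None

def build_wan(streaming: Curve) -> Queue:
    """Constructed WAN tree for the thread's queues on a 10 Mbit/s uplink."""
    root = Queue("wan_root", 0, Curve(m2=10_000))
    root.children = [Queue("qWork", 7, Curve(m2=4_000)), Queue("qStreaming", 6, streaming),
                     Queue("qDefault", 3, Curve(m2=2_000)), Queue("qLow", 2, Curve(m2=1_000))]
    return root
```

    A burst (m1 over d) that fits on its own can still fail once its siblings are added, so the whole tree has to be re-checked after every queue edit.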



  • OK. That problem is resolved. I trashed the shaper and started over. Removed any quick rules, and still no luck seeing any captured data from the rules.



  • @DJRumpy:

    > OK. That problem is resolved. I trashed the shaper and started over. Removed any quick rules, and still no luck seeing any captured data from the rules.

    Post a screenshot of your rules.



  • Screenshot of the floating rules.

    ![Screen Shot 2016-12-06 at 7.46.52 AM.png](/public/imported_attachments/1/Screen Shot 2016-12-06 at 7.46.52 AM.png)