1. Home
  2. pfSense® Software
  3. Traffic Shaping
  4. OpenVPN and QOS - can't catch it by floating rule

OpenVPN and QOS - can't catch it by floating rule

  • Z

    Hi guys!

    Need to catch OpenVPN client traffic by floating rule and send it to shaper queue.

    I've tried various setups, googled, read forum. Nothing. It goes to default queue no matter what I did.

    My setup
    2.3.2-RELEASE-p1 (amd64)
    2 WAN
    4 VPN Clients
    1 LAN

    OpenVPN client
    Peer-to-peer
    UDP
    tap
    interface WAN1
    server headquarters_WAN1
    server port 11930
    //Interface need to be here. Can't setup LAN, localhost etc. There are few clients from/to different wans and ospf routing.

    States
    WAN2(?) udp WAN1:6442 -> headquarters_WAN1:11930
    //bug? Diagnostics - States show interface WAN2, but source WAN1. Also in status - OpenVPN (local and reote) and remote state I see WAN1 ip address.

    Floating rule
    Match
    int WAN1
    out
    IPv4
    UDP
    dst port 11930
    Ackqueue / Queue qDlAckWAN1 / qDlVpnWAN1

    Tried catch it by dest address, dst port, src port. No luck - it goes to qLink.
    What I'm missing?

    Appreciate any help.

    0
  • N

    Unless you require a floating rule, just use an interface rule.

    0
  • Z

    @Nullity:

    Unless you require a floating rule, just use an interface rule.

    I can't use interface rule. OpenVPN is in client mode and it should use specific interface (WAN1).
    Correct me if I'm wrong.

    Upd
    Just changed action of floating rule to reject and vpn blocked. Then floating rule applies to VPN and it is correct i think.
    Changed it to match and again all vpn goes to qLink (default queue).
    All other traffic (ack, web, voip, p2p) goes to queues without problems.
    I'm stuck.

    0
  • D
    Banned

    You can use the interface rules as soon as you assign the OpenVPN client to a new interface (Interfaces -> Assign).

    0
  • C

    I've gone rounds with traffic shaping too on pfSense.  What I've learned is that pfsense is going to shape the traffic related to the state created with the connection.  So if a client connects to your WAN interface on your vpn server port 11930 all traffic will be assigned to the traffic shaper queues for the rule that creates that state.  Once I understood this myself it all became clearer.  Think according to states.  And always go to the diagnostic tabs and reset the firewall states after you change shapers, or they won't take and you'll be scratching your head.

    So, I would assume you have a rule on your WAN interface tab that allows port 11930 through to your VPN server correct?  I would go into that rule and go to Advanced Options and set your Queue/Ack Queue settings there.  This is how I have all of my vpns setup and it seems to work well.  The bandwidth shaping you want to do for your uploads with go on the right side selecting a "Queue".  You can leave the ACK queue blank if your connection uses UDP because there are no ACK packets returned.

    I hope this helps.

    0
  • Z

    @churchtechguy:

    So, I would assume you have a rule on your WAN interface tab that allows port 11930 through to your VPN server correct?

    Thanks for suggestion churchtechguy. But it's vpn client connection, not server. So there are no rules in fw for that.
    About UDP - thanks, my bad.

    @doktornotor:

    You can use the interface rules as soon as you assign the OpenVPN client to a new interface (Interfaces -> Assign).

    So I should assign each OpenVPN interface, and then… Sorry, not understand. It's download queue (on LAN interface).

    0
  • C

    I'm sorry, my bad.  I misunderstood your question.  :(  I think I understand now.

    Shaping traffic going out is difficult with the floating rules and I feel like its hit or miss that I've gotten it working.

    By VPN Client you mean that you're using OpenVPN to create a site to site tunnel to your main headquarters?  If so, I have some shaping setup like that on my servers and I can look and let you know.

    0
  • Z

    So.

    To be clear. pfSense is OpenVPN client. I want to shape tunnel's download and place it in LAN out queue.

    Queue applies to the state.
    Then floating rule should look like that:
    LAN out
    source - remote private network
    destination - LAN net
    queue - qVpn

    But I have 2 WANs, 2 queues on LAN for that WANs and redundant VPN connections.

    So I see options
    1. Place OpenVPN clients on another PC on LAN. Then shaping will be easy. But I need dynamic routing on vpn clients, so OSPF need to be moved too. Bad.
    Quesition - maybe I can do that logic some way without 2nd PC on pfSense itself?
    2. Limit VPN speed on VPN options and subtract this from WAN speeds on QOS. Better then previous, but still bad.
    3. Use single VPN connection on single WAN. No failover, no redundancy.
    4. Don't use shaping
    5. I'm doing something wrong.

    0
  • N

    There are likely a few ways to accomplish your goal.

    You could try creating a firewall rule on both WANs to catch the incoming OpenVPN packets and mark them (it's in the Advanced section of the rule). Then match these marked packets with a LAN firewall rule and assign them to the appropriate queue.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy