Underpowered hardware for shaping?



  • Here's my network: https://drive.google.com/file/d/0B0mhOZUFTqv7ZUtLbVpTTUZtUkU/view

    In that diagram, the pfSense box is a Zotac CI323 (Celeron N3150, 4GB RAM, 60GB SSD).

    What I'm trying to accomplish:

    Anything on the network can utilize as much bandwidth as it likes whenever it likes, but when multiple devices are competing for b/w, I want to simply prioritize the traffic.  So based on this, I decided a series of PRIQ queues was in order.

    Eventually I want 5 queues (highest, high, default, low, lowest), but to start with I simply created 3 queues: high, default, low.

    To get my feet wet, I simply want to put all traffic routing thru the VPNC tunnel into the low queue, everything else can go to default.  I don't want to prioritize traffic within ovpn tunnels, I simply want to prioritize traffic going thru them.

    So I created two floating rules:

    1. Match all outgoing tcp traffic on WAN and put the ACKs in high and everything else in default
    2. Match all traffic going out WAN udp/1194 to the VPNC destination address and put it in the low queue.

    The default queue is the default so everything else ends up there.

    Everything seems to be working.  The traffic going thru the VPNC tunnel is hitting the right queue, all looks good.  However, all traffic (thru the VPN or straight thru the WAN) is suddenly capped at ~5Mbps.  I remove the queues and immediately everything (VPN tunnels and WAN) starts to saturate my link again.

    Initially the queue sizes of 50 seemed to be too low as single hosts were causing drops on the queues so I increased the queue sizes until a single host was no longer causing drops, but this didn't increase the throughput.  With the queues on I top out at 5Mbps, once I remove the queues, I can fully saturate my link (50/50 FTTH which is actually over provisioned to ~60/60).

    I'm starting to get the idea that my little Zotac isn't capable of traffic shaping?  But I question that because as I monitor top output with the queues active, I don't see the CPU being pegged or even overly taxed.  So now I'm wondering if I'm just totally missing something with my configuration?  Again, I don't want to shape traffic in any vpn tunnels, I just want to prioritize traffic going thru vpn tunnels.

    Eventually, the end goal is something like this:

    1. Traffic from media devices on VLAN 44 = highest
    2. All other traffic from VLAN 44 = high
    3. Traffic from VLAN 55, VPNS or VPNx (remote managed networks) = default
    4. Traffic from VLAN 66 = low
    5. Traffic from VPNC = lowest

    VPNC will have a tendency to saturate the link at random times of the day and that's fine when nothing else is using b/w, but if VPNC and media devices on VLAN 44 are competing for b/w then I don't want the Netflix/etc. streams on VLAN 44 to drop quality, which is what currently happens.

    Is this looking like the Zotac is underpowered or am I just not configuring this right and that's why my link is capped at 5Mbps when I enable the queues?

    Help appreciated.



  • fwiw, got it all working.  Originally, I was setting the bandwidth in Mbps and that seemed to be misinterpreted.  I found an older thread on here talking about a bug when using Mbps and instead used Kbps to set the bandwidth and then all was good.  Once the b/w issues were resolved, the rest fell into place nicely.  Got all my PRIQ queues set up and functioning as desired.  Running all my "end goal" queues as desired.
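Worked example (added here, not part of the thread and not pfSense's generated ruleset): the PRIQ layout the original post describes, written as a pf.conf ALTQ fragment so the queue/priority/default relationships and the two floating "match" rules are visible in one place. It goes beyond the first post's three-queue trial and lays out the five "end goal" queues, gives pure ACKs their own top-priority queue instead of reusing "high", and states the root bandwidth in Kb the way the follow-up post resolved the 5Mbps cap. The interface name, the VLAN subnets, the media-device addresses and the VPNC peer address are all assumptions; the remote-site tunnels (VPNS/VPNx) and VLAN 55 are left in the default queue as the post wants.

```pf
# Illustrative pf.conf fragment (added example, not the thread's or pfSense's
# own rules). Interface, subnets and the VPNC endpoint below are assumptions.
wan          = "em0"                                 # assumed WAN interface
vlan44       = "192.168.44.0/24"                     # assumed VLAN 44 subnet
vlan44_media = "{ 192.168.44.10, 192.168.44.11 }"    # assumed media devices
vlan66       = "192.168.66.0/24"                     # assumed VLAN 66 subnet
vpnc_peer    = "203.0.113.10"                        # constructed VPNC endpoint

# Root PRIQ discipline on WAN egress. The link rate is given in Kb (50000Kb,
# i.e. 50 Mbit/s) rather than Mb, matching the unit the follow-up post found
# to work. PRIQ children carry no bandwidth of their own: a higher-priority
# queue is always drained first, so nothing is capped while the link is idle
# and lower queues only yield when the link is actually contended.
altq on $wan priq bandwidth 50000Kb \
    queue { qAck, qHighest, qHigh, qDefault, qLow, qLowest }

# PRIQ priorities run 0..15, higher wins. qlimit is the per-queue packet
# limit; pf's default is 50, the value the first post started from and then
# raised because single hosts were overflowing the queues.
queue qAck     priority 15 qlimit 100
queue qHighest priority 10 qlimit 500
queue qHigh    priority 8  qlimit 500
queue qDefault priority 5  qlimit 500 priq(default)
queue qLow     priority 3  qlimit 500
queue qLowest  priority 1  qlimit 500

# Floating "match" rules. match rules stack and a later match rule's queue
# assignment replaces an earlier one, so the general TCP rule goes first and
# the more specific placements follow it.

# Rule 1 of the post: all outbound TCP. The second queue of the pair receives
# empty ACKs and TOS lowdelay packets; everything else lands in qDefault.
match out on $wan proto tcp from any to any queue (qDefault, qAck)

# End-goal placement by source. VLAN 44 as a whole goes to qHigh, the media
# devices on it to qHighest (listed after, so their rule wins), VLAN 66 to
# qLow. VLAN 55 and the managed-site tunnels stay in the default queue.
match out on $wan from $vlan44       to any queue (qHigh,    qAck)
match out on $wan from $vlan44_media to any queue (qHighest, qAck)
match out on $wan from $vlan66       to any queue (qLow,     qAck)

# Rule 2 of the post: the VPNC tunnel. Only the encapsulated OpenVPN stream
# to the peer is matched, so the tunnel is prioritized as a whole and nothing
# inside it is shaped separately.
match out on $wan proto udp from any to $vpnc_peer port 1194 queue qLowest

pass out on $wan all
```

The check that goes with this layout is the one the first post already did by hand: with the queues active and a single host pushing traffic, `pfctl -vvsq` should show that host's queue reaching the link rate with no drops; if every queue tops out at a few Mbit/s while the CPU sits idle, the root bandwidth value (unit included) is the first thing to re-read, not the hardware.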