Guaranteed Bandwith to a VLAN
Hi at all,
I want to use pfSense to guarantee a VLAN a Internet Bandwith. For example: I have a total Internet Speed of 500 Mbit/s and want to guarantee VLAN 20 a Bandwith of 100Mbit/s and VAN 21 a speed of 50MBit. The other VLANs did´t need a guaranteed Bandwith. All users in all VLANS should be able to use the full 500 MBit/s. But when the internet speed gets slow, the vlan 20 and 21 should get the guaranteed speed.
I tryed different things with the traffic shaper but I dont know if my settings are correct.
Can anybody give me a step by step tutorial?
I use pfSense Version 2.4.2.
- There is no way for pfSense to know if the Internet is "getting slow"
- Probably need to use limiters on your WAN interface. I am not familiar with them, but I think you can have them share a pool of bandwidth, then you just need to figure out how to match the traffic to apply the correct limiter.
But pfSense knows how much traffic is in use. If not, how can a limiter work?
I can tell pfSense how much Internetspeed I have. And when the WAN usage is above this limit, it gives the bandwidth first to my desired VLAN.
Yes, I think this should be possible to setup with limiters and queues.
I assume what you want is VLAN 20 with a guaranteed bandwidth of 100Mbit, VLAN 21 with a guaranteed bandwidth of 50Mbit, and the rest (350Mbit) can then be used by other VLAN's you have.
Here's how I would set this up with Limiters.
1) Go to Traffic Shaping, Limiters.
2) Setup one upload and one download limiter.
3) Set the appropriate bandwidth under each limiter (e.g. if your connection is symmetric 500Mbit, setup 500Mbit for upload limits and 500Mbit for download limits).
4) Under BOTH the upload and download limiters, setup three queues under each.
5) For the download limiter, create one queue for VLAN 20, one for VLAN 21 and another for the rest of your VLAN's. For each of these download queues make sure to choose "Destination addresses" as Mask.
6) For the VLAN 20 queue, enter 20 for Weight under Advanced Options. For the VLAN 21 queue enter 10, and for the third queue (rest of your VLAN's) enter 70.
7) Now repeat this for the upload limiter. However, when creating the queues, make sure to choose "Source addresses" for Mask this time. Use the same weights as you did for the download queues above.
8 ) Once you have created the two limiters, and six queues, we need to apply the queues to your firewall rules.
9) For VLAN 21, go to the firewall rule that allows outbound traffic (e.g. your default allow all rule), and then go to Advanced Options, In/Out Pipe.
10) For In Pipe, choose the VLAN 21 queue that you created under the upload limiter. For the Out Pipe, choose the VLAN 21 queue that you created for the download limiter. For example, if the queue under the upload limiter was called v21_upload and the queue under download was called v21_download, you'd put v21_upload under In Pipe and v21_download under Out_Pipe.
11) Repeat Steps 9 and 10 for VLAN 20 and your other VLAN's. Keep in mind that you'd use the queues you created for VLAN 20 under the VLAN 20 firewall settings, and the third queues that you created for the rest of your VLAN's for the other VLAN's you might have.
This setup should hopefully guarantee 100Mbit to VLAN 20, 50Mbit to VLAN 21, and the rest of bandwidth would be available to the other VLAN's. If the VLAN 20 and 21 have no traffic, the other VLAN's should be able to use the full 500Mbit.
There is one caveat to this setup you should be aware of: If you do any routing of traffic between VLAN's internally, it will now also be limited with these settings. To get around that, setup another firewall rule right above the rule that allows the outbound (limited) traffic, to allow traffic pass between the desired VLAN's, but leave the In Pipe and Out Pipe sections empty to ensure full line speed.
Hope this helps.
Thank you very much for your detailed post.
What I don‘t understand is why do VLAN 20 and 21 gets the desired guaranteed bandwidth with this settings (20% for vlan 20, 10% for vlan 21 an 70% for all other vlans)?
By setting up a limiter with 500Mbit limit and weighted queues underneath that limiter you can ensure that traffic in those queues has access to the desired bandwidth in a scenario where the connection might be maxed out.
In your case, 20% of 500Mbit is 100Mbit, 10% of 500Mbit is 50Mbit, and 70% is 350Mbit. If your connection is connection is saturated this should guarantee that VLAN 20 gets 100Mbit, VLAN 21 gets gets 50Mbit, and the rest of the VLANs share 350Mbit (total = 500Mbit). In a scenario where there connection is not saturated, all VLAN's should have access to the full 500Mbit bandwidth (e.g. if there were only one users in VLAN 21 for instance).
Is this not what you are looking to accomplish?
Yes, I thik this is what I want. I had to read your post a few times more :D
When all vlans can download full speed when the bandwidth is not saturated it is cool.
thank you very much. I will try it
One more question. When I have 2 250Mbit wan connections and load balance it,I can use the same settings used for 1 500Mbit wan connection, because we only make changes in the vlan settings and not in any wan setting right?
Great! I think the key thing to understand here is that there is only one limiter with 500Mbit limit and multiple queues sharing that limit. In a scenario where the connection is saturated, the weights on the queues come into play ensuring that the desired bandwidth is available to traffic in those queues.
Now, if you instead wanted to ensure that VLAN 20 and VLAN 21 could never under any circumstances access more than 100Mbit and 50Mbit respectively (even if the 500Mbit connection is not saturated), you'd actually have to setup multiple limiters (one with 100Mbit limit, and one with a 50Mbit limit).
Regarding the WAN load balancing question- I don't have experience setting up limiters under such a scenario. However, I think it may still work for the reason you described. Go ahead and give it a try.
So, now I found time to test this scenario in our office.
I had now only 70MBit in down and 20MBit up, but the setting are the same except the weight settings. I have 20 Notebooks connected to several VLANs, and one Notebook that is connected to VLAN 53. This VLAN should have a guaranteed bandwith of 20MBit down/5 Up.
I configured pfSense as you write. Unfortunately it doesn´t work. I start a download of a linux distribution (1,8GB) on all stations, but the bandwith is on all machines the same (also the Notebook on vlan53). It seems that the queues doesn´t be enabled. I test it with a weigt of 99 (VLAN53) and 1 (all other VLANs.). Also no changes.
Only when I don´t use the queues it works with the limiter. For example: I make a limiter with 20MBit down for VLAN 53 and a other limiter with 1 MBit down for all other VLANs. Than the Notebooks in all other VLANs can download with 1 MBit (for each machine, they don´t share the 1 MBit) and the Notebook in VLAN 53 can download with 20MBit.
But this is not what I want. The Notebooks in all other VLAN should be able to download in full-speed when the Notebook in VLAN 53 does not use the Internetconnection.
Does anyone have an idea to fix this problem?
pfSense cannot shape across interfaces. (Man, I wish it could).
The only solution I found, was to have a floating rule that put each networks' traffic into a single queue, and put the weights on those queues. It allows for queue1,2,3... to have guaranteed bandwidths, but it does not allow for QoS of different types of data within each queue - so you would not be able to prioritize VoIP packets over HTTP data within queue1, for example.
thank you for your reply.
Can you give me a step by step instruction for this?
Not really, no. I don't currently have it set up in my current environment.
I can tell you to go through the HFSC wizard with as minimal options as possible. You should end up with a basic shaper with 2 LANs, and some firewall rules. You need to trim the basic shaper down to only two "internet" queues (one per LAN), and have those same two queues on the WAN. Then in the Firewall floating rules, remove all of the shaping-related firewall rules, and make two new ones (one for each LAN network) and put that traffic into it's respective queue.