Traffic shaping with VPN client



  • Hi all,

    I use AirVPN as my VPN provider and have pfSense run the client so that most of my traffic goes through the VPN.

    Now that I am "playing" with Traffic Shaping, I am unsure how to treat the VPN. After all, the VPN Client uses the WAN.

    0_1535120585684_Screen Shot 2018-08-24 at 16.16.10.png

    How should I be setting up traffic shaping? I have about 11Mbit Upload bandwidth so would I

    • Set both WAN and VPN to a Root queue of 11Mbit each?
    • Put 5.5Mbit on each?

    How would I handle my traffic going over the VPN? A floating rule on both WAN and VPN and a queue on WAN and VPN knowing full well traffic will be restricted to VPN?

    Any help or documentation that could help me understand would be welcome! ;)

    Thanks!



  • It's quite difficult to use ALTQ-based shaping when you have VPN client connections involved. I would suggest using limiters instead. Check out this thread:
    https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4

    I run with VPN client connections and shape with limiters myself, so if you need more information I'd be glad to help.



  • Thanks a lot for your help. I saw a good video about traffic shaping and wanted to give it a go.

    I'll read the article and follow your suggestion.

    Thanks again!



  • No problem. It's a very long thread though, I wish I could link to something more concise. I can easily tell you my setup:

    • Two limiters (one for upload, one for download). Mask set to None on both. Obviously, the upload limiter should have a bandwidth limit slightly below your ISP's upload cap, and the download limiter should be slightly below the ISP's download cap. It may take some experimentation to determine how far below the ISP's caps you need to go before getting consistently good bufferbloat measurements.
    • Optionally, you can add queues underneath each pipe. This is mostly if you want some sort of quasi-prioritization. There seems to be some debate over how well this works. But I have two queues under each pipe, just high and low priority. The Weight is what determines the de facto priority. So I have my low priority queue weighted at 30 and high at 70. The weights don't need to sum to 100, they're just applied proportionally (I could use 3 and 7 too). I just find it more intuitive to make them sum to 100. Also of note, the weights aren't hard limits (i.e. if no traffic is going through the low priority queue, the high priority queue will be allowed to use 100% of the bandwidth). I also have 32-bit masks on my queues, which means that each host will get its own queue. This is an area where I'm honestly a bit fuzzy as to the usefulness, but I was following guidance from that thread too. Again, it's something you may want to experiment with. If you do set masks though, you want a Destination mask on your download queue(s) and a Source mask on your upload queue(s).
    • Install the Shellcmd package so that you can automatically re-apply fq_codel on reboots and filter reloads. I believe that the need for this will go away when 2.4.4 is released with official fq_codel support, but for now you need it. Add the same command twice, once as type "shellcmd" and once as type "afterfilterchangeshellcmd". Here is the command that I use. It's specific to my setup with 2 child queues under each pipe, but I think you can parse the syntax and adapt as required:

    ipfw sched 1 config pipe 1 type fq_codel limit 4096 quantum 300 noecn && ipfw queue 1 config sched 1 pipe 1 mask dst-ip 0xffffffff && ipfw queue 2 config sched 1 pipe 1 mask dst-ip 0xffffffff && ipfw sched 2 config pipe 2 type fq_codel limit 4096 ecn && ipfw queue 3 config sched 2 pipe 2 mask src-ip 0xffffffff && ipfw queue 4 config sched 2 pipe 2 mask src-ip 0xffffffff

    • Assign traffic to your queues using LAN Firewall rules. From the perspective of LAN Firewall rules, remember that "In pipe" is upload and "Out pipe" is download.

    I realize that's a rather high level overview and there's a fair amount of complexity, but hopefully it will give you a place to start. And there is a lot of great information in the fq_codel thread too.



  • Wow, thanks for taking the time! I'll do this as soon as my wife stopped using instagram... don't want to slow her flow ;)


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy