Multi LAN/WAN QoS is limiting LAN to LAN bandwidth



  • Hi,
    I am looking for some advice / suggestions with regard to traffic shaping.

    I currently have the following physical interfaces.

    WAN - 200Mbits up/down
    LAN1 - DMZ zone for mail/web servers
    LAN2 - internal network
    LAN3 - wifi access points
    LAN4 - VOIP sip gateway box

    I have set up QoS using the multi LAN/WAN wizard to make sure that the VOIP traffic has the bandwidth needed. It is configured for HFSC. This appears to be working well; however, it appears to also be limiting traffic not going to the WAN, in particular between the various LAN interfaces. Traffic appears to be limited to around 200 Mbits even though the interfaces are gigabit.

    Is there a simple way to not limit the LAN to LAN traffic while keeping the wizard generated queues, or am I going to have to manually set up the queues myself?



  • I have never used the wizard to create QoS or traffic shaping settings. I always create them by hand, and very simple ones at that - speed of upload or download. My guess would be that the wizard "over-helped" you and has put limiters onto more than 1 interface.

    Have you checked your interface firewall rules? It's my understanding that you can make all the limiters you want, but unless you actually apply them in a firewall rule, they will do nothing. Check your rules and see if the wizard applied any limiters on the interfaces you DON'T want them in.

    Jeff



  • The wizard seemed the easiest/quickest way to set up QoS, especially given the number of interfaces.

    As far as I understand it, with HFSC scheduler there are no limiters, and none are listed.

    If I list the traffic shaper by interface I have the following:

    WAN - BW 200Mbits/s
    ..qInternet - BW 200 Mbits/s
    ....qACK
    ....qDefault
    ....qVoIP

    LAN - BW 209715.2 Kbits/s
    ..qLink - BW 20%
    ..qInternet - BW 167772.16 Kbits/s
    ....qACK
    ....qVoIP

    DMZ - BW 209715.2 Kbits/s
    ..qLink - BW 20%
    ..qInternet - BW 167772.16 Kbits/s
    ....qACK
    ....qVoIP

    GUEST - BW 209715.2 Kbits/s
    ..qLink - BW 20%
    ..qInternet - BW 167772.16 Kbits/s
    ....qACK
    ....qVoIP

    SIPGATEWAY - BW 209715.2 Kbits/s
    ..qLink - BW 20%
    ..qInternet - BW 167772.16 Kbits/s
    ....qACK
    ....qVoIP

    Obviously the bandwidth on the WAN interface is set by the wizard and is as entered.
    I am confused though why the other interfaces show as 209715.2 Kbits/s when they are Gigabit Ethernet. Is this a limitation set by the wizard or a limitation on the traffic shaper? I assume the 209715.2 Kbits/s is actually 200 Mbits/s.

    The other confusing point is the qLink queues have a bandwidth of 20%. Is that because 200 Mbits is 20% of a Gigabit Ethernet interface?

    I think I read in a post or the documentation that the queues on the interface are for data leaving (could be confused), not incoming, in which case would it be OK to change the bandwidth on the internal interfaces to 1 Gbits/s and set the qLink percentage to 100?

    Currently the qVoIP queue is on all interfaces, however the traffic is only on the SIPGATEWAY interface, so I guess it would be safe to delete that queue from the other interfaces.

    I guess I will have to go read through the documentation again and see if I can figure out what is happening. I am not sure where the queues sit in regards to the data passing through the firewall and the various firewall rules.
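To make the listing above concrete, here is an added example (not from this thread or from pfSense's own generated config) of the same LAN queue tree written in pf.conf ALTQ syntax, first as the wizard sized it and then with the interface root raised to the physical link speed. The interface name em1, the absolute service-curve values and the "200 Mbit/s ceiling on qInternet, remainder to qLink" split are assumptions; 209715.2 Kbit/s is exactly 200 x 1024 x 1024 bit/s, so the wizard's figure is 200 Mbit/s in binary units.

```pf
# Added example, not the wizard's output. Interface em1 is assumed.

# --- As generated: root bandwidth equals the WAN pipe ---
# Every packet leaving em1 is scheduled under this root, including
# traffic that came in from another LAN interface, so the whole
# interface (not only Internet-bound traffic) is capped at 200 Mbit/s.
altq on em1 hfsc bandwidth 200Mb queue { qLink, qInternet }
  queue qLink     bandwidth 20% hfsc(default)            # 40 Mbit/s for non-WAN traffic
  queue qInternet bandwidth 80% hfsc { qACK, qVoIP }     # 167772.16 Kbit/s in the listing
    queue qACK  bandwidth 20% hfsc
    queue qVoIP bandwidth 20% hfsc(realtime 20Mb)

# --- Corrected (assumption): root equals the gigabit link ---
# qInternet keeps a fixed ceiling matching the WAN pipe, and qLink,
# the default queue that carries LAN-to-LAN traffic, gets the rest.
# Child bandwidths must not add up to more than the parent.
altq on em1 hfsc bandwidth 1Gb queue { qLink, qInternet }
  queue qLink     bandwidth 800Mb hfsc(default)
  queue qInternet bandwidth 200Mb hfsc(upperlimit 200Mb) { qACK, qVoIP }
    queue qACK  bandwidth 20% hfsc
    queue qVoIP bandwidth 20% hfsc(realtime 20Mb)
```

The same change is made in the pfSense GUI by editing each internal interface's root queue bandwidth and the qLink / qInternet child values; after applying, `pfctl -vsq` shows the queues and their per-queue byte counters, which is the quickest way to confirm LAN-to-LAN traffic is landing in qLink and no longer hitting the old ceiling.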



  • Yeah, see, it balanced (kinda) all internal interfaces to be at 20%. I don't know how exactly it did that; one of the pfSense guys most likely does.

    I would build the limiters by hand - you've only got 4 internal interfaces. You can set hard limits you want on each interface (I would skip the WAN and LAN2 interfaces) to max out at, say, 80% or 85% of your WAN pipe bandwidth. You might want to allow wifi access points on LAN3 to be a lot slower than that.

    I guess the answer to just how slow to make them depends on what you're doing on those 4 interfaces - LAN1 thru LAN4.

    You know where to make these, right? Under Firewall -> Traffic Shaper -> Limiters. At the least, you could make 2 limiters, 1 for upload, 1 for download, then test them on the "allow any to any" firewall rule on an interface. That would let you see how it works. For more fine grained control for the other interfaces, simply make more traffic shaper limiters.

    As an example, I've got a Guest VLAN for wireless access points. I have set 2 limiters - 1 for download, 1 for upload. In there I allow 10% of my entire WAN pipe and it works really well.

    Hope that helps!

    Jeff