How to direct traffic to the correct traffic shaping queue when using policy routing?

  • Hi,

    I'm having some trouble setting up traffic shaping when also combined with policy routing, and would appreciate any pointers.

    I have two WAN's:

    WAN_VSAT : 6Mb up / 50 Mb down, high latency VSAT connection
    WAN_P2P: 2Mb up / 7Mb down, low latency point-to-point microwave link

    I have one LAN ( on which there are two sets of users each in their own subnet ( and

    I have set up policy routing and have added a default firewall rule to prefer the WAN_VSAT interface by default and fail over to the WAN_P2P. This works as expected.

    I wish to use traffic shaping to guarantee each set of users 50% of the WAN bandwidth in each direction (and use more if available) on each WAN interface. I can achieve this with HFSC when using just one WAN as follows.

    For upload traffic (LAN to WAN), I first have a floating rule for each user group on the inbound LAN interface which matches traffic from a specific subnet and tags it. Then on the outbound WAN interface I match the tag and route the traffic to the specific queue on the outbound WAN interface for that user group.

    For download traffic (WAN to LAN), I have a floating rule for each user group on the inbound LAN interface which matches traffic sourced from the specific user's subnet and sets the correct queue to use on the outbound LAN interface.

    This works when I just have one WAN. However, when I use policy routing (i.e. to prefer WAN_VSAT and fail over to WAN_P2P) then there is a problem caused by the fact that the rule doesn't know which WAN is active. The method for directing upload traffic works as before, because this is applied on the specific WAN interface (if traffic appears on WAN_VSAT, then that interface is obviously being used and traffic is assigned the correct queue). However, for download traffic, which is matched on the inbound LAN interface, there is no way to know whether the traffic will be sent out via WAN_VSAT or WAN_P2P, so we can't assign the correct queue. There is no option to also match the outbound physical interface (i.e. WAN_P2P) and therefore write a rule for each. We can only match the gateway group, but that doesn't help.

    I could, conceivably, just have two outbound queues - one for each user group, regardless of the WAN interface that is being used. That would allow me to guarantee 50% to each, but is not ideal (and is likely problematic) because the available bandwidth would vary according to which WAN was active at the time. This would especially be a problem with more advanced policy routing that I intend to add later (i.e. prefer the higher bandwidth WAN_VSAT as default, but force certain applications to use the higher quality WAN_P2P link).

    Ideally, I'd set up a rule on each inbound WAN interface for each destination LAN subnet. However, this can't work because the NAT masks the destination subnet.

    Is it possible to achieve my traffic shaping goal of fairly sharing each WAN link between each user group while also using policy routing? If so, how would this work?

    Thanks in advance for any pointers.

  • Solved!

    I had misread the options in the "gateway" field of the rule. It is, indeed, possible to match on the physical interface being used (not just on the gateway group as I had previously thought).

  • I spoke too soon :( Apparently the gateway field is not a matching field, but instead it forces traffic out that gateway. So, back to square one!

Log in to reply