Fix bufferbloat for a VPN in a Gateway Group
-
My question is: how can I address bufferbloat when I also have a VPN in a Gateway Group?
My setup is running the latest pfSense. I have several VLANs; some go out via WAN or the VPN Gateway Group.
I'm using AirVPN on three OpenVPN clients on UDP, which are in the gateway group.
This all works great, however, when I do a speed test on Fast.com I see I have high latency loaded.
To address the latency I applied the approach from Lawrence Systems https://www.youtube.com/watch?v=iXqExAALzR8&feature=youtu.be and it works great for my WAN connections.
Now when I access my VPN VLAN I can't browse; however, torrenting still works, though I have no new floating rule applied.
So what needs to be done for my vlans exiting via the VPN Group Gateway to use the limiters, how should the limiters be set up, use the same queue as the WAN or add another nested queue (tried this and failed)? I know there was another thread on a similar topic but I couldn't determine what the solution was. I should also add I've tried to apply the limiters only to my VPN but this failed so there is something obviously wrong in my approach ... need a few pointers.
Is there anyone out there who has successfully configured pfSense using limiters for their VPN Gateway Group and their WAN?
-
@neogrid Hi, did you manage to solve the problem?
-
Actually yes.
What I did, looking at my setup, was to create the WAN up and down limiters, applying my bandwidths.
Then I created two queues under each limiter, one for the ISP and the other for the VPN.
I've got several VLANs with gateways for the ISP or my VPN.
In the rules I also have a rule for WAN traffic where I select the gateway and now under advanced setting I select the corresponding in/out pipe for ISP or VPN which is pointing to one of the queues created earlier.
If I do a speedtest I can see it works for both gateways ISP and VPN.
-
@neogrid said in Fix bufferbloat for a VPN in a Gateway Group:
In the rules I also have a rule for WAN traffic where I select the gateway and now under advanced setting I select the corresponding in/out pipe for ISP or VPN which is pointing to one of the queues created earlier.
What kind of rules, interface rules or floating rules?
-
@emikaadeo It won't work with floating rules when using two WANs; it will work when applied to the interfaces, as I say, with the appropriate pipes.
-
@neogrid
Is there a chance you can show on which interfaces and corresponding rules you've applied limiters?
-
I've managed to solve the problem. I just forgot that I have NAT port forwarding rules on my VPN WAN interfaces, so I set up my limiter queues on those rules as well.
Now I have stable latency on regular downloads/uploads and also on heavy torrent traffic.
-
@emikaadeo Hi, can you show me your rules?
I have a similar setup with some traffic through the WAN and some through the load-balanced VPNs.
I would like to add traffic shaping to improve the overall internet experience in my home.
Thanks
-
I have to bring this up :-)
Is there a chance to show your configuration for VPN Gateway-Group in combination with WAN?
Thanks!
-
@enjoyit
Hi, I'm not using a Gateway Group anymore. I've switched from OpenVPN to WireGuard.
My current anti-bufferbloat config is a combination of these two guides:
https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html
https://isc.sans.edu/forums/diary/Securing+and+Optimizing+Networks+Using+pfSense+Traffic+Shaper+Limiters+to+Combat+Bufferbloat/27102/