Netgate Discussion Forum

    QoS with Limiters, prioritizing DSCP-classes

      seanomat

      I am experimenting with pfSense at the moment and trying to prioritize certain traffic in all directions.

      After reading the docs, I had the impression that Limiters are the way to go, since ALTQ is not as efficient and relies on certain network cards.

      I am not really interested in limiting bandwidth anywhere, just prioritizing traffic with certain DSCP values as we do on all our internal network equipment.

      Here is my approach, but I'm not sure if this will have the desired effect:

      I created one limiter, without a mask and with a bandwidth limit much higher than the physical network is capable of.

      I created four queues inside this limiter with weights 100, 90, 80, 20.
      Weight = 20 is the "default" queue.

      I created four firewall floating rules on the LAN and WAN interfaces with action=match, that filter by DSCP value and assign incoming packets to the corresponding queue. Everything without a matching DSCP value is assigned to the "default" queue (weight=20).

      Apart from the question of whether this is a viable way to do this, there are still some questions I can't seem to find an answer to:

      Is it a problem to exaggerate the available bandwidth in the Limiter?

      Is the default queue actually necessary? I would assume since the limiter grabs all of the available bandwidth, no unclassified traffic could pass?

      Is it a problem for the weights of the queues to add up to more than 100, or is this just relative weighting?

      As of now, as you can see, I do not have any Limiter/queues for the "out" direction. I understand that "in" and "out" are interpreted from the perspective of pfSense. I assume I would have to create a second limiter with identical queues and configure these as the "out" pipe in the firewall rules?

      Your input is greatly appreciated ;)

        seanomat @seanomat

        Here is the first finding:

        When these rules are active, pfSense cannot make any connection to internal or external endpoints.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.