Shaping inside IPSEC only possible by using Lan queues?



  • Hi,

    Update: figured it out for OpenVPN (thanks to Stenio for pointing me to his thread), but IPSEC remains mysterious ;)

    I'm having difficulties shaping any outgoing traffic through ipsec tunnels. It only works for me by using Lan queues..

    I'd really like to not have any downstream shaping, so I don't have any Lan queues..
    but when I only have queues for wan interfaces, shaping traffic inside ipsec doesn't work. No matter how hard I try, traffic is sent to the default queues. Note I want to shape outgoing traffic, just like it's possible to do with floating rules for the wan interfaces…

    Shouldn't it be possible to shape that traffic within the limits of the wan interface the tunnels are using? I suspect that I lack the knowledge of something very fundamental about how this works ;)

    Thank you very much for some enlightenment ;)

    Max



  • Sorry for the bump masked as a question  ;D   but should I have asked that in the shaper forum (though it's regarding 2.0?)



  • Please give all details otherwise no answer can be given.



  • Update: sorry forgot it's Snapshot built on Sun Mar 6 03:05:44 EST 2011 (i386)

    Hi Ermal and thank you for taking your time!

    Here are all the details:

    I have 2 lan and 3 wan ifs.

    Wan1 is used exclusively for the ipsec and openvpn tunnels.
    Wan2 is used for internet access for lan1.
    Wan3 is used exclusively for a mailserver in the dmz (lan2).

    On lan1 there are a few servers which are being used by ipsec and openvpn clients on the other side.

    I removed the shaper that I had configured 10 months ago and went through the multi lan/wan wizard.
    The new shaper wizard didn't create any Lan queues which was fine for me.

    Directing traffic of services (for example http) into one of the queues works as expected for Lan1 -> Wan2 and Wan2 -> Lan1 by using floating rules.
    But the same didn't work for ipsec traffic (I don't want/need to shape ESP but the traffic inside the tunnels).

    I tried the following:

    -put a new floating rule (top of all floating rules): action pass, direction in, proto tcp, src <ipsec networks>, dst <server1 on lan1>, queue1,queue2
    -the same as above with 'quick'
    -same as above but with action "queue".

    -floating rule with the opposite: src: server1 on lan1, dst: ipsec networks, direction out
    -again tried the same with pass quick, and queue

    • tried the same as above and direction <any>- the same floating rule and selected the ipsec interface (whereas before I hadn't selected any interface)

    • finally I tried the same (src:ipsecnetworks,dst:server1 and vice versa) by adding a rule in the ipsec firewall tab (again on top)

    Nothing worked.. though when I enabled logging I saw that some of the rules I tried did match.
    But everything went into the default queue and not into the queues I selected…

    Would I need to do that via queues on lan1 if?

    Thanks again for your time Ermal!

    Max



  • I've a similar problem. Did you reset the states after the rules change?



  • Yes! Every time.





  • Thanks Stenio,

    So this is the solution for openvpn.. that's nice!

    But what about ipsec tunnels, where you cannot assign an extra interface? How would I shape them? From out the lan queues only?



  • Afaik it should work ok even with queues on wan.
    I am not sure why it is not working for you but you still have not given any screenshots and such for it.

    BTW, you have to upgrade to latest snapshot to retest the results and after send the screenshots.



  • Thank you ermal!

    I will do the upgrade and post the screenshots. Might take a little since production box.



  • Hi Ermal,

    I now set this up at my home pfsense box to test:

    It's running latest snapshot (i386, built on Sun Mar 13 06:53:56)

    There's exactly 1 ipsec tunnel. 2 WAN ifs and 1 Lan.

    Wan interfaces: "WAN" and "AON". "AON" is used for the ipsec tunnel.

    I just created the (hfsc) shaper using the single lan multi wan wizard. Pretty much everything default (except for the individual up/down rates of my wan interfaces and "qOthersHigh" is my default queue)

    I tested using scp from a remote host connected via the ipsec tunnel to my local network.

    local ip with the ssh server: 192.168.1.65
    remote host ip: 192.168.0.239

    I created the following floating rule:

    action pass, quick, no interface selected, direction:any, protocol tcp, src ip any, dst ip:192.168.1.65, dst port:22, queues: qACKs/qP2P

    on 192.168.0.239: "scp 192.168.1.65: <large_file>."

    The behaviour was exactly the same as a few days back with the pfsense host I referred to when I started the topic: everything went into the default queue (now qOthersHigh in this case)

    I tried different options for the floating rule: action:queue, action:pass without quick. Each with direction in/out/any, ipsec interface selected or no if selected..
    I also tried specifying the queues in the ipsec fw tab (only have one rule there see image) and then I even tried the same in the lan tab (but lan doesn't have queues set up in the shaper).
    Every time I reset the states…

    BTW: only when I used action:pass (quick or not) in the floating rule, it was logged in the firewall log. Action:queue wasn't, but I suspect this is intended since it's no real firewall action?

    Please see attached images.

    Thank you very much!

    Max












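An added check for the scp test Max describes, not code from the thread or from pfSense: diff two `pfctl -vsq` snapshots taken before and after the transfer to see which ALTQ queue the packets actually landed in. The sample listing is constructed in the shape of `pfctl -vsq` output with invented counters; on a real box replace it with genuine snapshots.

```shell
#!/bin/sh
# Added check, not from the thread: diff two `pfctl -vsq` snapshots taken before
# and after a test transfer to see which ALTQ queue the packets actually landed in.
# On the box:  pfctl -vsq > before.txt; <run the scp>; pfctl -vsq > after.txt
# Print "queue-name packet-delta" for every queue in the two listings.
queue_deltas() {
    awk '
        /^queue/ { q = $2 }                    # "queue  qACK on em0 ..." -> qACK
        /^ *\[ pkts:/ {
            sub(/^ *\[ pkts: */, "")           # packet counter is now $1
            if (NR == FNR) before[q] = $1      # first file: baseline
            else print q, $1 - before[q]       # second file: growth since baseline
        }
    ' "$1" "$2"
}

# Queue whose packet counter grew the most between the snapshots.
busiest_queue() {
    queue_deltas "$1" "$2" | sort -k2,2nr | head -n 1 | cut -d' ' -f1
}

# Constructed sample listing in the shape of pfctl -vsq (counters invented, not real
# output): queues qACK/qP2P/qOthersHigh on em0 with $2/$3/$4 packets each.
write_sample() {
    cat > "$1" <<EOF
queue root_em0 on em0 bandwidth 10Mb priority 0 hfsc( red ecn ) {qACK, qP2P, qOthersHigh}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
queue  qACK on em0 bandwidth 1Mb hfsc( realtime 1Mb )
  [ pkts:   $2  bytes:   0  dropped pkts:      0 bytes:      0 ]
queue  qP2P on em0 bandwidth 2Mb hfsc( upperlimit 8Mb )
  [ pkts:   $3  bytes:   0  dropped pkts:      0 bytes:      0 ]
queue  qOthersHigh on em0 bandwidth 3Mb hfsc( default )
  [ pkts:   $4  bytes:   0  dropped pkts:      0 bytes:      0 ]
EOF
}

# Demo of the symptom in the thread: the scp grew only the default queue, so the
# floating rule's queue assignment (qACKs/qP2P) never took effect.
demo() {
    dir=$(mktemp -d)
    write_sample "$dir/before" 100 20 500
    write_sample "$dir/after" 110 20 7900
    busiest_queue "$dir/before" "$dir/after"   # prints qOthersHigh
    rm -r "$dir"
}
demo
```

If the queue you selected in the rule is not the one that grows, the rule's queue assignment is not being applied to that traffic, whatever the firewall log says about the rule matching.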



  • Will this only work with Lan queues?

    If so, would the following work?
    For sake of simplicity let's assume I only have one WAN if and vpn clients are accessing servers on the "Lan":
    Assign the downstream rate of my wan interface through which "lan" accesses the internet to the Lan root queue + add the upstream rate to this value (of the wan interface).

    And then split it apart by adding a qInternet and limit it to the actual downstream rate of the WAN if + add qAck et.c. queues as children of qInternet.
    Then add an "upstream" queue to the Lan root on the same level as qInternet with the limit of the actual upstream rate of the wan interface + add some queues as children of "upstream".
    Couldn't I then shape the OpenVPN traffic just by making use of that queues?



  • So, does anyone think this Lan queue approach could work? Or is that complete nonsense?
    Ermal, what do you say about the things I tried and the screenshots? Do you need more info?

    BTW: Should threads concerning the shaper in 2.0 go into the 2.0 forum or should I post them in the traffic shaper subforum?



  • @mxx:

    Hi Ermal,

    I now set this up at my home pfsense box to test:

    It's running latest snapshot (i386, built on Sun Mar 13 06:53:56)

    There's exactly 1 ipsec tunnel. 2 WAN ifs and 1 Lan.

    Wan interfaces: "WAN" and "AON". "AON" is used for the ipsec tunnel.

    I just created the (hfsc) shaper using the single lan multi wan wizard. Pretty much everything default (except for the individual up/down rates of my wan interfaces and "qOthersHigh" is my default queue)

    I tested using scp from a remote host connected via the ipsec tunnel to my local network.

    local ip with the ssh server: 192.168.1.65
    remote host ip: 192.168.0.239

    I created the following floating rule:

    action pass, quick, no interface selected, direction:any, protocol tcp, src ip any, dst ip:192.168.1.65, dst port:22, queues: qACKs/qP2P

    on 192.168.0.239: "scp 192.168.1.65: <large_file>."

    The behaviour was exactly the same as a few days back with the pfsense host I referred to when I started the topic: everything went into the default queue (now qOthersHigh in this case)

    I tried different options for the floating rule: action:queue, action:pass without quick. Each with direction in/out/any, ipsec interface selected or no if selected..
    I also tried specifying the queues in the ipsec fw tab (only have one rule there see image) and then I even tried the same in the lan tab (but lan doesn't have queues set up in the shaper).
    Every time I reset the states…

    BTW: only when I used action:pass (quick or not) in the floating rule, it was logged in the firewall log. Action:queue wasn't, but I suspect this is intended since it's no real firewall action?

    Please see attached images.

    Thank you very much!

    Max

    Hi Ermal,

    I have posted all the screenshots I thought might be useful, please tell me if I should post any additional info.

    And please forget about my last posts about the Lan queues ;)

    Thank you!



  • Any update/reaction? ;)



  • I have been looking into implementing shaping within an IPSec tunnel as well and I can find nothing clear on how it should be configured.  What I have found are a lot of references to the shaper in 2.0 being able to shape within IPSec, but no one confirming that it works and no one giving examples or instructions.  I am seeing results similar to mxx when using the wizard - IPSec traffic seems to be classified from the WAN side and gets placed wherever in the default queue unless there is an ESP/AH rule which can place it in another queue.  This doesn't work since I need to shape within the tunnel, not the tunnel itself.  Can someone just give an example that works since it appears that Ermal has no interest in this subject?  It seems to me the traffic should be classified from the LAN side (as the title of op's thread suggests), before it enters the tunnel, if that is even possible.

    Any help is appreciated.

    -Kevin



  • It cannot be classified from LAN side for the outgoing packets.
    You have to classify it on the IPSec tab of rules.



  • Thanks for the reply, though I am still a little confused.  Are you saying I can simply run the wizard and then copy/create any rules specifically for traffic through the IPSec tunnel under Firewall>Rules>IPSec instead of under Firewall>Rules>Floating?



  • I put every rule for IPSec traffic shaping in the floating rules.

    I do not select any interface, I only set the source and/or destination and it's working.

    I have MS RDP going through an IPSec and it works perfectly. No limiter, nothing special in the IPSec tab.

    See the attachment showing my configuration of the Floating Rule for RDP connections. You have to understand Source and Destination… When you initiate an RDP session from the LAN to an IPSec host, the destination is port 3389. When the reverse happens, an IPSec host connecting to a LAN host RDP server, the destination is still port 3389.

    ![RDP FloatingRule.png](/public/imported_attachments/1/RDP FloatingRule.png)



  • My statement is true for LAN rules doing queueing as well.
    For floating rules, no, they should just work for ipsec as long as the latest matching firewall rule, the one that actually lets traffic pass through, is on the ipsec tab.


Locked