Traffic Shaping two interfaces that share bandwidth

  • I've had a search around, but I may well be getting my search strings wrong, as it's (possibly) quite an esoteric thing I want.

    As it is, I have a WAN link going into my pfSense box which is 2Mbit/0.5Mbit PPPoE; this is the WAN interface.

    My LAN interface has a network behind it.

    I have set up OpenVPN to an external 100/100Mbit server ( and set OPT1 as the OpenVPN link and set it up as a secondary gateway on

    Using this setup, I can route specific LAN machines or ports over the VPN as a gateway using firewall rules, which is what I wanted :)

    However, now I'm looking deeper and wanting to make my traffic over the VPN obey my shaping rules (because it's still all going out/in over my 2/0.5Mbit WAN link essentially) that I have set up on WAN/LAN, but as OPT1 is its own interface I need to add a shaper to it and seemingly have to carve out some of the WAN bandwidth to the shaper.

    Ideally I want to add OPT1 as some sort of child to the WAN shaper but it doesn't seem obvious how to go about this.

    Any ideas?

  • Hi,

    I'm having a similar problem. You also want to shape the traffic INSIDE the tunnel, don't you?
    In my case I don't have an extra if configured for OpenVPN, and I'd also like to shape the traffic inside my IPsec tunnels, for which I can't assign an extra if.

    I tried to shape the traffic inside the tunnels just by adding floating rules (pass or queue, quick or not quick) and rules in the OpenVPN tab, but everything fails.
    It just works when I have set up LAN queues.

    If that's the only way to do that (I hope it isn't) I thought of doing something like that:

    - assign the max. rate of the WAN's downstream to the LAN if in the shaper, just like you would usually do when you set up LAN queues, + add the max. upstream traffic of the WAN if (the one which is used by the VPN tunnel)
    - add a subqueue for the downstream limited to the actual downstream of the WAN (qInternet)
    - attach the usual queues to (qInternet) for the LAN.
    - add a subqueue (same level as qInternet) limited to the actual upstream traffic of the WAN interface which is used by all the VPN traffic (let's call it qVPNup)
    - add queues for shaping the upstream for your VPN tunnels to qVPNup.

    I don't know if this would work well; however, because there can only be one default rule per interface, I'd have to manually specify a queue for each fw rule I create.
