Trying to understand Traffic Shaping of OpenVPN tunnels and within the tunnel



  • I'm trying to get a better understanding of traffic shaping OpenVPN traffic.

    Correct me if I'm wrong here:
    To traffic shape within a tunnel:
    1: You have to assign interfaces to the OpenVPN tunnels. Example: RoadWarrior (ovpns1) becomes OPT1 and a Site2Site (ovpns2) becomes OPT2
    2: Copy the WAN queue to OPT1 and OPT2. In my case, set them up as PRIQ and give them the same bandwidth as the WAN (would like to try FAIRQ, but that is another topic altogether since I don't think it works correctly)
    3: Now for the Rules: Traffic will be shaped based on what is assigned within the Floating Rules as long as an Interface is not assigned.
    For the most part I think I understand how to set up rules for the WAN/LAN. If I want to add a Rule just to shape, let's say, SMB traffic, would I add this to the Floating Rules section and select an OpenVPN assigned interface, or would I put that under each OpenVPN (Opt1, Opt2) Interface Rules tab?

    To traffic shape the whole tunnel:
    I'm not really sure how rules should be set up after assigning interfaces to OpenVPN tunnels. I was able to get traffic into my WAN/LAN qOtherHigh queue by assigning this queue to the default Allow Any rule under the OpenVPN Rules Tab and creating 2 Floating rules. Both of the floating rules were assigned to the OpenVPN interface, one for TCP traffic and the other for UDP traffic. I did try to shape traffic based on the OpenVPN ports but that didn't seem to work.

    What is the preferred method to traffic shape the whole OpenVPN tunnel when they are not assigned to interfaces? and
    What is the preferred method to traffic shape the whole OpenVPN tunnel when they are assigned to OPTx interfaces?
    When you have OpenVPN interfaces assigned, is the default OpenVPN interface and OpenVPN Rules tab used anymore? Do they become Floating Rules tab for all OpenVPN assigned interfaces?

    Sorry for all the questions, just trying to get a better understanding... I remember in 1.2.3 this wasn't possible, well, at least I couldn't get it to work.

    Thank you in advance! Ermal and the rest of the dev team have made some great progress on this feature-set.

    Stephen



  • I also have the same questions



  • @Cino:

    I'm trying to get a better understanding of traffic shaping OpenVPN traffic.

    Correct me if I'm wrong here:
    To traffic shape within a tunnel:
    1: You have to assign interfaces to the OpenVPN tunnels. Example: RoadWarrior (ovpns1) becomes OPT1 and a Site2Site (ovpns2) becomes OPT2

    Yes, if you really want good results and not take into account the other interfaces. Though you can do the same with the general OpenVPN tab if you are careful enough.
    But it gets a little complex, so assigning is the recommended way to do it.

    2: Copy the WAN queue to OPT1 and OPT2. In my case, set them up as PRIQ and give them the same bandwidth as the WAN (would like to try FAIRQ, but that is another topic altogether since I don't think it works correctly)

    Yes.

    3: Now for the Rules: Traffic will be shaped based on what is assigned within the Floating Rules as long as an Interface is not assigned.
    For the most part I think I understand how to set up rules for the WAN/LAN. If I want to add a Rule just to shape, let's say, SMB traffic, would I add this to the Floating Rules section and select an OpenVPN assigned interface, or would I put that under each OpenVPN (Opt1, Opt2) Interface Rules tab?

    If you already have a rule for SMB on the OpenVPN rules, just select the queues there. The other options/ways/tabs are to reduce the number of rules needed in shaping in general.

    To traffic shape the whole tunnel:
    I'm not really sure how rules should be set up after assigning interfaces to OpenVPN tunnels. I was able to get traffic into my WAN/LAN qOtherHigh queue by assigning this queue to the default Allow Any rule under the OpenVPN Rules Tab and creating 2 Floating rules. Both of the floating rules were assigned to the OpenVPN interface, one for TCP traffic and the other for UDP traffic. I did try to shape traffic based on the OpenVPN ports but that didn't seem to work.

    On an OpenVPN tunnel you know the port, protocol and the destination, so on the interface you have created the tunnel on, just create the shaping rule with those parameters, or in the floating rules tab with the same parameters I stated before.

    What is the preferred method to traffic shape the whole OpenVPN tunnel when they are not assigned to interfaces? and
    What is the preferred method to traffic shape the whole OpenVPN tunnel when they are assigned to OPTx interfaces?

    It's the same method; see the previous comment. You have all the parameters to identify the flow of OpenVPN for the interfaces they do traffic on, the interfaces on top of which OpenVPN is running.

    When you have OpenVPN interfaces assigned, is the default OpenVPN interface and OpenVPN Rules tab used anymore? Do they become Floating Rules tab for all OpenVPN assigned interfaces?

    The order is Floating Rules, OpenVPN tab (it's the same as interface groups) and specific rules from assigned interfaces.

    Sorry for all the questions, just trying to get a better understanding... I remember in 1.2.3 this wasn't possible, well, at least I couldn't get it to work.

    Thank you in advance! Ermal and the rest of the dev team have made some great progress on this feature-set.

    Stephen

    Hope it helps
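
The two approaches discussed above, written out as a hand-written pf/ALTQ fragment. This is an added example, not part of the original posts and not the ruleset pfSense generates. Assumed values: `em0` as WAN, a 10Mb uplink, `203.0.113.10` as the remote OpenVPN peer, udp/1194 as the tunnel port, `ovpns2` as the Site2Site tunnel assigned as OPT2, and a hypothetical `qSMB` queue.

```pf
# Added illustration in plain pf/ALTQ syntax (assumed names and values).

# Queue definitions must precede filter rules in pf.conf.

# Whole-tunnel shaping: queues on the WAN, where the encrypted packets
# actually leave. pf sees only the outer header on this interface.
altq on em0 priq bandwidth 10Mb queue { qACK, qOtherHigh, qDefault }
queue qACK       on em0 priority 6
queue qOtherHigh on em0 priority 4
queue qDefault   on em0 priority 3 priq(default)

# In-tunnel shaping: a copy of the queue layout on the assigned tunnel
# interface, where pf sees the decrypted inner packets.
altq on ovpns2 priq bandwidth 10Mb queue { qACK, qDefault, qSMB }
queue qACK     on ovpns2 priority 6
queue qDefault on ovpns2 priority 3 priq(default)
queue qSMB     on ovpns2 priority 1   # hypothetical low-priority queue

# Whole tunnel: the outer flow is identified by port, protocol and
# destination, so everything inside it lands in one queue.
pass out on em0 proto udp from any to 203.0.113.10 port 1194 \
    keep state queue qOtherHigh

# Within the tunnel: SMB is matched on the inner port and sent to qSMB,
# with its TCP ACKs sent to qACK.
pass out on ovpns2 proto tcp from any to any port 445 \
    keep state queue (qSMB, qACK)
```

A rule on the WAN cannot classify by inner port (445 here) because the payload is encrypted at that point; per-application queues only work on the tunnel interface.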



  • To traffic shape the whole tunnel:
    On an OpenVPN tunnel you know the port, protocol and the destination, so on the interface you have created the tunnel on, just create the shaping rule with those parameters, or in the floating rules tab with the same parameters I stated before.

    This was the key for me. What I did was use the wizard to set up a standard VoIP shaper to see how it was done in pfSense. Then I changed the floating rules to an any/any rule and set it to use the OpenVPN tunnel rather than the WAN interface. This was in the interface droplist on the rule page in 2.0 RC3 even though I do not have a special interface set up for the OpenVPN link.

    I have tested it and the queues are working, so it seems that the whole tunnel, including the VoIP traffic that is being passed through it, is being shaped.



  • Thank you Ermal for taking the time to answer my questions :-)

