Shaping traffic to pfSense itself

  • OK, this may well be unsupported, daft and esoteric, but I'm giving it a shot anyway: after much googling and forum trawling I cannot for the life of me find out what's going on.

    I've been messing about with pfSense for a while now and, in a bit of a consolidation effort, I decided to try to do away with leaving my HTPC on 24/7 to take care of some backup tasks and see if I can get my Atom-powered pfSense box to do it instead.

    I've got a full pfSense 2.0 dated 23rd March 2011 booting from an 8GB SLC CF card, and I added a 500GB SATA drive which is formatted and mounted on /backup.

    Setup is as follows:

    Dedicated box (178.x.x.x) -> INTERNET -> (78.x.x.x) 2mbit/0.5mbit ADSL pfSense WAN -> pfSense LAN IP

    I use rsync over SSH to upload files to the pfSense box and this works brilliantly, except I can't seem to shape the traffic because it appears in the root ACK queue at around 180pps but only displays around 74Kb/s on the queue graphs.

    The remote side is pushing at 2mbit and the pfSense live traffic graph shows 2mbit coming in on WAN, but it isn't being shaped properly at all and I can't get it under control no matter what I try.

    All my other shaping works perfectly and I've been trying to use a floating rule based just on destination port 22, but even if I do force it into another queue it's always the WAN queues, not the LAN queues, which have different total bandwidths as it's an asymmetric connection.

    Is there any way to shape traffic that is hitting the pfSense box itself rather than a PC behind it?


  • I don't think it will work because the traffic isn't leaving your LAN interface. Maybe take a look at the Squid sticky and see if there are any hints there for your setup.
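
The reply above is the crux of it, and it is worth seeing in pf's own terms. The following ALTQ fragment is an added example written by the editor, not a configuration posted in this thread or shipped by pfSense. The interface names em0 (WAN) and em1 (LAN), the 192.168.1.0/24 LAN subnet, and the queue rates are assumptions chosen to match the 2mbit/0.5mbit ADSL line described in the first post.

```pf
# Added example (editor's, not from the thread or from pfSense).
# Assumed: em0 = WAN, em1 = LAN, upstream 512Kb, downstream 2Mb.

# Egress shaping on WAN: the 0.5mbit upload direction.
altq on em0 hfsc bandwidth 512Kb queue { qWANack, qWANdef, qWANssh }
queue qWANack bandwidth 20% hfsc(realtime 64Kb)
queue qWANdef bandwidth 50% hfsc(default)
queue qWANssh bandwidth 30% hfsc

# Egress shaping on LAN: this is where "download" traffic is normally
# throttled, because packets forwarded to a LAN host leave through em1.
altq on em1 hfsc bandwidth 2Mb queue { qLANack, qLANdef, qLANssh }
queue qLANack bandwidth 20% hfsc(realtime 256Kb)
queue qLANdef bandwidth 50% hfsc(default)
queue qLANssh bandwidth 30% hfsc

# Case 1: SSH arriving on WAN for a host behind the firewall (assumed subnet).
# A rule's queue is applied to each packet on the interface it is TRANSMITTED
# from, so the download data is queued in qLANssh as it leaves em1 and the
# LAN host's ACKs are queued in qWANack as they leave em0. Both directions
# pass through an ALTQ queue and are shaped.
pass in quick on em0 proto tcp from any to 192.168.1.0/24 port 22 \
    keep state queue (qWANssh, qWANack)

# Case 2: the same rule, but the destination is the firewall's own WAN
# address, i.e. the rsync-over-SSH backup from the first post.
# The inbound data packets are delivered to the local sshd and never leave
# any interface, so they never enter an ALTQ queue at all. The only packets
# pf can queue for this state are the firewall's own replies: small, empty
# ACKs leaving em0, which is why the graphs show ~180pps in the ACK queue
# at ~74Kb/s while 2mbit arrives on WAN. The LAN queues are never consulted.
pass in quick on em0 proto tcp from any to (em0) port 22 \
    keep state queue (qWANssh, qWANack)
```

ALTQ only ever sees packets on their way out of an interface, so no queue or floating rule on the pfSense side can throttle data that terminates on the box itself; the most it can do is delay the ACKs. For a transfer the remote side controls, the lever that does not depend on ALTQ seeing the data is to cap the sender, for example rsync's --bwlimit option on the dedicated box.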

  • I've had a look at the Squid sticky but can't really see anything in there that would help my situation. Would adding a third NIC to the box with a LAN IP and forcing sshd to listen on that IP do the trick?

  • I've been trying to figure out a way to prioritize the OpenVPN tunnel terminated on my firewall in 1.2.3 and it looks like I'm in the same boat.

    Can someone verify whether it is or is not possible to take a connection to the WAN interface on the firewall and have that put into a queue other than the default queue?

    Will this be possible in 2.0 when I upgrade? I've gathered that I'll be able to prioritize traffic over the TUN interface in 2.0, but I'm worried that I still won't be able to prioritize all VPN traffic over other kinds of traffic on the WAN interface.

    Am I thinking about the problem wrong? Is there another approach that works better?

  • I'm running 2.0 and I was able to prioritize the whole tunnel and shape traffic within the tunnel. It's still a work in progress but it can be done with 2.0. I did have to assign interfaces for the OpenVPN tunnels.

    It's been a while, but I thought that if you assign interfaces to your OpenVPN tunnels within 1.2.3, you can prioritize the whole tunnel. But I could be wrong; it's been a while since I worked on 1.2.3.

