Dynamic multi LAN/NIC single WAN bandwidth sharing



  • Hello all, I was wondering if I can share unused bandwidth between different networks on different NICs in the same pfsense box? 2.0rc1

    I have a 1.5mbit up/1.5mbit down WAN connection shared to office/home/guest networks. I have limited bandwidth to .3mbit/.7mbit/.5mbit to each network but would like to use the unused bandwidth from the other networks when not in use (no one home / office is closed / there are no guests). Is this possible? Can the unused bandwidth be evenly distributed to however many guests are using the connection (1-6 connections via DHCP)?

    Can I set each network bandwidth limit to 1.5mbits and a guaranteed min. of .3/.7/.5 and set HFSC priorities in the different networks and let pfsense sort it all out?

    I do not like seeing idle bandwidth  :)

    thanks very much.



  • I don't think this is possible without using two pfsense firewalls inline.  You need all the download traffic to be sent out one interface at some point so it can be shaped as a whole.  Queues on different interfaces do not communicate with each other, so there is no way to have a multi lan setup with queues that allow unused download bandwidth to be shared.

    On one interface it should be possible to set up HFSC queues that guarantee each group a set amount of bandwidth, and allow them to share unused bandwidth with each other.  Here is a link to an example setup that is sharing a connection with multiple organizations. http://www.cs.cmu.edu/~hzhang/HFSC/tech.html

    Traffic leaving the WAN (upload) shouldn't be a problem to share like that.

    Hmm, maybe you could get a firewall with 5 interfaces, send the traffic from WAN -> Opt 2 -> Opt 3 -> Lan/Opt1, and then shape at Opt 2 and Opt3.  It does seem a little silly to plug one interface of a firewall into another right next to it though.

    Josh



  • This is one area that pfsense seems to be able to handle that no other bw management software I have looked at can do: sharing bw evenly between users.  All kinds of firewalls say they do, but all they do is limit the total bw to each user, and within that total, one user can take an unfair share by simply making more connections, for example downloading 15 files at once instead of 1 or 2.  The only way I know to share evenly is to make an HFSC queue for each user, then each queue will get equal access to the bandwidth.

    However, like stompro said, the queues go on the interface, so multiple LAN interfaces can't share bw properly between them.  My question would first be, why do you need multiple LAN interfaces, couldn't you just use one LAN interface which goes then to a switch?  But that is the same thing as making a bridge between the physical LAN ports and then assigning the LAN interface to the bridge, as far as I know.

    Anyway, these are the queues I have been using, seems to work well…
    WAN(512k)
    ---->qDefault
    ---->qACK
    ---->qVoip
    ---->qUser50
    ---->qUser51
    ...
    ---->qUser75
    LAN(1024k)
    same as WAN

    You can assign each qUser 1% linkshare bw, and upperlimit 100% or whatever you want. The linkshare bw functions like a weight--queues with equal setting share equally, a queue with 2% will get twice the bandwidth as one with 1%.  The priorities don't seem to make any difference that I can find.  Also I believe putting a number in the "bandwidth" box is the same as linkshare m2, and is overridden by linkshare m2.  You can give the Voip queue up to 80% realtime bw which will give it highest priority, up to 80%, then it will share the other 20% according to the linkshare "weight".  Not sure if the "priority" box is broken or what but it doesn't seem to do anything.

    Rules to assign traffic to queues are easy...  LAN tab:
    #    pass/block    Proto    Source           Destination    Queue

    1.   pass          UDP      any              any            qUDP
    2.   pass          TCP      192.168.1.50     any            qACK/qUser50
    3.   pass          TCP      192.168.1.51     any            qACK/qUser51
    4.   pass          TCP      192.168.1.75     any            qACK/qUser75
    5.   pass          any      any              any            qAck/qDefault

    or something.
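    The two points made so far, that queues on separate LAN interfaces cannot lend each other idle bandwidth, and that on a single interface the linkshare value works as a weight on top of the realtime guarantee, can be seen side by side in a small steady-state model. This is an added example, not code from any of the posters or from pfSense/ALTQ: it reduces HFSC to flat realtime, linkshare and upperlimit values (no m1/d/m2 service curves), and the demand figures in the two demo functions are constructed.

```python
"""Steady-state model of sharing one link among HFSC-style queues versus
independent per-interface limiters.  Added illustration only: a simplified
model (flat realtime / linkshare / upperlimit values, no m1/d/m2 service
curves), not pfSense's or ALTQ's own scheduler code."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional

Kbps = Fraction  # all rates below are kbit/s


@dataclass
class Queue:
    name: str
    demand: Kbps                       # offered load from this queue's hosts
    realtime: Kbps = Fraction(0)       # guaranteed minimum, served first
    linkshare: Kbps = Fraction(1)      # weight used to split leftover capacity
    upperlimit: Optional[Kbps] = None  # hard cap; None means the link rate


def hfsc_share(link_kbps, queues: List[Queue]) -> Dict[str, Fraction]:
    """Allocate one link's capacity among queues.

    Phase 1: each queue receives min(demand, realtime) up front.
    Phase 2: whatever is left is water-filled in proportion to linkshare,
    but no queue is pushed past its demand or its upper limit; capacity a
    capped queue cannot absorb is re-offered to the others, so idle or
    capped queues effectively lend their share to the busy ones.
    """
    link = Fraction(link_kbps)
    if sum(q.realtime for q in queues) > link:
        raise ValueError("realtime guarantees exceed the link rate")
    cap = {q.name: min(Fraction(q.demand),
                       link if q.upperlimit is None else Fraction(q.upperlimit))
           for q in queues}
    alloc = {q.name: min(Fraction(q.realtime), cap[q.name]) for q in queues}
    left = link - sum(alloc.values())
    while left > 0:
        eligible = [q for q in queues if alloc[q.name] < cap[q.name]]
        if not eligible:
            break                      # everyone is satisfied or capped
        weight_sum = sum(q.linkshare for q in eligible)
        handed_out = Fraction(0)
        for q in eligible:
            share = left * q.linkshare / weight_sum
            grant = min(share, cap[q.name] - alloc[q.name])
            alloc[q.name] += grant
            handed_out += grant
        left -= handed_out
    return alloc


def per_interface_limiters(limits, demands):
    """Independent limiter on each LAN interface: each network gets
    min(limit, demand) and nothing more, because the queues on separate
    interfaces never see one another."""
    return {n: min(Fraction(limits[n]), Fraction(demands[n])) for n in limits}


def demo_office_home_guest():
    """Original poster's numbers: 1500 kbit/s WAN, guarantees 700/300/500.
    Constructed scenario: home idle, office and guests both saturating."""
    demands = {"office": 1500, "home": 0, "guest": 1500}
    limits = {"office": 700, "home": 300, "guest": 500}
    one_interface = hfsc_share(1500, [
        Queue(n, demands[n], realtime=limits[n]) for n in limits])
    separate = per_interface_limiters(limits, demands)
    return {"hfsc": one_interface, "limiters": separate,
            "idle_with_limiters": 1500 - sum(separate.values())}


def demo_weighted_users():
    """Linkshare as a weight, plus a realtime VoIP queue and one capped
    user, on a 512 kbit/s WAN (constructed demands)."""
    return hfsc_share(512, [
        Queue("qVoip", 100, realtime=Fraction(512) * Fraction(4, 5)),  # 80% realtime
        Queue("qUser50", 512, linkshare=1),
        Queue("qUser51", 512, linkshare=2),                 # twice the weight
        Queue("qUser52", 512, linkshare=1, upperlimit=100),  # hard cap
    ])


if __name__ == "__main__":
    for k, v in demo_office_home_guest().items():
        print(k, v)
    print(demo_weighted_users())
```

    With the office/home/guest numbers, the single-interface model hands the idle home allowance to office and guest (850/0/650, link fully used), while three independent limiters leave 300 kbit/s idle. In the weighted case, qUser51 ends up with exactly twice qUser50's share, qUser52 is pinned at its upper limit, and the VoIP queue only takes what it demands from its realtime guarantee; the remainder is redistributed to the others.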



  • pwipf, I think the usual reason for having multiple LANs/VLANs is to separate different domains of network access.  One network for public users, one network for staff, one network for the Business Office, etc.  You don't want the various groups of machines to be able to directly connect to each other without the firewall controlling the access.  Don't think of it as using the firewall as the switch, depending on how fancy your switch is.
    Josh



  • Thanks that makes sense.  Seems to be like you said, Josh, without the queues on different interfaces somehow communicating with each other, they can't shape properly if given access to sort of "overlapping" bandwidth.  I might have to look into this a bit more :)  I do find it really interesting and confusing trying to understand exactly how TCP works in this kind of situation.  I think probably each network will end up getting bandwidth proportional to how many connections it has, and no way to specify "network 1 limit bw to .3k only if other networks are using 1.2k"

    I like the idea of using 5 interfaces and plugging one into the other, should be able to do that with a little VLAN switch… which then makes me wonder if you couldn't do that somehow within pfSense using vlans and bridges somehow... have to look into this now...

