SlingBox or VOIP highest priority

  • I've struggled to get this question answered and if someone knows a better place for this post to be placed can you please let me know. I think part of my problem may be my terminology. If you need clarification on terminology let me know. Here's what I have:

    Single WAN, single LAN, three OPT networks.
    Slingbox on one of the OPT networks and the MagicJack on the same OPT network as the slingbox.

    Here's what I want to accomplish:

    #1: I want to only allow access to the slingbox if they're on the same OPT network or a VPN that tunnels to that OPT network. I don't want even those on the LAN interface to access the slingbox unless they're connected via VPN.

    #2: I want to guarantee the highest bandwidth possible. I want VOIP to have a higher priority than the Slingbox, but I only want these guarantees to apply when there are active connections. So if I want to guarantee that the Slingbox uploads at 2 Mbps I don't want other services that need to upload limited when there are no Slingbox connections active. When a user is on the OPT interface not via VPN I would expect that it would not go through the WAN and thus the user's download speed would not be limited by the WAN upload speed. Also, since I currently cannot figure out how to solve number one I am able to access the slingbox via the LAN interface, but what I would expect is to see streaming at around 3 Mbps, but I typically don't. I rarely see speeds higher than 1 Mbps. Why is this? It shouldn't be going through the WAN, should it? I figured they are both on this side of the router and thus should only be limited by the interface cards and since they're Gigabit cards I would expect 3 Mbps.

    Please help. I've been struggling for months to get this set up as desired.


  • First, what version of pfSense are you running?

    For the LAN accessing the OPT network, I am guessing that you have an allow all rule on the LAN? If so, then you need to modify that to say NOT OPT network. This will allow anything BUT the OPT network through the LAN.

    The shaper stuff depends on the pfSense version.

  • I'm running 2.0, but I just realized that there is the 2.0.1 maintenance release and thus will be upgrading to that release hopefully this evening.

    Can you explicitly write out the rule for blocking access from the LAN to the OPT? I have tried rules in the past and can't seem to get the right one. I figured since the LAN would be the initiator of the connection that it would go under the LAN tab and the destination would be any OPT address. Shouldn't that work?

  • I realized there are two other things that I want to set up.

    #1 On a different OPT network I want to limit the upload and download speed. I have successfully done this using limiters in the interface rules, but I want this along with all other interfaces to have lower priority than active VOIP and Slingbox connections.

    #2 I want to be able to remote desktop into my home computer, but I only want those on the LAN interface (where my computer lies) and those on a VPN network that tunnels to the LAN interface to have the ability to RDP.


  • Okay … the block. On the LAN tab set any protocol from LAN subnet any port to OPT subnet any port --- block. This rule MUST be ABOVE the allow all rule otherwise it is useless. Everything but float is first matching rule wins.

    You can also modify the allow all with a not opt subnet - pass ... this will allow everything but the opt subnet to pass.

    #1 ... then you need source based QOS/Traffic Shaping. These rules go in the floating tab. So you can write a queue that sets the priority to 3 and then write a floating rule to channel OPT2 subnet into that queue. I think you can still use limiters along with that.

    #2 ... If you block the entire subnet then you can write a rule above the block that allows just your computer's IP RDP access into OPT and then you VPN the rest. Note that once you have VPN on you will have a new tab with a default block rule that you will need an allow rule in to pass VPN traffic.

  • Sorry for being a newbie, but can you give me step-by-step examples to your #1 and #2 answers please.

    It will be greatly appreciated!
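
The rule ordering discussed in the thread (block above the allow all rule, the "not OPT subnet" pass rule, and an RDP exception above the block), as an added example that is not part of any post and is not pfSense code: a small Python model of first-match-wins evaluation on one interface tab. The subnets, host addresses and the non-RDP port are constructed for illustration, and the default deny for unmatched traffic is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dst_port: Optional[int] = None  # None means any port
    invert_dst: bool = False        # models the "not" option on the destination

    def matches(self, src: str, dst: str, port: int) -> bool:
        def inside(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        dst_ok = inside(dst, self.dst) != self.invert_dst
        port_ok = self.dst_port is None or self.dst_port == port
        return inside(src, self.src) and dst_ok and port_ok

def evaluate(rules, src: str, dst: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied (assumed default)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "block"

# Constructed sample addressing, not taken from the thread
LAN, OPT = "192.168.1.0/24", "192.168.10.0/24"
LAN_HOST, RDP_HOST, OPT_HOST, INTERNET = "192.168.1.20", "192.168.1.50", "192.168.10.5", "8.8.8.8"

ALLOW_ALL = Rule("pass", LAN, "any")
BLOCK_OPT = Rule("block", LAN, OPT)

block_first = [BLOCK_OPT, ALLOW_ALL]   # block above allow all: LAN cannot reach OPT
block_last = [ALLOW_ALL, BLOCK_OPT]    # block below allow all: never reached
inverted = [Rule("pass", LAN, OPT, invert_dst=True)]  # pass everything except OPT
# Single host allowed RDP (TCP 3389) into OPT, placed above the block
rdp_exception = [Rule("pass", RDP_HOST + "/32", OPT, dst_port=3389)] + block_first

if __name__ == "__main__":
    for name, rules in [("block_first", block_first), ("block_last", block_last),
                        ("inverted", inverted), ("rdp_exception", rdp_exception)]:
        print(name, "LAN->OPT:", evaluate(rules, LAN_HOST, OPT_HOST, 80),
              "LAN->Internet:", evaluate(rules, LAN_HOST, INTERNET, 443))
```
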