Guarantee VPN Bandwidth - possible?

  • We are planning to replace our WatchGuard equipment with pfSense, yeah!  A specific feature that I need is the ability to shape traffic so that I can dedicate 80% of our traffic to a specific VPN connection (we have multiple VPN connections) and everything else gets 20% of the traffic.

    My question is: Can I setup a traffic shaping profile/rule so that I can dedicate a certain amount of bandwidth to a specific VPN connection when using pfSense 2.x?

    Thank you in advance for your time and consideration of my question.

  • I have tried to do the same with 2 pfsense boxes running a site2site vpn without success  :(.

    After searching in the forum, I only found one working solution: you have to put your vpn server/client behind pfsense and shape the incoming or outgoing ports of your vpn server/client.

  • @saxonbeta:

    Thank you for responding.  That sounds like a fairly complicated setup and the use of a second pfSense box. :(  Am I correct?

  • It depends on the type of connection.  Site to site or Road Warrior?  If it's site to site, then you either use the specific IP of the remote end or a hostname alias.
    Use the alias/IP as the source or destination address in the shaper rule depending on whether you're shaping for upload or download.

    You will likely need to shape using floating rules.  As an example, if you have the remote VPN endpoint (server) at

    Then you will need to set up a host alias with
    Set up a floating rule with 'WAN' as interface and direction 'OUT'.  Select Destination host as the alias or IP (for static IPs).
    Select the protocol and destination port as per the type of VPN connection you have.  If it's OpenVPN, it's UDP 1149 by default.  Then set the traffic shaper queues accordingly and you'll have your upload shaper rule.

    For download, set another rule.  This time using 'WAN' as interface, direction 'IN'.  Select the protocol but this time set the alias & port for 'source' instead.

  • @dreamslacker:

    Thanks, I apologize, I should have specified the type of VPN connection; in my case it will be OpenVPN S2S.  I will use a spare laptop I have here to test your suggestion and see how it goes.  I will report back soon.  Thanks!

  • dreamslacker:

    Thank you for your great reply.  I have the new router in place and am finalizing my plan to shape the bandwidth properly but I'd like to run some things by you, and others, to create a bit of a brain-trust on this before I actually try it.

    I'm thinking of creating limiters as follows:

    VPNInLimiter -> 10 Mbps -> Mask:None -> Delay:0 -> LossRate:0 -> Queue:empty -> Bucket:empty
    VPNOutLimiter -> "all the same settings as above"
    GeneralInLimiter -> 5 Mbps -> Mask:None -> Delay:0 -> LossRate:0 -> Queue:empty -> Bucket:empty
    GeneralOutLimiter "all the same as settings above"

    So basically, I'd be providing the VPN a dedicated 10 Mbps and everything else would go to the GeneralXLimiter pipes.  I'd then like to add standard shaping to the GeneralXLimiter pipes to ensure QoS is working properly within that 5 Mbps.

    I think what dreamslacker said would work by using the alias and firewall rules to assign the VPNs to the specified limiters.  Any thoughts out there on this?
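    As an added illustration (not posted by anyone in this thread, and not pfSense's generated config), here is what dreamslacker's alias plus floating-rule approach and the 10 Mbps / 5 Mbps split from the last post look like when written as a FreeBSD pf.conf fragment, which is the rule language pfSense 2.x compiles the GUI settings into.  It assumes a 15 Mbps link, WAN on em0, LAN on em1, a remote OpenVPN peer at the documentation address 203.0.113.10 on OpenVPN's default port UDP 1194, and the HFSC scheduler; ALTQ queues give a bandwidth guarantee, whereas limiter pipes only cap a flow, so the queue form is closer to "guarantee" than the limiter plan.

```pf
# Added example, not from the thread. Interface names, link speed and peer
# address are assumptions; the peer address is a documentation address.
ext_if = "em0"          # WAN
int_if = "em1"          # LAN
link_bw = "15Mb"

# Host alias for the remote OpenVPN endpoint (GUI: Firewall > Aliases).
table <vpn_peers> { 203.0.113.10 }

# Upload side: HFSC on WAN, VPN class guaranteed 10 Mb/s, the rest 5 Mb/s.
altq on $ext_if hfsc bandwidth $link_bw queue { qVPN, qGeneral }
queue qVPN     on $ext_if bandwidth 10Mb hfsc(realtime 10Mb)
queue qGeneral on $ext_if bandwidth 5Mb  hfsc(default)

# Download side: ALTQ only schedules egress, so the same queue names are
# defined on LAN, where inbound VPN traffic leaves the firewall.
altq on $int_if hfsc bandwidth $link_bw queue { qVPN, qGeneral }
queue qVPN     on $int_if bandwidth 10Mb hfsc(realtime 10Mb)
queue qGeneral on $int_if bandwidth 5Mb  hfsc(default)

# Floating rule, interface WAN, direction OUT: destination is the alias and
# the OpenVPN port; matching packets are tagged for qVPN.
pass out quick on $ext_if proto udp from any to <vpn_peers> port 1194 queue qVPN

# Floating rule, interface WAN, direction IN: alias and port as *source*.
# The queue tag is honoured when the packet leaves on $int_if.
pass in quick on $ext_if proto udp from <vpn_peers> port 1194 to any queue qVPN

# Anything else leaving WAN falls into the default (qGeneral) queue.
pass out on $ext_if all
```

    After loading, `pfctl -vsq` shows per-queue packet and byte counters, which is the quickest way to confirm VPN packets are landing in qVPN rather than the default queue.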
