Shape Lan Interface Traffic coming to pfsense from the lan

  • I would like to be able to prioritize traffic with UDP 10000-10020 and tcp/udp 5060 coming IN on the Lan Interface.

    The reasoning is this. I have an HQ router and Five branch offices. All of the branches have UDP tap OpenVPN tunnels going back to HQ with OSPF to route everything.

    Each branch has VoIP phones. Each branch also has to access our HQ servers via AFP and SMB. I need to make sure the VoIP phone packets are always sent down the tunnel FIRST. I can't shape directly on the OpenVPN interface, so this is the only way I can think of making this work.

    I have tried floating rules on the lan interface to assign a Queue for all Inbound Traffic to those ports above, clear the states, and make a call. I check the queue status page and none of the lan queues are being used.

    If anyone has had any success traffic shaping before hitting the OpenVPN tunnel, I'd appreciate some help.

  • After gaining the absolute that queues only apply on outgoing traffic, period, I may have found a solution, and so far so good. I shaped all of the tunnels to have their fair share and I shaped the traffic going out the lan interfaces on both sides from all traffic originating from one of the other branch subnets. All of my major issues vanished. All of the TCP is taking the hit while the UDP has enough room to make it through. Not the most ideal, but I'm going to continue to work on it. How I long for the days when fiber connections will be readily available everywhere…

  • I take it back, this turned into the most ideal setup. After a week of bashing my head against the wall and stumbling across 6 bugs in pfSense (I'll check on them when I get some time and submit them if they haven't been submitted already), everything has been working perfectly. After sitting down and rethinking this entire thing, shaping on the outgoing lan interface at all the routers is the only way to accomplish shaping with OpenVPN tunnels on pfSense. I will detail my findings if requested.

  • @awesomo:

    I will detail my findings if requested.

    I'm interested in your findings.

  • HQ Router SPEED 50/5, static ip:
    Floating Rules to send the UDP OpenVPN tunnel to qRemote_Site_#
    Floating Rules to send VoIP udp to realtime voip queue for that remote location.
    Floating Rules to sort all other udp and tcp data to the data queue for that remote location.


    • qACK 15%
      qDefault 5%
      qP2P 1% Max capped
      qOthersHigh 5%
      qOthersLow 2%
      qRemote_Site_1 14.4%
      qRemote_Site_2 14.4%
      qRemote_Site_3 14.4%
      qRemote_Site_4 14.4%
      qRemote_Site_5 14.4%


    • qLink
      qACK 20%
      qP2P 5%
      qOthersHigh 10%
      qOthersLow 5%
      qRemote1_Data 400Kb min 700Kb Max
      qRemote1_VoIP 115Kb realtime
      These values below are all based on the 30/4 connections at all of my other remote sites.
      qRemote2_Data 3000Kb min, 3500Kb Max
      qRemote2_VoIP 256Kb Realtime
      qRemote3_Data 3000Kb min, 3500Kb Max
      qRemote3_VoIP 256Kb Realtime
      qRemote4_Data 3000Kb min, 3500Kb Max
      qRemote4_VoIP 256Kb Realtime
      qRemote5_Data 3000Kb min, 3500Kb Max
      qRemote5_VoIP 256Kb Realtime

    Remote Router SPEED 15/1, static ip. As you can see, I don't care much about them doing things on the internet; that 1mbit upload I was stuck with is very precious here:
    Floating rules to queue all traffic from all remote subnets coming from the tunnel in FROM_HQ_TUNNEL
    Floating rules to queue all traffic going to the tunnel to queue in HQ_TUNNEL_OUT (Set the rule for UDP traffic on whatever port you are using for openvpn for that tunnel on the HQ router)

    • qACK 10%
      qDefault 2%
      qP2P 1% hard
      qOthersHigh 5%
      qOthersLow 2%
      qHQ_TUNNEL_OUT 80% Realtime


    • qLink
      qACK 20%
      qP2P 5% HARD
      qOthersHigh 10%
      qOthersLow 5%
      FROM_HQ_TUNNEL 1.25mbit realtime 4mbit max

    That's the gist of it. I am open to any constructive feedback. I am always looking for a way to improve. But thus far, the complaints about timeouts and choppy voice have ceased since Wednesday.
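The HQ layout in the post above, written out in roughly the pf.conf form that pfSense's shaper queues and floating "match" rules are rendered to. This is an added illustration, not the poster's exported config: interface names, branch subnets, peer addresses and OpenVPN ports are assumed placeholders, and only two of the five branches are shown.

```pf
# Added illustration (not the poster's exported config). Interface names,
# branch subnets, peer addresses and OpenVPN ports are assumed placeholders.
wan       = "em0"               # 50/5 link: only the 5 Mbit upload is shaped here
lan       = "em1"               # HQ server LAN, shaped at 50 Mbit (the download side)
site1_net = "10.1.1.0/24"       # assumed branch subnets, reached through the tunnels
site2_net = "10.1.2.0/24"
site1_pub = "198.51.100.1"      # assumed branch public IPs (OpenVPN peers)
site2_pub = "198.51.100.2"
voip      = "{ 5060, 10000:10020 }"   # SIP and the RTP range from the first post

# WAN: queues only act on packets leaving the interface, so the only tunnel
# traffic visible here is the encapsulated OpenVPN UDP towards each branch.
altq on $wan hfsc bandwidth 5Mb queue { qACK, qDefault, qP2P, qOthersHigh, \
    qOthersLow, qRemote_Site_1, qRemote_Site_2 }
queue qACK           bandwidth 15%   hfsc
queue qDefault       bandwidth 5%    hfsc(default)
queue qP2P           bandwidth 1%    hfsc(upperlimit 1%)
queue qOthersHigh    bandwidth 5%    hfsc
queue qOthersLow     bandwidth 2%    hfsc
queue qRemote_Site_1 bandwidth 14.4% hfsc
queue qRemote_Site_2 bandwidth 14.4% hfsc

# LAN: decapsulated branch packets leave this interface towards the HQ servers,
# which is why the per-branch data and VoIP queues live here and not on WAN.
altq on $lan hfsc bandwidth 50Mb queue { qLink, qACK, qP2P, qOthersHigh, qOthersLow, \
    qRemote1_Data, qRemote1_VoIP, qRemote2_Data, qRemote2_VoIP }
queue qLink          bandwidth 30%    hfsc(default)
queue qACK           bandwidth 20%    hfsc
queue qP2P           bandwidth 5%     hfsc(upperlimit 5%)
queue qOthersHigh    bandwidth 10%    hfsc
queue qOthersLow     bandwidth 5%     hfsc
queue qRemote1_Data  bandwidth 400Kb  hfsc(upperlimit 700Kb)
queue qRemote1_VoIP  bandwidth 115Kb  hfsc(realtime 115Kb)
queue qRemote2_Data  bandwidth 3000Kb hfsc(upperlimit 3500Kb)
queue qRemote2_VoIP  bandwidth 256Kb  hfsc(realtime 256Kb)

# Floating "match" rules: they tag the state with a queue and leave pass/block
# to the normal rules. The last matching match rule wins, so the VoIP rules
# must come after the catch-all data rule for the same branch.
match out on $wan proto udp to $site1_pub port 1194 queue qRemote_Site_1
match out on $wan proto udp to $site2_pub port 1195 queue qRemote_Site_2
match out on $lan from $site1_net queue (qRemote1_Data, qACK)
match out on $lan proto { tcp udp } from $site1_net port $voip queue qRemote1_VoIP
match out on $lan proto { tcp udp } from $site1_net to any port $voip queue qRemote1_VoIP
match out on $lan from $site2_net queue (qRemote2_Data, qACK)
match out on $lan proto { tcp udp } from $site2_net port $voip queue qRemote2_VoIP
match out on $lan proto { tcp udp } from $site2_net to any port $voip queue qRemote2_VoIP
```

The WAN rules can only see the tunnel as a whole, because the VoIP packets are already encapsulated by the time they leave that interface; the port-based VoIP split is only possible on the LAN side, where the branch traffic has been decapsulated, which is the reason the post shapes on the outgoing LAN interface.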

  • This was working and I think I hit a bug, but I am not sure exactly what it is or why it happened.

    I had the initial 5 remote sites and their respective queues. I had floating rules to direct all the traffic to the queues for each site. I added in a 6th site, a 6th set of queues and a 6th set of floating rules, and now ALL OpenVPN traffic destined for HQ's lan is ignoring the queue assignments in the floating rules. All traffic is going to qlink or qack on the lan interface and I haven't found out why just yet.

    Floating rules that apply to traffic going out the wan, or going out the lan with traffic from the lan, are still categorized to the correct queues.

    I am absolutely stumped right now and this is a network in use 24/7 so I can't constantly try things to fix it. I am going to have to set up a lab on ESXi and try to figure out what the heck is going on.

    That is, unless someone else out there knows?

    I still haven't found a way to prioritize OSPF packets yet either since they never touch the wan. I don't think there is a way. The way I have dealt with OSPF packet loss was raising the dead timers to 5 minutes, far from optimal, but it works for this setup.
