[HOWTO] OPENVPN and traffic shaping GUIDE!

    topnotchit (last edited Jul 17, 2013, 1:06 AM), Jul 14, 2013, 3:30 PM

    I have made Traffic Shaping work!  Here is my Guide, I hope it helps others. 
    (This may need some tweaks for optimization, but this is working!)

    Assumptions:

    1. This guide traffic shapes WAN & OPENVPN traffic, but this guide can be used without an OPENVPN interface.  Just follow the same guidelines.
    2. The rules are applied from the perspective of the interface, not the standard traffic shaping rules like dd-wrt has. (see note 1 below)

    Environment
    PFSENSE: 2.0.3
    WAN: PPPoE Single ADSL 3000/500 Mbps
    LAN: Single private LAN (192.168.1.x /24)
    OPENVPN Client: Enabled and Working

    • Keep in mind, the "WAN" in the diagram below is the same single PPPoE ADSL WAN link
    • I do not need VOIP or PS3 traffic encrypted, so I created a rule to run it to the WAN interface directly.

    Client --> LAN --> WAN --> Internet  (this is the path for VoIP and PS3)
                    |
                    +--> OPENVPN --> WAN --> Internet  (this is the path for all other traffic)

    GOAL:
    Prioritize traffic as follows

    1. VOIP
    2. PS3
    3. Almost all remaining traffic
    4. Finally cloud Backup traffic

    Step 1:
    Here is how to accomplish this.  Run the traffic shaper wizard.  I chose 2 WAN interfaces: 1 for WAN and 1 for OPENVPN.  Obviously, select one if you only have a WAN and no OPENVPN.

    It should look like this:

    Step 2:
    Open each one and make the section look something like this.

    Here are mine (queue name – priority / link share %):
    qACK – 6 / 20%
    qDefault – 3 / 25% (checked as default also)
    qOthersHigh – 4 / 15%
    qOthersLow – 2 / 10%
    qVOIP – 7 / 20%

    Step 3:
    Ensure your bandwidth is set up correctly:
    WAN and OPENVPN interface should have the same bandwidth settings.  In my case, my 500 Mbps is actually 400 Mbps (speedtest.net), so I chose 390 as my limit.

    Step 4:

    Now jump on over to Firewall rules. Go to LAN interface.
    In my case, I added 2 simple rules to send my LAN source IPs to the WAN directly.

    Step 5:
    Add a rule for your cloud backup provider.  Make sure you add it by destination IP or network to the OPENVPN interface.
    Now add the default LAN path to the openVPN interface.  Should look something like this when it is done.

    Step 6:
    Now jump on over to the floating rules.  Add them like this.  Pay special attention to Note #1 & #2 below.  TCP with qACK/Queue and UDP with just Queue.  Now since this is being applied to the WAN, local IP addresses will not work.  So add the internet IPs of your destination or ports for your destination services.

    Put your bulk cloud backup servers in the low queue
    Put VOIP in the VOIP queue
    Put PS3 traffic in the High queue

    Special notes

    1. Actions should be queue
    2. Make sure NO interfaces are selected
    3. Directions ANY
    4. Protocol  TCP or UDP, not both
    5. Destination is the internet IP, not your LAN addresses
    6. Select the queue

    Step 7:
    Now jump over to Diagnostics and States and reset the states.  It takes about 2 minutes for the router to come back to life.

    Results
    Cloud backup traffic and normal web traffic goes to the OPENVPN interface.  Cloud traffic is low priority compared to the regular traffic.
    All OPENVPN traffic dumps into the WAN qDefault queue.

    The VOIP and PS3 queues have a higher priority than the WAN qDefault, thus they take priority over all the other traffic.

    Notes:

    1) Rules must be from the perspective of the interface
    In DD-WRT you could set a rule like this:
    VOIP LAN MAC address / IP address is priority Premium
    PS3 LAN MAC address / IP address is priority Express
    All other LAN MAC addresses / IP addresses are priority Standard
    P2P/Backup LAN MAC address / IP address is priority Bulk

    This would make those internal devices priority on all WAN connections.  SIMPLE!

    This simplicity does not work with PFSENSE!  This was a very frustrating part to learn.  Since rules are from the perspective of the interface, the internal IP or MAC addresses of your LAN devices do not exist on the outside of your NATed WAN interface.  Thus the rule will never get applied. 
    Your rules would need to look like this:
    WAN IP address (source IP or port) ⇒ Internet address (source IP or port)
    Not like this:
    LAN IP address (source IP or port) ⇒ Internet address (source IP or port)

    2) Must have separate Floating rules for TCP and UDP traffic
    So I learned that if you have a TCP/UDP rule that has a queue set up like qACK/qVOIP and your traffic is UDP, all the VOIP traffic gets sent over the qACK queue.  You don't want this.  So create 2 rules:
    UDP floating rule with a queue like none/qVOIP
    TCP floating rule with a queue like qACK/qVOIP
    Do NOT create a rule like:
    TCP/UDP floating rule with a queue like qACK/qVOIP
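
    The following is an added example, not part of topnotchit's post and not pfSense code: a small linter that checks a planned set of floating shaper rules against the pitfalls the post describes (Notes 1 and 2 and the "Special notes" list) before they are entered in the GUI. The queue table, the `FloatingRule` fields and the sample destinations are constructed for the example; the queue names and priorities are the ones from Step 2.

```python
# Added example (not from the post or from pfSense): lint a planned
# pfSense floating-rule set against the post's notes before using the GUI.
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the five queues from Step 2 as name -> (priority, link-share %).
QUEUES = {"qACK": (6, 20), "qDefault": (3, 25), "qOthersHigh": (4, 15),
          "qOthersLow": (2, 10), "qVOIP": (7, 20)}
# RFC 1918 space: a floating rule on the WAN never sees these as destinations (Note 1).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class FloatingRule:                 # hypothetical model of one floating rule
    name: str
    proto: str                      # "tcp", "udp" or "tcp/udp"
    destination: str                # "any", an IP or a CIDR network
    ack_queue: str                  # "none" or a queue name
    queue: str
    interfaces: list = field(default_factory=list)
    direction: str = "any"

def check_queues(queues):
    """Child link-share percentages must not exceed 100% of the parent interface."""
    total = sum(share for _, share in queues.values())
    return [] if total <= 100 else [f"link-share totals {total}%, exceeds 100%"]

def check_rule(rule, queues):
    """Return the list of problems for one rule; an empty list means it follows the notes."""
    problems = []
    if rule.proto == "tcp/udp" and rule.ack_queue != "none":
        problems.append("note 2: TCP/UDP rule with an ACK queue puts UDP into the ACK queue; split it")
    if rule.proto == "udp" and rule.ack_queue != "none":
        problems.append("UDP has no ACKs: ack queue should be none")
    if rule.interfaces:
        problems.append("special note 2: no interfaces may be selected")
    if rule.direction != "any":
        problems.append("special note 3: direction must be any")
    for q in (rule.ack_queue, rule.queue):
        if q != "none" and q not in queues:
            problems.append(f"unknown queue {q}")
    if rule.destination != "any":
        net = ipaddress.ip_network(rule.destination, strict=False)
        if any(net.overlaps(p) for p in PRIVATE):
            problems.append("note 1: destination is a LAN address; the WAN only sees Internet IPs")
    return problems

def lint(queues, rules):
    """Map each offending rule name (or 'queues') to its problems; empty dict means clean."""
    report = {}
    queue_problems = check_queues(queues)
    if queue_problems:
        report["queues"] = queue_problems
    for rule in rules:
        rule_problems = check_rule(rule, queues)
        if rule_problems:
            report[rule.name] = rule_problems
    return report
```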
