Shaping with multiple LANs and different priorities.



  • I'm trying to set up a traffic shaper for three different internal networks all living on their own NIC and subnet for my backpackers hostel.

    On the WAN side I have around 8 MB/s bandwidth (coming from another pfSense box with MultiWAN: two x 3 MB/s and one x 2.5 MB/s connections).

    On the internal side I have the office, "clients" and a WiFi.
    The office LAN should have priority over any other traffic.
    In the office LAN we have http/https traffic that should take priority over anything else, I need webmail and web based "online travel agency"-services (https) for reservations.
    One computer is used to stream sports events to the bar, that PC should get priority over everything else if it needs it, but does not need much traffic if it's not streaming.
    We connect our laptops to this LAN too; those laptops use bittorrent, and this bittorrent traffic should be fast when bandwidth is available, but browsing and Skype traffic from other networks should take priority.

    The "clients" LAN is an "Internet Cafe Style" setup. Currently this consists of 7 PCs running Windows XP and Windows 7; these PCs should generally have the 2nd highest priority.
    They should only be used for web browsing and Skype.
    Web browsing should include any web applications and flash streaming (YouTube or news websites streaming).

    The WiFi is for guests to access the web with their devices (currently looks as if I have some 120 DHCP leases on the WiFi, about 2/3 of them online).
    Anything should be allowed; p2p traffic should be throttled as much as necessary, Skype and web browsing (including YouTube and similar) should be prioritized, and bigger downloads should give away bandwidth if other connections need it.

    I ran the Traffic Shaping Wizard and would need some help to tweak the queues to complete the above.

    The shaper set up queues for "LAN" (the office), "CLIENTS", "WIFI" and "WAN", the internal ones all with the children "qLink" and "qInternet".
    "qInternet" with the children of "qACK", "qP2P", "qOthersHigh" and "qOthersLow".
    The "WAN" queue has the children "qACK", "qDefault", "qP2P", "qOthersHigh" and "qOthersLow".

    To succeed with my setup I think all child queues should have proper names according to which subnet they belong to, e.g. "qLAN_Internet", "qLAN_ACK", "qWIFI_P2P" etc.
    I am not sure about the "qLink" queues, nor whether I should change anything about the root level queues (LAN, CLIENTS, WIFI, WAN) or about their default setup. Scheduler Type should be left at HFSC for all, but should I assign a minimum "Bandwidth" here? Usually a minimum would be assigned with "Realtime" (?), but that's not available.

    Unfortunately the Wizard didn't set up many rules apart from sending loads of traffic to "qACK/qOthersHigh" in the "floating" part, including http, https, smtp, pop etc.; others are only going to "qOthersHigh" without passing anything to the "qACK" queue, e.g. "m_Other ICQ2 outbound".

    I am wondering:

    • if new rules I have to set up for traffic coming from a certain subnet should go into the floating tab or into the corresponding NIC tab?
    • if I should set up special queues for http/https; if I want to limit traffic on bigger downloads, I guess I have to use the "Service Curve", and what should this rule look like?
    • what a p2p rule would look like?
    • where I can find out about Layer7 shaping to make sure Skype traffic gets through as quickly as necessary.

    Any help appreciated!

    Thanks



  • You cannot shape multiple LAN interfaces without setting a hard limit on each LAN interface. The set of queues on each interface is independent of the others, and each set will assume it has the full downstream speed available to it.

    Either limit the downstream speed on each interface so that the total is less than your actual downstream speed, or use a separate bridged mode transparent firewall between your LAN and pfSense to shape the traffic as a whole.
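    A pf.conf rendering of the first option, added here as an example; it is not part of the thread and not the rule set pfSense's wizard generates. The interface names vlan2/vlan3/vlan4, the 192.168.x.0/24 subnets, the streaming PC's address and the 3 Mb / 2 Mb / 2.5 Mb split are all assumptions, and the original poster's 8 MB/s figure is taken as roughly 8 Mb of downstream. The three per-interface limits add up to 7.5 Mb, so even though each tree believes it owns its whole link, the three together cannot oversubscribe the uplink; HFSC realtime gives the streaming PC and web traffic a guaranteed floor, and upperlimit caps p2p while still letting it borrow idle capacity.

```pf
# Added example (not from the thread): one independent HFSC tree per LAN
# interface, each with a hard limit. 3 + 2 + 2.5 = 7.5 Mb, below ~8 Mb downstream.
# Interface names, subnets, the streaming host and the split are assumptions.

office_net = "192.168.2.0/24"
cafe_net   = "192.168.3.0/24"
wifi_net   = "192.168.4.0/24"
stream_pc  = "192.168.2.50"    # assumed address of the bar streaming PC

# Office LAN: downstream leaves pfSense on vlan2, so the limit lives here.
altq on vlan2 bandwidth 3Mb hfsc queue { qLAN_ACK, qLAN_Stream, qLAN_Web, qLAN_Default, qLAN_P2P }
queue qLAN_ACK     bandwidth 10% hfsc(realtime 5%)
queue qLAN_Stream  bandwidth 30% hfsc(realtime 25%)      # guaranteed floor while streaming
queue qLAN_Web     bandwidth 30% hfsc(realtime 15%)      # webmail and OTA https
queue qLAN_Default bandwidth 20% hfsc(default)
queue qLAN_P2P     bandwidth 10% hfsc(upperlimit 60%)    # borrows idle capacity, never above 60%

# Client (internet cafe) LAN
altq on vlan3 bandwidth 2Mb hfsc queue { qCLIENTS_ACK, qCLIENTS_Web, qCLIENTS_Default }
queue qCLIENTS_ACK     bandwidth 10% hfsc(realtime 5%)
queue qCLIENTS_Web     bandwidth 60% hfsc(realtime 30%)
queue qCLIENTS_Default bandwidth 30% hfsc(default)

# Guest WiFi: p2p capped hard, everything else shares the remainder.
altq on vlan4 bandwidth 2500Kb hfsc queue { qWIFI_ACK, qWIFI_Web, qWIFI_Default, qWIFI_P2P }
queue qWIFI_ACK     bandwidth 10% hfsc(realtime 5%)
queue qWIFI_Web     bandwidth 50% hfsc(realtime 20%)
queue qWIFI_Default bandwidth 35% hfsc(default)
queue qWIFI_P2P     bandwidth  5% hfsc(upperlimit 15%)

# Queue assignment goes on the interface rules, not the floating tab: a state
# created here sends its reply traffic (the downstream) into the named queue
# on that same VLAN. The second queue name receives pure ACKs.
pass in quick on vlan2 proto tcp from $stream_pc  to any queue (qLAN_Stream, qLAN_ACK)
pass in quick on vlan2 proto tcp from $office_net to any port { 80, 443 } queue (qLAN_Web, qLAN_ACK)
pass in quick on vlan2 from $office_net to any queue (qLAN_Default, qLAN_ACK)
pass in quick on vlan3 proto tcp from $cafe_net to any port { 80, 443 } queue (qCLIENTS_Web, qCLIENTS_ACK)
pass in quick on vlan3 from $cafe_net to any queue (qCLIENTS_Default, qCLIENTS_ACK)
pass in quick on vlan4 proto tcp from $wifi_net to any port { 80, 443 } queue (qWIFI_Web, qWIFI_ACK)
pass in quick on vlan4 from $wifi_net to any queue (qWIFI_Default, qWIFI_ACK)
```

    Nothing here classifies p2p traffic into the qLAN_P2P and qWIFI_P2P queues; those queues only exist so that whatever rule eventually identifies it (the Layer7 question in the original post is not answered in this thread) has somewhere to send it. Percentages of child queues are relative to the parent limit, so the qLAN_* shares are fractions of 3 Mb, not of the 8 Mb uplink.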



  • I have a very similar problem (also a B&B) but simpler in what I want to create.
    One WAN and only 2 LAN physical connections, one to a SOHO and the second to a free open WiFi for the B&B clients.

    I only want to give priority to the traffic coming from and into the SOHO over the WiFi as a whole, without going into changing the priority of a single protocol, hopefully without starving the WiFi.

    If I set hard limits on the WiFi, then in times where there is no usage in the SOHO, I just give bad service.

    Is there no way of prioritizing one LAN over the other, with maybe setting a minimum limit so as not to totally starve the one who is given the low one?



  • No, you can't directly do this using traffic shaping queues (it may be possible with other stuff like limiters, but I don't know anything about those in pfSense). You need two routers for this (or simulate two routers by creating appropriate additional interfaces). All your queues should be defined between the WAN and Internet GW interfaces. You can check the source address on the Internet GW interface rules to identify LAN1 and LAN2 traffic and queue them appropriately.

    Your clients should all use LAN GW address as their default gateway and LAN GW should be routed not double-NATed to Internet GW. The Outbound NAT rules on WAN should allow traffic sourced from LAN1 & LAN2.
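    A pf.conf rendering of this two-router layout, added as an example rather than the poster's configuration: em0 is the Internet GW's uplink, em1 its link to LAN GW (10.0.0.1 on the Internet GW side, 10.0.0.2 on LAN GW), and the two /24s behind LAN GW, the 8 Mb downstream and the 1 Mb upstream are all assumptions. Because every packet for either LAN crosses em1, one HFSC tree there sees the whole downstream, and source-address matching sorts SOHO from WiFi; the realtime curve on the WiFi queue is the minimum that keeps it from being starved, while the SOHO queue takes everything the WiFi leaves idle, so no hard limit is needed on either LAN.

```pf
# Added example (not from the thread): one HFSC tree on each side of the
# Internet GW with identical queue names, so a single rule per LAN shapes both
# directions; the source address picks SOHO vs WiFi. Interfaces, addresses,
# subnets and the 8 Mb down / 1 Mb up speeds are assumptions.

wan_if = "em0"            # Internet GW uplink
lan_if = "em1"            # link to LAN GW (10.0.0.1 here, 10.0.0.2 on LAN GW)
soho   = "192.168.2.0/24"
wifi   = "192.168.4.0/24"

# Downstream tree: every packet for either LAN leaves on em1.
altq on $lan_if bandwidth 8Mb hfsc queue { qSOHO_ACK, qSOHO, qWIFI_ACK, qWIFI }
queue qSOHO_ACK on $lan_if bandwidth 10% hfsc(realtime 5%)
queue qSOHO     on $lan_if bandwidth 60% hfsc(default)       # absorbs whatever WiFi leaves idle
queue qWIFI_ACK on $lan_if bandwidth  5% hfsc(realtime 3%)
queue qWIFI     on $lan_if bandwidth 25% hfsc(realtime 15%)  # 15% floor: WiFi is never starved

# Upstream tree: same names on the uplink, smaller link.
altq on $wan_if bandwidth 1Mb hfsc queue { qSOHO_ACK, qSOHO, qWIFI_ACK, qWIFI }
queue qSOHO_ACK on $wan_if bandwidth 10% hfsc(realtime 5%)
queue qSOHO     on $wan_if bandwidth 60% hfsc(default)
queue qWIFI_ACK on $wan_if bandwidth  5% hfsc(realtime 3%)
queue qWIFI     on $wan_if bandwidth 25% hfsc(realtime 15%)

# Routed, not double-NATed: the Internet GW needs a static route for each LAN
# subnet via 10.0.0.2 (outside pf.conf), and only the uplink translates.
# Outbound NAT admits both subnets, as the post above requires.
nat on $wan_if from { $soho, $wifi } to any -> ($wan_if)

# Classification on the inside-interface rules: the queue pair attached to a
# state is used for that state's packets in both directions, looked up by name
# on whichever interface the packet leaves. The second name carries ACKs.
pass in quick on $lan_if from $soho to any queue (qSOHO, qSOHO_ACK)
pass in quick on $lan_if from $wifi to any queue (qWIFI, qWIFI_ACK)
```

    With SOHO idle, the WiFi queue's linkshare lets it grow to the full link; with both busy, SOHO gets its 60% share plus the ACK floors, and WiFi still holds at least the 15% realtime guarantee. Defining the same queue names on both interfaces is what makes one rule per LAN sufficient; a queue name that does not exist on the outgoing interface silently falls back to that interface's default queue.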

    
                                                 /====LAN1
    WAN====Internet GW====LAN GW1/2 VLAN/Physical
                                                 \====LAN2
    
    


  • Any hint on how to go about the "transparent bridge" to be able to shape?

    I put my 3 LAN connections all in VLANs now, so that they all connect to the pfSense box on one physical NIC.

    
                                                 /====VLAN2 = Internal LAN
    pfSense-NIC=== VLAN2+3+4 =Managed Switch  ====VLAN3 = Client LAN
                                                 \====VLAN4 = WiFi LAN
    
    

    So now I would need to bridge that NIC to another interface and then shape on that interface?
    What do I have to do to get that Bridge working?

