Traffic Shaping Queues Help for Single WAN/Dual LAN



  • Hi all,

    I'm attempting to do something like this: http://elgwhoppo.com/2013/09/04/pfsense-lan-party-qos-1-3-individually-limited-tcp-streams/

    My Config:
    pfSense 2.1
    Atom D525 / 3GB

    • re0 - WAN - 30 Mb/s / 5 Mb/s

    • re1 - LAN - 1 GbE

    • re2 - LAN2 - 1 GbE

    What I am trying to prioritize it by:

    • Messengers - MSN/Skype, etc

    • OpenVPN clients running on some boxes

    • Remote Management - RDP/VNC/TeamViewer/Telnet, etc

    • Games

    • HTTP/HTTPS

    • FTP

    • All other LAN traffic

    • All other LAN2 traffic

    • P2P - BitTorrent, etc

    I had a traffic shaping setup previously, but I guess it doesn't really work well for my new WAN bandwidth constraints. I suppose that before, when I had Verizon FiOS, I didn't notice the obscene latency when downloading large files or using BitTorrent because of the faster speed. It's pretty noticeable on this slow TimeWarner Cable connection :(

    I'd like to try to keep latency as low as possible and still (hopefully) be able to download and seed torrents at a reasonable rate.

    I've read through a number of threads here and via Google, and in addition the wiki, but it sort of flew over my head.

    I'm not going as far as asking for hand-holding though that would be nice, but any replies that can help educate me on how I could approach this setup would be awesome!

    Thanks!



  • If I might add, the wizard-based setups I've tried thus far are throttling the various types of queues at the limit entered into the wizard.

    While it would be nice to put a hard limit or guarantee of bandwidth to certain queues, I'm wondering is it possible to have ALL queues use up all available bandwidth if it's being underutilized?  This includes the P2P queue.



  • Going back to basics, even if the wizard offers a "dual LAN" scenario, it doesn't really work the way you would expect. The reason is that you cannot have a queue that applies to both LANs simultaneously, and since download is shaped on the LAN side, this means that it will only be effective at shaping upload…

    Unless you bridge both LANs and apply the shaper to it.



  • Really? :(

    I think generally a set of basic rules to shape upstream would be fine.  As long as the bulk queue(s) don't consume more than what's needed for ACK which I'm calculating at around 20% of upload bandwidth, I should be OK.  The latency to the ISP's gateway only increases about 100ms in these circumstances which is negligible for my purposes.

    When the bulk queues are doing connection-heavy stuff though (i.e. BitTorrent) that maxes out the downstream, then stuff starts hurting pretty badly.

    So based on what you shared, there isn't any way to independently shape two LANs?  If I bridge both LANs to apply one set of queues to both LANs, wouldn't that also mean that my segregated subnets can now see each other without additional methods such as a VPN between subnets?  That wouldn't be ideal for my use case…



  • The way you can get it to work is to specify a download cap on each of your downstream interfaces, so that the sum does not exceed the available bandwidth. If you have 30 Mb/s for downstream, you could assign for example 10 to one interface and 20 to another. This is not efficient since that is a hard limit: it doesn't matter whether the other interface is actually using bandwidth or not, this won't be exceeded.

    I believe the wizard will assign the full bandwidth to each LAN, but this means that at some given time you could have both LANs trying to download 25 Mb/s each (50 overall), exceeding the real bandwidth and violating the #1 principle for shaping to be effective (always limit bandwidth slightly below your real amount, so queuing occurs at your own router where you can control it, and not at some other device at your ISP's end).

    Real solutions to this at the time:

    • Use another pfSense in front of the other one, to shape based on the origin and destination subnets
    • Bridge the interfaces so you can apply the shaper to the bridge as a whole (you can still somewhat control traffic among them but it is more a clever hack than real networking stuff)
    • Use VLANs on the same physical interface

    As you can see, all of them are based on the principle of applying the shaper to a single physical interface.



  • I'm not saying it works in pfSense because I haven't tried it.  But if I understand what you're trying to do, I would throttle the outbound WAN and ignore any LAN shaping.  LAN shaping only risks backing up data into your modem's buffer, where shaping breaks down.

    Try setting your floating wan rules with a source LAN1 subnet or LAN2 subnet.



  • @markn62:

    I'm not saying it works in pfSense because I haven't tried it.  But if I understand what you're trying to do, I would throttle the outbound WAN and ignore any LAN shaping.  LAN shaping only risks backing up data into your modem's buffer, where shaping breaks down.

    Try setting your floating wan rules with a source LAN1 subnet or LAN2 subnet.

    Bear in mind that download is only shaped on the LAN side. Upload can be shaped with no problems by applying the shaper to the WAN interface.

    As regards the floating rules, bear in mind that floating rules with direction "out" on WAN are matched after NAT takes place, so all packets seen by the rule will have their source IP already translated (so no packets will match a rule with source "LAN net").



  • @georgeman:

    Real solutions to this at the time:

    • Use another pfSense in front of the other one, to shape based on the origin and destination subnets
    • Bridge the interfaces so you can apply the shaper to the bridge as a whole (you can still somewhat control traffic among them but it is more a clever hack than real networking stuff)
    • Use VLANs on the same physical interface

    As you can see, all of them are based on the principle of applying the shaper to a single physical interface.

    Hi georgeman,

    My VLANs are indeed using the same physical interface, but how do I apply the shaper to it when it is not used as an interface by itself (as recommended when using VLANs)?
    I mean that I have VLAN1, VLAN2, VLAN3, etc. that are configured on the same rl0 physical interface, but rl0 is not configured as an interface itself; it is strictly reserved for the VLAN interfaces.
    So how do I configure the shaper in this case?

    Regards,



  • On the shaper pages, only the physical interfaces will show up. Create the queues on them, and then apply them directly to the VLANs through regular rules, as if the queues belonged to the VLANs
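
The layout described in georgeman's replies above (upload shaped on WAN, download capped per LAN interface with the caps summing to less than the real downstream, classification done on the LAN-side "in" rule so post-NAT floating rules are not needed, and queues defined on the VLAN parent but named in rules on the VLAN child), as an added example in pf.conf form. This is hand-written for this thread, not something pfSense 2.1 generated and not code from any poster; it uses the ALTQ dialect of the FreeBSD 8.3 pf that pfSense 2.1 ships. Interface names and link speeds come from the original post; the subnets 192.168.1.0/24 and 192.168.2.0/24, the 10/17 Mb/s split, the queue names, the port lists and the VLAN interface name rl0_vlan10 are assumptions.

```pf
# Added example, not from the thread and not pfSense-generated. Assumed
# subnets, queue names and VLAN child name; re0/re1/re2 and 30/5 Mb/s are
# from the original post.

lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"

# --- Upload: one HFSC tree on WAN, capped a little below the real 5 Mb/s so
#     the queue builds in pfSense rather than in the cable modem's buffer.
#     qACK gets a real-time guarantee so downloads keep their ACK stream
#     while qP2P fills the rest.
altq on re0 hfsc bandwidth 4500Kb queue { qACK, qHigh, qDefault, qP2P }
  queue qACK     on re0 bandwidth 20% qlimit 500 hfsc(realtime 20%)
  queue qHigh    on re0 bandwidth 30% hfsc(realtime 15%, upperlimit 100%)
  queue qDefault on re0 bandwidth 35% hfsc(default, upperlimit 100%)
  queue qP2P     on re0 bandwidth 15% hfsc(upperlimit 100%)

# --- Download: the same queue names on each LAN, under a parent that is
#     hard-capped to that LAN's slice of the 30 Mb/s (10 + 17 = 27 here, so
#     queuing happens here and not at the ISP). The cap is static: re1 gets
#     10 Mb/s even while re2 is idle. Traffic that never touches the WAN
#     (LAN2 -> LAN1) is sent to qLink, which runs at wire speed.
altq on re1 hfsc bandwidth 1Gb queue { qLink, qInternet }
  queue qLink     on re1 bandwidth 20% hfsc(default)
  queue qInternet on re1 bandwidth 10Mb hfsc(upperlimit 10Mb) \
                  { qACK, qHigh, qDefault, qP2P }
    queue qACK     on re1 bandwidth 10% hfsc(realtime 10%)
    queue qHigh    on re1 bandwidth 30% hfsc(upperlimit 100%)
    queue qDefault on re1 bandwidth 45% hfsc(upperlimit 100%)
    queue qP2P     on re1 bandwidth 15% hfsc(upperlimit 100%)

altq on re2 hfsc bandwidth 1Gb queue { qLink, qInternet }
  queue qLink     on re2 bandwidth 20% hfsc(default)
  queue qInternet on re2 bandwidth 17Mb hfsc(upperlimit 17Mb) \
                  { qACK, qHigh, qDefault, qP2P }
    queue qACK     on re2 bandwidth 10% hfsc(realtime 10%)
    queue qHigh    on re2 bandwidth 30% hfsc(upperlimit 100%)
    queue qDefault on re2 bandwidth 45% hfsc(upperlimit 100%)
    queue qP2P     on re2 bandwidth 15% hfsc(upperlimit 100%)

# --- VLAN parent (the later question): only the physical interface can carry
#     an altq. Define the same tree on rl0 and name the queues in rules on the
#     VLAN child; frames still leave through rl0's scheduler.
altq on rl0 hfsc bandwidth 1Gb queue { qLink, qInternet }
  queue qLink     on rl0 bandwidth 20% hfsc(default)
  queue qInternet on rl0 bandwidth 10Mb hfsc(upperlimit 10Mb) \
                  { qACK, qHigh, qDefault, qP2P }
    queue qACK     on rl0 bandwidth 10% hfsc(realtime 10%)
    queue qHigh    on rl0 bandwidth 30% hfsc(upperlimit 100%)
    queue qDefault on rl0 bandwidth 45% hfsc(upperlimit 100%)
    queue qP2P     on rl0 bandwidth 15% hfsc(upperlimit 100%)

# --- NAT runs before the "out" side of the WAN ruleset. A floating rule
#     "out on re0 from $lan1_net" therefore never matches: by then the source
#     is re0's own address. So the shaping decision is made on LAN "in".
nat on re0 from { $lan1_net, $lan2_net } to any -> (re0)

# --- Classification on the LAN "in" rule, where the source is still private.
#     The queue named here is stored in the state and resolved by name on
#     whichever interface the packet leaves: the request goes out re0 into
#     re0's qP2P, the reply comes in on re0, matches the state, and leaves
#     re1 into re1's qP2P. The second name in the pair takes empty ACKs and
#     lowdelay packets, which is what keeps latency down under a full upload.
pass in quick on re1 from $lan1_net to $lan2_net keep state queue qLink
pass in quick on re1 proto udp from $lan1_net to any port 1194 \
    keep state queue qHigh                                   # OpenVPN
pass in quick on re1 proto tcp from $lan1_net to any port { 3389, 5900 } \
    flags S/SA keep state queue (qHigh, qACK)                # RDP, VNC
pass in quick on re1 proto tcp from $lan1_net to any port { 80, 443 } \
    flags S/SA keep state queue (qDefault, qACK)
pass in quick on re1 proto tcp from $lan1_net to any port 6881:6889 \
    flags S/SA keep state queue (qP2P, qACK)                 # BitTorrent
pass in quick on re1 from $lan1_net to any keep state queue (qDefault, qACK)
# Repeat the block above on re2 with $lan2_net, and on rl0_vlan10 with that
# VLAN's subnet; nothing else changes because the queue names are shared.
```

Check the result with `pfctl -nf /path/to/this.conf` before loading it and watch it run with `pfctl -vsq` while a torrent is seeding: the WAN-side qP2P should show drops while qACK shows none. The one thing this layout cannot do is let re1 borrow re2's idle 17 Mb/s; that is the hard-cap trade-off georgeman describes, and the bridge or single-VLAN-parent variants are the only ways around it within one pfSense.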



  • @georgeman:

    Real solutions to this at the time:

    • Use another pfSense in front of the other one, to shape based on the origin and destination subnets
    • Bridge the interfaces so you can apply the shaper to the bridge as a whole (you can still somewhat control traffic among them but it is more a clever hack than real networking stuff)
    • Use VLANs on the same physical interface

    As you can see, all of them are based on the principle of applying the shaper to a single physical interface.

    Hi Georgeman,

    I've a similar situation in which I would like to limit the download speed of my DMZ and LAN interfaces. Could the limiter be another option to solve the problem?

    Thanks,
    Stenio