Traffic Shaping multi-LAN difficulty



  • I've been googling and playing around with traffic shaping recently, as I am about to switch our phones over to VoIP.

    I need QoS as these phones will be business critical, as well as our VPN. We also require fast uploads for large files to our AWS account; however, this should be sacrificed if the phones or VPN require it.

    What I have:

    I'm running pfSense 2.1-RELEASE

    WAN 20/20 (eth1)
    WAN ADSL2+ (eth2) (don't NEED this necessarily) - ignoring for simplicity
    LAN (VLAN2)  (lagg0 (eth3, eth4)) 192.168.2.0 /24
    Guest (VLAN3) (lagg0 (eth3, eth4)) 192.168.3.0 /24
    Tech (VLAN4) (lagg0 (eth3, eth4)) 192.168.4.0 /24
    VoIP (VLAN5) (lagg0 (eth3, eth4)) 192.168.5.0 /24

    What I want in terms of priority, VoIP being the #1 concern to begin with:
    #1 VoIP UDP 5060 Out (and associated in) (VLAN5)
    #2 Google+ Hangouts / Skype (VLAN2, VLAN4)
    #3 VPN (OpenVPN, IPSEC - WAN?)
    #4 HTTP/S (VLAN2, VLAN4)
    #5 Everything else

    I am having a lot of trouble understanding both what I should be doing and what is / is not possible. I've read a lot of pfSense 2+ statements saying you CAN'T shape across multiple interfaces. This seems like an incredible deficiency of an incredibly powerful package - I really struggle to believe this is the case. I've also tried to use the Wizard, which names queues identically. Does naming them the same mean that they are shared across both interfaces, i.e.:
    LAN ->
    --> qHttp
    Tech ->
    --> qHttp
    would push the packets into the same queue, or is the name actually pointing at something different which won't link them together?

    What I am hoping for the queues is this:

    WAN
    --> qInternet
      --> qACK
      --> qVoIP
      --> qVPN
      --> qHTTP
      --> qSocial
      --> qDefault
    LAN
    --> qLocal
    --> qInternet
      --> qACK
      --> qSocial
      --> qHTTP
      --> qDefault
    Guest
    --> qDefault
    Tech
    --> qLocal
    --> qInternet
      --> qACK
      --> qSocial
      --> qHTTP
      --> qDefault
    VoIP
    --> qInternet
      --> qACK
      --> qVoIP
      --> qHTTP
      --> qDefault

    Now, if I have gotten that correct, I need to do the queues.
    I think I want class-based CBQ, but I think priority (PRIQ) would also suffice, but not be "perfect".

    Because my connection is 20/20, I think I should give each qInternet a bandwidth of 19.5 (my actual speedtest is 20.3/20.1).

    Then I want my local traffic to be given the full bandwidth, which is 2Gb/s, so qLocal should be given 1.9Gb/s.

    After which:
      --> qACK 15%
      --> qVoIP 35%
      --> qVPN 15%
      --> qHTTP 10%
      --> qSocial 15%
      --> qDefault 5%
    = 100% of the 20/20
    However, I want these to all borrow from each other, so if no one is using anything except uploading a large file, it gets the full 19.5Mb/s upload speed.

    So I think I've got the queues figured but the firewall rules are now another story. From what I understand I should be using floating rules to "Match" a rule and assign it a queue. This should have no effect on the actual "firewall" correct?

    So in my floating rules I should have:

    interface             proto     source  port  destination  port    gateway  queue
    WAN, VoIP             IPv4 UDP  *       *     *            5060    *        qVoIP
    WAN                   IPv4 UDP  *       *     WAN Address  1194    *        qVPN
    WAN, LAN, Tech, VoIP  IPv4 TCP  *       *     *            80/443  *        qACK/qHttp
    WAN, LAN, Tech        IPv4 *    *       *     *            Social  *        qACK/qSocial

    The problem is, I just can't seem to get it working properly in my VM image. If I use the Wizard to try and build any rules, all internet access dies (same with our actual office physical server).
    If I try to build this from scratch, when I look at the queue graphs in Status I basically only see one interface's queues being used, and showing double the amount of traffic I'm expecting.

    Can someone verify that I'm either doing the right thing, or that I'm way off and that's why it's not working? Basically, if this is supposed to work, then I will wait till the office is empty at night and try to put it on our actual box and see if my testing is just failing me.

    Thanks for all the help in advance



  • Hey All,

    I'm still having problems setting this up in my virtual image - we are getting close to needing this to be implemented in the real thing, so any help would be extremely appreciated.

    Am I just doing it all wrong? Is pfSense even able to do what I want it to?

    Cheers



  • You'll be able to do it as long as all the VLANs are hooked to the same physical interface. That way, you will have the same queues applying to all download traffic, no matter which VLAN originated it. Shaping will be done over the physical interface.

    The rest should be doable with any scheduler, with varying grades of difficulty to set up. I would do HFSC (but just because I would always do HFSC!) and properly configure realtime and linkshare values.

    Now, I have no clue on how to shape Google Hangouts, and Skype could be trickier than you think (easiest way is to use a fixed port on every device, unless you want to deal with some obscure L7…)



  • You'll be able to do it as long as all the VLANs are hooked to the same physical interface. That way, you will have the same queues applying to all download traffic, no matter which VLAN originated it. Shaping will be done over the physical interface.

    Well, that makes sense as to why my VM wasn't working - because I set up multiple virtual interfaces, rather than my actual server using a bonded interface with VLANs. I assume pfSense will see a bonded interface as a single physical interface, so I should be all good.

    Now, I have no clue on how to shape Google Hangouts, and Skype could be trickier than you think (easiest way is to use a fixed port on every device, unless you want to deal with some obscure L7…)

    Fixed ports were how I was thinking of going about it. My main concern immediately is the VoIP.

    The rest should be doable with any scheduler, with varying grades of difficulty to set up. I would do HFSC (but just because I would always do HFSC!) and properly configure realtime and linkshare values.

    HFSC looks more complicated than it is worth. From reading a few how-tos / forum posts, I don't think I understand the benefits of it vs. the configuration / testing time - with the other queues I think I know what I should expect out of a configuration.

    Could you give the equivalent HFSC config amounts (bandwidth/m1/d/m2) that you would use for the following?

    I think I want class-based CBQ, but I think priority (PRIQ) would also suffice, but not be "perfect".

    Because my connection is 20/20, I think I should give each qInternet a bandwidth of 19.5 (my actual speedtest is 20.3/20.1).

    Then I want my local traffic to be given the full bandwidth, which is 2Gb/s, so qLocal should be given 1.9Gb/s.

    After which:
      --> qACK 15%
      --> qVoIP 35%
      --> qVPN 15%
      --> qHTTP 10%
      --> qSocial 15%
      --> qDefault 5%
    = 100% of the 20/20
    However, I want these to all borrow from each other, so if no one is using anything except uploading a large file, it gets the full 19.5Mb/s upload speed.

    Cheers!



  • Forget about m1 and d for now. Take m2 as the value you want to set. HFSC works with the same structure as CBQ, so you can use the same values and structure you posted, on linkshare m2. The benefit here will be the possibility of setting realtime values as well (which is a minimum guaranteed bandwidth for the queue).
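The queue plan and floating rules from the first post, rewritten the way the last reply describes (CBQ percentages carried over as HFSC linkshare m2, with realtime as a guaranteed minimum), as an added pf/ALTQ example that is not from any post in this thread and not pfSense's generated ruleset. The queue names, percentages, subnets and ports come from the thread; the WAN interface name em1, the VoIP VLAN interface name lagg0_vlan5, the realtime figures and the "Social" port 33333 are assumptions and placeholders.

```pf
# Added example (not from the thread): WAN-side queue tree from the first post
# as an HFSC ruleset. em1 = the 20/20 WAN, lagg0_vlan5 = the VoIP VLAN (both
# assumed names); realtime values and port 33333 are placeholders.

# Root a little under the measured line rate so this box, not the ISP, queues.
altq on em1 hfsc bandwidth 19.5Mb queue { qInternet }

# Parent for everything Internet-bound; the children share 100% of it.
queue qInternet bandwidth 19.5Mb hfsc(linkshare 19.5Mb) \
    { qACK, qVoIP, qVPN, qHTTP, qSocial, qDefault }

# linkshare = the CBQ percentage, given as m2 only ("forget m1 and d for now").
# realtime  = bandwidth the queue gets even when every other queue is saturated.
# Unused linkshare is borrowed by whichever queue has demand, so a lone upload
# still gets the full 19.5Mb/s.
queue qACK     bandwidth 15% hfsc(linkshare 15%)
queue qVoIP    bandwidth 35% hfsc(realtime 4Mb linkshare 35%)   # realtime assumed
queue qVPN     bandwidth 15% hfsc(realtime 1Mb linkshare 15%)   # realtime assumed
queue qHTTP    bandwidth 10% hfsc(linkshare 10%)
queue qSocial  bandwidth 15% hfsc(linkshare 15%)
queue qDefault bandwidth  5% hfsc(linkshare 5% default)

# Classification. These are the pf equivalent of pfSense floating "Match"
# rules: a match rule only records a queue on the state and never passes or
# blocks anything, so the firewall policy is untouched.

# SIP signalling on UDP 5060 (port survives NAT, so it can be matched on WAN).
match out on em1 proto udp to port 5060 queue qVoIP

# RTP media uses other UDP ports, so also queue everything from the VoIP VLAN.
# Matched inbound on the VLAN interface, before outbound NAT rewrites the
# source; the queue recorded on the state applies when the packet leaves em1.
match in on lagg0_vlan5 from 192.168.5.0/24 queue qVoIP

# OpenVPN to the WAN address on UDP 1194, both directions.
match on em1 proto udp to port 1194 queue qVPN

# Web: bulk data in qHTTP; empty ACKs and lowdelay packets in qACK (the second
# queue of the pair).
match out on em1 proto tcp to port { 80 443 } queue (qHTTP, qACK)

# Hangouts / Skype pinned to a fixed port per device, as the reply suggests.
match out on em1 proto udp to port 33333 queue (qSocial, qACK)

# Anything left unclassified lands in qDefault because it is marked "default".
```

The percentages add up to 100% of qInternet, so the structure is exactly the CBQ plan; only the scheduler keyword and the realtime lines are new. Keep the sum of all realtime values well below the link rate (they are reserved even when idle), and match by port or inbound on the LAN-side interface rather than by original source address on the WAN, because outbound rules on em1 see the packet after NAT.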