Floating rule match queue for OpenVPN

  • I've got plenty of working floating rules but can't seem to fully grasp what is required to shape outbound VPN traffic originating on the LAN destined to the OpenVPN package.  I see VPN traffic going to the default queue.  The LAN is x.x.2.x/24 and the VPN is x.x.99.x/24.  The VPN is encrypted UDP, but I don't think this matters for an outbound-only rule.

    As I grasp it, TCP or UDP traffic is outbound from the LAN to the VPN adapter.  So as a start I should "Match, Lan, Out, Any, Lan subnet, x.x.99.x/24".  Is this correct, since there isn't a destination VPN subnet as a choice?  If so, then how are queues handled?  Rather than just UDP, will I need two rules, a TCP and a UDP one, the former with an ack queue and the latter with none, since the match happens out the LAN?  If so, would they be:

    "Match, Lan, Out, Tcp, Lan subnet, x.x.99.x/24, qAck/qHigh"
    "Match, Lan, Out, Udp, Lan subnet, x.x.99.x/24, none/qHigh"

    I suppose the source could be "any" rather than "Lan subnet", since the LAN adapter is defined.  It seems odd to define the VPN as an IP range rather than an adapter.


  • To shape all outbound OpenVPN I tried "IPv4 UDP * 1194 (OpenVPN) * * * qHigh" and no go; still to the default bucket even after I reset states and rebooted.  This floating filter should work.  Every outbound packet I see coming from the WAN adapter has port 1194 as its source port.  Why does source port filtering never seem to work, when only destination IP or port filtering seems to work reliably?

    As a separate exercise I tried shaping just one of the services I use over the VPN; maybe I could get this to work as a temporary workaround.  I set a floating rule on LAN with a video server as a source, port 556 (RTF), which never changes.  Then I tagged the packet with a match word.  After this source-port rule, another rule was set to match the tag word with a destination IP of the cellular network address range all VPN goes through.  Again this was consistent with every packet capture at the WAN.  Not a complete solution, but hey, I get desperate getting rules to work right.  This didn't work either.

    It looks like this:
    IPv4 TCP/UDP LAN1 net 556 * * * none  (mark packet)
    IPv4 UDP * * * * qHigh (match mark word)

    Not a single matching packet in the firewall log or looking at the nTop label at all three rules.  Back to the first rule: is a different approach needed because OpenVPN is being served local to pfSense?  I can find many posts about pass-through to a VPN behind pfSense, about a client outbound to a remote VPN (the most popular case), and about OpenVPN-to-OpenVPN applications.  But nearly nothing, certainly no details, about shaping all traffic out the WAN with the OpenVPN package as the server.

    I can't be the only one doing this stuff.

  • Are you trying to shape the traffic flowing within the tunnel or just the overall tunnel itself?

    If you want to shape the tunnel itself, just go to Firewall -> Rules -> WAN.

    Look for the OpenVPN allow rule.  Edit it and scroll down to the queues section.  If you're using UDP, just fill in None / qHigh.  Otherwise, fill in qAck / qHigh.

    If you're looking to shape based on LAN -> OVPN subnet, then head over to the LAN tab instead.

    Create a rule above the Default rule.
    Protocol: Any
    Source: LAN subnet
    Destination: OVPN subnet (you might have to manually specify the subnet if you did not make an alias)
    Queue: qAck / qHigh

    Now head over to OpenVPN tab.
    Create a rule above the Allow all rule.
    Protocol: Any
    Source: OVPN subnet
    Destination: LAN subnet
    Queue: qAck / qHigh

    Edit the Allow all rule to qAck / qDef if you wish.

    I recommend simply setting the shaper for the overall tunnel instead.
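
    The two approaches in the answer above (shaping the tunnel via the WAN allow rule, or shaping LAN -> OVPN subnet traffic on the LAN and OpenVPN tabs), written out as a hand-edited pf.conf fragment so the GUI fields can be read against the rules pf actually loads.  This is an added example, not from the thread and not pfSense's generated ruleset; pfSense writes its own equivalent to /tmp/rules.debug.  Interface names (em0, em1, ovpns1), bandwidths and the 10.0.x.0/24 subnets are assumptions standing in for the original post's x.x.2.x/24 and x.x.99.x/24.

```pf
# Added example (not from the thread): pf.conf fragment equivalent to the
# GUI rules described in the answer.  Interfaces, bandwidths and subnets
# are assumptions.
wan      = "em0"
lan      = "em1"
ovpn     = "ovpns1"         # OpenVPN server instance, assigned as an interface
lan_net  = "10.0.2.0/24"    # assumed; stands in for the post's x.x.2.x/24
ovpn_net = "10.0.99.0/24"   # assumed; stands in for the post's x.x.99.x/24

# ALTQ queues belong to the interface a packet LEAVES, so shaping upload
# means queues on WAN.  Names match the GUI: qAck, qHigh, qDefault.
altq on $wan hfsc bandwidth 10Mb queue { qAck, qHigh, qDefault }
queue qAck     on $wan bandwidth 20% hfsc(realtime 10%)
queue qHigh    on $wan bandwidth 50%
queue qDefault on $wan bandwidth 30% hfsc(default)

# (1) Shape the tunnel itself: the WAN allow rule for the OpenVPN server.
# pf records the queue on the state, so the encrypted replies leaving WAN
# (source port 1194) land in qHigh with no separate source-port rule.
# UDP uses one queue; the second (ACK) queue only matters for TCP.
pass in quick on $wan proto udp from any to ($wan) port 1194 \
    keep state queue (qHigh) label "OpenVPN server -> qHigh"

# (2) Shape inner traffic instead (LAN tab rule).  The queue is again
# stored on the state and used when the decrypted packet leaves the tun
# interface, so ALTQ must also be enabled there.  The re-encrypted packet
# that later leaves WAN belongs to the state from rule (1), not this one.
altq on $ovpn hfsc bandwidth 10Mb queue { qAck, qHigh, qDefault }
queue qAck     on $ovpn bandwidth 20% hfsc(realtime 10%)
queue qHigh    on $ovpn bandwidth 50%
queue qDefault on $ovpn bandwidth 30% hfsc(default)

pass in quick on $lan from $lan_net to $ovpn_net \
    keep state queue (qHigh, qAck) label "LAN -> OVPN subnet"

# Reverse direction (OpenVPN tab rule).  Replies leave via LAN, so the same
# three queues would have to be declared on $lan as well (omitted here).
pass in quick on $ovpn from $ovpn_net to $lan_net \
    keep state queue (qHigh, qAck) label "OVPN subnet -> LAN"
```

    To check a ruleset like this, load it with `pfctl -nf <file>` for a syntax pass, generate some tunnel traffic, then watch `pfctl -vsq` on the box: the per-queue packet and byte counters show whether the OpenVPN traffic is leaving the default queue.  The comment on rule (2) is also why the answer recommends shaping the overall tunnel: the outer encrypted packet on WAN is matched by the OpenVPN server's state, so a queue assigned on the LAN or OpenVPN tab never reaches the WAN queues by itself.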

  • Hi @dreamslacker,
        I had the same question.  I tried to shape the tunnel as you mentioned, but no packets arrived in the queue.  I have not tried to shape LAN -> OpenVPN yet.
