Someone clarify the pfSense traffic shaper



  • Good afternoon, all day I have been trying to understand how the pfSense traffic shaper works, not the creation of queues but the creation of firewall rules. The wizard creates some rules, but they seem very abstract.
    My question is, in which direction do I apply the rules, assuming I want to prioritize (or not) HTTP and HTTPS pages, VoIP, DNS? Do I create outbound rules on the LAN and inbound rules on the WAN?
    Use the Floating tab or not?
    What action? Pass, Queue or Match?
    Assuming I have a VPN (OpenVPN, and there goes my scenario, which in part has to do with pfSense) and wanted to give priority to VoIP traffic within the tunnel, is it possible? On which interface do I create the rules?
    I believe that for traffic inside the tunnel, being encrypted, it is not possible; therefore, how do I give priority to the tunnel itself?
    I've tried to set up a rule for the traffic coming from the VPN to an IP (192.168.0.240), but as status_queue_lan.png shows, there is no match (qVoip_in).

    Edit: Assume that "Source" should be the internal networks of the branches connected by VPN; in the screenshot I had already changed the rule.

    This may help not only me but many other people, so please try to explain more than the FAQ pages do.





  • There are 100 views until now, so perhaps people want an explanation. I've been digging into this matter for quite some time. What did I find, what have I done:
    You can shape all the OpenVPN traffic (if you have more than one) or you can shape at a specific interface… how?
    Assign another interface in Interface -> Assign to the VPN that you want.
    I have a 2Mbps symmetric link and here is the ALTQ configuration I've done until now.

    queue root_ovpnc1 on ovpnc1 bandwidth 1.93Mb priority 0 cbq( wrr root ) {qDefault_mat, qVoIP}
    queue  qDefault_mat on ovpnc1 bandwidth 432Kb priority 3 qlimit 500 cbq( red ecn borrow default ) 
    queue  qVoIP on ovpnc1 bandwidth 1Mb priority 7 cbq( red ecn borrow ) 
    queue root_bge0 on bge0 bandwidth 1.93Mb priority 0 cbq( wrr root ) {qDefault, qVPN}
    queue  qDefault on bge0 bandwidth 500Kb priority 3 cbq( red ecn borrow default ) 
    queue  qVPN on bge0 bandwidth 1.43Mb priority 7 cbq( red ecn borrow ) 
    

    These are the firewall rules from the OpenVPN client:

    pass out quick on bge0 reply-to (bge0 wan_gw) inet proto udp from any to openVPN_Server keep state label "USER_RULE: Queue VPN" queue qVPN
    pass in on re0 inet proto udp from 192.168.8.0/24 to 192.168.0.240 keep state label "USER_RULE: Tag VOIP" tag VOIP
    pass out quick on ovpnc1 inet proto udp from 192.168.8.0/24 to 192.168.0.240 keep state label "USER_RULE: Forward/Queue VoIP tagged VOIP" queue qVoIP tagged VOIP

    What do I expect to accomplish with these rules and queues?
    Guarantee 1.43Mb for the VPN itself and 500k for bulk data.
    Guarantee 1Mb for VideoOverIP through the tunnel and 432Kb for bulk data.

    From what I can tell, there is no way to guarantee 1.43Mb for incoming VPN traffic on WAN since OpenVPN is running on the firewall box itself, right?
    I believe I'm applying traffic shaping one way (upload) since I'm using "out" on the VPN interface rule. Does it make sense to create a rule using pass "in" to shape download?
    Sorry about my poor English.
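    The queue tree and the tag/tagged rule pair above lend themselves to a mechanical sanity check before the ruleset is loaded. The following Python script is an added example, not code from the thread or from pfSense: it parses queue and rule lines in the syntax quoted above (embedded here as constructed sample input) and reports child queues that oversubscribe their parent, interfaces without exactly one default queue, `out` rules that name a queue not defined on their own interface, and `tagged` matches with no rule that sets that tag. The queue regex covers only the cbq fields that appear in the post; the "broken" variant at the bottom is constructed to show what a finding looks like.

```python
import re
from collections import defaultdict

# Constructed sample input: the ALTQ queues and pf rules quoted in the post,
# in the syntax pfSense writes to its generated ruleset.
QUEUES = """
queue root_ovpnc1 on ovpnc1 bandwidth 1.93Mb priority 0 cbq( wrr root ) {qDefault_mat, qVoIP}
queue  qDefault_mat on ovpnc1 bandwidth 432Kb priority 3 qlimit 500 cbq( red ecn borrow default )
queue  qVoIP on ovpnc1 bandwidth 1Mb priority 7 cbq( red ecn borrow )
queue root_bge0 on bge0 bandwidth 1.93Mb priority 0 cbq( wrr root ) {qDefault, qVPN}
queue  qDefault on bge0 bandwidth 500Kb priority 3 cbq( red ecn borrow default )
queue  qVPN on bge0 bandwidth 1.43Mb priority 7 cbq( red ecn borrow )
"""
RULES = """
pass out quick on bge0 reply-to (bge0 wan_gw) inet proto udp from any to openVPN_Server keep state label "USER_RULE: Queue VPN" queue qVPN
pass in on re0 inet proto udp from 192.168.8.0/24 to 192.168.0.240 keep state label "USER_RULE: Tag VOIP" tag VOIP
pass out quick on ovpnc1 inet proto udp from 192.168.8.0/24 to 192.168.0.240 keep state label "USER_RULE: Forward/Queue VoIP tagged VOIP" queue qVoIP tagged VOIP
"""
# Constructed broken variant: qVoIP oversubscribes root_ovpnc1, a bge0 rule
# names a queue that only exists on ovpnc1, and 'tagged VOICE' has no producer.
BROKEN_QUEUES = QUEUES.replace("qVoIP on ovpnc1 bandwidth 1Mb", "qVoIP on ovpnc1 bandwidth 1.6Mb")
BROKEN_RULES = """
pass out quick on bge0 inet proto udp from any to openVPN_Server keep state queue qVoIP
pass out quick on ovpnc1 inet proto udp from 192.168.8.0/24 to 192.168.0.240 keep state queue qVoIP tagged VOICE
"""

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
QUEUE_RE = re.compile(
    r"^queue\s+(?P<name>\S+)\s+on\s+(?P<iface>\S+)\s+bandwidth\s+(?P<bw>\S+)"
    r".*?cbq\(\s*(?P<flags>[^)]*)\)(?:\s*\{(?P<children>[^}]*)\})?"
)

def parse_bandwidth(text):
    """Convert an ALTQ bandwidth literal such as '1.93Mb' or '432Kb' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Gb|Mb|Kb|b)", text)
    if not m:
        raise ValueError(f"unrecognised bandwidth literal: {text!r}")
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))

def parse_queues(text):
    """Return {name: {iface, bw, flags, children}} for every cbq queue line."""
    queues = {}
    for line in text.splitlines():
        m = QUEUE_RE.match(line.strip())
        if m:
            kids = [c.strip() for c in (m["children"] or "").split(",") if c.strip()]
            queues[m["name"]] = {"iface": m["iface"], "bw": parse_bandwidth(m["bw"]),
                                 "flags": m["flags"].split(), "children": kids}
    return queues

def parse_rules(text):
    """Extract direction, interface and the queue/tag/tagged keywords of each filter rule."""
    rules = []
    for line in text.splitlines():
        # Strip the label first: a label such as "Forward/Queue VoIP tagged VOIP"
        # would otherwise be read as the tagged keyword.
        body = re.sub(r'label\s+"[^"]*"', "", line.strip())
        m = re.match(r"(pass|block|match)\s+(in|out)\s+(?:quick\s+)?on\s+(\S+)", body)
        if not m:
            continue
        kw = {k: (re.search(rf"\b{k}\s+(\S+)", body) or [None, None])[1]
              for k in ("queue", "tag", "tagged")}
        rules.append({"dir": m.group(2), "iface": m.group(3), **kw})
    return rules

def validate(queues_text, rules_text):
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    queues, rules, findings = parse_queues(queues_text), parse_rules(rules_text), []
    by_iface, defaults = defaultdict(set), defaultdict(list)
    for name, q in queues.items():
        by_iface[q["iface"]].add(name)
        if "default" in q["flags"]:
            defaults[q["iface"]].append(name)
        # Children cannot be guaranteed more than their parent owns.
        total = sum(queues[c]["bw"] for c in q["children"] if c in queues)
        if total > q["bw"]:
            findings.append(f"oversubscribed: children of {name} need {total} b/s, parent has {q['bw']} b/s")
        findings += [f"undefined child queue {c} under {name}" for c in q["children"] if c not in queues]
    # Traffic matching no queue rule falls into the default queue, so each interface needs exactly one.
    for iface in by_iface:
        if len(defaults[iface]) != 1:
            findings.append(f"{iface}: expected one default queue, found {defaults[iface]}")
    # ALTQ queues packets on the outbound interface, so an 'out' rule must name a queue
    # defined on that same interface ('in' rules are skipped: their egress interface is unknown here).
    for r in rules:
        if r["queue"] and r["dir"] == "out" and r["queue"] not in by_iface[r["iface"]]:
            findings.append(f"rule on {r['iface']} uses queue {r['queue']} not defined on that interface")
    producers = {r["tag"] for r in rules if r["tag"]}
    findings += [f"rule matches 'tagged {r['tagged']}' but no rule sets that tag"
                 for r in rules if r["tagged"] and r["tagged"] not in producers]
    return findings

if __name__ == "__main__":
    for label, q, r in (("thread config", QUEUES, RULES), ("broken config", BROKEN_QUEUES, BROKEN_RULES)):
        print(label, "->", validate(q, r) or "no findings")
```

    Running it prints no findings for the configuration quoted in the post (432Kb + 1Mb fits under 1.93Mb on ovpnc1, and 500Kb + 1.43Mb exactly fills root_bge0) and three findings for the constructed broken variant.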



  • Easiest way to shape incoming OpenVPN is to assign the appropriate queue on the allow rule on the WAN interface. The whole tunnel will be shaped.



  • @georgeman:

    Easiest way to shape incoming OpenVPN is to assign the appropriate queue on the allow rule on the WAN interface. The whole tunnel will be shaped.

    Thank you for your time @georgeman!
    I believe that you can't shape incoming OpenVPN traffic because the traffic has already hit the WAN and won't be processed further, but I've read somewhere that the outgoing traffic could be shaped because of the state created earlier.
    Anyway, with only this rule I couldn't shape the traffic inside the tunnel; I believe I would need to create rules on the OpenVPN interface as I did.
    The attachment shows the RRD graph; I believe it's working, although I don't have feedback yet.

    PS: Why do RRD graphs reset every time you change the traffic shaper?


