Help With Traffic Shaping / Bandwidth Limiting 1 WAN 12 VLAN

  • I have a fairly simple (at least I think it is) scenario that I am beating my head against the wall trying to implement. We want to artificially cap the bandwidth from / the internet for 12 of our VLAN segments at 20 Mbps. I would like to share that 20 Mbps cap amongst the VLAN segments, giving priority to some things like IPSEC, RDP, HTTP, HTTPS, SMTP. I want to guarantee those types of inbound service from the Internet take priority over other traffic, but I want to limit all traffic to a total of 20 Mbps.

    Now come a couple of concerns. On the WAN and all of the VLANs we have CARP set up to provide HA failover, so I need the qLink to be full speed or we have issues with CARP (based on what I have read, the CARP traffic gets assigned to whichever queue is default on an interface).

    I run through the wizard and generate the rules for 1 WAN and 12 LAN interfaces, and traffic from the LAN to the internet appears to be properly limited; however, traffic from the internet that is not classified otherwise is getting put into the qLink queue on the VLAN interfaces. We host a backup service for some of our clients, and without throttling this a bit we get eaten up with charges for bandwidth usage.

    How should I set up the queues? I am really struggling to find useful cases or examples of more complex setups on the net or in the pfSense Book. Something just isn't clicking for me and I am not sure what I am missing.

    Can someone give me a basic example or point me to an example of what we are trying to do?


    • WAN - want to limit outbound to 20 Mbps - working just fine
    • VLAN 21-32 - want to limit the total usage from the Internet to the entire segment of VLANs to a total of 20 Mbps between all of them, but still allow full speeds between VLAN segments and on the local network to ensure CARP traffic is not interfered with (i.e. the default queue needs to be something like the qLink the wizard generates).

    Thanks in advance!

  • I was recently trying to do something similar so I feel your pain. What I can tell you is that at least as far as I can tell (I'm still experimenting) this is definitely possible…but information on how to do it is slim to none. In part it's because it's difficult and time consuming to fully explain. I don't have enough time to sort through all the details with you but maybe the summary below will give you enough to get it going...

    What you need to know is that you can have parent and child queues where children inherit all of the bandwidth restrictions from the parent in addition to more restrictions you might specify. So for EACH VLAN interface you will want a default queue (probably whose parent is the default queue). You will then want something like "qInternet" which is a parent queue for "qAck", "qHighPriority" and "qBulk" or any other queues you want.

    You will then set up qInternet to have your 20Mbps cap by setting the upperlimit m2 to 20Mb (I'm assuming you are using HFSC), which will put a hard cap on that VLAN at 20Mb for traffic in qInternet or its children. Inside of the child queues of qInternet you can specify hard limits (upperlimit) or portions of a congested link (link shares) for each of the child queues.

    Now you need to assign traffic to the queues. Do this using floating firewall rules. Set the action to "Match", the interface to your WAN interface (so you are limiting only packets originating from the WAN), the direction to "any", the Ackqueue/Queue to "qAck"/"qBulk" and you're set. This should place all your Internet traffic into the bulk queue (and the Ack queue). You can verify this on the queue status page (you may need to clear out your state table first). Now you can create additional similar floating rules except also define ports, etc. for them to put your high priority traffic into your high priority queue.
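As an added illustration (not part of either post): the queue hierarchy and floating Match rules described in the reply above, written out as the pf.conf ALTQ/HFSC fragment pfSense would generate for one VLAN interface. Interface names, the link speed, the child shares and the port list are assumptions; the WAN side keeps its own wizard-generated queues and is omitted.

```pf
# Added example, not from the thread. One VLAN interface is shown; the same
# altq block is repeated per VLAN (vlan22 .. vlan32). Interface names, link
# speed, percentages and ports are assumed values.
wan = "em0"

# Parent at full link speed, so the default queue (qLink) is never throttled
# and CARP / inter-VLAN traffic is left alone. Only qInternet carries the cap.
altq on vlan21 hfsc bandwidth 1Gb queue { qLink, qInternet }

# Default queue: anything a floating rule did not tag lands here (CARP included).
queue qLink bandwidth 98% hfsc(default)

# "upperlimit 20Mb" sets the m2 (steady-state) rate; no child can exceed it.
queue qInternet bandwidth 20Mb hfsc(upperlimit 20Mb) { qAck, qHighPriority, qBulk }

# Children divide the parent's 20Mb; percentages are relative to qInternet.
queue qAck          bandwidth 20% hfsc(realtime 10%)   # ACKs always get some rate
queue qHighPriority bandwidth 50% hfsc(linkshare 50%)  # wins when the 20Mb is congested
queue qBulk         bandwidth 30% hfsc(linkshare 30%)  # everything else from the Internet

# Floating rules (action Match). Tagging on the WAN inbound direction is enough:
# the state carries the queue names and the packet is queued on the interface it
# leaves (the VLAN). A later match rule overrides the queue set by an earlier one,
# so the catch-all comes first and the priority rules follow it.
match in on $wan inet queue (qBulk, qAck)
match in on $wan inet proto tcp to port { 25 80 443 3389 } queue (qHighPriority, qAck)
match in on $wan inet proto udp to port { 500 4500 } queue qHighPriority
match in on $wan inet proto esp queue qHighPriority
```

After loading the rules, Status > Queues on the VLAN interface should show qBulk filling up while qLink stays near idle; as the reply notes, existing states keep their old queue until the state table is cleared.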
