Mind sharing your traffic shaping rules with multiwan policy based routing?

  • Hello, does anyone here mind sharing their setup of a multiwan (1 WAN static and 1 WAN dynamic) with a policy based routing setup?

    Mine doesn't seem to work and clients get high latency on gaming servers.

  • See my post in this forum. I have shared what I use. I use 2 WANs - 50MB/5MB modems. I will send you the firewall rules, alias set, and traffic shaper rules.

    You will need to make some changes, as you will need to define your gateway group(s) and change that for the rules to work.

  • Hello, thanks for your help, can you send me your setup? Would this work with policy based routing, as in I will split my LAN between 2 external gateways (2 WANs) for internet access?

  • Here is the link:

    Download it and unzip it. It has my firewall rules, my alias set, and my shaper configuration. You would need to make some changes:

    1. Either make a gateway group named the same as mine or make your own and change it in the rules under the LAN section.
    2. Adjust the speeds for your connection speeds.
    3. Adjust the DNS settings under the General tab and assign DNS to whichever gateway you want. (System > General Tab - set DNS for each gateway, otherwise it will not work.)

    What are you trying to do with this policy based routing? Do you mean like route all TCP / 80 traffic out one gateway and route all League of Legends gaming traffic out another? I have not really done a lot of that type of setup.
    My setup here is not like that, as I use round robin with sticky connections turned on, and I set the firewall type to high latency so it does not expire idle timeouts as fast.

    Using policy based routing, where you tell traffic to use a certain gateway, can be done, but it is more complicated to set up.

    If you are using floating rules to do this, you will need to specify the gateway in the rule, and then you will not be able to use Both for the direction type. This will mean you have to create both an IN and an OUT rule, so effectively you will double your rules. I don't recommend that. Floating rules should be used to classify the traffic into the correct queues.

    This leaves the interface rules. You will want to use the LAN interface and make sure these rules are above the default any/any rule.

    So you would make a rule saying IPv4 / TCP / 80 use WANGW1 - this would send all TCP traffic on port 80 out WAN Gateway 1.
    Next you would make a rule saying IPv4 / TCP / (using an alias here) LOLGAMINGPORTSTCP use WANGW2 - this would send all TCP traffic for League of Legends out WAN Gateway 2.
    Next you would need a rule for UDP for LoL - IPv4 / UDP / LOLGAMINGPORTSUDP use WANGW2 - this would send all UDP traffic for League of Legends out WAN Gateway 2.

    You could also use the LoL server IPs, since they are known as well, and make aliases for those and make a rule saying IPv4 / TCPUDP / LOLGAMESERVERS for destination - use WANGW2 - then any traffic going from the LAN to those IPs would use that gateway.

    You could use gateway groups as well and have several gateway groups; this would enable traffic to still go out if a gateway went down.
    1. WANGWMAIN1 - WAN 1 is Tier 1 , WAN 2 is Tier 2 - set to down condition for failover
    2. WANGWMAIN2 - WAN 2 is Tier 1 , WAN 1 is Tier 2 - set to down condition for failover
    3. WANGWOVERALL  - both gateways Tier 1 - set to packet loss / high latency

    Use these gateway groups on your rules in the LAN section and then set the last any / any rule to WANGWOVERALL. This way even if you have a WAN failure traffic will still go out, and any traffic not defined by your rules will be round robin across both WANs.

    I don't use this type of setup, so I might not have defined it correctly, but there are some other forum posts about this as well.

    Hope this helps. If you could shed some more light on what you are trying to accomplish with policy based routing it would help.

  • Thank you very much sideout, I noticed you are very active in this "Traffic Shaping" section and I think we all appreciate that, since we all consider time as gold.

    Now, I replaced my firewall rules, aliases and traffic shaper configuration with yours; I didn't need to change the gateway in the firewall rules section since it defaulted to the default gateway I'm using, and I adjusted the internet speeds (upload/download) in the traffic shaper. DNS is already assigned to the default gateway.

    The reason I'm using policy based routing is because I added a second WAN (dynamic IP) and, since I only have one LAN, in order to use the second WAN I had to route the traffic from some computers to the second gateway.

    I used your setup in production today; so far I've got good latency in games, but I've got some questions though:

    a) The aliases LANLIMIT and LANSTATIC. I don't know what they were assigned to in your setup.

    b) The first WAN seems to be perfectly traffic shaped; however, I don't want to traffic shape the second WAN, since it's for downloads only, no need for gaming, and it's being limited to a painfully slow 27kbs download speed.

    c) Does this limit internal LAN file transfers? It's a gigabit network. I haven't had time to test it yet, just asking.

    d) I'm planning on building a LanCache (http://blog.multiplay.co.uk/2014/04/lancache-dynamically-caching-game-installs-at-lans-using-nginx/) setup, do you think your setup will interfere with it?

  • 1. LANLIMIT was used in the limiting rule on the LAN interface. It defined the IPs in the DHCP scope. LANSTATIC was going to be used to allow my static set of IPs to go out another modem (30mb/5mb) that would be used for our LAN party staff to download, and also to allow the staff to not be limited on download speeds.

    2. The limiter does not limit the internal LAN, or at least it shouldn't, as that is why I used the NOT designation for the LAN subnet on the rule.

    3. Using Nginx for caching will not impact this setup, as you can give the cache server a static IP and it will not be limited. You will need to use the DNS Forwarder to spoof all DNS traffic to the cache server.

    When you say the 2nd WAN is being limited to a painfully slow 27kbs download speed, what exactly are you saying? If you want to use the 2nd WAN for downloads only or non-shaped traffic, then you would just need to select only WAN 1 for all the rules in the floating rules section. Then nothing will be shaped on that connection.

    Also, I would make a LAN interface rule where you send IPv4 / TCP / 80 to WAN 2 for the gateway, and put that above the other rules, including the limiter.

    Remember pfSense processes rules top to bottom, floating rules first, then interface rules.

    Glad you are getting good latency in gaming. Keep at it, and remember to always back up your rules / shaper before you apply a config change; it's pretty simple to just restore if you mess up.

  • Hello sideout, I did change all the floating rules to WAN1 only, but WAN2 still had a very slow download speed, and yes, I would like an unrestricted connection on WAN2.

    I will try again by playing around with the LANLIMIT and LANSTATIC rules. Thanks for your awesome response.

  • Are you making sure you are not hitting the limiter under the LAN rules? So I did some testing and here is what I found out on my setup:

    1. If I deselect WAN2 from the floating rule - I see the same results as you - crappy speeds on WAN2: 1.2MB down and .45MB up. I selected WAN2 under my HTTP / HTTPS floating rule.
    2. I made a new rule on the LAN interface that said - IPv4 TCP - any/any - Webtraffic alias for ports - go out WAN2, and put that rule at the top, right under the lockout rule.

    I tested, and now HTTP going out WAN2 is not hitting the limiter at all. (I have mine set at 5Mbit / 2Mbit for testing and my overall settings are 15MB / 5MB.) I got 11MB / 4.3MB on multiple speed tests.

    So if you do that, I think you will find that while the traffic on WAN2 might be shaped, it won't be hitting the limiter if you are using my setup. Hopefully that will be somewhat of what you are looking for.

    The other thing to check is: did you disable the shaping under the interface? Go to Firewall / Traffic Shaper and uncheck the Enable box under WAN2. Try that as well.

  • Hello, I switched to a managed switch, so I can avoid traffic shaping now with VLANs. Is there a way to see what the traffic shaping is doing? It's working like 95% of the time, but sometimes there are these random lag spikes.

    In the firewall rules you have set the LoL server IPs; shouldn't the ports already make that redundant?

  • I left the port rules in there in case LoL ever changes server IPs or adds new ones or something to that effect. Since I have the quick option checked it will stop processing after it matches, and I have the IP rules ahead of the port and protocol rules, so if the IPs ever change, the other rules should work.

    Yes it is redundant so you can remove one if you wish.
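    The rule-ordering points made in this thread (gateway groups with tiers and a load-balanced catch-all, the LAN rule for HTTP placed above the limiter rule so that traffic never hits the limiter, and the IP-based LoL rule sitting ahead of the port-based ones with quick matching) can be shown with a small evaluator. The block below is an added illustration written for this page, not pfSense code and not sideout's configuration: it treats floating rules as pfSense "match" rules that only tag a queue and never stop evaluation, walks the LAN interface rules top to bottom with first match winning (interface rules are quick), and resolves a gateway group to the lowest tier that has an online member, sharing a multi-member tier round-robin with sticky connections per source address. The alias contents, addresses (RFC 5737 / RFC 1918 ranges), port lists, rule order and the assumption that WAN1 is the system default gateway are all constructed for the example.

```python
"""Constructed model of pfSense-style rule evaluation for this thread; an
illustration, not pfSense code. Floating rules act as 'match' rules (tag a
queue, never stop evaluation); LAN rules are quick, so the first match wins.
Gateway groups resolve to the lowest tier with an online member; several online
members in one tier are shared round-robin with sticky connections per source.
Aliases, addresses, port lists and gateway names are all made up."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

ADDR_ALIASES = {                      # constructed; not real LoL addresses
    "LANLIMIT": ["10.0.0.100/30"],    # DHCP range that gets the limiter
    "LOLGAMESERVERS": ["192.0.2.10", "192.0.2.11"],
}
PORT_ALIASES = {                      # constructed placeholder port lists
    "WEBTRAFFIC": {80, 443},
    "LOLGAMINGPORTSTCP": {2099, 5223},
    "LOLGAMINGPORTSUDP": {5000, 5001},
}
GATEWAY_GROUPS = {                    # tiers as listed in the thread
    "WANGWMAIN1": [["WANGW1"], ["WANGW2"]],
    "WANGWMAIN2": [["WANGW2"], ["WANGW1"]],
    "WANGWOVERALL": [["WANGW1", "WANGW2"]],
}
DEFAULT_GATEWAY = "WANGW1"            # assumption: WAN1 is the system default

Flow = namedtuple("Flow", "src_ip dst_ip proto dst_port")


@dataclass
class Rule:
    name: str
    proto: str = "any"                # "tcp", "udp", "tcp/udp" or "any"
    src: Optional[str] = None         # source address alias, None = any
    dst: Optional[str] = None         # destination address alias, None = any
    ports: Optional[str] = None       # destination port alias, None = any
    gateway: Optional[str] = None     # gateway or group, None = default route
    limiter: Optional[str] = None     # limiter name
    queue: Optional[str] = None       # shaper queue (floating match rules)


def in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDR_ALIASES[alias])


def matches(rule, flow):
    return ((rule.proto == "any" or flow.proto in rule.proto.split("/"))
            and (rule.src is None or in_alias(flow.src_ip, rule.src))
            and (rule.dst is None or in_alias(flow.dst_ip, rule.dst))
            and (rule.ports is None or flow.dst_port in PORT_ALIASES[rule.ports]))


class GatewaySelector:
    """Turns a gateway or gateway-group name into a concrete online gateway."""

    def __init__(self, status):
        self.status, self.rr, self.sticky = dict(status), {}, {}

    def resolve(self, name, src_ip):
        name = name or DEFAULT_GATEWAY
        if name not in GATEWAY_GROUPS:  # plain gateway: usable only if online
            return name if self.status.get(name) else None
        for tier in GATEWAY_GROUPS[name]:
            up = [gw for gw in tier if self.status[gw]]
            if not up:
                continue              # whole tier down: fail over to next tier
            key = (name, src_ip)
            if self.sticky.get(key) not in up:   # new source: round robin
                self.sticky[key] = up[self.rr.get(name, 0) % len(up)]
                self.rr[name] = self.rr.get(name, 0) + 1
            return self.sticky[key]   # sticky connection keeps its gateway
        return None                   # every tier down


def route(flow, floating, lan_rules, gws):
    """Floating match rules classify; LAN rules are quick, first match wins."""
    result = {"queue": None, "rule": None, "gateway": None, "limiter": None}
    for rule in floating:
        if matches(rule, flow):
            result["queue"] = rule.queue
    for rule in lan_rules:
        if matches(rule, flow):
            result.update(rule=rule.name, limiter=rule.limiter,
                          gateway=gws.resolve(rule.gateway, flow.src_ip))
            break
    return result


FLOATING = [
    Rule("classify LoL", proto="tcp/udp", dst="LOLGAMESERVERS", queue="qGames"),
    Rule("classify web", proto="tcp", ports="WEBTRAFFIC", queue="qWeb"),
]


def lan_rules(http_above_limiter):
    """LAN rule order is constructed here: LoL-by-IP ahead of the port rules,
    and the HTTP-to-WAN2 rule either above or below the limiter rule."""
    lol = [Rule("LoL by IP", proto="tcp/udp", dst="LOLGAMESERVERS", gateway="WANGWMAIN2"),
           Rule("LoL TCP ports", proto="tcp", ports="LOLGAMINGPORTSTCP", gateway="WANGWMAIN2"),
           Rule("LoL UDP ports", proto="udp", ports="LOLGAMINGPORTSUDP", gateway="WANGWMAIN2")]
    http = Rule("HTTP to WAN2", proto="tcp", ports="WEBTRAFFIC", gateway="WANGWMAIN2")
    limit = Rule("limit DHCP clients", src="LANLIMIT", limiter="LANLIMIT", gateway="WANGWOVERALL")
    tail = [http, limit] if http_above_limiter else [limit, http]
    return lol + tail + [Rule("default any/any", gateway="WANGWOVERALL")]
```

    Running `route(Flow("10.0.0.101", "203.0.113.5", "tcp", 80), FLOATING, lan_rules(False), GatewaySelector({"WANGW1": True, "WANGW2": True}))` shows a DHCP client's web traffic landing on the limiter rule, while `lan_rules(True)` sends the same flow out WANGW2 with no limiter; a host outside LANLIMIT never hits the limiter either way, which is the point of the source alias. Taking WANGW2 offline in the selector makes the WANGWMAIN2 group fall through to its tier 2 member, and the catch-all any/any rule alternates sources across both gateways of WANGWOVERALL while keeping a given source on the gateway it was first assigned.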

  • Sorry to bother you again. The speed between all my VLANs is so limited, and I think it's because of the traffic shaper.

    Do you have a multi-LAN setup? Because all my LANs (VLANs + 1 loopback interface) have slow transfer between them.

  • If the speed on your LANs is limited, I would check the floating rules and make sure that your WAN interfaces are the only ones highlighted. Sounds like you potentially have LAN highlighted as well. I haven't done much with VLANs in pfSense or multiple LANs.

  • Thanks for the assist, but I just solved it.

    I created a new queue under LAN called qLink, same hierarchy as qInternet, and assigned 1Gbit to LAN and 993Mbit to qLink.

    Set the default queue to qInternet, and created an SMB floating rule for all interfaces (top of the list) with the qLink queue.

    Getting a whopping 80Mbit transfer speed between PCs on the same network compared to 8Mbit. Also getting 10Mbit between interfaces (one client has a 100M NIC).

    Next thing to work on: LanCache  ;D