Queue setup for Multi-WAN, Multi-LAN networks



  • Hi Everyone,

    Currently we have a generic queues setup for our multi-WAN, multi-LAN network, which looks like this:

    WANx (for each of WAN1, WAN2, WAN3)
--qInternet (bandwidth limits set as *97% of respective actual ISP uplinks)
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow

    LANx (for each of LAN1, LAN2, LAN3, LAN4, DMZ1, etc.)
    --qInternet (??? what bandwidth limit to set for downlink since the 3 WANs have different downlink bandwidths ???)
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow

    Since the downlink bandwidths of each of the WANs vary, what should be the bandwidth limit of the LANs' qInternet queue?

    1. To address the different WAN bandwidths, do we need to setup one qInternet hierarchy for each different bandwidth? Like:

    LANx (for each of LAN1, LAN2, LAN3, LAN4, DMZ1, etc.)
    --qInternet1MB (corresponds to WAN1 and WAN2's bandwidth)
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow
    --qInternet2MB (corresponds to WAN3's bandwidth)
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow

    But in this case, is it not a problem to share same queues for two different WAN's downlinks?

    2. Or do we have to setup one qInternet hierarchy for each different ISP? Like:

    LANx (for each of LAN1, LAN2, LAN3, LAN4, DMZ1, etc.)
    --qInternetWAN1
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow
    --qInternetWAN2
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow
    --qInternetWAN3
    -----qACK
    -----qDefault
    -----qOthersHigh
    -----qOthersLow

3. In both the cases, how to configure the queues for policy-based routing involving a failover gateway group? For example, for some traffic if we want to use a failover group of "WAN2failstoWAN3failstoWAN1", which of the child queues to specify if we intend to use qOthersLow? Or does it not matter and we can just pick qOthersLow from the drop-down list and it'll always correspond to the active WAN of that failover group? Will that work correctly despite being child of different qInternetWANx's or different qInternetxMB's?

    4. The assumption (please confirm) for the questions above is that child queues get governed by their parent qInternet's bandwidth upper limit setting, which has to correspond to respective WAN's downlink bandwidth. And the upper limits of the qInternet's are very important for the basic operation of queues and must match the actual downlink/uplink bandwidths. Is this right?

    5. Apart from the assignment of queues in the rules and thereby associating them with interfaces and/or gateways, is there any other way queues are inherently associated with any given interface (LAN or WAN)? Where is such association specified in pfSense? Or is it the case that no queue is inherently associated with any specific interface, it gets used by whichever interface is associated with it when defining rules? In that case, do the queues get instantiated per each queue-interface association based on the rules?

    Thanks for your responses....
    pubmsu



  • Desperately need the answers… please help!!  :'(



  • Here are my suggestions:
1. I would not use qInternet on the WAN sides. I don't think the wizard puts it there.  I would set WANx as 97% of the upload bandwidth then designate percentages on the queues.
2. I would set qInternet for each LAN to be what the download link speed is.
3. You do not want separate qInternet's under each LAN. If you want to direct traffic out to specific WANs from a LAN interface, you will need to use the LAN rule with a gateway.

All traffic shaping does is direct the traffic to the correct queue and then applies the limits or shaping you specify.  This is all done under the floating rules.  For policy based routing you are going to be looking at LAN interface rules or creating an Interface group and making rules there.  (https://doc.pfsense.org/index.php/What_is_policy_routing)

    For that you need to create gateway groups.  I would recommend doing something like this:

    1. WAN1 , WAN2 , WAN3 in a group called ALLWANS with each WAN tier 1 failover on packet loss or high latency.  Put the ALLWANS gateway on all default rules for each LAN interface.
    2. Create the following gateway groups:
        a. WAN1Primary - uses WAN1 as tier 1 / WAN2 as tier 2 / WAN3 as tier 3
        b. WAN2Primary - uses WAN2 as tier 1 / WAN3 as tier 2 / WAN1 as tier 3
c. WAN3Primary - uses WAN3 as tier 1 / WAN1 as tier 2 / WAN2 as tier 3

3. Use the above gateway groups on EACH LAN interface rule set to direct traffic to the specific WAN you want it to go out.  So if you want all HTTP from ALL LANs to go out WAN2Primary then you would say IPv4 / TCP / HTTP / any / any  / Gateway WAN2Primary and put that above the default any/any rule on EACH LAN interface rule set. (You will also need to make sure you have a DNS server specified for each WAN under System > General Setup > DNS Servers.)

You would want the queues on the traffic shaper of each interface to be balanced for their speed and for the percentage you want assigned to the traffic.  If all HTTP is going out WAN2Primary then I would make a specific queue called qHTTP and give it a percentage along with a real time and link share. This way any HTTP traffic regardless of the LAN it comes from is going to get X amount of bandwidth with y amount of real time bandwidth and z amount of link share for the queue, and then since it is all going out WAN2Primary, whatever those percentages are, it will take that from whichever WAN is active in the group at the time.

    So the way it flows is :

pfSense sees the traffic, it classifies it as to port / protocol / interface, assigns it to a queue based on floating rules (remember to check the quick option to have it stop processing), then after it does that it processes the Interface rules. (This is where you are sending out the interface you want.)

There is another forum on here specifically for policy based routing where you might get better answers, but these are my suggestions to you.
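As an added illustration (not code from this thread, not pfSense's own code), the following Python model shows the two mechanisms the reply above relies on: a failover gateway group whose active member changes when a tier fails its loss/latency check, and a per-LAN queue hierarchy whose child limits are derived from the parent's budget, so the same child queue name ends up bounded by whichever WAN the group is currently using. The bandwidth figures, queue percentages, failover thresholds and the rule table are constructed sample values; summing the downlink of all usable members in a load-balanced tier is a modelling simplification, not pfSense behaviour.

```python
"""Constructed model of gateway-group failover plus a parent/child queue tree."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    down_kbit: int            # ISP downlink, kbit/s (constructed sample value)
    up_kbit: int              # ISP uplink, kbit/s (constructed sample value)
    loss_pct: float = 0.0     # monitored packet loss
    latency_ms: float = 0.0   # monitored round-trip time


# Constructed sample WANs: two 1 Mbit links and one 2 Mbit link.
GATEWAYS = {
    "WAN1": Gateway("WAN1", 1024, 512),
    "WAN2": Gateway("WAN2", 1024, 512),
    "WAN3": Gateway("WAN3", 2048, 1024),
}

# Gateway groups as ordered tier lists, mirroring the reply's suggestion.
GROUPS = {
    "ALLWANS":     [["WAN1", "WAN2", "WAN3"]],
    "WAN1Primary": [["WAN1"], ["WAN2"], ["WAN3"]],
    "WAN2Primary": [["WAN2"], ["WAN3"], ["WAN1"]],
    "WAN3Primary": [["WAN3"], ["WAN1"], ["WAN2"]],
}


def set_health(name, loss_pct=0.0, latency_ms=0.0):
    """Update a gateway's monitored health (stands in for the gateway monitor)."""
    GATEWAYS[name].loss_pct = loss_pct
    GATEWAYS[name].latency_ms = latency_ms


def gateway_usable(gw, max_loss_pct=10.0, max_latency_ms=500.0):
    """Failover trigger: a member is skipped on packet loss or high latency.
    Thresholds are assumed sample values."""
    return gw.loss_pct < max_loss_pct and gw.latency_ms < max_latency_ms


def active_members(group):
    """Return the usable gateways of the lowest tier that still has one."""
    for tier in GROUPS[group]:
        usable = [GATEWAYS[n] for n in tier if gateway_usable(GATEWAYS[n])]
        if usable:
            return usable
    return []


@dataclass
class Queue:
    name: str
    share_pct: int                           # share of the parent's budget
    children: list = field(default_factory=list)


def queue_tree(root_name):
    """The four-child hierarchy from the thread under one parent queue
    (percentages are constructed)."""
    return Queue(root_name, 100, [
        Queue("qACK", 20), Queue("qDefault", 40),
        Queue("qOthersHigh", 25), Queue("qOthersLow", 15)])


def allocate(queue, parent_kbit):
    """Walk the tree: each child is bounded by its parent's limit."""
    own = parent_kbit * queue.share_pct // 100
    out = {queue.name: own}
    for child in queue.children:
        out.update(allocate(child, own))
    return out


def wan_root_kbit(gw, fraction=0.97):
    """WANx root at 97% of the real uplink so the shaper, not the modem, queues."""
    return int(gw.up_kbit * fraction)


def lan_queue_kbit(group, queue_name):
    """Downlink budget a LAN child queue effectively gets: the active members'
    downlink (summed, a simplification) passed through the share tree."""
    members = active_members(group)
    if not members:
        return 0
    root = sum(gw.down_kbit for gw in members)
    return allocate(queue_tree("qInternet"), root)[queue_name]


# Floating-rule style classification (constructed table). Without "quick",
# a later matching rule overrides an earlier one; "quick" stops processing.
RULES = [
    {"proto": "tcp", "dport": 80,   "queue": "qOthersHigh", "quick": True},
    {"proto": "tcp", "dport": 443,  "queue": "qOthersHigh", "quick": True},
    {"proto": "any", "dport": None, "queue": "qDefault",    "quick": False},
]


def classify(proto, dport):
    """Return the queue a packet lands in after the floating rules run."""
    chosen = None
    for rule in RULES:
        if rule["proto"] in ("any", proto) and rule["dport"] in (None, dport):
            chosen = rule["queue"]
            if rule["quick"]:
                break
    return chosen
```

Running `lan_queue_kbit("WAN2Primary", "qOthersLow")` before and after `set_health("WAN2", loss_pct=30.0)` shows the point of the reply: the child queue name stays the same, but its effective budget follows the WAN that the group has failed over to.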



  • Hi sideout, thank you so much for your elaborate suggestions.

    We're experimenting with different approaches and will report back here which scheme gave best results.

