Help please - three priorities - VOIP, RDP, ALL ELSE



  • Hi all, I have a transparent firewall setup with two NICs both on the same subnet:

    ROUTER 192.168.0.1

    PFSENSE WAN: 192.168.0.2
    PFSENSE LAN: 192.168.0.3

    LAN - 192.168.0.X, GATEWAY 192.168.0.2

    I want to setup traffic shaping so that I have three levels of priority (I don't want these queues to have limited amount of bandwidth but to adjust when traffic exists - I think this is the default?).

    1. I want to be able to assign VOIP calls the highest priority over everything else, but I don't want to do this using protocols/ports I want to be able to add 7 or so static IP addresses to this queue and always give them priority.

    2. We use RDP to access a terminal server and this needs to operate as quickly as possible also so users don't get mad about slow screen refreshes etc. I presume this will have to be done for protocol TCP and port 3389.

    3. Everything else needs to have the lowest priority (which shouldn't be a problem as nothing else should be travelling between our branches anyway), but this could potentially be file transfers and will definitely include printing traffic (in a raw format). It is very important that the printing traffic cannot burst and interrupt the VOIP calls.

    Can someone please give me a hint on how to configure these queues, I am very excited to get this running as I could save my company NZ$6000 on a commercial solution and we could really do with the money to use on other IT upgrades. Thanks for your help I really appreciate it.

    Scott Thompson.



  • Create an alias for your phones.  In my case I created an alias called "Phones" and assigned it the network of 192.168.1.0/24 (yes our phones at work conflicts with the default ip in pfSense).

    Next, run the traffic shaping wizard.  When it asks about VOIP, select yes, then type in the red box "Phones".  Select an appropriate amount of bandwidth.

    Next skip the games screen and the p2p screen and finally when you arrive at the last screen you can mark protocols as higher or lower priority.  One of the options is MSRDP.    Tell it to prioritize this protocol higher.

    Click next, allow the wizard to reload the settings and you are basically done.



  • That sounds awesome! Thank you so much for making that easy and clear. I have added all the individual IPs (192.168.2.210, 192.168.2.211, 192.168.3.210, 192.168.3.211, 192.168.1.210, 192.168.1.205, 192.168.2.205, 192.168.3.205) to a "Network(s)" Alias. I have also configured the wizard as you instructed. Thanks, I will plug in the pfsense box hopefully tonight and see how it goes.

    Thanks again sullrich.



  • Just make sure you are on beta 2 and you should be golden.  Please report back how well it works as Bill is actively looking for positive and negative (positive is better) feedback.



  • @scotttiamit:

    That sounds awesome! Thank you so much for making that easy and clear. I have added all the individual IPs (192.168.2.210, 192.168.2.211, 192.168.3.210, 192.168.3.211, 192.168.1.210, 192.168.1.205, 192.168.2.205, 192.168.3.205) to a "Network(s)" Alias. I have also configured the wizard as you instructed. Thanks, I will plug in the pfsense box hopefully tonight and see how it goes.

    Thanks again sullrich.

    Did you use network aliases with /32 subnets? You'd rather want to use a hosts alias.



  • Whoops, I just noticed you are bridging.  Currently our shaper does not support bridges.

    Sorry about that.



  • Yes I used /32 in "Network(s)"

    Oh OK, so I will need to disable bridging mode for it to work? At present, when I try to view the status:queue or the packages list, the web interface just sits there and times out, and I cannot reconnect to the web interface without rebooting the machine (even if I restart the web configurator from the console I still cannot access it). Is this because both NICs are on the same subnet and I am using bridge mode?

    What would you recommend my setup be considering the following:

    • My local LAN is in the range 192.168.0.X range (terminal server is 192.168.0.202)

    • Router that connects to other branches (192.168.1.X, 192.168.2.X, 192.168.3.X) has an IP of 192.168.0.1 and I cannot access this as it is looked after by Telecom.

    Should I change the WAN IP to a different subnet (e.g. 192.168.8.1) and add static routes to the WAN side to connect to 192.168.0.1/32 as well as 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24? So my setup would become:

    LAN 192.168.0.X -> PFSENSE LAN NIC 192.168.0.3 -> PFSENSE WAN NIC 192.168.8.1 -> TELECOM ROUTER 192.168.0.1 -> BRANCHES 192.168.1.X, 192.168.2.X, 192.168.3.X

    Thanks for the help everyone.



  • That setup makes it a bit complicated as you need a lot of static routes for that, not only at the pfSense but at the gateway router your provider controls and at the other office branches' routers as well. However, if you add all the routes everywhere it should work. In that case you want to shut down NAT at the pfSense. Go to Firewall > NAT, Outbound tab, and enable advanced outbound NAT. It will generate a rule at the bottom of that page. Delete that rule and you have shut down NAT.
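    For readers who want to see what the three-queue design from the opening post and the "routing only, no NAT" advice above look like underneath the GUI, here is a hand-written pf.conf fragment as an added example. It is not code from the thread, not what the pfSense 1.0 or m0n0wall wizards generate, and it assumes the routed layout proposed above (pfSense LAN 192.168.0.3, WAN on its own subnet, static routes already in place). Interface names and the two bandwidth figures are assumptions; the phone addresses and the terminal server address are the ones posted in this thread.

```pf
# Added example (not from the thread or the pfSense/m0n0wall projects):
# three strict-priority ALTQ queues for the routed layout discussed above.

ext_if = "fxp0"     # toward the Telecom frame relay router (assumed name)
int_if = "fxp1"     # toward the local 192.168.0.X LAN (assumed name)
ts     = "192.168.0.202"   # terminal server, as posted in the thread

# pf's equivalent of a "Hosts" alias: a table of single addresses, not /32
# "networks". These are the phone IPs listed in the thread.
table <phones> { 192.168.2.210, 192.168.2.211, 192.168.3.210, 192.168.3.211, \
                 192.168.1.210, 192.168.1.205, 192.168.2.205, 192.168.3.205 }

# Usable rate of the frame relay link in each direction. ASSUMED values:
# measure the real link (as suggested later in this thread) and set these a
# few percent below it, otherwise the queue builds inside the Telecom router
# where this box cannot reorder anything.
up_bw   = "1900Kb"
down_bw = "1900Kb"

# ALTQ only shapes packets leaving an interface, so traffic toward the
# branches is shaped on $ext_if and traffic coming back is shaped on
# $int_if. The same queue names are listed on both interfaces; a queue
# defined without "on <if>" is attached to every altq that lists it.
altq on $ext_if priq bandwidth $up_bw   queue { q_voip, q_rdp, q_bulk }
altq on $int_if priq bandwidth $down_bw queue { q_voip, q_rdp, q_bulk }

# priq is strict priority: a packet in q_bulk is only sent when q_voip and
# q_rdp are empty, which is exactly "printing must never interrupt a call".
# No bandwidth caps are configured per queue, matching the original request.
queue q_voip priority 7
queue q_rdp  priority 4
queue q_bulk priority 1 priq(default)

# Routing only: there is deliberately no "nat on $ext_if" line, which is the
# pf.conf form of deleting the generated advanced outbound NAT rule.

# No filtering is wanted, so every rule passes. "queue" is recorded in the
# state entry, so the reply direction of each flow is queued the same way on
# whichever interface it leaves through.
# 1. Phones, matched by address only (either end of the call), highest queue.
pass in quick from <phones> keep state queue q_voip
pass in quick to   <phones> keep state queue q_voip
# 2. RDP to the terminal server, matched by protocol and port.
pass in quick proto tcp to $ts port 3389 keep state queue q_rdp
# 3. Everything else (file copies, raw printing) falls into the default queue.
pass in quick all keep state queue q_bulk
```

    Load it with `pfctl -f /etc/pf.conf` and watch the queues with `pfctl -vvsq`, which prints per-queue packet, byte and drop counters. The check that answers "is the shaping actually working" is to start a large raw print job while a call is up: drops should accumulate on q_bulk and stay at zero on q_voip. If q_bulk never drops anything while the call is still choppy, the bottleneck is in the router rather than on this box, and the bandwidth figures need to come down. Strict priority has one cost worth knowing: a misbehaving host in <phones> can starve q_bulk completely, so keep the phone table to the phones.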



  • How about if I set it up with both on the 192.168.0.X subnet, then "Disable the firewall's filter altogether" as per the System: Advanced functions? I would then only have to add static routes to the WAN side for 192.168.1.1/32, 192.168.1.X/24, 192.168.2.X/24, 192.168.3.X/24 and also add the static route 192.168.0.X to the LAN side. This should work, right?

    BRANCHES 192.168.1.X, 192.168.2.X, 192.168.3.X

    ROUTER: 192.168.0.1
    WAN IP: 192.168.0.2
    LAN IP: 192.168.0.3

    LAN: 192.168.0.X Gateway 192.168.0.2



  • No, that is not what this option does, and by disabling all filters you shut down the traffic shaping filter too. Read what the option says: it's "routing", not bridging, with this checked.



  • So there is no way to run Traffic Shaping in bridge mode? This would make it quite easy. All I want to do is put a box into our existing network right before the router that can prioritize VOIP traffic before it is sent to the router. I don't have access to the router's settings here or at the branches, so adding routes etc. to them is not possible (hence why I wanted to use it transparently). I don't need any traffic blocking either, so I don't need the firewall either.

    Thanks.



  • If you really only want a pure shaping bridge you might want to consider running m0n0wall. I have some m0n0s out that do nothing but shape traffic transparently for VoIP, high level apps and all the rest. m0n0's shaper needs some time to throttle traffic at the moment it occurs (the first 1 or 2 seconds of a VoIP call can be choppy if the bandwidth is maxed out) but after that it works quite well. pfSense's shaper is much more rapid in reaction though, but as routing is no choice for your scenario and m0n0's shaper can work in bridge mode, give it a try. You should be aware that you need a traffic shaper at every location if you really want to have good quality at the link where your traffic is hitting the "bottlenecks". Also do some real life measurements of your upstream and downstream and don't "trust" the bandwidth your provider promises.

    Oh, you need 3 interfaces for that as you only can bridge an OPTx to the WAN with m0n0. So you have one dead unused nic in there.



  • OK thanks, I'll try that instead then. Are there any plans to support traffic shaping in transparent mode? I imagine this would be quite a common use and would make install really easy. Thanks again for your help and pointing me in the right direction.
    Scott.



  • This is our 1.0 release. If it's doable we'll do it in an upcoming release. Expect MUCH more in the future  ;D



  • Sounds good to me Hoba! Hey, I installed m0n0wall (so this isn't the right forum to ask, but you said you had some boxes running in the same config I am wanting to use). In terms of the traffic shaping rules, as I cannot use the wizard to set up and I cannot add multiple IP addresses to an alias, how would I go about configuring the rules? This is pretty confusing to me. As per my first post, this is what I want to achieve:

    I want to setup traffic shaping so that I have three levels of priority (I don't want these queues to have limited amount of bandwidth but to adjust when traffic exists - I think this is the default?).

    1. I want to be able to assign VOIP calls the highest priority over everything else, but I don't want to do this using protocols/ports I want to be able to add 7 or so static IP addresses to this queue and always give them priority.

    2. We use RDP to access a terminal server and this needs to operate as quickly as possible also so users don't get mad about slow screen refreshes etc. I presume this will have to be done for protocol TCP and port 3389.

    3. Everything else needs to have the lowest priority (which shouldn't be a problem as nothing else should be travelling between our branches anyway), but this could potentially be file transfers and will definitely include printing traffic (in a raw format). It is very important that the printing traffic cannot burst and interrupt the VOIP calls.

    I'm getting close now. All traffic is going through the box now prior to hitting the frame relay router, so all I need to do now is add the traffic shaping rules. Also, how do I view the queues and ensure that the traffic shaping is actually working correctly?

    Thanks guys.

    Scott.



  • This isn't pfSense, so you don't have fancy host group aliases, queue graphs and so on. You have to set it up, simulate a maxed out line, do phone calls and terminal sessions under that condition and tweak it until you are happy with it.  ;)
    I'll PM you something later when I'm at home. I don't think it makes sense to discuss that in public as the m0n0 shaper is completely different compared to pfSense. I suggest closing this thread.


Locked