Traffic Shaping with OpenVPN



  • Hello.  I have a Traffic Shaping question. I am hoping there is a simple solution to my need. All of the routing/vpn/firewall rules are already set up and working as we currently expect them to work today. This question is strictly on Traffic shaping. I have a corporate office which has some IPTV servers and Internet users located at it. We have a 50/50mb Internet Circuit. We also have several remote sites with 25/25 internet and have IPTV Receivers and Internet Users. (Pfsense-1.jpg)

    Our IPTV are HD UDP unicast, about 10mbs. We have 2 televisions at our remote site and about 25 workers. Our corporate office has about 50 Internet users. The issue is we want to guarantee that our IPTV televisions are not negatively affected by the random, normal internet browsing at either our corporate or remote sites. We thought about just putting a "hard limiter" on the Internet users' connections (5mbs for internet users at remote sites, leaving 20mb free for IPTV) but that would prevent the internet users from using the extra 20mb bandwidth if the IPTV isn't actively in use.  (Pfsense.jpg)

    What we are looking for is a way to say: if traffic is going over the OpenVPN TAP, that is considered real-time traffic and needs all the bandwidth it requires (somewhere between 3mbs and 20mbs), and whatever is left over the internet users can split up. We want this type of rule at both our corp and our remote locations.  I know this is a difficult topic because there are so many options available. Can you provide some detailed guidance to help make this work?





  • This is a very simple description, but would pretty much do what you want. You want the traffic shaper set to rate limit with some buffer below your actual rated connection.

    WAN Root - 49Mb
    --VPN LinkShare: 1% RealTime: 21%
    --ACK LinkShare: 1% RealTime 20%
    --EverythingElse LinkShare: 92%
    LAN Root - 49Mb
    --VPN LinkShare: 1% RealTime: 20%
    --ACK LinkShare: 1% RealTime 20%
    --EverythingElse LinkShare: 92%

    WAN Root - 24Mb
    --VPN LinkShare: 1% RealTime: 42%
    --ACK LinkShare: 1% RealTime 20%
    --EverythingElse LinkShare: 92%
    LAN Root - 24Mb
    --VPN LinkShare: 1% RealTime: 42%
    --ACK LinkShare: 1% RealTime 20%
    --EverythingElse LinkShare: 92%

    This assumes your VPN link is only used for the TV stuff. If the link is used by more than just TV, then you'll need to increase the realtime bandwidth until it has enough for your VPN traffic. Mind you, if you make your VPN traffic queue too large, it will drown out all other internet traffic when in use.

    If you need to shape within the VPN tunnel, then you will need to create a new set of queues on the VPN TAP interface. Just remember, you can only shape data leaving an interface.



  • I thank you very much for your reply.

    What you posted is pretty much what I expected it to look like once I am finished. I guess my question was one of more specifics, such as which settings I should be using, specifically items like scheduler type, Queue Limit, TBR Size, Priority, Scheduler options, and Service Curve.

    I understand the theory, and if this was a Cisco Router/Switch I would know the commands in my sleep, but I don't know the details on how to implement this via the GUI on pfSense.

    If you could provide me a little bit more detail and another good push in the right direction, I would be eternally grateful.



  • Unless someone has more experience, I would just say to set your queues to 2500 and use Codel. Codel is an interesting algorithm that starts to statistically drop packets once packets have been queued for more than 5ms. For every packet that has been in the queue longer than 5ms, it keeps upping the rate at which it drops packets until it finds a packet that has been queued for under 5ms. It also does head drop instead of tail drop, which has some interesting characteristics, one of them being it's more fair to smaller transfers and harder on bigger ones.

    HFSC can be more complicated, but just keep it simple. Don't use burst, just realtime and link share.

    Link share comes from the parent and cannot be more than 100% when added with all sibling queues. Real time comes directly from the root interface, so realtime among all queues may not add up to more than 80%. HFSC is really kind of a ratio-based traffic shaper. All you're doing is telling it how much bandwidth each queue will have when your connection is fully saturated.



  • I appreciate your help, but is there another forum member who might be able to help me a little bit further, possibly with more specific instructions?

    I guess my question at the remote site is "if SOURCE interface X, guarantee up to 20mbs via wan. otherwise provide full bandwidth (25mbs) to all users"

    and my question at the central office is "provide this OpenVPN tap connection guarantee up to 20mbs via wan, otherwise provide full bandwidth (50mbs) to all users"



  • anyone care to assist?

    bump


  • LAYER 8 Netgate

    All you can really do is shape the OpenVPN tunnel in relation to other traffic.  You can only do this in one direction - outbound.

    You would identify the traffic on the client with connections on WAN OUT to server on UDP/1194.  This would put traffic into a queue to shape from client to server.

    You would identify the traffic on the server with connections on WAN IN from client to UDP/1194.  This would put traffic into a queue to shape from server to client.

    Default OpenVPN ports used in this example.



  • @mcamino:

    I appreciate your help, but is there another forum member who might be able to help me a little bit further, possibly with more specific instructions?

    I guess my question at the remote site is "if SOURCE interface X, guarantee up to 20mbs via wan. otherwise provide full bandwidth (25mbs) to all users"

    and my question at the central office is "provide this OpenVPN tap connection guarantee up to 20mbs via wan, otherwise provide full bandwidth (50mbs) to all users"

    I have a rudimentary understanding of HFSC so I can help with that, but I am very inexperienced with firewall rules and OpenVPN.

    If you want to use a 2-part service curve (decoupled bandwidth & delay), you (or I) will need to know the packet size for a particular traffic type to determine the burst duration.

    If you just want linear service curves then use link-share and upper-limit.

    It is late and I am having trouble finding motivation, but I am willing to help… :)



  • @Derelict:

    All you can really do is shape the OpenVPN tunnel in relation to other traffic.  You can only do this in one direction - outbound.

    That is the part which I am having a difficult time understanding. I want to protect the upstream and downstream bandwidth for the vpn connection. For example, if a user downloads or uploads a 20gb file to the internet, I want to be sure in either scenario that the internet user does not negatively affect the vpn connection for the IPTV streams.

    I understand dividing a 50mb connection into different queues with different priorities. Attached is what I am trying right now, but it still doesn't seem to be the right config.

    Can you take a look and tell me if what I have so far LOOKS like I am on the right track? And if you could give me some advice on what else I should look at and configure so I can investigate those next steps.



  • LAYER 8 Netgate

    That is the part which I am having a difficult time understanding. I want to protect the upstream and downstream bandwidth for the vpn connection. For example, if a user downloads or uploads a 20gb file to the internet, I want to be sure in either scenario that the internet user does not negatively affect the vpn connection for the IPTV streams.

    You can shape both directions, you just have to shape sending at each end.



  • How does shaping the remote client side (which is downloading the iptv streams) prevent someone from performing a large download on the central server side (which is uploading the iptv streams), causing the circuit to have over-subscription issues? Am I misunderstanding this, or what am I missing?


  • LAYER 8 Netgate

    You're misunderstanding.  I am talking about shaping the tunnel.

    You shape sending out WAN by putting the OpenVPN connection into a queue and other traffic into other queues.  What you can't easily do is shape different traffic within the OpenVPN tunnel or shape how much is received by the tunnel.

    OpenVPN traffic is different from other traffic.  You cannot shape the state of the received traffic all the way through to LAN because:

    On the WAN side all pfSense sees is an OpenVPN tunnel - it cannot see inside it.  The only state on WAN that exists is the connection to the other VPN server itself.

    pfSense will allow you to set queues on the OpenVPN assigned interface itself, but doing so eventually makes my OpenVPN process spin at 100% CPU.

    I'm probably making this more difficult than it needs to be but shaping OpenVPN traffic is really complicated due to the fact that there are never states from LAN to WAN and WAN to LAN.  Even if you do try to shape on the OpenVPN interface, you're now running a shaper inside a shaper and adding yet more complexity.



  • @Derelict:

    You're misunderstanding.  I am talking about shaping the tunnel.

    You shape sending out WAN by putting the OpenVPN connection into a queue and other traffic into other queues.  What you can't easily do is shape different traffic within the OpenVPN tunnel or shape how much is received by the tunnel.

    Okay. I know I don't need to shape within the tunnel. I just want to give the vpn tunnel on both the client and server side a higher priority. So let's simplify my original question and forget the specific bandwidth numbers.

    If I have an OpenVPN connection between two sites, how do I give that vpn connection higher priority on the outside (wan) interface than all other (default queue) traffic for both upload and download over-subscription? I guess my question is even more specific now: how do I set up a traffic shaper rule for both upload (outgoing) and download (incoming) on the wan interface?


  • LAYER 8 Netgate

    You don't shape download on WAN.  That's what I've been trying to tell you.  And you can't set a queue on LAN to shape downloads either.

    Assumes the following: OpenVPN Server running on UDP 1196

    On the server (This rule will shape traffic from server to client):

    Create a floating rule on interface WAN in Match IPv4 UDP source any dest WAN address destport 1196 set queue qVPN

    On the client (this rule will shape traffic from client to server):

    Create a floating rule on interface WAN out Match IPv4 UDP source any dest VPN Host destport 1196 set queue qVPN

    ![Screen Shot 2015-03-01 at 8.17.00 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-01 at 8.17.00 PM.png)

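    The queue tree from the first reply and the two floating rules above, written out as a hand-made pf.conf-style fragment for reference (an added illustration, not pfSense's own generated ruleset; the interface name, the peer address and the 49Mb ceiling are assumptions, and the remote box would use the same layout with 24Mb and realtime 42%):

```pf
# Assumed names (not from the thread): WAN NIC and the public address of the
# OpenVPN peer (RFC 5737 documentation range, placeholder only).
wan_if   = "em0"
vpn_host = "203.0.113.10"

# HFSC root on WAN, ~2% under the rated 50Mb so the queue, not the ISP, is
# the bottleneck. qVPN keeps a tiny link share but a real-time guarantee of
# 21% of 49Mb (~10.3Mb), enough for one HD unicast stream; qDefault gets the
# rest when the tunnel is idle. qlimit 2500 follows the earlier advice.
altq on $wan_if hfsc bandwidth 49Mb queue { qVPN, qACK, qDefault }
queue qVPN     bandwidth 1%  qlimit 2500 hfsc(realtime 21%)
queue qACK     bandwidth 1%  qlimit 2500 hfsc(realtime 20%)
queue qDefault bandwidth 92% qlimit 2500 hfsc(default)

# --- On the OpenVPN SERVER (corporate side) ---
# Match the tunnel as it arrives on WAN (client -> UDP/1196). The queue tag
# rides on the state, so it is the server's replies leaving WAN (the IPTV
# direction, server -> client) that actually land in qVPN.
match in on $wan_if proto udp from any to ($wan_if) port 1196 queue qVPN

# --- On the OpenVPN CLIENT (remote site) ---
# Match the tunnel leaving WAN toward the server (client -> server).
match out on $wan_if proto udp from any to $vpn_host port 1196 queue qVPN

# Anything not tagged above falls through to qDefault. Nothing here looks
# inside the tunnel: the shaper only ever sees one UDP/1196 state on WAN.
```

    Only egress is shaped at each box, so the protection for "download" at one site is the egress rule at the other site; verify with `pfctl -vvsq` that bytes actually accumulate in qVPN while a stream is playing.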

  • LAYER 8 Netgate

    You might have some luck placing rules like this on your OpenVPN assigned interface or OpenVPN tab.  This will govern connections coming from the remote site into your firewall over OpenVPN.  There should be queues matching these names on LAN.

    Similar rules can be set on the LAN interface for traffic from LAN net to the remote OpenVPN network(s).

    ![Screen Shot 2015-03-01 at 8.24.36 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-01 at 8.24.36 PM.png)
    ![Screen Shot 2015-03-01 at 8.30.32 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-01 at 8.30.32 PM.png)



  • You could also try to make a tunnel specifically for the IPTV traffic. Then you could shape traffic based upon which tunnel the traffic was received from.

