One Host All Traffic to Certain Queue



  • I have a single WAN/LAN connection with Traffic Shaping working. However, I have one host, 192.168.2.20, which uses OpenVPN to goldenfrog for all traffic. I want all traffic from this host on my LAN put into a queue, qVpn. No matter what I do I can't get it to work. If I have qVoip, all the traffic will get sent to that queue; remove that and it goes to default. I have tried nearly all the combos I can think of to assign it to the queue.
    My reason is that I want to limit the traffic when other things need bandwidth, but if nothing needs it, let it take up the whole pipe. Hope I explained this well.



  • If you're using floating rules, remember, the last match wins. With normal firewall rules, the first match wins. Just make sure you have a rule at the very end that looks at the source IP being x.20, and have that go into the VPN queue.


  • Netgate

    You can't get it to work because pfSense cannot see the traffic in the tunnel.  You might look at shaping the tunnel instead.  Make a floating rule on WAN out that matches the tunnel setup from you to goldenfrog  (UDP/1194, for example - you could even limit it to the destination address(es) of the goldenfrog server(s) if you like) and assign that to qVPN on the WAN interface.  That will shape uploads.  You can't pass this to shape downloads on LAN because this state is between the VPN server and pfSense itself, and has nothing to do with the LAN interface.

    To shape downloads you have to match the traffic as the state is created on LAN in and assign that to qVPN on the LAN interface.  That will shape downloads.  Just let the queue above shape uploads by shaping the tunnel.

    It is not like a normal queue/state relationship where the traffic uses the queue with a matching name on the egress interface.  Because with OpenVPN the egress interface for those states is not WAN, but the VPN tunnel itself.

    If you use OpenVPN assigned interfaces it is possible to shape sent traffic in the tunnel by assigning queues to that but that gets even more complicated.



  • @Derelict:

    You can't get it to work because pfSense cannot see the traffic in the tunnel.  You might look at shaping the tunnel instead.  Make a floating rule on WAN out that matches the tunnel setup from you to goldenfrog  (UDP/1194, for example - you could even limit it to the destination address(es) of the goldenfrog server(s) if you like) and assign that to qVPN on the WAN interface.  That will shape uploads.  You can't pass this to shape downloads on LAN because this state is between the VPN server and pfSense itself, and has nothing to do with the LAN interface.

    To shape downloads you have to match the traffic as the state is created on LAN in and assign that to qVPN on the LAN interface.  That will shape downloads.  Just let the queue above shape uploads by shaping the tunnel.

    It is not like a normal queue/state relationship where the traffic uses the queue with a matching name on the egress interface.  Because with OpenVPN the egress interface for those states is not WAN, but the VPN tunnel itself.

    If you use OpenVPN assigned interfaces it is possible to shape sent traffic in the tunnel by assigning queues to that but that gets even more complicated.

    This sounds like what I need to do. If I didn't mention it, the VPN tunnel is created on the Linux box behind the pfSense firewall. While that host is downloading I see 2 states:

    LAN udp 209.xxx.xxx.xxx:443 <- 192.168.2.20:47603 MULTIPLE:MULTIPLE
    WAN udp 71.xxx.xxx.xxx:47790 (192.168.2.20:47603) -> 209.xxx.xxx.xxx:443 MULTIPLE:MULTIPLE

    So I am not sure how I would shape this with a rule floating or otherwise. Can you give more detail?


  • Netgate

    No.  You didn't mention that.  That makes it a lot easier.  You should see those states whenever the VPN is connected no matter what you're doing.  Uploading, downloading, etc.  That is a state for the tunnel, not anything inside the tunnel.  pfSense can't see that traffic.  It's just a router in the middle, just like all the other hops between you and the server.

    Just create the queues on LAN and WAN and pass the OpenVPN connection with a rule on the LAN interface and put it into the right queue.

    Looks like:

    Pass IPv4 UDP source 192.168.2.20 port any dest 209.xxx.xxx.xxx port 443
    Set the queue to qVPN (or whatever you named them.)
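What the last two Netgate replies describe, written out as a pf.conf-style configuration. This is an added example and not from the thread or from pfSense itself: pfSense generates its own rules.debug from the GUI, so read this as the hand-written pf equivalent of "queues with the same name on LAN and WAN, plus one LAN-in rule that tags the tunnel state". The interface names (em0 for WAN, em1 for LAN), the link speeds, the 70/30 split and the VPN server address (a placeholder documentation address standing in for the 209.xxx.xxx.xxx goldenfrog endpoint) are all assumptions.

```pf
# Added example, not from the thread or from pfSense's generated rules.debug.
# Assumptions: WAN is em0 at 10Mb upstream, LAN is em1 at 100Mb, the VPN
# host is 192.168.2.20, and 203.0.113.10 is a placeholder for the goldenfrog
# server the host connects to on UDP/443.
wan_if     = "em0"
lan_if     = "em1"
vpn_host   = "192.168.2.20"
vpn_server = "203.0.113.10"   # placeholder; substitute the real server address(es)

# Queues on WAN: these shape the host's uploads (packets leaving on WAN).
# No upperlimit on qVPN, so when nothing else is competing it can take the
# whole pipe; linkshare only bites when qDefault has traffic of its own.
altq on $wan_if hfsc bandwidth 10Mb queue { qDefault, qVPN }
queue qDefault on $wan_if bandwidth 70% hfsc(default)
queue qVPN     on $wan_if bandwidth 30% hfsc(linkshare 30%)

# The same queue names on LAN: these shape the host's downloads (the replies,
# which leave on LAN). pf picks the queue by name on the interface a packet
# leaves, so qVPN has to exist on both interfaces; on an interface without a
# qVPN the traffic would silently fall back to that interface's default queue.
altq on $lan_if hfsc bandwidth 100Mb queue { qDefault, qVPN }
queue qDefault on $lan_if bandwidth 70% hfsc(default)
queue qVPN     on $lan_if bandwidth 30% hfsc(linkshare 30%)

# The one rule that matters: match the tunnel as its state is created on
# LAN in and tag that state with qVPN. Uploads then use qVPN on WAN and the
# replies use qVPN on LAN. Interface rules are first-match, so this must sit
# above any broader pass rule that would also match the host.
pass in quick on $lan_if inet proto udp from $vpn_host to $vpn_server port 443 \
    keep state queue qVPN

# Everything else from the LAN lands in qDefault on whichever interface it leaves.
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

The state lines in the thread are the tunnel, not the traffic inside it, which is why a single rule on the outer UDP flow is enough: every packet the host sends through the VPN rides that one state, in both directions. If the rule is placed below a generic "pass LAN to any" rule, the generic rule creates the state first and the tunnel stays in qDefault, which is the symptom described at the top of the thread.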