Traffic Shaping WAN and also OpenVPN



  • I have my pfsense box working nicely now and like to move on to traffic shaping. I have tried the wizard and it creates a ton of rules and I am struggling to understand these and how traffic shaping works. I probably like to create a few simple queues and imagine I don't need most of the rules the wizard generates.

    I have a WAN connection of approx 10Mbps and within this also runs an OpenVPN connection.

    On the WAN I like the following priority: DNS, HTTP, HTTPS, OpenVPN, All Other.

    On the OpenVPN (on the understanding that it has the lowest priority in the WAN connection) I would like a similar set.

    What traffic shaping should I aim for? (I understand a limiter shouldn't be used as its a hard limit) and I like lower priority traffic to borrow higher priority if available.



  • First off, you can only shape traffic leaving an interface. You can shape your upload by shaping your WAN and you can shape your download by shaping your LAN. Download is a bit harder to shape because you can't stop senders from sending, but when packets start to get dropped because of your shaping, good actors will back-off, and backing off has a delay related to the latency between you and the sender.

    Now that's out of the way, next part.

    WAN is simpler because there is no notion of a "qLink". In my LAN setup, I don't do qLink either and I use a separate admin VLAN to communicate with PFSense. My examples will be under this assmption.

    HFSC is actually quite simple if you don't care about burst or realtime and it works just fine. I will also assume a symmetrical connection for qACK. I will also use values instead of percentages just to keep things more obvious and I will assume 10Mb of total

    WAN 9.5Mb
    –qACK Bandwidth: 2Mb
    --qCritical Bandwidth: 0.5Mb  DNS, ICMP, NTP, etc
    --qWeb Bandwidth: 2.5Mb
    ----qHTTP Bandwidth: 1.25Mb
    ----qHTTPS Bandwidth: 1.25Mb
    --qVPN Bandwidth: 2Mb
    --qDefault Bandwidth: 2Mb

    This is only an example. HFCS makes you think of traffic shaping in bandwidth and not priorities. Don't think about which traffic should "go before" other traffic, just think about ow you want your bandwidth distributed if your connection is fully loaded.

    Don't assign your interface to 100% of your actual bandwidth, it needs to be some value lower and depends on how stable your Internet connection is. I did 95% for the example, but depending on your internet quality, you may need something lower, like 80%. Personally, I do 99%, but I have dedicated bandwidth that I get 24/7.

    Your queues do not need to add up to 100% of your bandwidth. Unused bandwidth gets divided up among the queues based on their relative ratios, but you can never have more than 100% of your bandwidth assigned, even though they're effectively ratios.

    If you just want low latency and evenly distributed bandwidth, don't even do traffic shaping, try using FairQ.

    The general rule of thumb is latency doesn't kick in until about 80% utilization. For latency sensitive traffic like DNS, NTP, and stuff, giving them at least 25% more bandwidth than what you expect their max to be, should be enough to keep them from feeling congestion. 0.5Mb is probably overkill, but it doesn't matter, anything not used gets shared.



  • Thanks for the detail - I'll give this a go after I have read it a few times…...! Appreciate your time in response.


Log in to reply