Ensure VoIP latency between 2 sites with a dynamic link bandwidth

  • Hi all,

    I'm using pfSense (2.2.4) as a gateway for two offices located in different cities. Each pfSense acts as firewall, router (and other) and I used OpenVPN (routed) for Lan2Lan between offices. It all works very well, fast and reliable and I'm very happy.

    Now, I have to ensure a minimum bandwidth to VOIP traffic, both between Office1,2 <-> VoIP provider and between Office1 and Office2 (in the tunnel OpenVPN), and here I encountered some problems:

    • You cannot shape traffic in an OpenVPN tunnel, but only in an IPsec one, right? If so, I can switch to IPsec for Lan2Lan, and this would not be a big problem.

    • At Office2 the Internet bandwidth is oversubscribed, with a nominal 34Mb that can easily drop under 1Mb unpredictably. This is my major concern, because I searched the internet for possible solutions but I haven't found any that does not include the knowledge of the available bandwidth (and obviously I do not want to limit myself strictly to 1Mb).

    From what I read, the new CODEL could help, but I found mixed opinions and I did not understand if it could be of some help in my situation. Others say FAIRQ could do the trick, but I found very little documentation about it; it seems no one is using it.

    How would you approach this problem? I will be grateful for every suggestion that can point me in the right direction.

    Thank you,


  • Traffic shaping only helps when YOU control the choke-point. The way you do that is to make your connection the choke point. If your bandwidth drops down to 1Mb, then you need to set your bandwidth to 1Mb. Of course if it rarely drops to 1Mb, then you can make the decision if it's rare enough.

    I get 100% of my bandwidth 100% of the time, so I set my bandwidth to 99Mb and it's great. If you only get 100% of your bandwidth 70% of the time and you target 100% bandwidth, 30% of the time, shaping will be less or not effective.  You're only as strong as your weakest link.

    There are some ways to get around this, but not out of box. Some people have created scripts where they will ping an upstream device, and when they detect higher latency than normal, their script lowers the bandwidth of the Interface until it comes back into line. Very complicated stuff and is just a massive bandaid for poor internet service.
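
The latency-watching script approach mentioned in the reply above, as an added example that is not part of the thread and is not any poster's script. It covers only the decision logic: the 1Mb floor and 34Mb ceiling come from the first post, while the RTT threshold, step size, backoff factor and sample values are assumptions, and sending the probes and pushing the chosen rate into the pfSense shaper are left outside the block.

```python
"""Latency-driven rate controller: back off when RTT inflates, probe up when it clears."""
from statistics import median

FLOOR_KBIT = 1_000    # worst case reported in the thread (about 1Mb)
CEIL_KBIT = 34_000    # nominal line rate reported in the thread (34Mb)
STEP_UP_KBIT = 500    # assumed additive probe step per interval
BLOAT_MS = 30.0       # assumed: median RTT this far over baseline means upstream queueing


def is_congested(rtt_samples_ms, baseline_ms):
    """None marks a lost probe; losing more than half the probes counts as congestion."""
    replies = [r for r in rtt_samples_ms if r is not None]
    if not replies or len(replies) * 2 < len(rtt_samples_ms):
        return True
    return median(replies) - baseline_ms > BLOAT_MS


def next_rate(rate_kbit, rtt_samples_ms, baseline_ms):
    """Shaper rate for the next interval, clamped to [FLOOR_KBIT, CEIL_KBIT]."""
    if is_congested(rtt_samples_ms, baseline_ms):
        new = rate_kbit * 7 // 10           # assumed backoff: cut to 70%
    else:
        new = rate_kbit + STEP_UP_KBIT      # creep back toward the nominal rate
    return max(FLOOR_KBIT, min(CEIL_KBIT, new))


def simulate(intervals, baseline_ms, start_kbit=CEIL_KBIT):
    """Run the controller over successive probe intervals; return the rate after each."""
    rate, history = start_kbit, []
    for samples in intervals:
        rate = next_rate(rate, samples, baseline_ms)
        history.append(rate)
    return history


# Constructed RTT samples in ms (None = lost probe), one list per probe interval.
SAMPLE_INTERVALS = [
    [21, 22, 20, 23],
    [95, 110, None, 102],
    [140, None, None, None],
    [88, 91, 79, 85],
    [24, 22, 25, 21],
    [22, 23, 21, 22],
]

if __name__ == "__main__":
    for rate in simulate(SAMPLE_INTERVALS, baseline_ms=20.0):
        print(f"set shaper bandwidth to {rate} Kbit/s")
```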

  • Hi Harvy66,

    thank you for your clear answer, I got the point (although I don't like it  :)).

    You are right, I can have the shaping less effective (or not at all) when bandwidth drops down, but unfortunately it is in those moments that I need it most, so I figured another possibility. As VOIP traffic flows in the Lan2Lan tunnel, maybe I can:

    • Office2 (bad internet)
      • On the WAN: PRIO on IPsec traffic for Lan2Lan without specifying the maximum bandwidth available
      • On the IPsec interface: PRIO on VOIP traffic, again without specifying the maximum bandwidth available
    • Office1 (good internet)
      • On the WAN: shape on IPsec traffic for Lan2Lan (HFSC or even simpler CBQ or CODEL or any mix of those) with bandwidth set to a reasonable value, let's say 20Mb or so
      • On the IPsec interface: shape on the VOIP traffic (HFSC or…) with a bandwidth set to sustain a bunch of concurrent calls, let's say 512Kb or so

    Actually, the Lan2Lan tunnel is OpenVPN and serves traffic other than VOIP (smb, http, ssh...). Maybe it is better to set up another Lan2Lan IPsec just for VOIP (instead of substituting the OpenVPN one) to better try to guarantee low latency to VOIP (that is my only requirement at the moment) with PRIO/shaping above.

    In my mind, this should at least help VOIP latency when bandwidth at Office2 falls down (PRIO), and the shaping on Office1 should help with queue starvation PRIO introduces when bandwidth at Office2 is not (too much) oversubscribed.

    Does this make sense to you?

    Thank you very much!