Avoid Datacenter bandwidth overages

  • I have a pfSense at a datacenter that I'm getting bandwidth overages from.  On the pfSense I have an OpenVPN site-to-site to our main office.  I have set up limiters on the various rules that I think our bandwidth overages stem from.  I have quite a few rules and am looking to simplify the setup.

    Is there a generic way to say that on the WAN connection (includes IPSec and OpenVPN connections) never go above XXMbps?


  • Use HFSC, and set your default queue to have an UpperLimit. Then you can make match rules to move other traffic out of the default queue that you don't want in there.

  • I have no experience with OpenVPN, but encapsulation overhead could be your problem. Like, for OpenVPN to emulate a 10Mbit connection may require 12Mbit of bandwidth including OpenVPN's encapsulation overhead.

    So, I would think you would want to rate-limit after encapsulation, if such a thing is possible.
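
The HFSC suggestion above, and the point about shaping after encapsulation, as an added example in pf ALTQ syntax (constructed here, not posted by anyone in the thread; the interface name em0, the 20Mb cap and the OpenVPN port 1194 are assumptions):

```pf
# Constructed example. ALTQ on the physical WAN sees the OpenVPN/IPsec
# packets after encapsulation, so tunnel overhead is counted against the cap.
# The bandwidth on the altq line is the hard ceiling for everything leaving em0.
altq on em0 hfsc bandwidth 20Mb queue { qDefault, qVPN }

# Default queue carries anything not matched elsewhere; upperlimit keeps it
# from bursting above the cap even when the link is otherwise idle.
queue qDefault bandwidth 25% hfsc ( default upperlimit 20Mb )

# Separate queue for the site-to-site tunnel so it can be watched and
# limited independently of the default queue.
queue qVPN bandwidth 75% hfsc ( upperlimit 20Mb )

# Move the OpenVPN tunnel out of the default queue (assumed UDP/1194).
pass out on em0 proto udp from any to any port 1194 queue qVPN
```

Watching `pfctl -vsq` afterwards will show per-queue drops; drops in a queue that sits at its upperlimit are the shaper doing its job, as the later replies explain.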

  • Thank you for showing me about the HFSC.  I read a bunch last night and implemented a "first try" at limiting bandwidth at 20Mbps at one of the datacenters.

    Here is a screen shot of the queues.  I'm concerned about the "Drops" column.  That normally isn't a good thing - to drop packets.  Can someone give me a little insight on what is happening here?

  • Packet drops aren't "bad", per se, as they are used by TCP to handle flow control.  Drops are normal and expected, especially when you're using traffic shaping.

  • OK, thx.  I'll continue reading up on the subject.

  • You are trying to avoid overages.

    That means you have to drop packets that will exceed your target.

    If you have to drop too many then you need more bandwidth or need to move less data.

  • 50 is the default. I recommend just enabling CoDel on each queue. Large buffers are bad because they cause bufferbloat, but they're great for high throughput (except in extreme cases, like more than 1,000ms of bloat).
