pfSense Traffic Shaping Before OpenVPN tunnel

awesomo

I know a few of you have set up OpenVPN tunnels on pfSense with OSPF routing. I would like to tap into your knowledge to see if you ever found a solution for this.

I have an HQ office with 5 branch offices.

How did you manage to QoS and shape the traffic entering the tunnel? I have tried shaping incoming traffic on the LAN interface with floating rules, and the traffic never hits the queue. I have tried to get DSCP markings recognized entering the tunnel with floating rules as well, but the firewall log never showed the floating rule being matched. The only thing I have been able to do successfully is prioritize all OpenVPN traffic at both ends, which helps a little in beating out all other WAN traffic, but I need to be able to have my voice packets and DNS enter the tunnel first, my RDP traffic enter second, and my AFP/SMB packets enter third. All other traffic can wait its turn; those types need to get first dibs.

If anyone has had any success with this, I'd love to hear about it.
 
I completely deleted everything and started over. I was approaching this the wrong way. All that had to be restated to me was "Queues are only used on outgoing traffic." After I was told that by the programmer who wrote the traffic shaper for pfSense, everything clicked in my mind.

To control the traffic in the encrypted tunnel, I had to shape on the destination router's LAN port. I set aside a data queue and a VoIP queue for each remote router on my HQ, and I set up Data and VoIP queues on the outgoing interfaces of my remote routers. Set up some floating rules to direct traffic and bingo! VoIP always has enough room on the tunnel, and data has as much room as possible without causing excessive loss or choking VoIP.

I could write pages on my new working setup but I'm too tired. If anyone is interested, just let me know and I can elaborate. If you require a setup like this and can't find any info, I know the feeling. There literally isn't a SINGLE POST ANYWHERE on the internet explaining a shaping setup like this at all. The only thing that saved me here was my CCNP ONT knowledge (Cisco gear CAN shape inside the tunnel... if only I had the budget), research, and persistence in testing.
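The setup described in the post above, written out as an added example in the pf/ALTQ syntax that pfSense generates under the hood (the GUI writes it to /tmp/rules.debug; you would normally build this through Firewall > Traffic Shaper and floating rules rather than by hand). This is not the poster's configuration: the interface names (em0, em1, ovpns1, ovpnc1), subnets, the HQ address 203.0.113.1, the tunnel port 1194 and the VoIP/RTP/DNS ports are all assumptions made for illustration. It shows the two things the post relies on: queues attach to the interface a packet leaves, and a floating-style `match` rule can classify a packet on the way in from the tunnel so that the queue is applied on the way out. Since `match` rules apply their options in order and a later match overrides an earlier one, the per-branch catch-all rule comes first and the VoIP rule after it.

```pf
# ---------- HQ router ----------
# Assumed layout (hypothetical):
#   em0    = HQ LAN, 10.0.0.0/24
#   ovpns1 = OpenVPN server interface carrying the site-to-site tunnels
#   Branch 1 LAN = 10.1.1.0/24, Branch 2 LAN = 10.1.2.0/24
#   (branches 3-5 follow the same pattern)
#   SIP = udp/5060, RTP = udp/10000-20000 (assumed), DNS = udp/53

# Queues only act on outgoing traffic. Packets arriving from the tunnel
# and bound for HQ hosts LEAVE on em0, so that is where the per-branch
# queues live.
altq on em0 hfsc bandwidth 100Mb queue { qDefault, qB1VoIP, qB1Data, qB2VoIP, qB2Data }
queue qDefault bandwidth 10Mb hfsc(default)
# VoIP: a guaranteed (realtime) slice per branch that data cannot starve.
queue qB1VoIP bandwidth 512Kb hfsc(realtime 512Kb)
queue qB2VoIP bandwidth 512Kb hfsc(realtime 512Kb)
# Data: gets a share and may borrow, but is capped so it cannot crowd VoIP.
queue qB1Data bandwidth 2Mb hfsc(upperlimit 4Mb)
queue qB2Data bandwidth 2Mb hfsc(upperlimit 4Mb)

# Floating-style match rules: classify on ingress from the tunnel. pf keeps
# the queue on the state and applies it when the packet goes out on em0.
# Catch-all per branch first, then VoIP/DNS (a later match overrides).
match in on ovpns1 from 10.1.1.0/24 to 10.0.0.0/24 queue qB1Data
match in on ovpns1 proto udp from 10.1.1.0/24 to 10.0.0.0/24 port { 5060, 10000:20000, 53 } queue qB1VoIP
match in on ovpns1 from 10.1.2.0/24 to 10.0.0.0/24 queue qB2Data
match in on ovpns1 proto udp from 10.1.2.0/24 to 10.0.0.0/24 port { 5060, 10000:20000, 53 } queue qB2VoIP

# ---------- Branch 1 router ----------
# Assumed layout (hypothetical):
#   em0    = branch LAN, 10.1.1.0/24
#   em1    = WAN uplink (10Mb upload assumed)
#   ovpnc1 = OpenVPN client interface toward HQ at 203.0.113.1, udp/1194

# Mirror of the HQ side: traffic from HQ to branch hosts leaves on em0.
altq on em0 hfsc bandwidth 100Mb queue { qDefault, qVoIP, qData }
queue qDefault bandwidth 10Mb hfsc(default)
queue qVoIP bandwidth 512Kb hfsc(realtime 512Kb)
queue qData bandwidth 2Mb hfsc(upperlimit 4Mb)
match in on ovpnc1 from 10.0.0.0/24 to 10.1.1.0/24 queue qData
match in on ovpnc1 proto udp from 10.0.0.0/24 to 10.1.1.0/24 port { 5060, 10000:20000, 53 } queue qVoIP

# On the WAN the firewall only sees the encrypted UDP datagrams, so the
# most it can do there is what the post calls "prioritize all OpenVPN
# traffic": put the tunnel as a whole ahead of other upload traffic.
altq on em1 priq bandwidth 10Mb queue { qWanDefault, qWanVPN }
queue qWanDefault priority 1 priq(default)
queue qWanVPN priority 7
match out on em1 proto udp to 203.0.113.1 port 1194 queue qWanVPN
```

A quick check after loading: `pfctl -vvsq` shows each queue with its packet and byte counters, so you can confirm that RTP from a branch is landing in its qBxVoIP queue rather than in the default queue, which is the symptom the original post describes ("the traffic never hits the queue"). Note that the WAN-side queue cannot distinguish voice from data inside the encrypted stream; only the LAN-side queues see the decrypted packets.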
 
I would have thought that it's common knowledge that you can't shape packets that have already clogged the pipe.

What I find difficult is shaping OpenVPN tunnels that use compression since the effective bandwidth basically varies. I would think there's just no way, is there?
 
It is common. I wanted to be able to control the traffic BEFORE it entered the pipe. That was the wrong path.
 
Could you give me an example of your running QoS setup? I try to prioritise the VoIP traffic between two office locations (OpenVPN Site-to-Site tunnel). Many thanks for your help!
 
Well, I thought I had it, but it seems very finicky. Whenever I make a change to the queues, stuff stops working and I need to start all over again. Still working on it...
 