Topic: Shaping upload of DMZ network to give priority to LAN.


jtl
Shaping upload of DMZ network to give priority to LAN.
« on: November 25, 2017, 07:26:53 pm »
Hello

First I should explain some things.

Interfaces concerned are LAN, WAN, and the DMZ interface (hereafter referred to as DMZNET). DMZNET is a VLAN interface I use for hosting publicly available services from my server. Firewall rules are used to prevent hosts on the DMZ network from connecting out to other hosts on my LAN(s), and hosts on other networks are allowed to connect in. Due to ISP shenanigans I use an IPSec tunnel to a datacenter, terminated on one of my servers connected to DMZNET (not my main router).

[REDACTED] is the datacenter host that IPSec tunnel terminates to.

I want to shape my WAN upload, so traffic from LAN->WAN gets priority over DMZNET->WAN traffic, and so LAN can borrow from the DMZNET queue when needed. I have a symmetrical connection and my ISP applies traffic shaping of their own in the download direction for their IPTV service so that's not as needed right now.

I don't need to shape individual applications the way the traffic shaper wizard does it; I just need to give outgoing LAN traffic priority over DMZNET.

Thanks
pfSense 2.4.2 - virtualized with PCIe passthrough on whitebox - 150/150 FTTH

jtl
Re: Shaping upload of DMZ network to give priority to LAN.
« Reply #1 on: November 25, 2017, 10:43:40 pm »
Figured it out to satisfaction. I will generalize steps below.

Traffic Shaper -> Create a WAN shaper of type CBQ with ~95% of the WAN upload bandwidth.
Create a WAN_OUT queue, priority 1, set as the default queue, and allow borrowing from other queues.
Create a DMZNET_OUT queue, priority 2, set as required, and allow borrowing from other queues.

On the DMZNET out rule (for the IPSec tunnel), edit the rule, go to Advanced, and set DMZNET_OUT as the queue.

Reset states.

Test by doing various iperf3 tests and watching the queue status.
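For reference, here is the pf.conf ALTQ equivalent of the queue layout the steps above produce, written as an added example; it is not the poster's configuration and not the exact text pfSense writes to /tmp/rules.debug. The interface names (vmx0 for WAN, vlan10 for DMZNET), the 60/40 bandwidth split, the 192.0.2.10 server address and the 203.0.113.10 datacenter address are assumed placeholders, the last standing in for the redacted host.

```pf
# Added example: pf ALTQ form of the CBQ layout described in the post above.
# Interface names, addresses and the 60/40 split are assumed placeholders.
wan_if  = "vmx0"
dmz_if  = "vlan10"
dmz_srv = "192.0.2.10"     # constructed: DMZNET server terminating the IPsec tunnel
dc_host = "203.0.113.10"   # constructed: placeholder for the redacted datacenter host

# Root CBQ scheduler on WAN at ~95% of the 150 Mbit/s upload, so this queue,
# not the ISP side, is the bottleneck that does the prioritising.
altq on $wan_if cbq bandwidth 142Mb queue { WAN_OUT, DMZNET_OUT }

# WAN_OUT is the default queue: anything not explicitly queued by a rule
# (i.e. LAN -> WAN) lands here. "borrow" lets it use DMZNET_OUT's idle share.
queue WAN_OUT    on $wan_if bandwidth 60% priority 1 cbq(default borrow)

# DMZNET_OUT carries the tunnel traffic and may borrow when WAN_OUT is idle.
# In pf ALTQ cbq a higher priority number is served first, so confirm in
# Status > Queues (or "pfctl -vsq") that LAN traffic is the one winning.
queue DMZNET_OUT on $wan_if bandwidth 40% priority 2 cbq(borrow)

# The DMZNET pass rule for the tunnel with the queue set on it (the "Advanced"
# step in the post). Packets of states created by this rule leave WAN via
# DMZNET_OUT even though the rule itself is on the DMZ interface.
pass in quick on $dmz_if from $dmz_srv to $dc_host keep state queue DMZNET_OUT
```

After the filter reloads and states are reset, `pfctl -vsq` prints per-queue packet, byte and drop counters; run iperf3 from a LAN host and from the DMZ server at the same time and watch which queue's counters grow and which one records drops. `pfctl -sr` lists the loaded rules, so you can check that the tunnel rule actually carries `queue DMZNET_OUT` before trusting the result.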