
Topic: how to not shape traffic for inter lan/subnet traffic?


Offline tesna

how to not shape traffic for inter lan/subnet traffic?
« on: January 17, 2018, 10:22:11 pm »
Hi,

I have configured traffic shaping using the wizard in pfsense 2.3.5 and it works wonders on LAN to WAN connections. However, I just noticed that it also affects inter-LAN traffic. How do I exclude inter-LAN traffic from shaping?

I have 3 WANs and 5 LAN subnets configured in pfsense; some subnets still need to access other subnets, and I'd like to get full wire speeds.

Regards,

Tesna

Online Harvy66

Re: how to not shape traffic for inter lan/subnet traffic?
« Reply #1 on: January 18, 2018, 06:53:01 am »
If you use limiters instead of shapers, you can do all of your shaping on the WAN interfaces and let LAN interfaces go wire speed. I think this is the simplest.

Otherwise you will need to make sure that LAN to LAN traffic gets placed in queues with no restrictions.

Offline KOM

Re: how to not shape traffic for inter lan/subnet traffic?
« Reply #2 on: January 18, 2018, 08:05:59 am »
Isn't it just a matter of picking WAN interface on your floating rules instead of LAN or both?

Offline tesna

Re: how to not shape traffic for inter lan/subnet traffic?
« Reply #3 on: January 18, 2018, 09:26:59 pm »
So far I deleted the shaper on all local interfaces and left it intact on the WAN interfaces (only the WAN interface has shaper rules); not sure I'm configuring this right. I do get full wire speed between local interfaces using iperf though.

Offline SirJohnEh

Re: how to not shape traffic for inter lan/subnet traffic?
« Reply #4 on: January 27, 2018, 12:51:01 pm »
I just started working on this problem this morning mostly as a challenge.  I don't need inter vlan routing too often (only 2 of my 4 vlans can talk to each other anyways) but when I do, I'd like it at wire speed. :)  Here's what I did, seems to be working, but is this the way to do it?  Am I overlooking something?

Existing setup:

WAN (300/100 fibre; line over provisioned to a constant 320/115)
4 VLANs

I had no limiters, just shaping using PRIQ queues with the bandwidth on the queues set at 310/105.  All worked fine, except inter-vlan traffic also got caught up in the queues so inter-vlan traffic capped at 310Mbps.

I'm totally fine & happy with PRIQ queues as I'm absolutely ok with lower priority queues being starved when higher queues are saturating the link.

What I changed:

1. Added two limiters: WAN-UP: 105Mbps; WAN-DOWN 310Mbps

2. Modified the bandwidth settings on all queues to 10Gbps (my network is only 1Gb, I just set it to a number higher than 1Gb so that the queues are basically only prioritizing traffic, not throttling it)

3. Modified firewall rules such that internet bound traffic is put into the limiters & inter-vlan traffic skips the limiters

iperf tests across vlans now hit (near) wire speeds (905-920Mbps) and my internet traffic goes through the limiters and seems to be limited as expected.  My only question is, by upping the bandwidth settings on the queues, am I breaking the prioritization of packets?  I feel like my strategy of increasing the queue b/w to a number larger than the actual speed of the link should just mean things are prioritized only and throttling left to the limiters, but I'm not 100% confident I'm right. :)
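The rule ordering behind the three changes in reply #4, written out as an added hand-made pf.conf fragment (not the poster's configuration and not pfSense's generated rules.debug). Assumed names: WAN is igb0, the two VLANs that may talk to each other are vlan10 (10.0.10.0/24) and vlan20 (10.0.20.0/24), dummynet pipe 1 is the WAN-UP limiter and pipe 2 is WAN-DOWN, and qHigh/qDefault/qACK are ALTQ queues whose bandwidth has been set above the 1Gbit link so they only prioritise.

```pf
# Added illustration, hand-written in pf.conf syntax. All interface names,
# networks, pipe numbers and queue names below are assumptions (see lead-in).
wan        = "igb0"
local_nets = "{ 10.0.10.0/24, 10.0.20.0/24 }"

# 1. Inter-VLAN traffic matches first ("quick" stops rule evaluation) and
#    carries no dnpipe, so it is never throttled by the WAN limiters.
#    If these rules sit below the catch-all rules in step 2, inter-VLAN
#    traffic lands in the limiters again, which is the symptom in this thread.
pass in quick on vlan10 inet from 10.0.10.0/24 to $local_nets flags S/SA keep state
pass in quick on vlan20 inet from 10.0.20.0/24 to $local_nets flags S/SA keep state

# 2. Everything else leaving a VLAN is Internet-bound and gets the limiters.
#    dnpipe(in, out) is read from the VLAN interface's point of view: "in" is
#    traffic arriving from the clients (upload, pipe 1), "out" is the reply
#    traffic sent back to them (download, pipe 2). Swapping the two applies
#    the upload cap to downloads and vice versa.
pass in quick on vlan10 inet from 10.0.10.0/24 to any flags S/SA keep state dnpipe(1, 2)
pass in quick on vlan20 inet from 10.0.20.0/24 to any flags S/SA keep state dnpipe(1, 2)

# 3. Prioritisation only: floating match rules on WAN assign ALTQ queues.
#    Because the queue bandwidth is above link speed these never throttle;
#    the limiters in step 2 are the only place rate limiting happens, and
#    inter-VLAN traffic never crosses $wan, so it is never queued here.
match out on $wan inet proto udp to any port 53 queue (qHigh, qACK)
match out on $wan inet proto tcp to any port { 22, 443 } queue (qHigh, qACK)
match out on $wan queue (qDefault, qACK)
```

A quick check after applying this in the GUI is to run iperf between the two VLANs and confirm the limiter counters (Diagnostics > Limiter Info) do not increase while the test runs.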

Offline SammyWoo

Re: how to not shape traffic for inter lan/subnet traffic?
« Reply #5 on: February 10, 2018, 02:08:44 pm »
Not sure if this can be done.

If there is a way to configure the rules to say (on the LAN interfaces) if source=LAN IP, place in front of the queue, but then if you have heavy subnet to subnet traffic, that will have priority over ALL traffic coming from WAN, would that be acceptable?