Topic: Guarantee VPN Bandwidth - possible?

GVJosh
Guarantee VPN Bandwidth - possible?
« on: April 11, 2012, 01:38:19 pm »
We are planning to replace our WatchGuard equipment with pfSense, yeah! A specific feature that I need is the ability to shape traffic so that I can dedicate 80% of our traffic to a specific VPN connection (we have multiple VPN connections) and everything else gets 20% of the traffic.

My question is: Can I set up a traffic shaping profile/rule so that I can dedicate a certain amount of bandwidth to a specific VPN connection when using pfSense 2.x?

Thank you in advance for your time and consideration of my question.

saxonbeta
Re: Guarantee VPN Bandwidth - possible?
« Reply #1 on: April 11, 2012, 04:18:28 pm »
I have tried to do the same with 2 pfSense boxes running a site-to-site VPN without success. :(

After searching in the forum, I only found one working solution: you have to put your VPN server/client behind pfSense and shape the incoming or outgoing ports of your VPN server/client.

GVJosh
Re: Guarantee VPN Bandwidth - possible?
« Reply #2 on: April 11, 2012, 04:24:46 pm »
@saxonbeta:

Thank you for responding. That sounds like a fairly complicated setup, and the use of a second pfSense box. :( Am I correct?

dreamslacker
Re: Guarantee VPN Bandwidth - possible?
« Reply #3 on: April 12, 2012, 05:49:19 am »
It depends on the type of connection. Site to site or Road Warrior? If it's site to site, then you either use the specific IP of the remote end or a hostname alias.
Use the alias/IP as the source or destination address in the shaper rule depending on whether you're shaping for upload or download.

You will likely need to shape using floating rules. As an example, say you have the remote VPN endpoint (server) at abc.com.

Then you will need to set up a host alias with abc.com.
Set up a floating rule with 'WAN' as interface and direction 'OUT'. Select Destination host as the alias or IP (for static IPs).
Select the protocol and destination port as per the type of VPN connection you have. If it's OpenVPN, it's UDP 1149 by default. Then set the traffic shaper queues accordingly and you'll have your upload shaper rule.

For download, set another rule. This time use 'WAN' as interface, direction 'IN'. Select the protocol, but this time set the alias & port for 'source' instead.
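The procedure above, written out as the pf rules pfSense 2.x generates from the GUI (an added illustration, not the poster's configuration or a file from the pfSense project). Interface names, the peer hostname `vpn.example.com`, the queue names and the 15 Mb link rate are assumptions; the port macro must match whatever port the remote OpenVPN server actually listens on (OpenVPN's upstream default is UDP 1194, and a site-to-site tunnel may well use something else).

```pf
# Macros: interface names, peer and port are assumptions for this example.
wan      = "em0"
lan      = "em1"
vpn_port = "1194"    # set to the port the remote OpenVPN server listens on

# Host alias for the remote endpoint ("abc.com" in the thread). A table holds
# the resolved address(es), so a hostname works the same as a static IP.
table <vpn_peer> { vpn.example.com }

# Queues on WAN (upload) and LAN (download). An ALTQ queue can only delay
# packets leaving an interface, so download shaping is enforced on the LAN
# side; the same queue names exist on both so one rule can tag either way.
# 80% / 20% is the split the original poster asked for; realtime gives the
# VPN queue a floor of 10Mb, and qGeneral catches everything untagged.
altq on $wan hfsc bandwidth 15Mb queue { qVPN, qGeneral }
queue qVPN     on $wan bandwidth 80% hfsc(realtime 10Mb)
queue qGeneral on $wan bandwidth 20% hfsc(default)

altq on $lan hfsc bandwidth 15Mb queue { qVPN, qGeneral }
queue qVPN     on $lan bandwidth 80% hfsc(realtime 10Mb)
queue qGeneral on $lan bandwidth 20% hfsc(default)

# Upload floating rule: interface WAN, direction OUT, destination = alias:port.
# "match" only tags the packet with a queue; the normal pass/block rules still
# decide whether it is allowed, so no extra traffic is opened up.
match out on $wan proto udp from any to <vpn_peer> port $vpn_port queue qVPN

# Download floating rule: interface WAN, direction IN, source = alias:port.
match in on $wan proto udp from <vpn_peer> port $vpn_port to any queue qVPN
```

Two things worth keeping in mind when checking such a setup: the rules match the tunnel's outer UDP flow only, because everything inside the tunnel is encrypted, so per-application priorities inside the VPN have to be applied on the OpenVPN interface itself, not on WAN; and the download rule is a best-effort influence, since the remote side has already sent the packet over the WAN link before the LAN queue can drop or delay it. Only the upload direction is a true guarantee.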

GVJosh
Re: Guarantee VPN Bandwidth - possible?
« Reply #4 on: April 12, 2012, 07:33:27 am »
@dreamslacker:

Thanks. I apologize; I should have specified the type of VPN connection. In my case it will be OpenVPN S2S. I will use a spare laptop I have here to test your suggestion and see how it goes. I will report back soon. Thanks!

GVJosh
Re: Guarantee VPN Bandwidth - possible?
« Reply #5 on: August 03, 2012, 06:52:52 am »
dreamslacker:

Thank you for your great reply. I have the new router in place and am finalizing my plan to shape the bandwidth properly, but I'd like to run some things by you, and others, to create a bit of a brain trust on this before I actually try it.

I'm thinking of creating limiters as follows:

VPNInLimiter -> 10 Mbps -> Mask: None -> Delay: 0 -> Loss Rate: 0 -> Queue: empty -> Bucket: empty
VPNOutLimiter -> all the same settings as above
GeneralInLimiter -> 5 Mbps -> Mask: None -> Delay: 0 -> Loss Rate: 0 -> Queue: empty -> Bucket: empty
GeneralOutLimiter -> all the same settings as above

So basically, I'd be providing the VPN a dedicated 10 Mbps and everything else would go to the GeneralXLimiter pipes. I would then like to add standard shaping to the GeneralXLimiter pipes to ensure QoS is working properly within that 5 Mbps.

I think what dreamslacker said would work by using the alias and firewall rules to assign the VPNs to the specified limiters.  Any thoughts out there on this?
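The limiter plan above, expressed as the dummynet pipes and pf rules behind the pfSense GUI (an added illustration, not the poster's configuration or a file from the pfSense project). The pipe syntax follows FreeBSD's ipfw/dummynet frontend and is assumed to be what pfSense 2.x's limiter file carries; the `dnpipe` keyword is pfSense's own pf extension for binding a rule to pipes. Interface name, peer hostname and port are assumptions as before.

```pf
# Limiter definitions (dummynet pipes), one per GUI limiter. No mask means a
# single pipe shared by every flow, which is what "Mask: None" selects.
# Stock FreeBSD writes the same line as "ipfw pipe 1 config bw 10Mbit/s".
pipe 1 config bw 10Mbit/s    # VPNInLimiter
pipe 2 config bw 10Mbit/s    # VPNOutLimiter
pipe 3 config bw 5Mbit/s     # GeneralInLimiter
pipe 4 config bw 5Mbit/s     # GeneralOutLimiter

# pf side. dnpipe (a, b) sends traffic in the rule's own direction through
# pipe a and the reply direction through pipe b. "match" only tags traffic;
# the existing pass/block rules still decide what is allowed in or out.
wan      = "em0"
vpn_port = "1194"            # set to the port the remote OpenVPN peer listens on
table <vpn_peer> { vpn.example.com }

# Tunnel traffic: inbound from the peer -> VPNInLimiter, replies -> VPNOutLimiter,
# and the mirror image for connections we open towards the peer.
match in  on $wan proto udp from <vpn_peer> port $vpn_port to any dnpipe (1, 2)
match out on $wan proto udp from any to <vpn_peer> port $vpn_port dnpipe (2, 1)

# Everything else on WAN is capped by the General pipes.
match in  on $wan from any to any dnpipe (3, 4)
match out on $wan from any to any dnpipe (4, 3)
```

The design point to verify before relying on this: a dummynet pipe is a hard ceiling, not a reservation. The VPN pipes give the tunnel 10 Mbps only because the two sets of pipes together (10 + 5) do not exceed the link rate, and when the tunnel is idle the general traffic still cannot borrow the unused 10 Mbps. If that borrowing is wanted, a bandwidth share in the ALTQ shaper (as in the earlier queue-based approach) is the mechanism that provides it; limiters are the right tool when a strict cap per class is the actual goal.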