[pfSense] Traffic shaping query
Daniel Davis
Daniel.Davis at lasseters.com.au
Thu Oct 13 20:14:03 EDT 2011
Hi all.
I am in the process of replacing a Fortinet firewall with a nice shiny pfSense virtual appliance and am trying to plan our traffic shaping/qos but I'm having trouble getting my head around it.
We currently have 11 LAN segments and a single WAN. We are not really interested in shaping/prioritising the inter-LAN traffic, just inbound and outbound WAN traffic. My idea so far is to simply use limiters for inbound traffic (as we cannot influence the order that packets arrive from the ISP, so HFSC does not seem any better for this purpose, just more complicated) and use HFSC to prioritise and shape outbound traffic. This configuration means I only need to create one set of limiters for inbound traffic (as opposed to a set of queues for each interface with HFSC) and one set of HFSC queues on the WAN interface for outbound traffic. We have a 10Mb/10Mb connection which is shared between users' internet access, web/dns/mail hosting and guest internet access, so I really want to get my QoS right to make the most of this connection.
The configuration I am thinking of implementing is:
Inbound traffic (Downloads)

  3Mbit Limiter (for all data requested by the outside world, i.e. served by us)
    Priority traffic (e.g. VoIP traffic & DNS requests) - highest weighting
    Standard traffic (e.g. FTP, HTTP requests) - medium weighting
    Low Priority traffic (e.g. SMTP, POP3 & IMAP connections) - lowest weighting

  7Mbit Limiter (for all data served by external systems, i.e. requested by us)
    Priority traffic (e.g. VoIP traffic, DNS requests) - highest weighting
    Standard traffic (e.g. VPN, Remote Desktop, FTP, HTTP) - medium weighting
    Low Priority traffic (e.g. SMTP, POP3, IMAP etc.) - low weighting
    Penalty traffic (everything else not classified above) - lowest weighting

Outbound traffic (Uploads)

  9700Kbit Root Class (97% of max WAN upload)
    Ack Traffic - Priority 7, Bandwidth 15%, Qlimit 500, Realtime 10%
    DNS Traffic - Priority 6, Bandwidth 5%, Realtime 5%
    Served Traffic (e.g. traffic sent by our servers) - Priority 6, Bandwidth 50%, Upperlimit 80%, Realtime 50%
      VoIP - Priority 6, Bandwidth 10%, Upperlimit (35%, 30ms, 10%), Realtime 10%
      RDP/VNC - Priority 5, Bandwidth 20%, Upperlimit (50%, 200ms, 10%), Realtime 15%
      HTTP/HTTPS/FTP - Priority 4, Bandwidth 50%, Realtime (75%, 10000ms, 40%)
      Mail - Priority 3, Bandwidth 20%, Realtime 10%
    Client Traffic (e.g. client uploads, VoIP traffic, VPN traffic etc.) - Priority 5, Bandwidth 20%, Upperlimit 50%, Realtime 25%
      VoIP - Priority 6, Bandwidth 10%, Upperlimit (35%, 30ms, 10%), Realtime 20%
      RDP/VNC - Priority 5, Bandwidth 30%, Upperlimit (50%, 200ms, 10%), Realtime 15%
      HTTP/HTTPS/FTP - Priority 4, Bandwidth 50%, Realtime (75%, 10000ms, 40%)
      Mail - Priority 3, Bandwidth 10%, Realtime 10%
    Unclassified Traffic (anything that wasn't caught by the above rules) - Priority 3, Bandwidth 10%, Upperlimit 30%, Realtime 10%
Does anyone see any problems with this configuration? Feel free to shoot me down in flames if this won't work for any reason; I want to get this right.
Cheers,
Daniel
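As an added sanity check (not part of Daniel's post and not pfSense code), the script below models the proposed outbound HFSC tree and flags service curves that contradict each other, for instance an upperlimit m2 set below the queue's own bandwidth share or below its realtime guarantee. It assumes every percentage is a share of the parent queue (the pf.conf convention) and only looks at the steady-state m2 values, ignoring the m1/d burst part of each curve.

```python
from dataclasses import dataclass, field

@dataclass
class Q:
    name: str
    bw: float                  # linkshare bandwidth, % of parent queue
    rt: float = 0.0            # realtime m2, % of parent (0 = no realtime curve)
    ul: float = None           # upperlimit m2, % of parent (None = no cap)
    kids: list = field(default_factory=list)

ROOT_KBIT = 9700  # root class from the post: 97% of the 10 Mbit upload
# Constructed from the post's outbound figures; only the steady-state m2
# value of each service curve is modelled (the m1/d burst part is ignored).
TREE = Q("root", 100, kids=[
    Q("ack", 15, rt=10),
    Q("dns", 5, rt=5),
    Q("served", 50, rt=50, ul=80, kids=[
        Q("voip", 10, rt=10, ul=10), Q("rdp", 20, rt=15, ul=10),
        Q("http", 50, rt=40), Q("mail", 20, rt=10)]),
    Q("client", 20, rt=25, ul=50, kids=[
        Q("voip", 10, rt=20, ul=10), Q("rdp", 30, rt=15, ul=10),
        Q("http", 50, rt=40), Q("mail", 10, rt=10)]),
    Q("unclassified", 10, rt=10, ul=30),
])

def check(q: Q, parent_kbit: float = ROOT_KBIT, path: str = ""):
    """Walk the tree; return (list of problems, {queue path: absolute kbit})."""
    label, problems = f"{path}/{q.name}", []
    mine = parent_kbit * q.bw / 100          # absolute rate of this queue
    rates = {label: mine}
    if q.ul is not None and q.ul < q.bw:
        problems.append(f"{label}: upperlimit {q.ul}% caps below its {q.bw}% share")
    if q.ul is not None and q.rt > q.ul:
        problems.append(f"{label}: realtime {q.rt}% can never exceed upperlimit {q.ul}%")
    if q.kids:
        bw_sum, rt_sum = sum(k.bw for k in q.kids), sum(k.rt for k in q.kids)
        if bw_sum > 100:
            problems.append(f"{label}: children share {bw_sum}% of the parent")
        if rt_sum > 100:
            problems.append(f"{label}: children reserve {rt_sum}% realtime of the parent")
        for k in q.kids:
            p, r = check(k, mine, label)
            problems += p
            rates.update(r)
    return problems, rates

if __name__ == "__main__":
    for line in check(TREE)[0]:
        print("PROBLEM", line)
```

Run as-is it reports the RDP/VNC queues (upperlimit m2 of 10% under a 20% or 30% share and a 15% realtime guarantee) and the client VoIP queue (realtime 20% above its 10% upperlimit); the returned rate map also gives each queue's absolute rate, e.g. 2425 kbit for the served HTTP queue.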