OPNsense Forum

Moin,

I just configured my shaper for VoIP traffic. Seems to work fine so far.

For the pipes I assigned the following upload rates:
VoIP:             10Mbit/s
default Uplaod:  350Mbit/s

Now from my Internet provider I got information about the max, average and guaranteed bandwidth:
Upload max:    500Mbit/s
Upload avg:    400Mbit/s
Upload min:    375Mbit/s

Now the shaper limits the traffice based on the configured upload pipe always to 350Mb/s sharp.
This is no good as I am wasting possibly available upload bandwidth. 350 vs. 500).

But configuring the shaper/ pipe to a higher value might lead to a saturated uplink without trafic shaping, right?

Is there any change to configure the shaper upload bandwidth based on some sort of automation? I like to have VoIP on top prio during the day but in the night the backup process should use all available bandwidth (500 instead of 350) to do the backups...

Thanks for ideas!

/KNEBB

Quote from: knebb on December 04, 2025, 03:10:14 PMBut configuring the shaper/ pipe to a higher value might lead to a saturated uplink without trafic shaping, right?

Depends on the scheduler. BUT! working with the BW you do not have is overall a bad idea as it will introduce problems.

Quote from: knebb on December 04, 2025, 03:10:14 PMIs there any change to configure the shaper upload bandwidth based on some sort of automation? I like to have VoIP on top prio during the day but in the night the backup process should use all available bandwidth (500 instead of 350) to do the backups...

Time based rules are not possible with the ipfw ruleset (FW > shaper > Rules) but they are possible when using the pf rules + Traffic shaping feature (FW > Rules (option Traffic Shaping)). However there is a BUG in regards of that feature for reverse-direction if NAT is involved see:
https://forum.opnsense.org/index.php?topic=47716.msg254051

Regards,
S.

Quote from: Seimus on December 04, 2025, 06:57:40 PMTime based rules are not possible with the ipfw ruleset (FW > shaper > Rules) but they are possible when using the pf rules + Traffic shaping feature (FW > Rules (option Traffic Shaping)). However there is a BUG in regards of that feature for reverse-direction if NAT is involved see:
https://forum.opnsense.org/index.php?topic=47716.msg254051 (https://forum.opnsense.org/index.php?topic=47716.msg254051)

Hmmm.. can you help me a little bit how this works all together?

I got it so far the pipes limit the bandwidth (upper limit) while the queues weight the traffic according to the rules. Queues can get oignoredd when a rule sends the traffic to a pipe immediately ( I do not know how any weight is then calculated). Got this so far.

But how are the (firewall-)rules coming into the game you mentioned above? Do I overwrite everything and directly assign traffic to pipes/queues? How are they different (except scheduling possibility) from the shaper rules?

Thanks a lot!

/KNEBB

Quote from: knebb on December 08, 2025, 04:56:22 PMI got it so far the pipes limit the bandwidth (upper limit) while the queues weight the traffic according to the rules. Queues can get oignoredd when a rule sends the traffic to a pipe immediately ( I do not know how any weight is then calculated). Got this so far.

Do not bind rules to Pipes, bind them to Queues.

Quote from: knebb on December 08, 2025, 04:56:22 PMBut how are the (firewall-)rules coming into the game you mentioned above? Do I overwrite everything and directly assign traffic to pipes/queues? How are they different (except scheduling possibility) from the shaper rules?

The pf rules "Traffic shaping" works similar way like the rules in Shaper > Rules. But in pf rules you can define both direction within one rule and set as well the rules to be time based.

Regards,
S.

Hi,

thanks for the hints. I am currently configuring it. Still not understanding how it all works together, especially the two rule types and the issue with the reported bug...


Created a FW-rule on the (NATed) WAN interface (outgoing, src: VoIP VLAN) to assign traffic to the VoIP Shaper Queue (which is bound to the VoIP pipe, limited to 10Mb/s). Queue weight is 90.
 
Then created a schedule for "office times" and used a FW-rule to assign any other traffic (excluding the VoIP) to the "default office time upload queue" which is assigned to a pipe and by this limited to 365Mb/s (guaranteed value of 375Mb/s less the 10Mb/s for VoIP). This sheduled rule is ordered before the above one. Weight of the queue is 10.

So I have:

• Pipe VoIP - Limit 20
• Pipe LAN daytime - Limit 365
• Pipe LAN nighttime - Limit 500

Queues:

• Queue VoIP - weight 90
• Queue LAN daytime - weight 50
• Queue LAN nighttime - weight 50

The queues and pipes are assigned as the names tell.

Disabled all Shapoer rules.
Created a FW rule on the WAN interface:

• Outgoing, src: LAN, DST: any, protocol: any, schedule: daytime, traffic shaping in rule direction: Queue LAN daytime

No other rule before this FW rule for outgoing traffic, acting as a "catch all".
(Tried to assign the reverse traffic to the same queue, same result)
 
My expection:
Outgoing traffic should be limited to 365Mb/sec.

My observation:
Outgoing traffic is NOT limited.


I even see in the FW-protocol the traffic is assigned to the queue.

Any idea?

You need to have properly the traffic shaping directions.
When you do OUT rule on WAN the direction is Upload and reverse direction is Download. You need to shape Upload as well Download related to your BW.

See #5 I provided an example
https://forum.opnsense.org/index.php?topic=47716.msg254051

Another point is, if you have a BW budget of 365 based on WFQ scheduler and weights, if no other flow is utilizing the Pipe ~ The VOIP will get all the BW from the Pipe. The weight ratio only applies in case the BW is being utilized.

Also keep in mind, NAT applies prior rule matching
https://forum.opnsense.org/index.php?topic=36326.0

Quote from: knebb on December 09, 2025, 11:05:18 AMStill not understanding how it all works together, especially the two rule types and the issue with the reported bug...

I think the BUG and his impact is pretty well explained. In regards of how pf traffic shaping vs ipfw rules work, from point of workflow they replace each other.

OLD rules shaping:
Shaper Rules (ipfw) > Queue > Scheduler > Pipe


New rules shaping:
FW Rules (pf) > Queue > Scheduler > Pipe

Regards,
S.

Hi,

thanks for your explanations and your patience! Very kind!

I am really trying to understand. And I think I got it in theory now.

So I have currently setup in the following way:

Line Download

• Min: 750Mbit/s
• Max: 1000Mbit/s

Line Upload:

• Min: 375Mbit/s
• Max: 500Mbit/s

Configured Pipes with the WFQ scheduler and CoDel activated:

• VoIP Upload -> 10Mbit/s
• VoIP Download -> 10Mbit/s
• LAN Upload (min) -> 365Mbit/s (the min available bandwidth reduced by the 10Mbit/s for VoIP)
• LAN Upload (max) -> 500Mbit/s
• WAN Download (min) -> 750Mbit/s
• WAN Download (max) -> 1000Mbit/s

No rules in Shaper

A rule on bottom of the WAN interface as catch-all:

• Action: Allow
• Interface: WAN (which is NATed to pulic IP)
• Direction: out
• First match: active
• IPv4
• Protocol: any
• Source/ SrcPort: any
• Dest/ DstPort: any
• Traffic Shaping:
• In RuleDirection --> LAN UploadQueue (min)
• In ReverseDirection --> LAN DownloadQueue (min)

Looks pretty fine for me...but!

As soon as I activate the rule on the WAN interface my traffic to any internet host drops completely.
But my traffic through Wireguard-VPN works pretty fine, but not limited to the above 365Mbit/s....

I have no clue what I am doing wrong...anyone an idea?
I think the bug is not related- as far as I understand it the bandwidth calculation is wrong and offers only half of configured values. But through Wireshark I do not have any limits (why not???) and to Internet all is blocked....
Thanks again!
/KNEBB

The config looks reasonable,

So if I understand it properly you have 3 Pipes per Direction
1. VOIP 10Mbit > based on WFQ (Queues with weight and/or MASK)
2. Min > based on FQ_C
3. Max > based on FQ_C

And for each of these Pipes per direction you have Queues.

Keep in mind the weights are applied per Queue. So if you have all VOIP traffic in one Queue it doesn't do anything.
FQ_C based Schedulers + its Queues on the other hand ignore any weight set to the Queues.

The rule seems okay, the directions are properly set, but keep in mind that specific rule you are showing is any any so all the traffic will by matched by this rule. That is under the condition its above all other rules.

Quote from: knebb on December 09, 2025, 02:26:15 PMAs soon as I activate the rule on the WAN interface my traffic to any internet host drops completely.
But my traffic through Wireguard-VPN works pretty fine, but not limited to the above 365Mbit/s....

I have no clue what I am doing wrong...anyone an idea?
I think the bug is not related- as far as I understand it the bandwidth calculation is wrong and offers only half of configured values. But through Wireshark I do not have any limits (why not???) and to Internet all is blocked....

Actually you are hitting the BUG. This is exactly the behavior  I described in the ticket. You have set a BW in a Pipe, so the shaper tries to push to that BW however due to the BUG you are capped at half which causes a back pressure. You need to set the BW in your Pipes x2 (if your original or tuned BW is 750Mbit you need to set it to twice the value for the Pipe that is in the flow for the reverse direction)

Regards,
S.

Hi,

meanwhile I used the Shaper-rules and it is working so far.

I re-checked the Shaper documentation and the provided examples. (https://docs.opnsense.org/manual/how-tos/shaper_prioritize_using_queues.html) I re-created my rules (and re-check pipes and queue settings).
Now the setup is as follows:
Pipes (low limits for testing purposes)

• Global Upload --> 70Mb/s
• Global Download --> 80MB/s

Queues

• VOIP Upload, weight 80 --> Global Upload Pipe
• VOIP Download, weight 80 --> Global Download Pipe
• LAN Uplaod, weight 15 --> Global Upload Pipe
• LAN Download, weight 15 --> Global Download Pipe

Rules (192.168.9.0/24 is the remote VPN LAN while 192.168.1.0/24, 192.168.30.0/24 are the local ones)

• Seq 3, WireguardGroup, SRC 192.168.9.0/24, DST any, IN --> LAN Download Queue
• Seq 4, WireguardGroup, SRC any, DST 192.168.9.0/24, OUT --> LAN Upload Queue
• Seq 10, WAN, SRC 192.168.30.0/24, DST any, OUT --> VOIP Upload Queue
• Seq 11, WAN, SRC 192.168.1.0/24, DST any, OUT --> LAN Upload Queue
• Seq 20, WAN, SRC any, DST 192.168.30.0/24, IN --> VOIP Download Queue
• Seq 21, WAN, SRC any, DST 192.168.1.0/24, IN --> LAN Download Queue

Now I can see the limits working fine on traffic between LAN and Internet, in both directions.

BUT!
Traffic to/ from Wireguard VPN is not limited at all. So I guess the weighting is not taken into account here. Which might interfere with the VOIP traffic beeing capped by a large VPN traffic...

Before going further (and trying to start with the FW rules) I need to know why the Wireguad traffic is not limited? Even when the interface (wireguardGroup) is wrong it should be limited by the default LAN rule, shouldn't it?

Confused,

/KNEBB

Do you see anything being classified under the Rules that should match/catch Wireguard networks? (check the rule counters)
This "WireguardGroup" this is a created interface for Wireguard or the default group?


Regards,
S.