Time based Shaper?

Started by knebb, December 04, 2025, 03:10:14 PM

Moin,

I just configured my shaper for VoIP traffic. Seems to work fine so far.

For the pipes I assigned the following upload rates:
VoIP:             10Mbit/s
default Upload:  350Mbit/s

Now from my Internet provider I got information about the max, average and guaranteed bandwidth:
Upload max:    500Mbit/s
Upload avg:    400Mbit/s
Upload min:    375Mbit/s

Now the shaper limits the traffic based on the configured upload pipe always to 350Mb/s sharp.
This is no good as I am wasting possibly available upload bandwidth (350 vs. 500).

But configuring the shaper/pipe to a higher value might lead to a saturated uplink without traffic shaping, right?

Is there any chance to configure the shaper upload bandwidth based on some sort of automation? I'd like to have VoIP on top prio during the day but in the night the backup process should use all available bandwidth (500 instead of 350) to do the backups...

Thanks for ideas!

/KNEBB

Quote from: knebb on December 04, 2025, 03:10:14 PM
But configuring the shaper/pipe to a higher value might lead to a saturated uplink without traffic shaping, right?

Depends on the scheduler. BUT! working with the BW you do not have is overall a bad idea as it will introduce problems.

Quote from: knebb on December 04, 2025, 03:10:14 PM
Is there any chance to configure the shaper upload bandwidth based on some sort of automation? I'd like to have VoIP on top prio during the day but in the night the backup process should use all available bandwidth (500 instead of 350) to do the backups...

Time based rules are not possible with the ipfw ruleset (FW > shaper > Rules) but they are possible when using the pf rules + Traffic shaping feature (FW > Rules (option Traffic Shaping)). However there is a BUG in regards of that feature for reverse-direction if NAT is involved see:
https://forum.opnsense.org/index.php?topic=47716.msg254051

Regards,
S.


Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on December 04, 2025, 06:57:40 PM
Time based rules are not possible with the ipfw ruleset (FW > shaper > Rules) but they are possible when using the pf rules + Traffic shaping feature (FW > Rules (option Traffic Shaping)). However there is a BUG in regards of that feature for reverse-direction if NAT is involved see:
https://forum.opnsense.org/index.php?topic=47716.msg254051
Hmmm.. can you help me a little bit how this works all together?

I got it so far the pipes limit the bandwidth (upper limit) while the queues weight the traffic according to the rules. Queues can get ignored when a rule sends the traffic to a pipe immediately (I do not know how any weight is then calculated). Got this so far.

But how are the (firewall-)rules coming into the game you mentioned above? Do I overwrite everything and directly assign traffic to pipes/queues? How are they different (except scheduling possibility) from the shaper rules?

Thanks a lot!

/KNEBB

Quote from: knebb on December 08, 2025, 04:56:22 PM
I got it so far the pipes limit the bandwidth (upper limit) while the queues weight the traffic according to the rules. Queues can get ignored when a rule sends the traffic to a pipe immediately (I do not know how any weight is then calculated). Got this so far.

Do not bind rules to Pipes, bind them to Queues.

Quote from: knebb on December 08, 2025, 04:56:22 PM
But how are the (firewall-)rules coming into the game you mentioned above? Do I overwrite everything and directly assign traffic to pipes/queues? How are they different (except scheduling possibility) from the shaper rules?

The pf rules "Traffic shaping" work in a similar way to the rules in Shaper > Rules. But in pf rules you can define both directions within one rule and also set the rules to be time based.

Regards,
S.

Hi,

thanks for the hints. I am currently configuring it. Still not understanding how it all works together, especially the two rule types and the issue with the reported bug...


Created a FW-rule on the (NATed) WAN interface (outgoing, src: VoIP VLAN) to assign traffic to the VoIP Shaper Queue (which is bound to the VoIP pipe, limited to 10Mb/s). Queue weight is 90.
 
Then created a schedule for "office times" and used a FW-rule to assign any other traffic (excluding the VoIP) to the "default office time upload queue" which is assigned to a pipe and by this limited to 365Mb/s (guaranteed value of 375Mb/s less the 10Mb/s for VoIP). This scheduled rule is ordered before the above one. Weight of the queue is 10.

So I have:
  • Pipe VoIP - Limit 20
  • Pipe LAN daytime - Limit 365
  • Pipe LAN nighttime - Limit 500
Queues:
  • Queue VoIP - weight 90
  • Queue LAN daytime - weight 50
  • Queue LAN nighttime - weight 50
The queues and pipes are assigned as the names tell.

Disabled all Shaper rules.
Created a FW rule on the WAN interface:
  • Outgoing, src: LAN, DST: any, protocol: any, schedule: daytime, traffic shaping in rule direction: Queue LAN daytime
No other rule before this FW rule for outgoing traffic, acting as a "catch all".
(Tried to assign the reverse traffic to the same queue, same result)
 
My expectation:
Outgoing traffic should be limited to 365Mb/sec.

My observation:
Outgoing traffic is NOT limited.


I even see in the FW-protocol the traffic is assigned to the queue.

Any idea?

You need to have the traffic shaping directions set properly.
When you do an OUT rule on WAN the direction is Upload and the reverse direction is Download. You need to shape Upload as well as Download related to your BW.

See #5 I provided an example
https://forum.opnsense.org/index.php?topic=47716.msg254051

Another point is, if you have a BW budget of 365 based on WFQ scheduler and weights, if no other flow is utilizing the Pipe ~ The VOIP will get all the BW from the Pipe. The weight ratio only applies in case the BW is being utilized.

Also keep in mind, NAT applies prior to rule matching
https://forum.opnsense.org/index.php?topic=36326.0


Quote from: knebb on Today at 11:05:18 AM
Still not understanding how it all works together, especially the two rule types and the issue with the reported bug...

I think the BUG and its impact are pretty well explained. In regards to how pf traffic shaping vs ipfw rules work, from the point of view of workflow they replace each other.

OLD rules shaping:
Shaper Rules (ipfw) > Queue > Scheduler > Pipe


New rules shaping:
FW Rules (pf) > Queue > Scheduler > Pipe

Regards,
S.
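
An added illustration (not part of any post in this thread, and not OPNsense or dummynet code) of the point in the reply above that weights only matter while the pipe is contended: an idealised fluid model of weighted fair sharing on one pipe. The helper name `wfq_share`, the offered loads and the assumption that both queues feed a single 365 Mbit/s pipe are constructed for the example; the weights 90 and 10 are the ones mentioned earlier in the thread.

```python
def wfq_share(capacity, queues):
    """Idealised weighted fair sharing of one pipe (hypothetical helper).

    capacity: pipe limit in Mbit/s
    queues:   {name: (weight, offered_load_mbit)}
    returns:  {name: allocated Mbit/s}
    """
    alloc = {name: 0.0 for name in queues}
    active = {name for name, (_, load) in queues.items() if load > 0}
    remaining = float(capacity)
    eps = 1e-9

    while active and remaining > eps:
        total_w = sum(queues[n][0] for n in active)
        # Weighted share of what is left, for every queue still sending.
        share = {n: remaining * queues[n][0] / total_w for n in active}
        # Queues that need no more than their share are fully served;
        # their unused part is redistributed in the next round.
        done = {n for n in active if queues[n][1] - alloc[n] <= share[n] + eps}
        if not done:
            # Everyone wants more than their share: weights decide.
            for n in active:
                alloc[n] += share[n]
            break
        for n in done:
            need = queues[n][1] - alloc[n]
            alloc[n] += need
            remaining -= need
        active -= done
    return alloc


PIPE = 365  # Mbit/s, assumed single shared pipe
# Constructed offered loads in Mbit/s: (weight, load)
SCENARIOS = {
    "voip_only":       {"VoIP": (90, 1000), "LAN": (10, 0)},
    "lan_heavy":       {"VoIP": (90, 2),    "LAN": (10, 1000)},
    "both_saturating": {"VoIP": (90, 1000), "LAN": (10, 1000)},
}


def run_scenarios():
    return {label: wfq_share(PIPE, q) for label, q in SCENARIOS.items()}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(label, {k: round(v, 1) for k, v in result.items()})
```

In the `lan_heavy` case the LAN queue gets 363 Mbit/s despite its weight of 10, because the VoIP queue leaves its share unused; the 90/10 split only appears when both queues saturate the pipe.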

Today at 02:26:15 PM #6 Last Edit: Today at 02:42:21 PM by knebb
Hi,

thanks for your explanations and your patience! Very kind!

I am really trying to understand. And I think I got it in theory now.

So I have currently setup in the following way:

Line Download
  • Min: 750Mbit/s
  • Max: 1000Mbit/s

Line Upload:
  • Min: 375Mbit/s
  • Max: 500Mbit/s

Configured Pipes with the WFQ scheduler and CoDel activated:
  • VoIP Upload -> 10Mbit/s
  • VoIP Download -> 10Mbit/s
  • LAN Upload (min) -> 365Mbit/s (the min available bandwidth reduced by the 10Mbit/s for VoIP)
  • LAN Upload (max) -> 500Mbit/s
  • WAN Download (min) -> 750Mbit/s
  • WAN Download (max) -> 1000Mbit/s

No rules in Shaper

A rule on bottom of the WAN interface as catch-all:
  • Action: Allow
  • Interface: WAN (which is NATed to public IP)
  • Direction: out
  • First match: active
  • IPv4
  • Protocol: any
  • Source/ SrcPort: any
  • Dest/ DstPort: any
  • Traffic Shaping:
  • In RuleDirection --> LAN UploadQueue (min)
  • In ReverseDirection --> LAN DownloadQueue (min)

Looks pretty fine for me...but!

As soon as I activate the rule on the WAN interface my traffic to any internet host drops completely.
But my traffic through Wireguard-VPN works pretty fine, but not limited to the above 365Mbit/s....

I have no clue what I am doing wrong...anyone an idea?
I think the bug is not related- as far as I understand it the bandwidth calculation is wrong and offers only half of configured values. But through Wireshark I do not have any limits (why not???) and to Internet all is blocked....
Thanks again!
/KNEBB