pfSense + Traffic Shaping + logging


Background -
For my job I work remote 2 days a week and I use an Aruba device for a point-to-point VPN into the company. A lot of the company meetings use Bluejeans for VoIP and VTC. When not on a call, all is great. When using Bluejeans, it is hit and miss (Skype and Circuit are better). Sometimes even back-to-back calls will vary in call/video quality. In watching the FreePBX video (thanks Tom) I thought about using Traffic Shaping to do QOS.

Status -
Today I’m remote and on multiple calls. So I turned on Traffic Shaping using the wizard (start out the easy way, right!). First call was garbage. Therefore, I added more bandwidth to the VoIP queues. 2nd call was better. Made more adjustments. 3rd call was using Circuit with screen share and it is almost dialed in. Just 3 times in a 1.5 hour call did I get some blips. All adjustments were made using the wizard. Thus the question…

Question -
I’ve only been using pfSense for 3 months and today is my first venture into Traffic Shaping with the product. I’m used to Cisco QOS so I have a good background in marking and queuing. It looks like I’m getting close to the right numbers but I don’t see any logging info that would tell me if there are queues being starved (for the VoIP or otherwise). I’m also concerned as I’m not sure the pfSense box would see my traffic as VoIP as it is being encrypted by the Aruba device. So while I did make adjustments and saw improvement, since I would have good and bad calls before, it may just be a coincidence and not really related to my changes. Thus…

Is there a way to view logs to see what queues got used, how deep were they used and what queues got starved, if any? The graph is nice, I guess, but it doesn’t really give me the info I want to see.

Thanks (and yes, this is my first post).

I can try and help address the bandwidth issues you are having. I can’t speak specifically to the logging and traffic shaping but can provide a broad stroke on what your expectations should be.

First, VPNs require a fair amount of processing power and bandwidth on both ends of the connection. Since you require the connection itself, VoIP and Video all to be run through the VPN you need to have the hardware to support that connection. The VPN bandwidth between the two should be tested first to establish whether you even need QoS. For instance, my home internet is Gigabit down and 40mbps up. When I enable QoS on my pfSense I don’t see any improvements in my connections anywhere in my network, so I never use it. Now if you have a much slower connection (like Tom’s business connection) it would benefit you to enable QoS to properly manage a somewhat saturated network (probably during normal business hours and lots of employees are on the network).

The hardware requirements for VPN all by itself best run with a CPU that has hardware encryption support such as a chip with AES-NI. Otherwise, you will be utilizing software encryption and will tax your CPU that pfSense is also using for QoS traffic shaping and all other backend stuff it’s already doing. Generally a quad core with at least 4GB ram and AES-NI support can do what you are asking with one caveat…your bandwidth between the two sites is fast enough. I would say, 35mps up and down is what is needed for best quality. This is after you’ve established the VPN connection and if you still decide QoS is needed.

I hope that helps you with your connection issues and if you are still having issues, try and provide your pfSense hardware specs and bandwidth at home as well as between your office.


Thank you for the quick reply.

VPN… I’m not using OpenVPN or any VPN software. The Aruba AP-303HR is a hardware VPN device that has 2 ethernet ports on it. One for my Cisco VoIP phone and one for the work laptop. The uplink side of the Aruba connects to my switch and then the switch connects to my pfSense router (i5-7200U w/32M RAM). So I have plenty of horsepower on the pfSense box even though I’m not using it for VPN.

Therefore, as the connection is already encrypted by the time it reaches the pfSense box (encrypted by the Aruba device) then I’m not sure the QOS is correctly identifying that traffic as voice/video and in need of QOS. However, just in case it can’t it should still see it as secure traffic and therefore, I did check the “Raise or Lower other Applications” box in step 6 of the wizard and made the 2 VPN options (PPTP and IPSEC) as Higher Priority.

Home Bandwidth -

I have Spectrum cable with 400/20 mbps. Before I enabled QOS, I would see between 380 and 480 down depending on the time of day but upload is fairly consistent at about 20-22 mbps (naturally this is not going through the Aruba). Since I have Traffic Shaping turned on and I’m reserving bandwidth for VoIP now, I’m sure it is lower.

So do I need to run QOS? Maybe. There have been days working from home where there were no issues at all. I ran it for 3 months before even trying to address the issue, so it couldn’t have been too bad. But with that said, a couple of weeks ago, I did have a bad day and just used my cell phone to dial in. Again, that could have been the nature of internet usage or perhaps work was having some issues that caused it and it’s not my issue at all.

This brings me back to the original question… How can I see the status of the queue states (as I don’t then 1 queue used with show up on the graph) and does pfSense log when a queue is starved? If so, where is that recorded? If I could see all these things then I could prove that my settings are to wrong (reserving either too much or too little BW), not doing what I need (prioritizing the wrong type of traffic), or I’m in the right spot but in need of some tweaking, or lastly my connection BW is high enough that this isn’t needed in my case.

Thanks for the help.