pfSense

Setup:

• Limiter is set up with child queues that have a /32 source mask applied - parent limiter is set to 100mbps
• An OpenVPN client is set up and assigned as an interface
• Firewall Rule on a LAN interface specifies the OpenVPN interface as the gateway and specifies the child queue
• Outbound NAT rule for traffic from the LAN leaving the OpenVPN translates the address to the OpenVPN interface address.

Expected behavior:

Traffic should be limited to 100mbps with a single dynamic child queue

Observed behaviour:

• Traffic is limited to 50mbps
• A child queue is created for the IP of the device on the LAN and the IP of the OpenVPN interface
• The traffic has to pass through each child queue, sharing 100mbps equally which results in 50mbps real throughput

Workaround:

• Create a 1000mbps limiter (higher than interface's actual capacity)
• Create a floating rule rule of type 'match' for packets leaving the OpenVPN interface
• Select the 1000mbps limiter on this rule

I can see the logic of why the above occurs, but this does not happen when using a 'standard' WAN interface without outbound NAT e.g. DHCP/PPPoE internet connection. I assume there's some logic that applies in the background to 'detag' the packets for being passed into the limiter when they pass out of these interfaces that is being missed when an OpenVPN client is being assigned as an interface.

Also described here: https://forum.netgate.com/topic/188302/bug-limiters-apply-twice-when-using-openvpn-c-as-an-interface-with-nat