@tman222 When using limiters I disabled all ALTQ shapers, using tail drop for the management algorithm and worst-case weighted fair queue for the schedulers.
When using shapers I was using HFSC. Default queue size from the wizard.
@Modesty How much the protocol is universally used for illegal or legal activities isn't relevant; you're making an assumption about your tenants' use which, unless you have data or notices from your ISP, could be incorrect. For example, you mention they use Steam. Steam uses the BitTorrent protocol to distribute data between players, so they may not be doing anything illegal at all. I would say, though, that if the legal ramifications are a concern then you should consider having your tenants subscribe to their own service rather than sharing yours. Depending on your ISP you might also be breaching your ISP's ToS by providing service to tenants, not leaving you in a great defensible position should they be up to no good post-gaming.
I have moved over to using QFQ (which I believe is selected by default in the pfSense UI) for downstream, combined with CoDel on the child queue. (This seems to match HFSC performance on ALTQ.)
fq_codel works awesome for egress, but not so good for ingress on consumer broadband in my experience.
What I did in the limiter configuration:
Pipe: set the limit as documented, use droptail.
Scheduler: set to QFQ.
Queue: set to CoDel. Also on the queue configure src-ip and src-ip6 masks; I used /16 for IPv4 and /56 for IPv6. I will probably change IPv6 to /48.
The idea being I don't want a flow for each individual IP, as so many would be created; instead I want traffic from the same providers in their own flow. A /16 will usually cause that, although it is possible you may have 2 different providers at once in the same /16; in practice this seems rare though. As an example, if I used /32 for flow separation and a Steam download (32 threads) was competing with a Twitch stream, then it would be 32/33 of the bandwidth allocated to Steam and 1/33 allocated to Twitch; with /16 it would be 50/50.
Floating rules would be the same as in the documentation. This still is not 100% for me, but it's working better for ingress than fq_codel. With fq_codel I had to reduce the flow limits to 20, but that flooded my console with warnings and I still didn't have as good performance as QFQ.
Also with this system the flows are visible in the diagnostics -> limiter screen whilst fq_codel hides its internal flows. So you can see which flows have packets dropped by the shaper, to determine how well things are working.
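The 32/33 versus 50/50 arithmetic in the post above depends on how the queue's source-address mask turns individual connections into scheduler flows. The following is an added example (not code from the thread or from pfSense) that models that step: it applies an IPv4/IPv6 prefix mask to each connection's source address, groups connections into flows by the masked key, and splits the pipe bandwidth equally per flow and then equally among the connections inside each flow, which is what a fair scheduler such as QFQ approximates. The sample connections use RFC 5737 documentation ranges and are constructed for illustration; the "steam" and "twitch" labels are placeholders, not real provider addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: 32 parallel "steam" connections from one provider's /24
# and a single "twitch" stream from a different provider (documentation ranges).
SAMPLE_CONNECTIONS = [("steam", f"192.0.2.{i}") for i in range(1, 33)]
SAMPLE_CONNECTIONS.append(("twitch", "198.51.100.7"))


def flow_key(src_ip, v4_prefix=16, v6_prefix=56):
    """Map a source address to its scheduler flow key by applying the
    limiter queue's src-ip / src-ip6 mask (prefix length) to it."""
    ip = ipaddress.ip_address(src_ip)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def group_flows(connections, v4_prefix=16, v6_prefix=56):
    """Group (label, src_ip) connections into flows keyed by masked source."""
    flows = defaultdict(list)
    for label, src_ip in connections:
        flows[flow_key(src_ip, v4_prefix, v6_prefix)].append(label)
    return dict(flows)


def fair_share(connections, bandwidth_mbit, v4_prefix=16, v6_prefix=56):
    """Bandwidth each application label receives under an idealised fair
    scheduler: equal share per flow, then equal share per connection within
    the flow. Returns {label: Mbit/s}."""
    flows = group_flows(connections, v4_prefix, v6_prefix)
    per_flow = bandwidth_mbit / len(flows)
    shares = defaultdict(float)
    for members in flows.values():
        per_member = per_flow / len(members)
        for label in members:
            shares[label] += per_member
    return dict(shares)


if __name__ == "__main__":
    # With a /16 mask the 32 download threads collapse into one flow,
    # so the two applications split the 100 Mbit/s pipe 50/50.
    print("/16 mask:", fair_share(SAMPLE_CONNECTIONS, 100, v4_prefix=16))
    # With a /32 mask every source address is its own flow: 32/33 vs 1/33.
    print("/32 mask:", fair_share(SAMPLE_CONNECTIONS, 100, v4_prefix=32))
```

Changing `v4_prefix` lets you see the trade-off the post describes: a wider mask keeps one busy provider from starving a single-connection stream, while a mask that is too wide risks lumping two unrelated providers into the same flow.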
@luiscachog Unfortunately Zoom does not keep https://assets.zoom.us/docs/ipranges/Zoom.txt up to date. I have found at least 10 other IPs I had to add. Every day there seems to be a new IP. I may see if QoS DSCP marking can be turned on by the host.
The floating rule should match regardless of interface (think of a router with 5 interfaces trying to duplicate all the shaping rules). There's not a need to tie them to interfaces.
The wizard sets up a default setup. I think I would delete and run the wizard if changing types.
The queues affect outbound traffic for the interface, so downloading from the Internet would be LAN outbound and the ACKs would be WAN outbound. The rules get set up differently; for instance, I think VoIP UDP traffic doesn't have an interface but has a rule for Source and another for Destination. But POP/SMTP etc. TCP gets set on WAN according to destination port by default.
Assumption: you port-forward those 3 services, each to their own ISP inside-LAN IP?
Then I would put the pfSense WAN on your ISP router's inside LAN on a (fixed) IP address xxx ... Don't use DHCP, and remember to set the default gateway on the pfSense to your router's inside IP address.
And "port-forward" the wanted ports on your ISP router to the router's inside LAN on IP address xxx (the pfSense WAN IP).
Now matching (port-forwarded) traffic will hit the pfSense WAN interface.
Then you need to do the same port-forwarding once more on the pfSense, to port-forward the interesting stuff on the WAN to the LAN.
Now you can control access to the pfSense LAN (that would be your service LAN) by putting access rules on your pfSense WAN interface (preventing unwanted packets from entering the WAN, and thereby accessing the LAN).
Be sure that your ISP router's inside LAN and your pfSense inside LAN do not have the same IP range, or it will never work.
I might have given multiple VIPs a try ... Haven't used those yet.
But that might not be easy for a "non-experienced person".
If you are able to add routes to your ISP router, things might become a lot easier.
@DustSL - unfortunately I can't confirm whether the Chelsio cards will work with ALTQ, but I can say that they should work fine with limiters: I've set up FQ-CoDel based traffic shaping on a system that has had both T520 and T540 Chelsio cards and never experienced any issues. Hope this helps.
Turns out that with the UniFi Controller, you can change the default "User Group" to set a speed limit. Since over Wi-Fi I'm seeing 120/20, I set my limit to 100/20. When doing the speed test I'm now not seeing any bufferbloat and I'm getting an A+ (from an F before), but I'm getting speeds around 80/20.
Just a tip too: for reasons unknown, in my controller I had to specify Kbps and couldn't set it to anything over 100 Mbps. I was getting some sort of weird payload error. Some say it was a bug, but who knows.
For now, I'll keep it as it is and see how it works. Hopefully it will have a positive effect on zoom meetings.
What's up BOB!
/boot/loader.conf.local - final - best result ever!
4 computers downloading the Debian ISO, 4.4 GB:
RTT never moved: 0.6 ms
RTTsd never moved: 0.2 ms
Lost: 0.0 %
This is by far the best config ever. Limiter config, Download:
queue length 100
Which NICs are you using and what version of pfSense?
If you are using NICs which use the ix driver then ALTQ is disabled due to driver instability in 2.4.5 and earlier, but it has recently been enabled in the 2.5 development snapshots again.
If you are not using limiters, then note this from the guide:
The ALTQ framework is handled through pf and is closely tied to network card drivers. ALTQ can handle several types of schedulers and queue layouts. The traffic shaper wizard configures ALTQ and gives firewall administrators the ability to quickly configure QoS for common scenarios, and it allows custom rules for more complex tasks. ALTQ is inefficient, however, so the maximum potential throughput of a firewall is lowered significantly when it is active.
pfSense software also supports a separate shaper concept called Limiters. Limiters enforce hard bandwidth limits for a group or on a per-IP address or network basis. Inside of those bandwidth limits, limiters can also manage traffic priorities.
What will be the next thing to do? I am also wondering how pfSense can allocate a dedicated bandwidth, or a percentage of my total bandwidth, to a group and limit each member to, for example, 3 Mbps.