Correct. NAT occurs before filter policy (which is what classifies traffic). There are alternatives, but we're not geared up to use them (and using them isn't terribly scalable at this time).
OK, policy filtering works fine. I just wanted to be sure that if NAT was enabled, the packets were translated first (NAT always sees the packet first, right?). I wouldn't worry about alternatives to something that ain't broken, and it's not limiting in any way as far as I can see.
Been doing some reading on ALTQ and came upon this:
Finally, the rules passing the relevant connections (statefully) are extended to specify what queues to assign the matching packets to. The first queue specified in the parentheses is used for all packets by default, while the second (and optional) queue is used for packets with ToS (type of service) 'lowdelay' (for instance interactive ssh sessions) and TCP ACKs without payload.
Not sure if it has the same bindings to the GUI in pfSense, but my guess is that it's related.
We invisibly create the ACK queue. ALTQ only shapes outbound on an interface; we create rules for BOTH interfaces, and that's what the queues relate to: an inbound (on the internal interface) and an outbound (on the external interface).
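To make the two-queue assignment quoted from the pf documentation and the "rules on both interfaces" layout described above concrete, here is an added pf.conf sketch; it is not from the thread or from pfSense's generated ruleset, and the interface names, queue names and 100Mb line speeds are assumptions.

```pf
# Constructed example, not pfSense's generated ruleset. Interface and queue
# names are assumptions; 100Mb is the assumed PHYSICAL NIC speed (the value
# the posts say belongs in the interface bandwidth field), not the ISP rate.
ext_if = "fxp0"
int_if = "fxp1"

# Outbound shaping on the WAN side (upload direction).
altq on $ext_if cbq bandwidth 100Mb queue { qwanroot }
queue qwanroot bandwidth 100% cbq(borrow) { qwandef, qwanack }
  queue qwandef bandwidth 80% cbq(default borrow)
  queue qwanack bandwidth 20% priority 7 cbq(borrow)

# ALTQ only shapes what LEAVES an interface, so "inbound" (download) traffic
# is shaped as it leaves the LAN interface toward the internal hosts.
altq on $int_if cbq bandwidth 100Mb queue { qlanroot }
queue qlanroot bandwidth 100% cbq(borrow) { qlandef, qlanack }
  queue qlandef bandwidth 80% cbq(default borrow)
  queue qlanack bandwidth 20% priority 7 cbq(borrow)

# Stateful pass rules using the two-queue form: the first queue is the default,
# the second receives ToS 'lowdelay' packets and TCP ACKs without payload.
pass out on $ext_if proto tcp from any to any flags S/SA keep state queue (qwandef, qwanack)
pass out on $int_if proto tcp from any to any flags S/SA keep state queue (qlandef, qlanack)
```

Syntax-check it with `pfctl -nf /etc/pf.conf` before loading; once loaded, `pfctl -s queue -v` shows the queue tree and per-queue packet counters, which is the quickest way to confirm ACKs are really landing in the second queue.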
No kidding... it's bad when the person who probably understands our shaping code the most gets it wrong half the time. ALTQ is a real pain in the &&^% to set up right with the design requirements we put down. It was certainly easier to punt to ipfw to assign traffic to queues, but in reality it never worked quite right (and we want to pull ipfw from base).
The speed at the interface setting should be the physical line speed of your interface, NOT the speed something is limiting you to by throttling bandwidth. The traffic shaper will create queues that go inside that bandwidth setting.
There's a note at the interface bandwidth option:
"The bandwidth setting will define the speed of the interface for traffic shaping. Do not enter your "Internet" bandwidth here, only the physical speed!"
I also notice a fairly dramatic drop in throughput when I turn traffic shaping on.
When routing between two internal networks (LAN and DMZ) I get around 40-45 Mb/s; when traffic shaping is on it's down to 3.5-3.6 Mb/s. This is using NetCPS on either endpoint computer. I have a 4.4 Mb/s down and 0.8 Mb/s up WAN link, so I have just kept traffic shaping off as well.
My hardware is a P3 500MHz Celeron, 128MB RAM, 256MB CF card, one 3Com NIC.
There is a post in the forums that explains why this is the case. It was written by Bill not even a few days ago.
0) Logout (SSH only)
1) Assign Interfaces
2) Set LAN IP address
3) Reset webGUI password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
9) PFtop   <-- I'm talking about this option at the CONSOLE menu, not the webGUI.
10) Traffic Logs
Enter an option:
You can access it via SSH as well if SSH is enabled at System > Advanced in the webGUI.
Actually this bug could derive from two bugs that are already fixed for the next version:
1. "no scheduler specified": earlier versions had support for selecting different schedulers. That support was dropped. The setting could be found on the advanced settings page. Due to an incomplete removal, this error could pop up if you save advanced settings AFTER you have run the shaper wizard. This is fixed in CVS.
2. "qwanroot has no parent": This could be caused by not having a bandwidth set at your WAN interface in the bandwidth field at "Interfaces > WAN". Please check that setting and set it to 10 Mbit/s if you have a NIC running at 10 Mbit there, or 100 Mbit/s if the link is 100. This is also fixed in the new upcoming release and won't be necessary with the new version.
So: check the WAN bandwidth field, then run the shaper and don't save advanced settings after that, and you should be fine for now... hopefully ;D
Next version won't need these workarounds.
You are right, I don't have it set! I have been meaning to set that option too. I don't have it set for LAN either, so my traffic shaping is probably not working so well.
I think I will do a clean install on the next version, I just hope I can remember all my settings :).