Flooded log

nicknuke

@stephenw10
Yes with 2.6 it just happened few last weeks. Never log in much since it just worked. In fact that is the reason why log in to it to check, and noticed there was an update to 2.7.

I will post some limiters i applied, later on here

stephenw10

Hmm, so it was working as expected in 2.6 until recently? Nothing changed in the pfSense config?

nicknuke

@stephenw10
Yes.. it shows all those messages in logs.
Btw, I've tested 2.71 from fresh install.. All good but limiter also have problems.
I put 2 mbps upload and 5 mbps download for test for one vlan,
Upload speed seems to be correct, but download speed seems off quite a bit.
Here is one default Download Limiter created ( upload limiter exactly the same with 2 mbps set ),
and how it applied to fw rules.
Client got only 1.85 Mbps Download + 1.8 Upload
Thank you for your help.

nicknuke

@stephenw10
Okay.. I think i've found something new ?

I've reinstalled 2.71, restore fw rules & aliases from backup.
This pfsense is basically just do firewalling & b/w limit / shaper.
We have 2 WAN / ISP. Several vlans as clients.
all vlans are directed to a Layer 3 switch in LAN.
So this pfsense vm have 3 interface.

I create 2 Limiter 5mbps & 3 Mbps. ( Let's say i wanted 5 Mbps Down and 3 Up )
If I directed this one vlan via ISP 1, I have to put 3 Mbps in IN Pipe & 5 Mbps in Out Pipe ( that's the normal, right ? ).
But if i wanted this vlan to go through ISP2, still using the same down / up limit, I have to substitute the place..
I have to put 5Mbps limiter in IN pipe, and put 3 Mbps in Out Pipe.
I've tried it few times and tested it with speedtest-cli, and iperf ...
I'm quite surprise tbh..

stephenw10

@nicknuke said in Flooded log:

But if i wanted this vlan to go through ISP2, still using the same down / up limit, I have to substitute the place..
I have to put 5Mbps limiter in IN pipe, and put 3 Mbps in Out Pipe.

The only time that would be true is if you're using an outbound rule on the ISP2 interface? If you did that and used the same pipes in opposite directions you could see some odd things. The same limit both ways at least.

nicknuke

@stephenw10
Thanks for looking in to this. Reinstalled with 2.7.1.
It is working fine for the main ISP with cable.

Somehow limiter acting weird with backup ISP with radio. Radio link is 10Mbps, i limit 1 subnet/vlan with 3 Up and 5 down, but somehow clients get 2.5 Mbps down and 0.5 - 2 mbps up... without limiter they got the full 10Mbps down and up.
But no more flooded logs with 2.7.1. I guess i have to look for more clue in the backup ISP.

Thank you so much.

stephenw10

Hmm, curious. Are you using one rule to both apply the limiters and route traffic to the ISP2 WAN?

nicknuke

@stephenw10
well actually yes...
the vm actually just act as redirector and shaper for different vlans to different ISP's gateway.
Been doing that and it just works.. until lately..
Do I miss something ?

stephenw10

Nope I would expect that work fine. It seems suspicious that something just changed seemingly without any changes made to the pfSense config. Like something else is limiting it.

nicknuke

This post is deleted!

nicknuke

@stephenw10
That's the hair pulling prob.

Let's call this pfsense box : shaper ( vm ).
It has 3 interfaces, 1 to LAN ( L3 Switch ), 1 interface to ISP1, and 1 other to ISP2
Turned off NAT on shaper, so it's just doing routing and traffic shaping only.
Gateway of ISP1 is actually another pfsense doing NAT ( a vm )
Gateway of ISP2 is the debian box ( another VM )

I suspected there's something wrong on the gateway side.
I have debian box act as gateway on top of pfsense.

But when I tried removing the limiter to ISP2 , vlan client got full bandwidth.

• Limit Off : vlan pc - iperf3 - gateway = Full b/w.
• Limit On : vlan pc - iperf3 - gateway = inconsistent b/w. ( this is done with no other client online ).
  But ONLY on this particular gateway to ISP2.
  I've been re-installing pfsense like 5 times in vm already, lol..

stephenw10

Hmm, you're testing using iperf3 to the gateway directly? Though that should still work.

nicknuke

@stephenw10
Okay .. there's just something with 2.71 that I just do not know about.

I got good backup of 2.6 vm image.. started it up...
All is well.. surprisingly well.. no flooded msgs in the log like above.
I do not know how it got there the first time.
Started the slave vm.. performed well also, Limiter works great with both ISP's Gateway.

Installed a fresh 2.71..
Then Restore the FULL backup config from 2.6.0...

Everything went well.. EXCEPT the Limiter again !
I even copy all /boot/loader.conf from 2.6 vm..
The limiter on 2.7.1 just doesn't work as well as 2.6.0 one...

here's the loader.conf content :
kern.cam.boot_delay=10000
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
kern.ipc.nmbjumbo9="524288"
autoboot_delay="3"
hw.hn.vf_transparent="0"
hw.hn.use_if_start="1"
net.link.ifqmaxlen="128"
hw.vtnet.csum_disable="1"

I guess I will stick to 2.6.0 for now then...

stephenw10

Do you have WAN1 set as the system default gateway?

If you set that to WAN2 does it affect the Limiter behaviour?

That's about the only thing I can imagine that's different between the two WANs. And we did see issues with that in 2.5.X.

nicknuke

@stephenw10 I will try that again tomorrow and let you know..

nicknuke

@stephenw10
Tried upgrading again from 2.60, still no go.
The weird thing was even when i use ISP1's gateway, as "Default gateway IPv4" in Settings-Routing,
then I try traceroute with source address any, it somehow still uses ISP2's gateway.
The speed from lan degraded like previous attempts. ( upgrading the same vm, then just tried it again right away ).
Went back to backup image of 2.6 now.. ( We even gonna have 3rd ISP coming in, so i really need stability right now, which 2.6.0 can still deliver ).

stephenw10

@nicknuke said in Flooded log:

The weird thing was even when i use ISP1's gateway, as "Default gateway IPv4" in Settings-Routing,
then I try traceroute with source address any, it somehow still uses ISP2's gateway.

Hmm, did you note if it set the WAN1 gateway as the default route correctly?

nicknuke

@stephenw10
yes of course :D that why i noticed how weird it was. Also found some other posts here having the same prob with limiter, getting half than assigned bandwidth.

stephenw10

Is it exactly half? Same value every time?

That feels like something looping twice through the same Limiter. But I'm not sure how that would happening with something on the LAN side.

nicknuke

@stephenw10
no, its top speed is half the assigned limit.