Netgate Discussion Forum

    [2.8.1.b] Multiple limiter issue

      NWOSwamp

      The issue reported below is still present in 2.8.1.b.20250717.1752

      https://forum.netgate.com/topic/197859/2-8-0-limiter-rule-not-honored-on-lan-download-with-multiple-limiters-queues

        pst @NWOSwamp

        @NWOSwamp I noticed the same incorrect behaviour in the first 25.07-rc (July09); I have yet to test the latest (July15-rc).

        For reference: https://forum.netgate.com/post/1220637

          pst @pst

          @pst I have tested the June15 25.07-RC and the same problems exist there. Certain limiter combinations just don't work in the 2025 releases of pfSense. @stephenw10, is Netgate aware and actively working on resolving the current limiter issues, or do I need to raise yet another Redmine?

          Here are today's results from 25.07.r.20250715.1733:

          test #1 LAN Limiters

          Setup:

          • Limiters configured on LAN 100Mb/s DL 50Mb/s UL
          • policy routing IPv4 only (IPv6 LAN rules disabled)

          Preparation:

          • reset firewall state table

          Results:

          • speedtest.net DL 96Mb/s UL 47Mb/s

          Conclusions:

          • LAN speeds match the configured LAN limiters (Success)

          [begin update]

          the LAN rule:

          @676 pass in quick on igb1 route-to (igb0 <GW-ip>) inet from <LAN__NETWORK:3> to any flags S/SA keep state (if-bound) label "USER_RULE: Default allow all from LAN" label "id:1746203437" label "gw:WAN_DHCP" ridentifier 1746203437 dnqueue(6, 5)
            [ Evaluations: 1191      Packets: 732499    Bytes: 714877597   States: 77    ]
            [ Inserted: uid 0 pid 0 State Creations: 78    ]
            [ Last Active Time: Sat Jul 19 15:32:33 2025 ]
          

          the LAN state:

          igb1 tcp 137.226.34.45:9001 <- 192.168.0.10:60316       ESTABLISHED:ESTABLISHED
             [2830908969 + 262144] wscale 7  [3555634996 + 63616] wscale 8
             age 00:00:48, expires in 23:59:59, 84:101 pkts, 40230:41100 bytes, rule 676
             id: 80bd946800000000 creatorid: 76926c2a route-to: <GW-ip>@igb0
          

          the WAN state:

          igb0 tcp <WAN-ip>:4417 (192.168.0.10:60316) -> 137.226.34.45:9001       ESTABLISHED:ESTABLISHED
             [3555634996 + 63616] wscale 8  [2830908969 + 262144] wscale 7
             age 00:00:48, expires in 23:59:59, 84:101 pkts, 40230:41100 bytes, rule 306, allow-opts
             id: 81bd946800000000 creatorid: 76926c2a route-to: <GW-ip>@igb0
          

          I'm not sure if the limiter is supposed to add another state, but I couldn't find one. As this case is working fine, I assume there is no additional state when using a LAN limiter.

          [end update]

          test #2 LAN+WAN Limiters, policy routing

          Setup:

          • Limiters configured on LAN 100Mb/s DL 50Mb/s UL
          • policy routing IPv4 only (IPv6 LAN rules disabled)
          • Limiter configured on WAN 200Mb/s DL 150Mb/s UL
          • buffer-bloat floating rule on WAN (Netgate recipe)

          Preparation:

          • reset firewall state table

          Results:

          • speedtest.net DL 196Mb/s UL 145Mb/s

          Conclusions:

          • LAN speeds match the configured WAN limiters (Failure)

          [begin update]

          the LAN rule:

          @677 pass in quick on igb1 route-to (igb0 <GW-ip>) inet from <LAN__NETWORK:3> to any flags S/SA keep state (if-bound) label "USER_RULE: Default allow all from LAN" label "id:1746203437" label "gw:WAN_DHCP" ridentifier 1746203437 dnqueue(6, 5)
            [ Evaluations: 443       Packets: 137929    Bytes: 133343647   States: 80    ]
            [ Inserted: uid 0 pid 0 State Creations: 87    ]
            [ Last Active Time: Sat Jul 19 15:23:31 2025 ]
          

          the WAN rule:

          @342 pass out quick on igb0 route-to (igb0 <GW-ip>) inet from <WAN-ip> to any flags S/SA keep state (if-bound) label "USER_RULE: From bufferbloat recipe" label "id:1750159398" label "gw:WAN_DHCP" ridentifier 1750159398 dnqueue(2, 1)
            [ Evaluations: 20977     Packets: 1198815   Bytes: 1126546123  States: 103   ]
            [ Inserted: uid 0 pid 0 State Creations: 166   ]
            [ Last Active Time: Sat Jul 19 15:23:30 2025 ]
          

          the LAN state:

          igb1 tcp 142.250.74.106:443 <- 192.168.0.10:58800       ESTABLISHED:ESTABLISHED
             [799371312 + 261376] wscale 8  [2304724535 + 262656] wscale 8
             age 00:01:21, expires in 23:59:03, 20:23 pkts, 8918:4625 bytes, rule 677
             id: 94a3946800000000 creatorid: 76926c2a route-to: <GW-ip>@igb0
          

          the WAN state:

          igb0 tcp <WAN-ip>:59630 (192.168.0.10:58800) -> 142.250.74.106:443       ESTABLISHED:ESTABLISHED
             [2304724535 + 262656] wscale 8  [799371312 + 261376] wscale 8
             age 00:01:21, expires in 23:59:03, 20:23 pkts, 8918:4625 bytes, rule 342
             id: 95a3946800000000 creatorid: 76926c2a route-to: <GW-ip>@igb0
          

          [end update]

          test #3 LAN+WAN Limiters, default routing

          Setup:

          • Limiters configured on LAN 100Mb/s DL 50Mb/s UL
          • default routing IPv4 only, IPv6 LAN rules disabled
          • Limiter configured on WAN 200Mb/s DL 150Mb/s UL
          • buffer-bloat floating rule on WAN (Netgate recipe)

          Preparation:

          • reset firewall state table

          Results:

          • speedtest.net DL 193Mb/s UL 48Mb/s

          Conclusions:

          • DL LAN speed matches the configured WAN DL limiter (Failure)
          • UL LAN speed matches the configured LAN UL limiter (Success)

          [begin update]

          the LAN rule:

          @677 pass in quick on igb1 inet from <LAN__NETWORK:3> to any flags S/SA keep state (if-bound) label "USER_RULE: Default allow all from LAN" label "id:1746203437" ridentifier 1746203437 dnqueue(6, 5)
            [ Evaluations: 745       Packets: 723716    Bytes: 689917885   States: 78    ]
            [ Inserted: uid 0 pid 0 State Creations: 170   ]
            [ Last Active Time: Sat Jul 19 15:09:14 2025 ]
          

          the WAN rule:

          @342 pass out quick on igb0 route-to (igb0 <GW-ip>) inet from <WAN-ip> to any flags S/SA keep state (if-bound) label "USER_RULE: From bufferbloat recipe" label "id:1750159398" label "gw:WAN_DHCP" ridentifier 1750159398 dnqueue(2, 1)
            [ Evaluations: 8204      Packets: 735203    Bytes: 697785013   States: 102   ]
            [ Inserted: uid 0 pid 0 State Creations: 398   ]
            [ Last Active Time: Sat Jul 19 15:09:14 2025 ]
          

          the LAN state:

          igb1 tcp 64.233.164.188:5228 <- 192.168.0.10:56610       ESTABLISHED:ESTABLISHED
             [3711352026 + 261888] wscale 8  [1875466931 + 267776] wscale 8
             age 00:01:13, expires in 23:59:32, 9:12 pkts, 2442:7559 bytes, rule 677
             id: da78946800000000 creatorid: 76926c2a
          

          the WAN state:

          igb0 tcp <WAN-ip>:40446 (192.168.0.10:56610) -> 64.233.164.188:5228       ESTABLISHED:ESTABLISHED
             [1875466931 + 267776] wscale 8  [3711352026 + 261888] wscale 8
             age 00:01:13, expires in 23:59:32, 9:12 pkts, 2442:7559 bytes, rule 342
             id: db78946800000000 creatorid: 76926c2a route-to: <GW-ip>@igb0
          

          [end update]

          [addendum]
          Limiter configuration:

          [25.07-RC][admin@felicity.local.lan]/root: dnctl sched list
          00001: 200.000 Mbit/s    0 ms burst 0
          q65537  50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
           sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
           FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
             Children flowsets: 1
          00002: 150.000 Mbit/s    0 ms burst 0
          q65538  50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail
           sched 2 type FQ_CODEL flags 0x0 0 buckets 0 active
           FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
             Children flowsets: 2
          00005: 100.000 Mbit/s    0 ms burst 0
          q65541  50 sl. 0 flows (1 buckets) sched 5 weight 0 lmax 0 pri 0 droptail
           sched 5 type FQ_CODEL flags 0x0 0 buckets 0 active
           FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
             Children flowsets: 5
          00006:  50.000 Mbit/s    0 ms burst 0
          q65542  50 sl. 0 flows (1 buckets) sched 6 weight 0 lmax 0 pri 0 droptail
           sched 6 type FQ_CODEL flags 0x0 0 buckets 0 active
           FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
             Children flowsets: 6
          [25.07-RC][admin@felicity.local.lan]/root: dnctl pipe list
          00001: 200.000 Mbit/s    0 ms burst 0
          q131073 2000 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
           sched 65537 type FIFO flags 0x0 0 buckets 0 active
          00002: 150.000 Mbit/s    0 ms burst 0
          q131074 2000 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
           sched 65538 type FIFO flags 0x0 0 buckets 0 active
          00005: 100.000 Mbit/s    0 ms burst 0
          q131077 2000 sl. 0 flows (1 buckets) sched 65541 weight 0 lmax 0 pri 0 droptail
           sched 65541 type FIFO flags 0x0 0 buckets 0 active
          00006:  50.000 Mbit/s    0 ms burst 0
          q131078 2000 sl. 0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail
           sched 65542 type FIFO flags 0x0 0 buckets 0 active
          [25.07-RC][admin@felicity.local.lan]/root: dnctl queue list
          q00001  50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
          q00002  50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail
          q00005  50 sl. 0 flows (1 buckets) sched 5 weight 0 lmax 0 pri 0 droptail
          q00006  50 sl. 0 flows (1 buckets) sched 6 weight 0 lmax 0 pri 0 droptail
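
The following is an added example, not part of pst's post or of pfSense itself: it correlates the three kinds of output quoted above (the rule listing with `dnqueue(a, b)`, the state entries with their `rule N` field, and `dnctl sched list`) to show which limiter bandwidths are bound to each side of one connection. The sample lines are trimmed from the test #2 output, the function names are hypothetical, and `tightest()` assumes the expected behaviour is that the lower of the matched limits should bound the flow.

```python
import re

# Constructed sample: lines trimmed from the test #2 output quoted in the post.
RULES = '''\
@677 pass in quick on igb1 route-to (igb0 <GW-ip>) inet from <LAN__NETWORK:3> to any flags S/SA keep state (if-bound) ridentifier 1746203437 dnqueue(6, 5)
@342 pass out quick on igb0 route-to (igb0 <GW-ip>) inet from <WAN-ip> to any flags S/SA keep state (if-bound) ridentifier 1750159398 dnqueue(2, 1)
'''
STATES = '''\
igb1 tcp 142.250.74.106:443 <- 192.168.0.10:58800       ESTABLISHED:ESTABLISHED
   age 00:01:21, expires in 23:59:03, 20:23 pkts, 8918:4625 bytes, rule 677
igb0 tcp <WAN-ip>:59630 (192.168.0.10:58800) -> 142.250.74.106:443       ESTABLISHED:ESTABLISHED
   age 00:01:21, expires in 23:59:03, 20:23 pkts, 8918:4625 bytes, rule 342
'''
SCHEDS = '''\
00001: 200.000 Mbit/s    0 ms burst 0
00002: 150.000 Mbit/s    0 ms burst 0
00005: 100.000 Mbit/s    0 ms burst 0
00006:  50.000 Mbit/s    0 ms burst 0
'''

def parse_rules(text):
    """Rule number -> dnqueue id pair, for rules that carry dnqueue(a, b)."""
    return {int(m[1]): (int(m[2]), int(m[3])) for m in re.finditer(r'^@(\d+) .*dnqueue\((\d+), (\d+)\)', text, re.M)}

def parse_scheds(text):
    """Scheduler id -> configured bandwidth in Mbit/s."""
    return {int(m[1]): float(m[2]) for m in re.finditer(r'^(\d{5}):\s+([\d.]+) Mbit/s', text, re.M)}

def parse_states(text):
    """Yield (interface, inside host:port, remote host:port, rule number)."""
    pat = re.compile(r'^(\S+) tcp (\S+) (?:\((\S+)\) )?(<-|->) (\S+).*\n'
                     r'(?:[ \t].*\n)*?[ \t].*\brule (\d+)', re.M)
    for m in pat.finditer(text):
        iface, a, nat_src, arrow, b, rule = m.groups()
        inside, remote = (b, a) if arrow == '<-' else (nat_src or a, b)
        yield iface, inside, remote, int(rule)

def limiters_per_flow(rules, states, scheds):
    """Flow -> {interface: bandwidths of the dnqueue pair on its state's rule}."""
    flows = {}
    for iface, inside, remote, rule in states:
        if rule in rules:  # states created by rules without a limiter are skipped
            bw = tuple(scheds[q] for q in rules[rule])
            flows.setdefault((inside, remote), {})[iface] = bw
    return flows

def tightest(per_iface):
    """Element-wise minimum: the cap expected if every matched limiter applied."""
    return tuple(min(v) for v in zip(*per_iface.values()))
```

Calling `limiters_per_flow(parse_rules(RULES), parse_states(STATES), parse_scheds(SCHEDS))` yields one flow carrying (50, 100) Mbit/s on igb1 and (150, 200) Mbit/s on igb0, so `tightest()` gives (50, 100), while the post reports 196/145 Mb/s for that test.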
          
            stephenw10 Netgate Administrator

            Yup, we are aware of it.

            Can we see the rules you are using to apply those Limiters?

            Do you see states opened matching those rules?

              pst @stephenw10

              @stephenw10 I have updated the post with the details you asked for (I hope...). Yes, there are states opened matching the rules.

              As far as others' reports of limiters not working, they seem to suggest the rules that were working in 2.7.2 no longer work in 2.8.0, so that should be an easy test case to run. I've never run 2.7.2 but remember having limiters enabled at some point in 24.0x (not sure if I still have them in my defunct 24.11 setup).
