Traffic shaping not working in Beta 4 for outbound queues?

dvserg

Not. I nothing to find
really worked in queue status : qwandef  qlandef  qlanacks
other queues not have packets (0/pps)

# System Aliases 
loopback = "{ lo0 }"
lan = "{ xl0  carp0 bridge0 }"
wan = "{ rl0  carp0 bridge0 ng0 }"
# User Aliases 
AdminLine = "{ 10.62.0.25 }"

set loginterface rl0
set loginterface xl0
set optimization normal

scrub on rl0 all random-id 
altq on rl0 hfsc bandwidth 2Mb queue { qwanRoot }
altq on xl0 hfsc bandwidth 256Kb queue { qlanRoot }

queue qwanRoot bandwidth 2Mb priority 0 hfsc { qwandef, qwanacks, qRdpUp, qOthersUpH, qOthersUpL, qwebUp }
queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qRdpDown, qOthersDownH, qOthersDownL, qwebDown }
queue qwandef bandwidth 5% priority 3 hfsc (  default realtime 1% )
queue qlandef bandwidth 5% priority 3 hfsc (  default realtime 1% )
queue qwanacks bandwidth 5% priority 7 hfsc (  realtime 1% )
queue qlanacks bandwidth 5% priority 7 hfsc (  realtime 1% )
queue qRdpUp bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
queue qRdpDown bandwidth 3% priority 6 hfsc (  red ecn realtime 3% )
queue qOthersUpH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
queue qOthersDownH bandwidth 1% priority 6 hfsc (  red ecn realtime 1Kb )
queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
queue qwebUp bandwidth 10% priority 2 hfsc (  red ecn realtime 5Kb )
queue qwebDown bandwidth 40Kb priority 2 hfsc (  red ecn realtime 5Kb )

# UPnPd rdr anchor
rdr-anchor "upnpd/*"
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
nat on $wan from 10.62.0.0/24 port 500 to any port 500 -> (rl0) port 500
nat on $wan from 10.62.0.0/24 to any -> (rl0)
#SSH Lockout Table
table <sshlockout>persist

# spam table 
table <whitelist>persist
table <blacklist>persist
table <spamd>persist
table <spamd-white>persist file "/var/db/whitelist.txt"
rdr pass on rl0 proto tcp from <blacklist>to port smtp -> 127.0.0.1 port spamd
rdr pass on rl0 proto tcp from <spamd>to port smtp -> 127.0.0.1 port spamd
rdr pass on rl0 proto tcp from ! <spamd-white>to port smtp -> 127.0.0.1 port spamd

# Load balancing anchor - slbd updates
rdr-anchor "slb"

# FTP Proxy/helper

block in all tag unshaped label "SHAPER: first match rule"
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 22  keep state tagged unshaped tag qOthersUpH 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 22 keep state tagged qOthersUpH tag qOthersDownH
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 22  keep state tagged unshaped tag qOthersDownH 
pass out on $wan proto tcp from any to any port 22 keep state tagged qOthersDownH tag qOthersUpH
pass in on  $wan proto icmp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto icmp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto icmp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto icmp from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 53 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 53  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 53 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 53  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 53 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 161 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 161  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 161 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 161  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 161 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 119 keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 119  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 119 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 119  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 119 keep state tagged qlandef tag qwandef
pass in on  $wan proto esp from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto esp from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto esp from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto udp from any to 10.62.0.0/24 port 500  keep state tagged unshaped tag qwandef 
pass out on $lan proto udp from any to 10.62.0.0/24 port 500 keep state tagged qwandef tag qlandef
pass in on  $lan proto udp from 10.62.0.0/24 to any port 500  keep state tagged unshaped tag qlandef 
pass out on $wan proto udp from any to any port 500 keep state tagged qlandef tag qwandef
pass in on  $wan proto ah from any to 10.62.0.0/24  keep state tagged unshaped tag qwandef 
pass out on $lan proto ah from any to 10.62.0.0/24 keep state tagged qwandef tag qlandef
pass in on  $lan proto ah from 10.62.0.0/24 to any  keep state tagged unshaped tag qlandef 
pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 1723  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 1723 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 1723  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 1723 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 445  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 445 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 445  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 445 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 137:139  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 137:139 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 137:139  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 137:139 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3389  keep state tagged unshaped tag qRdpUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3389 keep state tagged qRdpUp tag qRdpDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3389  keep state tagged unshaped tag qRdpDown 
pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 6667:6670  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 6667:6670 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 6667:6670  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 6667:6670 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 80  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 80 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 80  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 80 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 443  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 443 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 443  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 443 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 3125:3129  keep state tagged unshaped tag qwebUp 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 3125:3129 keep state tagged qwebUp tag qwebDown
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 3125:3129  keep state tagged unshaped tag qwebDown 
pass out on $wan proto tcp from any to any port 3125:3129 keep state tagged qwebDown tag qwebUp
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 143  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 143 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 143  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 143 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 110  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 110 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 110  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 110 keep state tagged qlandef tag qwandef
pass in on  $wan proto tcp from any to 10.62.0.0/24 port 25  keep state tagged unshaped tag qwandef 
pass out on $lan proto tcp from any to 10.62.0.0/24 port 25 keep state tagged qwandef tag qlandef
pass in on  $lan proto tcp from 10.62.0.0/24 to any port 25  keep state tagged unshaped tag qlandef 
pass out on $wan proto tcp from any to any port 25 keep state tagged qlandef tag qwandef

anchor "ftpsesame/*" 
anchor "firewallrules"

# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"
# enable ftp-proxy

anchor "ftpproxy"
anchor "pftpx/*"
pass in quick on xl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl0 inet proto tcp from port 20 to (rl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 10.62.0.3 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 10.62.0.3 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for xl0
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on rl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qOthersUpH queue (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
pass out quick on rl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qOthersDownH queue (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
pass out quick on xl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
pass out quick on bridge0 all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick from 10.62.0.0/24 to 10.62.0.3 keep state label "anti-lockout web rule"

# SSH lockout
block in log proto tcp from <sshlockout>to any port 22 label "sshlockout"

# User-defined rules follow
# Anchors for rules that might be matched by queues
anchor qwanRoot tagged qwanRoot
anchor qlanRoot tagged qlanRoot
anchor qwandef tagged qwandef
anchor qlandef tagged qlandef
anchor qwanacks tagged qwanacks
anchor qlanacks tagged qlanacks
anchor qRdpUp tagged qRdpUp
anchor qRdpDown tagged qRdpDown
anchor qOthersUpH tagged qOthersUpH
anchor qOthersDownH tagged qOthersDownH
anchor qOthersUpL tagged qOthersUpL
anchor qOthersDownL tagged qOthersDownL
anchor qwebUp tagged qwebUp
anchor qwebDown tagged qwebDown
pass in log quick on $wan from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE: Default Wan -> any" 
pass in log quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any" 
pass quick proto carp keep state
pass quick proto pfsync
# VPN Rules

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."</sshlockout></virusprot></virusprot></spamd-white></spamd></blacklist></spamd-white></spamd></blacklist></whitelist></sshlockout> 

darrendavid

hey-

same issue here. I want to see if a cvs_sync fixes it, but I'm on a soekris and / is mounted read-only… and of course i can't edit /etc/fstab because, well, / is mounted read-only. what's the trick for cvs_sync'ing on a WRAP box?

thanks,
darren

sullrich

@darrendavid:

hey-

same issue here. I want to see if a cvs_sync fixes it, but I'm on a soekris and / is mounted read-only… and of course i can't edit /etc/fstab because, well, / is mounted read-only. what's the trick for cvs_sync'ing on a WRAP box?

thanks,
darren

There is no trick.  This does not work with Embedded platforms.

darrendavid

i /knew/ you were going to say that.  ;)

can you point me to the docs for building my own from cvs, if there are any?

thanks for all the work on this. it's looking grand.

cheers,
darren

dvserg

in other forums say thet ALTQ must be configured to 2 interface (because them work only with out traffic).
allike problem when one with interfaces not correctly set
in my rules this correct?

ps pls don't kill me - i only newbe (2 mth with nix system)  ;)

ps2 after update from cvs queue status graph work very stable (1.5 hr wisout stops)

Leoandru

hrm, I don't get it.. this really should be working. There were no major changes to the shaper since Beta3 and the rules look fine from here. even after looking at them many time over. I'll wait to see if the fix works for anyone else..

??? 'scratch head'

dvserg

Tomorrow reupdate Beta 3 and test this config again  :-
May be broken update to Beta 4 ? But any errors not view.
Goodnight  ;D

–-----------------------------------
Good day.
I do it whith Beta 3, but nothing news. Them i update Beta 4 and rebuild my bridge config new. If a take update from cvs - them continuing testing with Beta4.

---

Good day 2
Yesss !!! BRIDGE!!!
If i setup in LAN any dummy address - not WAN - my shaping get circus (bear's show)
I set LAN IP = WAN IP and mask LAN IP = 32 (what recomended Hoba in Firewall topic)
And my queue blinking all!!
I must begin full testing.
Write any result after this.
Bye

hoba

Trafficshaper won't work in a bridge configuration. This is a limitation.

dvserg

This is interested post about ALTQ & bridge (only this about openBSD).
http://www.csl.sony.co.jp/~kjc/altq-ml-2002/msg00551.html

Theme "ALTQ and bridge" - dont have wide information in Inet. I looking very mach questions, but little answers  :'(
Can this url help for you project?

nima.m

Hoba,

So If my router has a WAN/LAN and WLAN, and the WLAN is bridged to LAN, the traficc shaping dosn't work anymore, correct ?

Is there anything the pfsense team can do to make Trafic Shaping work on multiple NIC that are bridged with LAN?

hoba

That's something to do for 1.1 though there is no fixed featureset for 1.1 yet. If it's doable it will be implemented sooner or later.

However if you are shaping WAN/LAN and your OPT1 is bridged to LAN there are chances that the shaping actually works. I think I heared someone report this scenario is working earlier, but not too sure about it. Try and let us know.

dvserg

Can i have comment from professional to my questions?
:)
Bridge0 - logical interface .. but them can use for all rules in PF, yes?
Can bridge0 use in ALTQ rules?
May be this take effect for shaping (of cose if this possible)

nima.m

I suspect that the queue is working,
The problem is the rules.

In rules, you define "In Interface" and "Out Inferface", and what we miss here is the term for ANY
This is tipical picture of configuration, if we only could choose
In Interface = WAN
Out Interface = ANY

Then I think the problem would be solved.

dvserg

Thx.
I today testing bridge queue rule with
source * destination* - define only protocol and port.
in simple model i give worked result. If time give possible - tomorrow be testing more big model.

billm

@nima.m:

I suspect that the queue is working,
The problem is the rules.

In rules, you define "In Interface" and "Out Inferface", and what we miss here is the term for ANY
This is tipical picture of configuration, if we only could choose
In Interface = WAN
Out Interface = ANY

Then I think the problem would be solved.

Sorta…too bad it's not quite that simple ;)

--Bill

nima.m

Billm,

Dose pfsense and m0n0wall use the same Traffic Shaping Engine ?

sullrich

No.  m0n0wall uses dummynet, we use ALTQ.

nima.m

Okay, The Traffic Shaper in both system look very similar.

However, they have solved the bridge problem very cleverly, in the LAN side anyway.
In m0n0wall, they only have one interface for rules, and the user can shape the rule for inboud/outbound based on the "direction"
So, If you have multiple NIC that are bridged with LAN, you can choose WAN as interface and "in" for direction for choosing "inbound" and "out" for direction for choosing "outbound"
So the Traffic Shaping dosn't need to look for both "In Interface" and "Out Interface".

However, pfsense need both "In Interface" and "Out Interface".

sullrich

Yep completely different set of problems.  The rabbit whole gets EXTREMELY deep when you dive into ALTQ further.

bruor

i also had this bug,  noticed that i was getting drops on my voip phone, and that things were not going into the voip outbound queue,  i have run the cvs sync to releng_1 and will post results here in the next day or so.