Traffic shaping tips and tricks.
-
Let's start collecting tips and tricks.
I just ran into a problem where completely saturating my outbound traffic resulted in new connections being dropped to the web, etc. On closer inspection I noticed the ACK queues were showing some drops.
When this happens, edit the queues and change the bandwidth from 1% to 5%.
Please post your tips or tricks that have helped out in situations.
Do not post about problems, etc. Leave those for the other threads.
UPDATE 06/07/06: just ran into this again using the Akamai download manager. My LAN ACK is running at around 204Kb/s so I needed to increase the LAN acks to 10%. Everything is fine again.
Afterwards visit Status -> Queues and pay attention to your drops on the LAN and WAN queues. Keep in mind that you WANT drops on certain queues such as lower priority queues, etc.
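
The drop check described in this post, as an added example that is not part of the original post: a shell function that reads `pfctl -vsq` output and reports only ACK queues with drops, ignoring drops on low-priority queues. The queue names and counters are constructed sample data, and the output layout is assumed to match what `pfctl -vsq` prints for ALTQ queues.

```shell
#!/bin/sh
# Report ACK queues that have dropped packets, reading `pfctl -vsq` text on stdin.
# Drops on low-priority queues are expected and are not reported.
ack_queue_drops() {
    awk '
        # "queue <name> on <if> ..." starts a new queue entry
        $1 == "queue" { name = $2 }
        # the statistics line carries "dropped pkts: <n>"
        /dropped pkts:/ {
            drops = 0
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "dropped" && $(i + 1) == "pkts:") drops = $(i + 2) + 0
            if (tolower(name) ~ /ack/ && drops > 0) print name, drops
        }
    '
}

# Constructed sample (hypothetical queue names, interfaces and counters).
sample_vsq() {
    cat <<'EOF'
queue  qwanacks on em0 bandwidth 25Kb priority 7 hfsc( realtime 5% )
  [ pkts:       5120  bytes:     307200  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qlanacks on em1 bandwidth 100Kb priority 7 hfsc( realtime 1% )
  [ pkts:       9800  bytes:     588000  dropped pkts:     35 bytes:   2100 ]
  [ qlength:  12/ 50 ]
queue  qP2PDown on em1 bandwidth 100Kb priority 1 hfsc( red ecn )
  [ pkts:      40100  bytes:   52130000  dropped pkts:   1870 bytes: 2431000 ]
  [ qlength:  50/ 50 ]
EOF
}

# On the firewall itself: pfctl -vsq | ack_queue_drops
sample_vsq | ack_queue_drops
```

Any line this prints names an ACK queue whose bandwidth share is a candidate for the 1% to 5% or 10% increase described above.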
-
I'll repeat my experience setting up shaping in Bridge mode.
This really worked, but only when using certain rules.
1. Queue settings as usual for normal shaping.
2. After the shaping wizard, in all rules I change the source and destination type to * (any).
Maybe this is based on the fact that the bridge works at the interface level? (But filtering by IP is possible!!!)
Maybe add items such as "LAN interface, WAN interface …" to the src/dst types and shape in bridge mode only for these items (not using any IP address)?
3. Queue names (and maybe rule names) can't use special symbols such as "~!@#$%^&*()<>{}[]|=..etc"
Works normally for ''. Not tested for '-'.
My proposal: for names use (a-z A-Z 0-9) and ''. Don't use national symbols!
Maybe it's a good idea to add a hidden ID field for queues and rules, and make all relationships between them via the ID?
The description is perceived as a comment ...
4. After changing the name of a queue, you need to reselect it in all rules that connect to this queue. The name doesn't update automatically. This is really a hidden bug. This bug can be solved by using my proposal in (3).
PS
I didn't test shaping rules in detail for all variants of src/dst types. '*' is the first working variant I found, and this is what I use in my configuration.
PS2
To see which shaping rules are working, I used the Filter log (10) item in the console menu.
If a rule worked, then its name is written in the respective packets.
-
Another trick. If you are running m0n0mon and you find that the window "disappears" from time to time then you are surely running out of LAN ACK queue slots. Increase the bandwidth to 10% from 1% (or 5% if you followed my advice from the first post in this thread).
-
I'm taking it that what dvserg means, in point #2, is to change every shaping rule from:
WAN->LAN TCP * LAN net Port: 3724 qGamesDown/qGamesUp m_Game WoW inbound
to show
WAN->LAN TCP * * Port: 3724 qGamesDown/qGamesUp m_Game WoW inbound
Can anyone verify if this works as intended, and/or better? I'm not sure about the quirks, so I'm a little hesitant to change every single rule on the shaper…
-
Bridge Shaping:
(1) http://forum.pfsense.org/index.php/topic,6509.msg39091.html#msg39091
After this change I have dual bridge shaping (in and out).
–-
Comments:
The generated PF rules use 'keep state' - this creates a bidirectional 'channel' for the connection.
If a connection is initiated from LAN to WAN (for example, by a browser), it is shaped by
the [Lan>Wan] Traffic Shaper rule.
Both incoming and outgoing packets are shaped.
There is no need to create a symmetric [wan>lan] rule.
Similarly, a connection initiated Wan>Lan needs only [Wan>Lan] Shaper rules.
–-
But:
At least one [wan>lan] and one [lan>wan] rule must exist.
Otherwise the corresponding interface will not be initialized by ALTQ as shaped (an error message is generated).
–-
My rules example is in the attachment.
The marked [Wan>Lan] rule is for avoiding the error.
PS:
I tested this only on my bridged system, and all comments apply only to this situation.
-
And it actually works? Would you be interested in adding this functionality to our system?
-
Correct me if I am wrong,
You have a bridge active and are filtering with rules on a specific interface, meaning
if_bridge(4) loaded
net.link.bridge.pfil_bridge=1
and shaping with rules
pass out/in on $bridge_interface tagged WHATEVER queue(q1, q2)
This way it should work!
But the context is not that good since you're shaping IP traffic which might not make sense from a bridge point of view.
And you may run into strange problems if you mix route-to rules in between or have some form of dynamic network.
The rationale is to always shape with direction==in rules to be on the safe side.