Traffic shaper changes [90% completed, please send money to complete bounty]
-
Hi all,
It looks like you guys have put some good time and effort into getting the traffic shaper to where it needs to be. Hopefully this bounty is of value to me and I can throw in $50-100 for it.
It sounds like this is possible to do, but I just wanted to verify.
I have 1 wan (probably 2 in the future) on pfSense. It's about a 12/2meg connection.
LAN has a local router and also 2 access points. I would like to split/share the bandwidth amongst these 3 devices attached to the LAN. The trick here is that I need to have more than 2 layers of queues:
wan > pf (10.0.0.1) > switch > AP1 > customer router1 (10.5.x.1) (Linksys Tomato) > customer router 2 (10.5.x.1)
                             > AP2 > customer router 3 (10.6.x.1) > etc. (10.6.x.1)
                             > local router > Local PCs
Sorry that diagram isn't working well. Basically - the AP1, AP2 and local router are attached to pfSense by a switch. Then customer routers are static routed networks off of pf.
The caveat is that each AP is only capable of about 5-6mbps of total traffic. I would like to let customers share the full speed of the bandwidth from the AP. Also, there may be some customers that would get less than an even share (penalty box per customer?)
At the same time, we obviously need to prioritize VoIP, http, DNS and set everything else to a lower priority.
So, I believe what I need to do is:
1. Ident traffic type (flags in new shaper?)
2. Setup multiple queues within queues?
   a. WAN queues >
   b. queues for the individual APs (1 for the 10.5.xxx network and 1 for the 10.6.xxx network) >
   c. within the queues for the individual APs: queues or rules for traffic types (http, dns, etc.)?
   d. a way to limit individual customers (i.e. the 10.5.3.x network gets limited to 512k but the rest of 10.5.xxx gets to share the full bandwidth of the AP)
Does that make sense? Will the new shaper allow me to do this? I think it's just multiple layers of queues? I do have outbound traffic shaping on the customer routers so they can't saturate the AP. Customer routers' inbound shaping is limited to dropping packets - I don't want to use that option on the customer routers.
Thanks for your input. I would love if I can throw in some cash to the pot and get access to the new shaper if it will work for me.
Regards,
Aaron
-
Yeah it can do multiple level of queues and all of what you describe.
-
Great! Thank you! I just sent $75 to Chris.
@ermal:
Yeah it can do multiple level of queues and all of what you describe.
-
So I guess I need to know how to access and install this. I will get a PM? This is an embedded install on ALIX.2C3
Regards,
Aaron
-
Yes, pretty soon.
-
If this is the place for tech support questions with the new shaper then great. Otherwise, please direct me where these should go.
I have been playing around with the new shaper and either I am really dense and can't figure it out, or I don't understand QoS properly… Who knows...
Anyway, I am trying to prioritize VoIP traffic. This traffic runs over my OpenVPN connection set up in pfSense. I am having a real problem getting the traffic to register in the VoIP queue (using the wizard and then modifying the floating tab in rules). Is there anything special I am supposed to do? I thought about trying to prioritize the OpenVPN traffic, but couldn't get that to work either. Everything just goes to the default queue.
This is an Avaya IP Office setup. I have traffic being tagged with DiffServ: DSCP 46, DSCP Mask 63, and SIG DSCP as 0. I tried setting the DiffServ in the floating rule to 46, but it still didn't put that traffic in the queue. Any help would be appreciated.
Thanks!
Nate
-
Shaping inside openvpn tunnels is not yet supported afaik, inside IPSEC should work though.
-
It is the default LAN rule that is botching it.
Just make it specific, or create the rules for it in the LAN tab over the default one supplied by pfSense.
And please try disabling the anti-lockout rule.
With the new update things should be better (a matter of days, since some issues have been fixed).
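The DSCP question above (DSCP 46, mask 63, and a rule that still does not catch the traffic) comes down to where in the IPv4 header the mark lives. The following is an added example, not code from the thread or from pfSense: it pulls the DSCP out of an IPv4 header and picks a queue by (value, mask) the way a DSCP-keyed rule would, with a constructed packet header as sample input. The AF4x-to-qOthersHigh mapping and the sample addresses are assumptions.

```python
# Added example (not from the thread or pfSense): read the DSCP out of an IPv4
# header and classify a packet into a queue by DSCP, the way a DSCP-based
# floating rule would, instead of guessing at ports. The packet bytes are
# constructed here as sample input; the AF4x -> qOthersHigh mapping is an assumption.
import struct

EF = 46           # Expedited Forwarding: the mark the Avaya system in the thread sets
DSCP_MASK = 0x3F  # "DSCP Mask 63": compare all six DSCP bits


def dscp_of(ipv4_header: bytes) -> tuple:
    """Return (dscp, ecn) from the DS byte (the old TOS byte) of an IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds = ipv4_header[1]
    return ds >> 2, ds & 0x03


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """The full 8-bit byte a rule keyed on TOS (rather than DSCP) compares against.
    DSCP 46 sits in the upper six bits, so EF is 0xb8 on the wire, not 0x2e."""
    return ((dscp & DSCP_MASK) << 2) | (ecn & 0x03)


# Ordered like firewall rules: (dscp, mask, queue); first match wins.
# (46, 63) is exactly EF. (32, 56) matches the whole CS4/AF4x class (32..39).
RULES = [
    (EF, DSCP_MASK, "qVoIP"),
    (0b100000, 0b111000, "qOthersHigh"),   # assumption: treat AF4x as high priority
]
DEFAULT_QUEUE = "qOthersDefault"


def classify(ipv4_header: bytes) -> str:
    """Pick the queue for a packet from its DSCP value alone."""
    dscp, _ecn = dscp_of(ipv4_header)
    for value, mask, queue in RULES:
        if dscp & mask == value & mask:
            return queue
    return DEFAULT_QUEUE


def build_ipv4_header(dscp: int, ecn: int = 0, proto: int = 17,
                      src: str = "10.5.3.20", dst: str = "10.0.0.1") -> bytes:
    """Construct a minimal 20-byte IPv4 header as sample input (checksum left zero)."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       0x45,               # version 4, IHL 5 (20 bytes)
                       tos_byte(dscp, ecn),
                       20 + 8 + 160,       # total length: header + UDP + 20ms G.711 payload
                       0x1234, 0x4000,     # id, flags=DF, fragment offset 0
                       64, proto, 0,       # TTL, protocol (17 = UDP), checksum
                       addr(src), addr(dst))


if __name__ == "__main__":
    for mark in (EF, 34, 0):
        hdr = build_ipv4_header(mark)
        print(f"DSCP {mark:2d} (byte 0x{hdr[1]:02x}) -> {classify(hdr)}")
    # A rule that compares 46 against the whole byte is really looking for this:
    print("byte 0x2e decodes to DSCP/ECN", dscp_of(bytes([0x45, 0x2E]) + bytes(18)))
```

The practical check this gives you: a rule that compares the decimal value 46 against the whole DS byte is looking for 0x2e, which decodes to DSCP 11 with both ECN bits set, not EF. So before touching the queue tree, confirm in a capture that the byte at offset 1 of the IP header really is 0xb8 on the interface where the rule is applied.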
-
Hi, I don't mean to be impatient. Just wondering when I may get access to the new shaper. I can wait for the new update if it is just a couple days.
Regards,
Aaron
@ermal:
With the new update things should be better(a matter of days since some issues have been fixed).
-
Should be soon.
-
For all the bounty contributors.
In the same link as before you will find the updated images with several problems fixed.
Get the one with the highest date on it, as -20080324 ;)
-
I'll add 50 to the bounty, should I send them now? When will the image be available?
-
All bounty supporters get exclusive access to the testing images and are welcome to test drive and report back. All others will have to wait for now until there are official builds including the changes. Feel free to send the money in right now.
-
I explained it a page before:
http://forum.pfsense.org/index.php/topic,2718.180.html
-
The queue wizard is really a work in progress. The first part is difficult to understand and has text labels in code style. The second part, the one with traffic type prioritization, is a heritage of the old shaper wizard but has no reason to exist, because it is not applied anywhere and there's no interface to edit it. It seems that now the assignment of traffic type to queues is done within each firewall rule.
Well, you do not need any interface to choose since it applies to all interfaces.
Read my explanation of the Floating tab. As for the names, I will make them more friendly.
BTW, since you are a user, what part of the first part didn't you understand?
-
Sorry, I just found your 1st explanation, that's why I deleted my post…
I'll try to apply the rules as in your tutorial and in case get back to you with good feedback.
To answer your question: if for example I click on the "single wan multi lan" wizard, I'm asked for the number of connections: in my understanding this should be the LAN and the DMZ, but in the next step I have WAN and OPT1 (DMZ) grouped in the "setup connections speed" section, as if we were talking about two WANs, while the DMZ has to be considered like a LAN section.
I'm puzzled here because, given I'm configuring multiple LANs as per the wizard name, I should be asked just for the WAN bandwidth and then describe the LAN part. This could be a limit of my understanding of the shaping mechanism within pf, but I have to admit that the wizard isn't very descriptive about what I am doing with the info I'm entering and the options I'm choosing.
I just want to avoid traffic shaping between the LAN and DMZ and meanwhile shape all traffic from all interfaces to WAN: from your tutorial I understand that I just need to assign floating rules to queues. I have a solid heritage of rules assigned to each interface, so I think it will take time to make it work correctly. Is there any monitoring/debugging application for pf out there?
BTW, thanks for the prompt answer.
-
Oh, for the Multi LAN wizard I might have missed some label changes.
Though it really asks you for the number of LANs, as I cannot guess which interfaces are considered LAN in your case.
You see WAN in there since I need to know on which interface the internet connection is connected.
If you do not want to shape traffic between DMZ and LAN, on the traffic shaper config:
1- Click the LAN root node on the tree. Set its interface bandwidth to the same as your network card speed (i.e. 100Mb).
2- Delete the traffic shaper config on both LAN and DMZ.
3- Create a queue called qInternet on both the LAN and DMZ interface and set it up with the download speed of your internet connection.
If you have chosen the HFSC scheduler, make its linkshare m1=m2=link download speed and d = something.
4- Create a DMZ queue (qDMZ) on both the LAN and DMZ interface. Set its bandwidth = LAN root speed - speed of the qInternet queue.
5- Under the qInternet queue replicate the queues that get created by the wizard, so that the internet shaping for LAN and DMZ works OK.
Then create a rule that matches local traffic (traffic between LAN and DMZ) and sends it to the qDMZ queue so it does not have limitations from the shaper.
I am testing this setup and will make the changes for the Multi LAN wizard, at least, to produce the above automatically.
You will get it with the next update which fixes the other reported issues.
Just a stupid text illustration of the above is:
WAN
---qACK
---qDefault
---qP2P
---qVoIP
---qOthersHigh
LAN
---qInternet
----------qACK
----------qDefault
----------qP2P
----------qVoIP
----------qOthersHigh
---qDMZ
DMZ
---qInternet
----------qACK
----------qDefault
----------qP2P
----------qVoIP
----------qOthersHigh
---qDMZ
On the floating rules tab make a rule:
1- pass
2- select LAN and DMZ interface
3- Direction any
4- from any (though you might consider only the ports to the DMZ services)
5- to any (though you might consider only the ports to the DMZ services)
6- queue qDMZ
And done.
Another more advanced scheme might be:
WAN
---qACK
---qDefault
---qP2P
---qVoIP
---qOthersHigh
LAN
---qInternet
----------qACK
----------qDefault
----------qP2P
----------qVoIP
----------qOthersHigh
---qDMZ
----------qDMZACK
----------qDMZDefault
----------qDMZP2P
----------qDMZVoIP
----------qDMZOthersHigh
DMZ
---qInternet
----------qACK
----------qDefault
----------qP2P
----------qVoIP
----------qOthersHigh
---qDMZ
----------qDMZACK
----------qDMZDefault
----------qDMZP2P
----------qDMZVoIP
----------qDMZOthersHigh
And proper rules in place.
-
LANs are easy to determine. Walk the configuration and look for interfaces without a gateway attached to them.
-
Hi Ermal,
Thanks for allowing access to the new shaper. I see you are continuing to work on it.
I'm having a very hard time trying to figure out how to set this up. I am unable to add queues to interfaces (I got it to succeed only once!). I'm totally not understanding how this shaper is laid out - it just does not seem intuitive.
My setup was explained here: http://forum.pfsense.org/index.php/topic,2718.195.html
If you can help me understand how to set this up, I would be grateful. I would even be willing to write up a HowTo to try to explain the new shaper, as well as help form the GUI with you.
Regards,
Aaron
-
Can you please post full details of your configuration.
Bandwidths you want to use etc. so I can give you a config.
The upgrade you have has 3 issues:
1- You cannot add queues other than on the LAN.
EDIT: You cannot add queues that are children of a parent interface other than LAN. But you can add children of other queues on any interface.
2- The Status->Queues page is shifted to the right, because of a missing line for displaying the header OK.
3- The RRD graphs have a typo which does not allow one to properly view the queues graph.
4- Floating rules are generated after the per-interface tab rules, so if you have some rules in the specific interface tabs (WAN/LAN tab) they will spoil the floating rules.
These are just regressions of backporting from RELENG_1. In the next update they will be OK.
In your case you should not have any problems, since you want to add queues only for LAN, so you should be OK.
Now from what I see you want something like this.
Create an alias with the hosts you want to limit. On the wizard check the Penalty box and add this alias on this step.
Also check the catchall option of it.
You should have a scheme like this after it.
WAN
---qACK
---qP2P
---qVoIP
---qOthersHigh
---qOthersDefault
---qOthersLow
LAN
---qACK
---qP2P
---qVoIP
---qOthersHigh
---qOthersDefault
---qOthersLow
This should set you on for anything you want.
You limit the customers through the Alias config and no need to tweak the rules.
Also, if you want a hard limit for them, set the upperlimit of qOthersLow (value m2) to the required limit.
Because of issue 4 you do not need any settings on WAN apart from specific things you want to block.
Disable the anti-lockout rule.
And replicate the LAN default pass-in rule to the Floating tab and disable that one (for this upgrade you are running).
That's all you need to share all the bandwidth evenly in your setup. Since you say the APs are limited to 6Mb, that's as simple as it can get with the upper scheme.
You can optimize VoIP rules by converting the rules for VoIP to use DSCP (DiffServ code point) instead of port-based ones, if you know that they use a specific DSCP mark.
Tell me if this suits you.
The other scheme, if you wanted to have the hard limit to 6Mb set up on the pfSense, is:
WAN
---qACK
---qP2P
---qVoIP
---qOthersHigh
---qOthersDefault
---qOthersLow
LAN
---qAP1 (m1=m2=6Mb d=line delay)
------qAP1ACK
------qAP1P2P
------qAP1VoIP
------qAP1OthersHigh
------qAP1OthersDefault
------qAP1OthersLow
---qAP2 (m1=m2=6Mb d=line delay)
------qAP2ACK
------qAP2P2P
------qAP2VoIP
------qAP2OthersHigh
------qAP2OthersDefault
------qAP2OthersLow
or
WAN
---qACK
---qP2P
---qVoIP
---qOthersHigh
---qOthersDefault
---qOthersLow
LAN
------qACK
------qP2P
---qVoIP
------qOthersHigh
------qAP1OthersHigh
------qAP2OthersHigh
---qOthersDefault
------qAP1OthersDefault
------qAP2OthersDefault
---qOthersLow
------qAP1OthersLow
------qAP2OthersLow
On this one set the limits for each AP to the specific queue using the upperlimit m2 value. Though I doubt you want their VoIP queues to be separate, since you want both clients to have seamless VoIP.
The last scheme might give you better results but it is hard to understand for someone not knowing what he is doing.
BTW, if you could gather all my postings about the shaper into something readable and skinned :) I would greatly appreciate it. I have not yet found the time to do that.
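Both queue trees sketched in this thread (the LAN/DMZ scheme with qInternet sized to the download speed and qDMZ taking the rest of the 100Mb NIC, and the per-AP scheme with each AP capped at 6Mb and the penalty-box queue hard-limited to 512k via upperlimit) fail in the same way when the arithmetic is off: a child, or the sum of children, asks for more than its parent has. The script below is an added example, not code from the thread or from pfSense: it models an HFSC tree in pf's bandwidth notation and reports the consistency problems pfctl would refuse at load time. The percentage split between the per-class queues is an assumption; the thread only gives the 100Mb, 12Mb, 6Mb and 512k figures.

```python
# Added example (not from the thread or pfSense): sanity-check an ALTQ/HFSC
# queue tree like the LAN/DMZ and per-AP schemes sketched above before trying
# to load it. Percentages for the per-class queues are an assumption; the
# thread only gives the 100Mb/12Mb/6Mb/512k figures.
from dataclasses import dataclass, field
from typing import List, Optional

_UNITS = {"Gb": 1_000_000_000, "Mb": 1_000_000, "Kb": 1_000, "b": 1}


@dataclass
class Queue:
    name: str
    bandwidth: str                    # pf-style spec: "6Mb", "512Kb", "20%"
    upperlimit: Optional[str] = None  # HFSC upperlimit m2, a hard cap
    children: List["Queue"] = field(default_factory=list)


def parse_bw(spec: str, parent_bps: float) -> float:
    """Convert a pf bandwidth spec to bits/s. Percentages are relative to the parent."""
    spec = spec.strip()
    if spec.endswith("%"):
        return parent_bps * float(spec[:-1]) / 100.0
    for suffix, mult in _UNITS.items():  # longer suffixes are listed first
        if spec.endswith(suffix):
            return float(spec[: -len(suffix)]) * mult
    raise ValueError(f"bad bandwidth spec {spec!r}")


def check_tree(interface: str, root_bps: float, queues: List[Queue]) -> List[str]:
    """Return the problems found (an empty list means the tree is consistent).

    Three consistency rules pfctl enforces when the rules load are checked:
      * the children of a node may not add up to more than the node's bandwidth
      * an upperlimit may not exceed the interface (root) bandwidth
      * queue names must be unique on one interface
    """
    problems: List[str] = []
    seen = set()

    def walk(parent: str, parent_bps: float, children: List[Queue]) -> None:
        total = 0.0
        for q in children:
            if q.name in seen:
                problems.append(f"{interface}: duplicate queue name {q.name}")
            seen.add(q.name)
            bps = parse_bw(q.bandwidth, parent_bps)
            total += bps
            if q.upperlimit and parse_bw(q.upperlimit, parent_bps) > root_bps:
                problems.append(f"{interface}: upperlimit of {q.name} exceeds the interface bandwidth")
            walk(q.name, bps, q.children)
        if total > parent_bps * (1 + 1e-9):
            problems.append(f"{interface}: children of {parent} need {total / 1e6:.2f}Mb "
                            f"but {parent} only has {parent_bps / 1e6:.2f}Mb")

    walk(interface, root_bps, queues)
    return problems


def classes(prefix: str = "", penalty_cap: Optional[str] = None) -> List[Queue]:
    """The six per-class queues of the second scheme (qACK ... qOthersLow), sized as
    percentages of their parent (assumed split). penalty_cap hard-limits qOthersLow."""
    return [
        Queue(f"q{prefix}ACK", "20%"),
        Queue(f"q{prefix}P2P", "10%"),
        Queue(f"q{prefix}VoIP", "30%"),
        Queue(f"q{prefix}OthersHigh", "15%"),
        Queue(f"q{prefix}OthersDefault", "15%"),
        Queue(f"q{prefix}OthersLow", "10%", upperlimit=penalty_cap),
    ]


def lan_dmz_scheme() -> List[str]:
    """LAN side of the advanced LAN/DMZ scheme: 100Mb NIC, qInternet = 12Mb download,
    qDMZ = 100Mb - 12Mb so LAN<->DMZ traffic is not held to the WAN speed."""
    lan = [Queue("qInternet", "12Mb", children=classes()),
           Queue("qDMZ", "88Mb", children=classes("DMZ"))]
    return check_tree("LAN", parse_bw("100Mb", 0), lan)


def per_ap_scheme(root: str = "12Mb") -> List[str]:
    """Per-AP scheme: each AP capped at 6Mb under a root of the 12Mb download,
    with the penalty-box queue of each AP hard-limited to 512Kb via upperlimit."""
    lan = [Queue("qAP1", "6Mb", children=classes("AP1", "512Kb")),
           Queue("qAP2", "6Mb", children=classes("AP2", "512Kb"))]
    return check_tree("LAN", parse_bw(root, 0), lan)


if __name__ == "__main__":
    for name, probs in (("LAN/DMZ", lan_dmz_scheme()), ("per-AP", per_ap_scheme()),
                        ("per-AP on 10Mb root", per_ap_scheme("10Mb"))):
        print(name, "->", probs or "OK")
```

The third run shows the failure mode the thread keeps circling: two 6Mb AP queues under a root that was set to 10Mb instead of the 12Mb download is over-subscribed by 2Mb, and the shaper will refuse the whole tree rather than quietly share the shortfall. Run the check against the numbers you intend to type into the GUI before you type them.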