Shaper dont work on 1.2final

srs

I was looking at logs and saw this entry, related to the day when I first configured Shaper and qPenalty; since then, even if I re-run shaper wizard, qPenalty doesnt shape traffic to it's related IP. Does someone knows what that means?

In this cases, what to do? reinstall pfsense? why this happens?

Mar 14 10:16:54 nat php: : There were error(s) loading the rules: /tmp/rules.debug:16: queue qPenaltyUp has no parent /tmp/rules.debug:16: errors in queue definition /tmp/rules.debug:17: queue qPenaltyDown has no parent /tmp/rules.debug:17:
errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [16]: queue qPenaltyUp bandwidth 1% priority 2hfsc (  red ecn upperlimit 10Kb )

This is today's message, when I re-run shaper wizard: (qPenalty still dont shapes traffic bandwidth)
Mar 17 08:23:15 nat check_reload_status: reloading filter
Mar 17 08:29:23 nat last message repeated 3 times
Mar 17 08:33:26 nat php: /wizard.php: Create RRD database /var/db/rrd/wan-queues
.rrd
Mar 17 08:33:26 nat php: /wizard.php: Creating rrd update script
Mar 17 08:33:29 nat check_reload_status: reloading filter
Mar 17 08:41:56 nat check_reload_status: reloading filter
Mar 17 08:42:07 nat check_reload_status: reloading filter

thanks

sullrich

Remove the shaper config and rerun the wizard.

srs

Ok, lets go: the desktop wich IP is in penalty rule queue is turned off, so, no states;

I turned off trafic shaper, saved; then I re-run the wizard, placing that desktop ip again in penalty rule queue;

Finished shaper wizard; turned on the desktop; begin to download a knoppix.iso from internet and the the download speed is almost my full wan (1536kbits/s) when it should be the one configured in penalty queue (10kb).

Still the same :(

Mar 18 09:36:11 nat check_reload_status: reloading filter
Mar 18 09:38:17 nat check_reload_status: reloading filter
Mar 18 09:38:17 nat php: /wizard.php: Create RRD database /var/db/rrd/wan-queues
.rrd
Mar 18 09:38:17 nat php: /wizard.php: Creating rrd update script

Another question: do you know when (with month) can we have pfsense 1.3 final or any RC?

hoba

Maybe this is a rule ordering issue? Do you have set http to high and it is above the penalty rules?

It's far too early to say anything about 1.3 final or releasecandidates atm.

srs

First, thank you Hoba for your attention.

This is my pfsense queues list and order; this is the default one, I have not changed it when ended wizard.

Flags  Priority  Default  Bandwidth  Name 
  0  No 1536 Kb  qwanRoot 
    0  No 1536 Kb  qlanRoot 
    1  Yes 1 %        qwandef 
    1  Yes 1 %    qlandef 
ACK        7      No      25 %  qwanacks 
ACK        7      No 25 %  qlanacks 
    7  No 25 %    qVOIPUp 
    7  No 25 %    qVOIPDown 
RED ECN    2      No     1 %  qPenaltyUp 
RED ECN    2      No     1 %  qPenaltyDown 
RED ECN    1      No     1 %  qP2PUp 
RED ECN    1      No     1 %  qP2PDown 
RED ECN    4      No     25 %  qOthersUpH 
RED ECN    4      No     25 %  qOthersDownH 
RED ECN    2      No     1 %  qOthersUpL 
RED ECN    2      No     1 %  qOthersDownL

Again, thanks for your time!

dav1d

Hy Srs,

i had same problem, but first my configuration was  "transparent firewall", and traffic shape doesn't work :'(; second i think that is important the order of the rules  (like rules firewall), because if you download from internet using http protocol, and your http rule is on top ``first match wins''.
Try to move up the penality rules.

I hope this help you.

srs

hey dav1d, thanks a lot for your help; I will test the rules order; but one more question: what you mean with 'transparent firewall'? I use transparent proxy, but in older pfsense versions, it always worked, shaper with transparent proxy… can you help with this? thanks one more time!

dav1d

I am not sure, but transparent firewall is a packet filtering and normally you put it between your GW and LAN. In your case, transparent proxy intercept a particular service like HTTP and redirect it to squid for  simple content filtering, cache, etc.

My configuration was this: http://pfsense.trendchiller.com/transparent_firewall.pdf.

srs

hey dav1d, thanks again for your time and help!

I think the setup that is described in that document is for a bridge setup; The most strange about the queues order is that they are in default position, I have not changed them after running trafic shaper wizard… In other situations, with another pfsense versions, it worked; before installing 1.2 final I used 1.2rc3, or 4, I dont remember, but the last versions; and it was all working; I had created other queues, and they were all working nicely; this is the reason I simply dont understand why this shaper is not working now; I have setup pfsense manually, did not restore no one backup file, and the shaper is running from the default wizard setup, the only thing I've done is the choose the IP for penalty and the bandwidth for penalty (10k) and for the entire shaper (1536kbits/s up and down), the same values that I have used in other times and have worked.

Have you tried 1.3 already?

thanks a lot for your help!

srs

hey folks, I think I've found the problem:

When I turn off transparent proxy in squid, the shaper seems to work fine; but when transparent proxy is enabled, the shaper doesnt work; the strange is that I always used squid, as transparent proxy, and shaper, in previous pfsense versions, and I know it worked…

Well, what can be done to use these two must-have features??

thanks

sullrich

Contribute to the traffic shaping bounty and ask Ermal if he can fix.

srs

can you tell me wether this was always this way or this is a 1.2family issue? I just want to confirm that I have used shaper plus squid in pfsense before.

thanks

hoba

I think it has always been that way. When enabling squid in transparent mode it creates invisible redirects to the squid deamon that match before other rules do. Also it has been a know limitation for quite some time that traffic from services (like squid) running at the pfSense directly can't be shaped properly due to the way the trafficshaper is working in releases up to 1.2.

srs

well, this is really strange, because I always used squid and I'm sure at 6 to 8 months ago I used the shaper successfully to shape bandwithd of computers laboratories and penalty some ips… and it always worked and I'm sure, I always used squid with some blacklists/whitelists, always in transparent mode beucase I never nedded to configure anything in desktops...

But so this is ok, I must vote for what is the most important to me: shaper or access control lists (squidguard).

Please, can you tell me if this is planned to work (together) on upcoming 1.3?

thanks a lot for all your patience and always congrats for your really nice work!

sullrich

This has always been an issue.  if you want to guarantee it will be in 1.3 then contribute to the bounty.  Otherwise no promises.

srs

ok sullrich, thanks a lot! as I'm in Brazil, I dont know how can I contribute, but I'll check this, ok! I always used pfsense since 0.9x and pretend keep using it!!!

Thanks a lot!