Traffic shaper changes [90% completed, please send money to complete bounty]
-
Embedded Build: Wed Apr 2 23:31:42 EDT 2008
Sorry Ermal, back to the drawing board!
I was trying to do the setup you explain and I am getting error after error, plus silent failures and successes with crazy error messages.
Specific difficulties/bugs I am experiencing:
Adding a child queue - fails silently unless the first queue is set to default. This is counterintuitive because I was just trying to duplicate the existing queue tree for the primary Internet queue. Thoughts on resolving: a. making a note for adding the first child queue b. error checking when pressing the save button c. not loading the config to hfsc/altq until the apply button is pressed. This would allow the USER to input queues in any order they please and minimize frustration.
Editing Queue name: fails silently - name does not change on the queue tree. (I added a queue that had a more than 15 character queue name - I got the error and tried to shorten the queue name, but it failed.)
Invalid queue name cannot be deleted (caused by the error above)
Attempt to delete parent queue to delete the child queue with invalid Queue Name: error:
Warning: copy(/cf/conf/backup/config-1207241932.xml): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1794 Warning: fopen(/cf/conf/backup/backup.cache): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1801 Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1802 Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1803 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1794) in /usr/local/www/firewall_shaper.php on line 82
Attempt to delete child queue off of LAN interface: Error:
Warning: copy(/cf/conf/backup/config-1207241932.xml): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1794 Warning: fopen(/cf/conf/backup/backup.cache): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1801 Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1802 Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1803 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1794) in /usr/local/www/firewall_shaper.php on line 82
Added a child queue to qInternet (qAP2Down), then the default child queue (qAP1Default) gives error.
php: : There were error(s) loading the rules: pfctl: should have one default queue on vr0 pfctl: errors in altq config - The line in question reads [ should have one default queue on vr0 pfctl]:
Added qAP1Ack (child of AP2Down) set priority 7, with no service curve. Error:
php: : There were error(s) loading the rules: pfctl: the sum of the child bandwidth higher than parent "qAP2Down" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:33: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ the sum of the child bandwidth higher than parent "qAP2Down" pfctl]:
Why would a blank linkshare say it is greater than its parent?
Starting over with the shaper…..
Wizard: " numberofconnections: Number of connections you have" Can we please specify if this is for LAN or WAN?
Wizard: "conn0interface:" ????? Who exactly is conn0interface?
At this point, I removed the shaper and started the wizard again. Attempting to create:
LAN
---qInternet
-----qAP1
--------qACK
--------qDefault
--------etc
-----qAP2
--------qack, etc
-----qLocal
--------qack, etc
Deleting existing children of qInternet - happened every time I deleted. However, the shaper GUI does update and appear to delete the queue.
Warning: fopen(/cf/conf/backup/backup.cache): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1801 Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1802 Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1803 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1801) in /usr/local/www/firewall_shaper.php on line 82 Warning: copy(/cf/conf/backup/config-1207246821.xml): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1794 Warning: fopen(/cf/conf/backup/backup.cache): failed to open stream: Read-only file system in /etc/inc/config.inc on line 1801 Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1802 Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/config.inc on line 1803 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1794) in /usr/local/www/firewall_shaper.php on line 82
How does the LinkShare work inside of a Child queue? If I write 5% linkshare, is that 5% of the direct parent, or the root?
When I get to:
lan
–qInternet
----qP2P default (can't modify or delete!)
----qAP1 default (cannot remove default flag)
-------qAP1CatchAll(Default)
I get the error below. I try to add and delete any possible combinations of Default Flags on the tree of queues. It just won't accept the config. Also, the changes to Default Queue flags seem to save (silent failure), but they revert back and appear to not take effect.
: php: : There were error(s) loading the rules: pfctl: should have one default queue on vr0 pfctl: errors in altq config - The line in question reads [ should have one default queue on vr0 pfctl]:
Attempting to start from scratch: no wizard. My exact actions are as follows:
LAN: bw: 100mb
SAVE, Add New Queue
15mB, qInternet, Priority 6
UpperLimit: 15Mb 30000 8Mb
Save, Apply
Error: php: : There were error(s) loading the rules: pfctl: should have one default queue on vr0 pfctl: errors in altq config - The line in question reads [ should have one default queue on vr0 pfctl]:
Add default Flag to qInternet
Save, Apply, no error
ADD Queue button is not available to add child queue to qInternet???
Delete qInternet to try to start over.
Apply.
Interface with no label appears above lan, Queue not found error box displayed (attachment: shaper-phantom interface.jpg)
Clicking on the phantom interface yields the Queue not found error again. The only way to remove it is to use the "Remove Shaper" button.
Going to try again without using qInternet parent. (This will NOT work for my setup, but going to see if it is a problem with multiple layers of queues.)
Again, my exact actions:
Click on LAN interface
15MB bandwidth is pre-populated
save & Apply
Add New Queue
Bandwidth 5Mb
qAP1
Default
upperlimit m2= 5mb
save & apply
I want to add a child queue to this, but the Add New Queue button and Delete buttons are gone.
Tell me what I did wrong?! I'm following the steps exactly as one is able to do given the GUI provided. It just feels so much like the end user (a human, NOT a programmer) is being forced to think like a programmer and if we don't do exact steps it fails horribly. Why can't the user get things set up the way they want and let the programming handle the details? That is what a good GUI is all about. I feel like I am constantly having to fight the GUI to get it to do what I want… the GUI always wins and I lose and don't end up with a working shaper.
Is it possible to write the darn config manually??? I am pretty sure I know what I need things to look like.
Aaron
![shaper-phantom interface.jpg](/public/imported_attachments/1/shaper-phantom interface.jpg)
Can I have access to your box?
I didn't understand much of your posting but I am not able to replicate some of your errors here.
Or please after you find the error send me config.xml and rules.debug?!
-
Attached is just a demonstration of what can be done with the new shaper as for queue creation.
-
@ermal:
Attached is just a demonstration of what can be done with the new shaper as for queue creation.
Yup, it's true! I think he took that screen cap from my box ;)
Thanks for the help. I think it's working now! There are some bugs, but it's workable.
Aaron
-
Now that I am able to configure my queues, Is there a way to get a list of the rules that are generated by the wizard?
I don't mind having to input them manually (I need to anyway for my setup), but it would be helpful to have a detailed list with how they are configured so I can set them up on my network. I just don't know every port, tcp flag and everything else that I need to match rules
Aaron
-
I got the new image; thanks for posting! its working now.
I've started working with the new shaper config and I've been unable to get the queues to show traffic relating to the rules the wizard or I define in the floating rules section.
I've done the following to try to get them to work:
-Removed the default accept all traffic rule from the LAN area
-Disabled the webGUI anti-lockout rule
-Added a lan network 2 lan address rule for port 80 to keep access working to the web gui
-Added a lan network 2 lan addres rule for tcp/udp 53 (DNS) to keep access working to the web (in theory, but no rule to * destination on port 80.
-Added basic queues using the wizard but to only include a priority of http traffic (adds rules to the floating rules area)
I go grab a big file from the web and see where my traffic ends up in the queues and it always goes to the default queues.
I've been able to get it to separate in the corresponding queues but I have to put the rules in the specific tab of the interface (LAN in this case) and then it works as we would expect.
Do you have any suggestions based on above as to what I could be doing wrong?
Thanks!
-
I have a few observations/requests that I think will help everyone.. I just struggled with these things for quite a while. Most of these are cosmetic, but very helpful to the end user. Maybe another dev can help polish up the GUI to make it more consistent with the rest of pfSense?
1. Default queues - Is it possible to have the shaper GUI automatically create Default Queues for each level of child queues? This is driving me nutz! Especially when the error messages do not specify which queue layer is missing a default queue. Also, a note that says you must have exactly 1 default queue for each part of the tree would be helpful.
2. Error checking and notification before Applying rules? For Example, When the child total bandwidth is more than the parent, I have to wait for the rules to apply and reload just to find out that some math or parameter is wrong. Then I have to click thru each queue to figure out what everything adds up to be and where I need to change things. Perhaps a list that auto-add's the current layer's total bandwidth as you are entering it? So you will automatically see you are at 105%
3. Editing a queue name after it has been created is still not functioning
4. Modifying queues flagged as Default: It is good that the "Add new queue" and "delete" buttons are invisible on a default queue, because you must have a default queue. But what happens if there is 2 default queues by accident or I need to delete it for some reason? It is not obvious what a user needs to do to modify that queue. Can there be a label that says "Note: in order to delete or modify this queue, the Default Queue flag must be removed"?
5. I think the tree view is very helpful to give people a visual representation on the queue layers/tree. Is it also possible to have a list view of the queues and their most common parameters like we would see in a Rule list (Also like m0no's Pipes or Queues view)? This would give us a bird's eye view of all of the queues for easy troubleshooting. (Just think about asking people on the forum to list their queues.. it's easy to take a screen cap to find obvious things.) It is a pain in the rear to have to click on each and every queue to verify basic settings when things go wrong.
6. As noted in my PM - creating a queue AND specifying service curve parameters - after pressing SAVE the queue creation fails and fails silently (with no error message). We are only able to add service queue parameters AFTER the queue has been created.
7. When using "Add New Queue" button - a. Perhaps it should say "Add Child Queue" to be more accurate? b. There is no way for the user to know which queue he/she is adding a child to. It would be great to have the tree light up and make placeholder where the queue is going to be placed… but at LEAST a label that says "Add a child queue to xxxx parent" would be very helpful.
8. That's all for now :) That'll keep you busy!
-
I've started working with the new shaper config and I've been unable to get the queues to show traffic relating to the rules the wizard or I define in the floating rules section.
I had the same problem several times. I think it is due to the queue rules not loading because of a config error. Did you get an error that scrolled across the top of your screen?
Also, Try Reset States.
Aaron
-
so now that we have a mostly functioning shaper GUI, I need to understand the rules.
I need to understand the floating rules concept more.
My understanding is that we can have rule and "flag" those packets matching the rule… then continue to match rules until the Quick option is found. The concept is great!... The GUI is not.
1. The advanced options section does not even have the parameters labeled. How do we know what to put in these fields? And I think we are missing options necessary for the shaper? ie. Where can I find the TCP flags section and the TOS section? These appear to be missing, unless I am blind? How exactly does the advanced section for flags work? The advanced section tells us what we can do, but not what type of parameter is valid here. What on EARTH is the "Maximum new connections / per second" for, and why does it have a drop-box with numbers of unknown units?
Since I need my network back and fully operational by Friday afternoon, I need to be able to get these rules in place or else go back to 1.2 release. These GUI issues must be addressed. I'm not trying to be harsh, but this shaper was claimed to be "90% completed", but in reality it is still in alpha stage.
ie. Do I just type in "VoIP" for the first unnamed parameter and that is my flag? And then on the network matching rule, do I use "VoIP" in the 2nd (unnamed) field as the flag that is necessary to match with that particular rule? Is it possible to use multiple flags in these parameter fields?
So, in my situation, I need to match the traffic type (ack, VoIP, web, ssh, etc). Then I need to match a Network address to determine which queue to place the packet in. Then how does that queue pass the packets to it's parent queue?
So, for VoIP(Generic low-delay TOS), what exact rules do I need to flag a packet as "VoIP" and continue down the list of rules.
These questions are exactly what end users (like ME) are going to be asking. Why not give the answer before we need to answer 5233 of the same question in the forum?
Thanks for the help.
Aaron
-
Full ISO install would be nice. Somehow the full install update file killed my full install. Can not find kernel when it rebooted.
-
so now that we have a mostly functioning shaper GUI, I need to understand the rules.
I need to understand the floating rules concept more.
My understanding is that we can have rule and "flag" those packets matching the rule… then continue to match rules until the Quick option is found. The concept is great!... The GUI is not.
1. The advanced options section does not even have the parameters labeled. How do we know what to put in these fields? And I think we are missing options necessary for the shaper? ie. Where can I find the TCP flags section and the TOS section? These appear to be missing, unless I am blind? How exactly does the advanced section for flags work? The advanced section tells us what we can do, but not what type of parameter is valid here. What on EARTH is the "Maximum new connections / per second" for, and why does it have a drop-box with numbers of unknown units?
The advanced option is the same as in 1.2 it just has 2 more fields that just mark the packets as in every marking thingy i have used.
To learn more how to use them just see http://cvs.openbsd.org/faq/pf/tagging.html.
The tag = mark in that page.
The tagged = marked.
Since I need my network back and fully operational by Friday afternoon, I need to be able to get these rules in place or else go back to 1.2 release. These GUI issues must be addressed. I'm not trying to be harsh, but this shaper was claimed to be "90% completed", but in reality it is still in alpha stage.
You do not know what an alpha stage means and do not make silly claims.
I do not think there is anything in there anymore to hold you from creating a working config apart from some error checking preventing the user from doing silly things.
BTW, for an interface you need a default queue. It does not mean that for every 'level' you can have a default queue, just that for the LAN section you need explicitly ONE AND ONLY ONE DEFAULT QUEUE IN THAT 'LEVEL'.
The same applies to WAN/OPT1 or any other interface. Any of them should have only one default queue.
ie. Do I just type in "VoIP" for the first unnamed parameter and that is my flag? And then on the network matching rule, do I use "VoIP" in the 2nd (unnamed) field as the flag that is necessary to match with that particular rule? Is it possible to use multiple flags in these parameter fields?
So, in my situation, I need to match the traffic type (ack, VoIP, web, ssh, etc). Then I need to match a Network address to determine which queue to place the packet in. Then how does that queue pass the packets to it's parent queue?
So, for VoIP(Generic low-delay TOS), what exact rules do I need to flag a packet as "VoIP" and continue down the list of rules.
You have a box labeled DSCP(diffserv codepoint) and you do not need TOS for that if you have DSCP.
So, in my situation, I need to match the traffic type (ack, VoIP, web, ssh, etc). Then I need to match a Network address to determine which queue to place the packet in. Then how does that queue pass the packets to it's parent queue?
I do not think this even makes sense but am trying to give you some help.
If you want you can do things as.
1- Floating rule tag packets for VoIP. In the advanced section on the mark input just type "VoIP"
2- On specific interface tab just create a rule that has in the marked input "VoIP" and the specific network you want plus the queue you want it to go to.
These questions are exactly what end users (like ME) are going to be asking. Why not give the answer before we need to answer 5233 of the same question in the forum?
Thanks for the help.
Aaron
-
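The two pfctl errors quoted in this thread ("should have one default queue on vr0" and "the sum of the child bandwidth higher than parent") both come from pfctl rejecting the generated ALTQ config after it has already been applied. The following is an added example, not pfSense or pf code: a small Python checker that walks a queue tree and reports the same two conditions (plus the 15-character name limit the GUI reported) before anything is loaded, then renders simplified pf.conf-style altq/queue lines. Queue names and bandwidths in the sample tree are constructed to resemble the tree discussed above, not a real configuration; the rendering omits priority and service-curve parameters. Percentages are taken relative to the direct parent, which is how pf.conf(5) defines a percentage bandwidth.

```python
"""Added example (not pfSense/pf code): validate an ALTQ/HFSC queue tree
before applying it, reporting the pfctl errors seen in this thread."""
from dataclasses import dataclass, field
from typing import List, Optional

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
MAX_NAME = 15  # name-length limit the GUI reported in this thread


def parse_bw(spec: str, parent_bps: Optional[int] = None) -> int:
    """'15Mb', '5%', '30000' (bare number = bits/s) -> bits per second.
    A percentage is relative to the direct parent, as in pf.conf(5);
    unit suffixes are case sensitive, as pfctl treats them."""
    spec = spec.strip()
    if spec.endswith("%"):
        if parent_bps is None:
            raise ValueError("percentage bandwidth needs a parent queue")
        return parent_bps * int(spec[:-1]) // 100
    for unit in ("Kb", "Mb", "Gb", "b"):  # two-letter suffixes first
        if spec.endswith(unit):
            return int(float(spec[: -len(unit)]) * UNITS[unit])
    return int(spec)


@dataclass
class Queue:
    name: str
    bandwidth: str
    default: bool = False
    children: List["Queue"] = field(default_factory=list)


def validate(iface: str, iface_bw: str, queues: List[Queue]) -> List[str]:
    """Return pfctl-style error strings; an empty list means the tree is
    consistent: exactly one default queue on the interface, children never
    exceeding their parent's bandwidth, names within MAX_NAME."""
    errors: List[str] = []
    defaults: List[str] = []

    def walk(parent: str, parent_bps: int, children: List[Queue]) -> None:
        total = 0
        for q in children:
            if len(q.name) > MAX_NAME:
                errors.append(f"queue name {q.name!r} longer than {MAX_NAME}")
            if q.default:
                defaults.append(q.name)
            bps = parse_bw(q.bandwidth, parent_bps)
            total += bps
            walk(q.name, bps, q.children)
        if total > parent_bps:
            errors.append(
                f'the sum of the child bandwidth higher than parent "{parent}"')

    walk(iface, parse_bw(iface_bw), queues)
    if len(defaults) != 1:
        errors.append(f"should have one default queue on {iface} "
                      f"(found {len(defaults)}: {defaults})")
    return errors


def render(iface: str, iface_bw: str, queues: List[Queue]) -> str:
    """Render simplified altq/queue lines in pf.conf syntax."""
    lines = [f"altq on {iface} hfsc bandwidth {iface_bw} queue {{ "
             + ", ".join(q.name for q in queues) + " }"]

    def emit(q: Queue) -> None:
        line = f"queue {q.name} bandwidth {q.bandwidth}"
        if q.default:
            line += " hfsc(default)"
        if q.children:
            line += " { " + ", ".join(c.name for c in q.children) + " }"
        lines.append(line)
        for c in q.children:
            emit(c)

    for q in queues:
        emit(q)
    return "\n".join(lines)


# Constructed sample tree (hypothetical names), one default queue on the interface.
SAMPLE = [
    Queue("qInternet", "15Mb", children=[
        Queue("qAP1", "5Mb", children=[
            Queue("qAP1Ack", "20%"),
            Queue("qAP1Default", "80%", default=True),
        ]),
        Queue("qAP2", "5Mb", children=[
            Queue("qAP2Ack", "20%"),
            Queue("qAP2Down", "80%"),
        ]),
    ]),
]

if __name__ == "__main__":
    problems = validate("vr0", "100Mb", SAMPLE)
    print("\n".join(problems) if problems else render("vr0", "100Mb", SAMPLE))
```

Running the script prints the rendered queue definitions for the sample tree; moving the default flag onto a second queue, or giving a child more bandwidth than its parent, makes it print the corresponding error instead, which is the check the thread asks the GUI to perform before Apply.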
These questions are exactly what end users (like ME) are going to be asking. Why not give the answer before we need to answer 5233 of the same question in the forum?
because the dev will not know what the end user needs help with. docs and howtos are usually written by the enduser.
-
@sai:
because the dev will not know what the end user needs help with. docs and howtos are usually written by the enduser.
I've already committed to writing the howto. But not everybody reads directions, either ;)
The dev will know what the end user needs help with by end users (like me) who are not afraid to give good feedback and take significant amounts of time to document the problems so they can be fixed or made idiot-proof before release to the public.
It is my experience that if you can get end users to USE your program or product and you watch how they do things, you can use that insight to make your program more user friendly. The moment a user says "Huh?" is where a dev should take note and make something more intuitive or at least give a note explaining what we need to do here. Then you continue on in the process, carefully watching the end user, until they hit the next "huh?" and take note again.
Test and test again until the system flows smoothly for every different kind of situation the users will encounter (as much as possible). In my experience, the GREAT products out there thrive on getting feedback from users and refining and refining based on that feedback. The more feedback, the better things become because the dev has the most insight on what people are doing with the product. Not everyone has an in depth knowledge of BSD, altq, HFSC. Isn't that the point of making a GUI?
I hope the feedback I offer is appreciated. Working with other companies to report issues has been GREATLY appreciated because their product can become better as a result.
In this situation, I AM a customer, offering my time and experience to try to help, but it is not well received.
Aaron
-
Yeah but you make comments on the product by judging it.
If you want to help please tell me what you find unnatural in there and not accuse something does not work only to you it seems counter intuitive.
A firewall is not something simple if you click the advanced options. This try to be addressed with wizards just for this class.
I have attached a picture of what the service curve parameters need to look like when added to the queue.
It works since the first time, it just seems that you do not know how to enter them.
Valid values for units in the service curve parameters are (Kb, Mb, Gb, b, %) and they are case sensitive.
You cannot rename a queue cause that means that you want to create a new one. Delete the old and create a new one, it is not something that difficult afaik.
Furthermore it is not consistent to allow a queue to be renamed cause of the rules that reference it. When you delete a queue it is automatically removed from rules to not break your config. (Just a rule afaik to protect the silly user ;).
P.S. the picture is taken from a debugging output, that's why some labels are misaligned.
-
@ermal:
Yeah but you make comments on the product by judging it.
If you want to help please tell me what you find unnatural in there and not accuse something does not work only to you it seems counter intuitive.
I don't try to be a jerk, honest! I get frustrated, but I just try to give objective information. I didn't write the errors for my health :)
Valid values for units in the service curve parameters are (Kb, Mb, Gb, b, %) and they are case sensitive.
Yes, I knew these parameters. I just rebooted a couple times and now queue creation is working just fine with the same values that previously failed. Hmm??
I am wondering if a lot of my errors are because of the errors I got about not being able to write to the file system and not being able to write to the config? Maybe this is a bigger problem, outside of the shaper in pfSense or BSD? Or maybe I have intermittent defective hardware or driver problem for ALIX?
You cannot rename a queue cause that means that you want to create a new one. Delete the old and create a new one is not that it is something that difficult afaik.
Furthermore it is not consistent to allow a queue to be renamed cause of the rules that reference it. When you delete a queue it is automatically removed from rules to not break your config. (Just a rule afaik to protect the silly user ;).
Fair enough. Just sometimes people make spelling errors. If the error was on the parent, it is a lot of work to create 10-15 queues again ;) Something to consider? I would love to have a "create parent queue" button.
Entering hex values to convert TOS to diffserv: please file this under unnatural :)
I remember the diffserv options used to be listed out like TCP Flag radio buttons were:
Low Delay: yes no don't care
Reliability: yes no don't care
I googled for the hex value equivalent of low-delay TOS … I can't find a specific value, and I don't have time to become an expert on diffserv. Where did the radio button go? Or do I remember it from m0n0? But for now, can you give me a value that will work for VoIP? Pretty Please? Plus, I would really love the list of rules the wizard puts out so I can get a config running by this afternoon.
Aaron
-
Entering hex values to convert TOS to diffserv: please file this under unnatural :)
I remember the diffserv options used to be listed out like TCP Flag radio buttons were:
Low Delay: yes no don't care
Reliability: yes no don't care
I googled for the hex value equivalent of low-delay TOS … I can't find a specific value, and I don't have time to become an expert on diffserv. Where did the radio button go? Or do I remember it from m0n0? But for now, can you give me a value that will work for VoIP? Pretty Please? Plus, I would really love the list of rules the wizard puts out so I can get a config running by this afternoon.
Aaron
TOS is not DiffServ. Please consult wikipedia if unsure about this and what the difference is between TOS and DiffServ. For TOS you could have these radiobuttons but DiffServ is different. You also can only use either or as both techniques use the same bits in the IP-Header.
http://en.wikipedia.org/wiki/Type_of_Service
http://en.wikipedia.org/wiki/Differentiated_services
m0n0 only supports TOS but DiffServ is superior as it allows more levels of control.
-
TOS is not DiffServ. Please consult wikipedia if unsure about this and what the difference is between TOS and DiffServ. For TOS you could have these radiobuttons but DiffServ is different. You also can only use either or as both techniques use the same bits in the IP-Header.
http://en.wikipedia.org/wiki/Type_of_Service
http://en.wikipedia.org/wiki/Differentiated_services
m0n0 only supports TOS but DiffServ is superior as it allows more levels of control.
Thanks for the clarification. I'll take a look at that. Ermal told me to use Diffserv when I asked about TOS. "You have a box labeled DSCP(diffserv codepoint) and you do not need TOS for that if you have DSCP."
The question remains: WHERE and HOW do I set the rule that will identify my VoIP traffic? I can't find the option for generic Low-Delay TOS and I don't know the DiffServ value. If I need to enter a DiffServ value, what hex value do I use? I can't run the shaper wizard or it will destroy my queue sets, and I need to set manual rules anyway. I don't really want to use IP or MAC to identify traffic, but I guess I can in the immediate term.
This is why I have asked a couple times for the detailed list of rules the wizard generates ;) I can use them as a template. I know just enough to be dangerous ;) I know high level stuff, and even some low level things. But I do not possess the knowledge for getting into bit level details of diffserv and stuff like that.
I just need to create rules to ident traffic… something like this:
High Priority flag: dest 80, 443, 53, 5100, 22, etc
VoIP: low-Delay TOS (or equivalent diffserv) .. or I may have to list individual IPs
catchall (Not sure how to create this one???)
Then rules for each /16 subnet to put the ident flags in the appropriate ack & queue for that subnet.
If this does not sound correct, please let me know.
Thanks for your help!
Aaron
-
Here is a trick.
Keep your QUEUE config in opt1 interface.
Run the wizard and select only one conection(either multiwan or multilan) follow the wizard and it will create the queues and rules.
After finishing the wizard and having the rules ready to modify you can then go to Firewall->Traffic shaper->By queues view
Select the opt1 interface from the list and select "copy/clone queues" over the Lan interface and then Wan if you want the same there too.
Now just follow the rules on the floating tab and modify those at your will.
That should keep your config and give you a template of rules.
Is this ok for you?
I cannot give you the template since it is generated in code and they are not hardcoded rules.
-
@ermal:
Here is a trick.
Is this ok for you?
I cannot give you the template since it is generated in code and they are not hardcoded rules.
That sounds like a good trick! I just ran it like that, but got this error on the last screen that has the "finish" button.
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41 Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41 Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41 Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41 Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41 Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/shaper.inc:41) in /usr/local/www/wizards/traffic_shaper_wizard.inc on line 535
D'oh! The end result is this error and these queues (the rules generated, but with only 2 queues)
php: : New alert found: There were error(s) loading the rules: pfctl: should have one default queue on vr1 pfctl: errors in altq config The line in question reads [ should have one default queue on vr1 pfctl]:
since my queues are destroyed now anyway (I did copy them to OPT1..?? But I think I ran the wrong wizard) I'll start over fresh one more time. crosses fingers
Aaron
![after shaper wizard.jpg](/public/imported_attachments/1/after shaper wizard.jpg)
-
could you tell me what options did you choose during the wizard? And which wizard you ran?