Traffic shaper changes [90% completed, please send money to complete bounty]
-
@ermal:
When you choose multiple Wan wizards it refers to internet connections.
For multi LAN wizards it refers to number of internal networks ie number of local interfaces that will be connected to local networks.
I know that after multiple runs thru the wizard, but my point is that it's not obvious. Some wizard(s) do specify Local and WAN, some just say num of connections.
Anyway, more bug time! ::)
1. The rules page loads VERY slowly and often fails to complete loading. Attaching a couple screen caps. Almost every time I have to refresh the list to get a full populate. Mostly on the floating rules, but WAN is having same issue. I am guessing this an issue outside of the shaper?
2. Rules created by the wizard
-
First thing I noticed is my VoIP goes to my P2p catch all queue. The voIP rule seems to have UDP as the only identifying portion of the rule? Where is the TOS/DiffServ flags? This used to work flawlessly in 1.2RC4
-
Do we still need to delete the default LAN rule and create one on the float tab?
-
Do we still need to disable the anti-lockout rule?
3. Floating rules interface:
I like the concept of tagging a LOT. But, I think that mixing the queues in with the firewall rules is confusing. Maybe I'm just not knowledgeable enough, but I am paranoid of the interaction of creating Pass rules in the firewall to use the shaper queues. I just reloaded 1.2 Release and making shaper rules with targets, TOS & TCP flags just seems a lot more intuitive. Plus, it idents my VoIP correctly.I have decided that I am going to use 1.2 Release for the time being. I'll get out of your hair, let you work.
Please, Please, Pretty please… test everything and polish things up before releasing this again. Walk through what a user would do in a few scenarios. Forget your intimate knowledge of what you created, and try to go thru it like you have never seen it. Of course test with real traffic to make sure rules are matching (I think absolutely everything is ending up in the catch all queue for me right now! I didn't check the lockout rule tho.) Read each label and try to config using only the directions on the screen. You will see what I mean.
I look forward to a 1.3 beta where others have tested the shaper and things are working much better.
I'll keep an eye on this thread. Please feel free to ping me if you would like me to do some testing or get some feedback.Regards,
AaronEDIT: I am still committed to writing a HowTo.. But I'd like thing to be in more final form before I prepare it.
-
-
How much do I need to contribute to get a 1.2 package for this? I can't send much immediately but I could send $50 immediately if it means I can:
1.5mb T1 connection
a) Limit DMZ upload/download to/from WAN to 512kb/sec
b) Not limit DMZ upload/download to/from LANIs this possible/is $50 enough to get access to the 1.2 packages?
-
Hi,
i know that maybe i wasn't supposed to do that, but i've downloaded the last update image from the location ermal gave me the last time, named
pfSense-Full-Update-1.2-RELEASE-20080402-1748.tgz
Do not use it!! The kernel doesn't load on my machine after the update, i will try to figure out how to fix that…
albe
-
k3rmit is this an embedded update?!
Since others have reported to upgrade just fine!
-
sorry to have such few time to follow this thread ermal, i still owe you an answer regarding a shaper error… which is: i managed to disable it, reset the configuration and reconfig again correctly. I suppose something got wierd with the first shaper setup, that subsequently created an interpretation error with the update.
To answer your last question, no, is not embedded and thanks for the new link you sent me, i will have a look at it tomorrow morning (it's midnight here).
cheers
albe
-
Well, I haven't been around for some time and if I see the postings during my absence it looks like no many people having problems to setup and configure the new shaper.
Sorry, but I do have some difficulties to get it working.
The lastest available update (20080409-1911) does not have the new shaper, or at least to wizard looked like to old one.
So I downloaded 20080402-1748 and applied it to a fresh 1.2-RELEASE installation (downgrading from 20080409-1911 does not worked).
Once finished the basic configuration I moved the "Default LAN rule" to the floating tab and disabled the webGUI anti-lockout rule.
To keep it simple the load-balancing pools have been created but no rules to use them have been created.
Only the floating tab is having one rule.
So far everything good, I still could access to webGUI and the clients could access the internet.Now I walked through the single LAN Multi WAN Wizard:
numberofconnections: 3
Put in the values of my ADSL connections (still don't know if I should substract the PPPoE overhead? But guess, yes!) and select HFSC scheduler.
Enable Prioritize Voice over IP traffic.
No Penalize IP or Alias.
No Lower priority of Peer-to-Peer traffic (At a later stage I do want this but for now I want it as simple as possible).
No Prioritize network gaming traffic.
Yes Other networking protocols, set HTTP and MSN to higher priority and SMTP. POP3, IMAP and Lotus Notes to Lower priority.
Finish.The following rules at the floating tab have been created:
Proto Source Port Destination Port Gateway Queue Schedule Description UDP * * * * * qVoIP DiffServ/Lowdelay/Upload TCP * * * 1863 * qACK/qOthersHigh m_Other MSN1 outbound TCP * * * 6891 - 6900 * qACK/qOthersHigh m_Other MSN2 outbound TCP * * * 6901 * qACK/qOthersHigh m_Other MSN3 outbound UDP * * * 6901 * qOthersHigh m_Other MSN4 outbound TCP * * * 80 (HTTP) * qACK/qOthersHigh m_Other HTTP outbound TCP * * * 443 (HTTPS) * qACK/qOthersHigh m_Other HTTPS outbound TCP * * * 25 (SMTP) * qACK/qOthersLow m_Other SMTP outbound TCP * * * 110 (POP3) * qACK/qOthersLow m_Other POP3 outbound TCP * * * 143 (IMAP) * qACK/qOthersLow m_Other IMAP outbound TCP * * * 1352 * qACK/qOthersLow m_Other LotusNotes1 outbound UDP * * * 1352 * qOthersLow m_Other LotusNotes2 outbound * LAN net * * * * noneI would expect that HTTP traffic would go into qOthersHigh and receiving an email (8MB attachment) with Thunderbird into qOthersLow.
OK, the outgoing port is set to 587 because port 25 is blocked here, but the incoming is default on port 110.But it does not, everything goes into qDefault (WAN and LAN).
Do I need to configure something else?
Cheers
-
Hi guys,
Happy to pledge 50$ to get openvpn tunnels working with the Shaper.. Is this possible? Will it be implemented?
Regards,
-
Well, I haven't been around for some time and if I see the postings during my absence it looks like no many people having problems to setup and configure the new shaper.
Sorry, but I do have some difficulties to get it working.
The lastest available update (20080409-1911) does not have the new shaper, or at least to wizard looked like to old one.
So I downloaded 20080402-1748 and applied it to a fresh 1.2-RELEASE installation (downgrading from 20080409-1911 does not worked).
Once finished the basic configuration I moved the "Default LAN rule" to the floating tab and disabled the webGUI anti-lockout rule.
To keep it simple the load-balancing pools have been created but no rules to use them have been created.
Only the floating tab is having one rule.
So far everything good, I still could access to webGUI and the clients could access the internet.Now I walked through the single LAN Multi WAN Wizard:
numberofconnections: 3
Put in the values of my ADSL connections (still don't know if I should substract the PPPoE overhead? But guess, yes!) and select HFSC scheduler.
Enable Prioritize Voice over IP traffic.
No Penalize IP or Alias.
No Lower priority of Peer-to-Peer traffic (At a later stage I do want this but for now I want it as simple as possible).
No Prioritize network gaming traffic.
Yes Other networking protocols, set HTTP and MSN to higher priority and SMTP. POP3, IMAP and Lotus Notes to Lower priority.
Finish.The following rules at the floating tab have been created:
Proto Source Port Destination Port Gateway Queue Schedule Description UDP * * * * * qVoIP DiffServ/Lowdelay/Upload TCP * * * 1863 * qACK/qOthersHigh m_Other MSN1 outbound TCP * * * 6891 - 6900 * qACK/qOthersHigh m_Other MSN2 outbound TCP * * * 6901 * qACK/qOthersHigh m_Other MSN3 outbound UDP * * * 6901 * qOthersHigh m_Other MSN4 outbound TCP * * * 80 (HTTP) * qACK/qOthersHigh m_Other HTTP outbound TCP * * * 443 (HTTPS) * qACK/qOthersHigh m_Other HTTPS outbound TCP * * * 25 (SMTP) * qACK/qOthersLow m_Other SMTP outbound TCP * * * 110 (POP3) * qACK/qOthersLow m_Other POP3 outbound TCP * * * 143 (IMAP) * qACK/qOthersLow m_Other IMAP outbound TCP * * * 1352 * qACK/qOthersLow m_Other LotusNotes1 outbound UDP * * * 1352 * qOthersLow m_Other LotusNotes2 outbound * LAN net * * * * noneI would expect that HTTP traffic would go into qOthersHigh and receiving an email (8MB attachment) with Thunderbird into qOthersLow.
OK, the outgoing port is set to 587 because port 25 is blocked here, but the incoming is default on port 110.But it does not, everything goes into qDefault (WAN and LAN).
Do I need to configure something else?
Cheers
Did you remove the qucik from the Default lan rule?!
Please send me even your rules.debug to me privately to give you a more complete answer.
Go to Diagnostics->Edit file on the textbox enter /tmp/rules.debug and send that output.Ermal
-
Yes, quick is not selected.
My rules.debug should have arrived.
-
Just an update for all those interested before I get into the next issue.
Finally, we managed to get the queues correctly utilized.
It looked like the all rules were correctly created but in /tmp/rules.debug Ermal found that no queues were assigned to the rules.So I started (try and error) to get the queues assigned.
First I disabled all rules using the toggle button in front of each rule and applied the changed.
Then I started enabling the first rule using the toggle button and applied the changes..checking the rules.debug..same before.
But when I opened the same rule and changed the queue to some other…press save and apply... checking the rules.debug..jepp, queue assigned.
Ok, changing back to the correct queue and now the correct queue was assigned in rules.debug, gooood!
The rest of the rules I just opened and removed the disabled flag and applied one by one.Now the traffic shaper is working with single WAN, lets get to the next level - load balancing.
I do not remember if it was mentioned in this thread before but I'm not sure how to get my traffic balanced over my three connection.
Yes, I have it working with 1.01, 1.2 betas and RCs but it seems to be different with the new shaper.
As soon I create the LB rule on the LAN tab I'm out (yes, anti lockout-rule disabled).Well, after enabling the anti lockout-rules I'm back in and it seems to work.
Two parallel http downloads were using two different connections.
For me it looks like that with my current setup the anti lockout-rule is not an issue.
May be later when I try to catch all p2p which is the major reason for me do traffic shaping?But why I got locked out?
This is how the new rule looks like in rules.debug:
pass in quick on $lan route-to { ( vlan1 192.168.20.254 ) , ( vlan2 192.168.30.254 ) , ( vlan2 192.168.30.254 ) } round-robin from 192.168.100.0/24 to any keep state label "USER_RULE"
Pass in quick! That was the first Ermal asked. But on the LAN tab it does not appear in the rule properties.
So I cannot enable/disable it.Any idea?
Cheers
Btw.
Where are all the success stories?
I believe it would help a lot if more people could post a brief description how they did and what pitfalls they run into! And even more important, how to get around or avoid!
Not only that others would benefit but also free-up Ermals back. -
So now it is working?!
Anyway you get locked out since the route-to rule catchs up your request and gets sent out of the firewall and not to the server running on the pfSense machine. So it seem that you need to keep that anti-lockout rule.
-
Yes, it is working now.
Thank you very much for your support.Now I have to re-read about what you said about load-balancing, squid and traffic shaper.
Cheers
-
I have a simple question how does this differ to the normal traffic shapper ?
which one would suite me better.
we host websites on port 80 and 443 , i want to set the http/mail/ssh to be priority traffic in and out, mostly out for one netwrok and low proiroty traffic for another network no matter what it is
-
Just out of curiosity, how much was the total bounty, and how much of the bounty is still outstanding?
I'm just looking for a dollar amount, not a list of shame.
-
Ciao everybody,
had a chance to install the latest iso (the firmware update wasn't updating at all) and everything is working nicer now, with floating rules created automatically by the wizard according to definitions.
Still, i'd like to report a couple of bugs:
1. multi lan single wan wizard at the last passage is like
and then
2. the rules creation after the wizard reports the following errors:
php: : There were error(s) loading the rules: pfctl: should have one default queue on em0 pfctl: should have one default queue on bfe0 pfctl: should have one default queue on rl0 pfctl: errors in altq config - The line in question reads [ should have one default queue on em0 pfctl]:
php: : New alert found: There were error(s) loading the rules: pfctl: should have one default queue on em0 pfctl: should have one default queue on bfe0 pfctl: should have one default queue on rl0 pfctl: errors in altq config The line in question reads [ should have one default queue on em0 pfctl]:didn't have the chance to test rules effectiveness, will let you know as soon as i have the occasion (=continuous non interrupted time :-)
cheers
albe
 -
Hi again,
i'm testing the shaper now and must say that besides minor glitches it is working quite fine.
First, the above reported bug is one in the wizard, because i didn't fill the p2p shaping percentage text filed, it didn't check that while clicking Next, went on and BAM, error in the end: i specified that now, so it is creating queues and floating rules correctly.
I'd like to ask something though:
1. I can't reproduce the exact procedure to get there, but somehow, while creating additional queues and assigning them to additional floating rules, it lost all floating rules.
2. The order of rules application on traffic seems to be interface rules and then floating rules: in a case such as mine, one has lots of rules created for each interface, considering floating rules didn't exists for pfsense in the past and it was the only way to regulate traffic, therefore those rules will all use the qDefault queue and will override all those nice floating rules created by the wizard, making them useless, unless you assign to each and every interface rule the corresponding queue. Can the rules application order be reversed?
3. i assigned 4130Kb to the WAN interface, 1Mb to the VOIP queue, and the results of the wizard queue creation are:
qAck: 19.846% band, ls m1 0b, ls d 500, ls m2 19.846%
qDefault: 9.923% band
qVoIP: 32Kb, rt m1 0b, rt d 10, rt m2 1Mb
qOthersHigh: 9.923% band, ls m1 0b, ls d 200, ls m2 9.923%
qOthersLow: 4.9615% band, ls 4.9615%, ls d 200, ls m2 4.9615%same thing for all siblings on other interfaces. Question is: the total amount of bandwidth from these rules doesn't match the one assigned to the WAN interface, why?
On the side note, i'd like to point out that the queue definition interface works well, but limits for values should be checked at entry or submission time, not at changes application, or you will get strange errors which are not always easy to debug. (i.e. bandwidth overallocation for subqueues).
Hope i explained myself well enough..
Thanks
albe
-
Correction at point 1: the f*#@ing pfsync was configured and the conf was overwritten from the first machine. sorry for that.
Correction at point 3: i did assign 1 Mb to VOIP in the wizard.
Finally: i'm struggling to make the catch all queue from LAN to DMZ and viceversa woro, to no avail. communications are always crawling… like 200bps... what's wrong? I double checked everything, i'm monitoring via pftop that the traffic is falling in the right queues, but nothing... even with 80Mb set in the queue and 100Mbit in the interface, the traffic is always crawling. Specifically i'm trying to copy a file from DMZ to LAN: all rules interestd in this have been assigned the right queues. I even created a dedicated ACK queue for such traffic, but it didn't change anything...
any clue?
thanks.
-
Can you please send me your rules.debug to ermal at pfsense.org just to check the order of the evaluation or it might be that the rules produced by the wizard are without the quick keyword and you can edit the floating rules to be terminating but that will mostly break the policy.
I am sorry there is no easy fix to such a thing since there is no easy way to update the existing policy to conform to the new shaper :(.For the DMZ - LAN problem i would suggest trying living the queue policy in effect only for the internet connections ie on the Traffic shaper config delete the queue policy for LAN and DMZ and see if it suits you with shaping only on outbound. Usually it would suffice since the other part is throtled by the ISP and packets will be driven by the outgoing policy.
If you need a more specific answer please give me some more detailed specification even in private if you wish.
-
Guys,
How can i have access to the image with the multi nic shapper?
Thank You!
Duarte Santos
-
If you donate xxx$ to it you'll get access.
Please read every reply in this topic before asking any additional questions.