Traffic Shaping takes down IPSEC Tunnels, and MAIL connections

  • Hello, I have a big trouble with queues on v2.0 x86 from Monday 16.

    I'm working on v1.2.3 perfectly, but I need Diffserv for VoIP, so I decided to move to 2.0.
    I powered off the machine, disconnected the old HD, attached a new one and booted from the pfSense 2.0 x86 CD from Monday 16.
    I did an Easy Install, let it boot and changed the IP on LAN to access it by the web interface, then restored the config from my pfSense 1.2.3.

    I removed all additional modules to minimize problems, and started the traffic shaper wizard for multi LAN and multi WAN.
    I have a net like this…

         ________           _________________         _____________
    -----| LAN    |---------| Pfsense         |-------| Router Wan1 |
         |________|         |                 |       |_____________|
                            | DMZ             |       | Router Wan2 |
                            |_________________|       |_____________|

    I selected LAN for local1 and DMZ for local2, then Wan1 and Wan2 for outputs, with their bandwidths, and only reserved some bandwidth for VoIP (300Kb) with priority 7 and this config at realtime: 0b - 10ms - 320Kb
    Later I raised the % bandwidth for the default queues to reach 100% of parent.

    Everything saves and applies OK, no errors, but half an hour later all connections to LAN from VPN hang, and port redirections to the mail server on DMZ don't work; only web services and NAT from LAN work.

    Any idea?
    I'm going crazy with this, any help greatly appreciated.
    Many thanks


  • Upgrade to latest snap.

  • I updated to the latest snapshot yesterday morning; all traffic coming from outside remains blocked.
    After that I removed the traffic shaping config, no changes, then tried rebooting, no changes.

    It appears that the assistant does something that, later, the remove shaping button does not solve.

    Another thing that I find curious is that the shaper uses for child queues only 50% of the total interface bandwidth given at the parent queue called Internet.

    Is anyone experiencing problems like mine with traffic shaping?

  • I do not think this is traffic shaping related.
    Check your configuration for possible problems.

  • I tried it again and connections don't start being denied until I run the traffic shaper assistant.
    The only traffic that is allowed at WAN is outgoing HTTP.

    Using the traffic assistant for multi WAN and multi LAN, it keeps using 50% of bandwidth. For example:

    WAN (2Mb)
    –Internet Queue (2Mb)
              |___ qAck (19%)
              |___ qDefault (9,9%)
              |___ qP2P (4,95%)
              |___ qVoIP (512Kb)
              |___ qOthersHigh(9,9%)
              |___ qOtherLow(4,95%)
    The percent values only reach 50% and bandwidth for VoIP is only 25%, so I think 25% will be unused because it is not included in any queue and should be in the qdefault queue, raising it to 34,9%

    Please correct me if I'm wrong, but all I do is run the assistant and raise the qdefault queues to reach near 100%.

    Many thanks

  • Now you are asking totally unrelated questions to the thread topic.

  • The main problem for me is the same: incoming connections, as previously said, don't reach their destination after I complete the traffic shaper assistant, and this is the post subject "Traffic Shaping takes down IPSEC Tunnels, and MAIL ". Later I realized that it cuts any incoming connection not using HTTP (web server at DMZ works); all other incoming traffic doesn't do it (Mail, IPSEC, OpenVPN, ports redirected …

    I forgot to tell that this is happening on the x86 version, with config imported from v1.2.3

  • I am sorry but I cannot believe that.
    Can you post your /tmp/rules.debug here?

  • OK, today I will be out of the office, but Thursday I will try again with the latest snapshot and will post the last /tmp/rules.debug
    Thanks in advance  :)

  • Same result, but this time I waited without doing traffic shaping and it cut mail connections (at this moment only connections to IPPublica4, which is NATed to the mail server at DMZ, appear to be affected).
    IPPublica1=Mail server
    IPPublica3=web server
    IPPublica4=Wan Firewall
    IPPublica5=Default WAN Router

    Here is the rules.debug

    [deleted by request]


    If I do a tcpdump I don't see the public VIP (Proxy ARP Virtual IP) in the logs. Does anybody know if there is any problem importing Virtual IPs? The only time that I updated the firewall and the mail server worked until I ran the traffic shaper assistant, I saw the reinstalling modules web dialog and I quickly changed the window trying to interrupt it. Doing that, it worked until I tried to do the traffic shaping.

    I'm going really crazy with this, any help would be nice.

  • You have problems in your nat.

  • But… that config works great on 1.2.3; I just backed it up and restored it on 2.0.

    What do you see strange in it?

