A definitive, example-driven, HFSC Reference Thread
-
Ok. Moving on to the OpenVPN prioritization.
My Site-to-Site OpenVPN to the office is on server aliased to work_vpn UDP 1195.
I have qVPN on WAN and LAN set at bw 10% rt 5% ls 10%
Floating rule: WAN out dest work_vpn UDP 1195 none/qVPN
That places traffic sent to the VPN in qVPN but none of the return traffic is going into qVPN on LAN.
I haven't been able to get traffic received through the VPN into qVPN on LAN.
I have tried
Floating: LAN out source remote_vpn_lan any none/qVPN
Floating: WAN in source work_vpn UDP 1195 none/qVPN
I know that I can't apply queues to virtual interfaces (OpenVPN), only physical. Not sure what I need to do here.
Edited:
I think I solved this with the following rules:
Floating Match LAN in any source any dest remote_vpn_lan none/qVPN
Floating Match WAN out UDP source any dest work_vpn 1195 none/qVPN
It looks like one of the necessary concepts to grasp is that your rules have to be implemented so they catch the traffic at the point of state creation.
It looks like this also works:
Floating Match OpenVPN any any source any dest any none/qVPN
Floating Match WAN out UDP source any dest work_vpn 1195 none/qVPN
I would think that the former could be used to queue a specific VPN out the LAN interface and the latter would be an easy way to do the same with all OpenVPN traffic.
-
We say that the 20% value for the qLink queue doesn't matter because in this example it is destined just for local traffic, there is no upper limit on it, and usually the qInternet values are way lower than the interface speed. If this is not the case, or if you want to be strictly accurate, you would need to set the qLink value to the difference between the interface speed and the qInternet values, so that the sum of them adds up to 100% (or the interface speed).
Hello Mr. Georgeman,
How is the local traffic directed through qLink? Is there any floating/LAN/WAN rule I need to apply?
Regards,
CP
-
Hello phoenixsampras,
I suppose that, given we've made qLink the default queue, anything that does not match the other queues goes into the qLink queue "by default".
-
Hello all,
I have a few queries:
1. I need some clarifications regarding the relationship between incoming/outgoing connections and downloading/uploading.
I understand that, whether a connection is incoming or outgoing depends on the location/interface where the associated state is first created.
So, if this is correct, then we can say that incoming or outgoing connections are not related to downloading or uploading.
As an example, a local FTP client makes an outgoing connection to a remote public FTP server, but afterwards, a download or an upload can be made.
Similarly, a remote FTP client makes an incoming connection to a local FTP server, but afterwards, a download or an upload can be made.
Is my understanding correct?
2. From what I've understood (as Derelict also mentioned), in order for traffic shaping to work and for the packets to be placed in the correct queue, the rule should be on the interface where the state is first created. Can anyone confirm this?
3. When we create and define the queues in "Firewall->Traffic Shaper" in pfSense, queues created on the LAN interface shape downloads and queues created on the WAN interface shape uploads. Is this correct?
Thanks for any help.
-
Hello all,
I have a few queries:
1. I need some clarifications regarding the relationship between incoming/outgoing connections and downloading/uploading.
I understand that, whether a connection is incoming or outgoing depends on the location/interface where the associated state is first created.
Yes, but this can be either the ingress or the egress interface for the state. Here's an example using the diagram at the top of the thread and FTP. Say you have an FTP client on LAN connecting to an internet FTP site. You can either set the queue with a firewall rule on LAN, or a floating rule on WAN out. Like georgeman and sideout have indicated, it's a lot easier to shape on WAN out. This is because you probably do not want to shape FTP from, say, LAN to DMZ, so you can either have a lot of rules for LAN governing what is shaped and what is not, or just put it on floating WAN out with qLink the default queue on LAN.
So, if this is correct, then we can say that incoming or outgoing connections are not related to downloading or uploading.
As an example, a local FTP client makes an outgoing connection to a remote public FTP server, but afterwards, a download or an upload can be made.
Yes. When either interface matches and sets up a state, the queue on the other interface of the same name is also set. In this example qFTP on WAN will shape traffic out of WAN and qFTP on LAN will shape out of LAN. So your LAN queue will regulate "downloads" and your WAN queue will regulate "uploads", regardless of how the state was created.
Similarly, a remote FTP client makes an incoming connection to a local FTP server, but afterwards, a download or an upload can be made.
Is my understanding correct?
Yes. But for inbound sessions to a local FTP server, you probably want to set the queues on the firewall rule on WAN that allows such connections in, in the first place. As georgeman mentioned, you have to have the rule anyway and it will only apply to WAN traffic.
2. From what I've understood (as Derelict also mentioned), in order for traffic shaping to work and for the packets to be placed in the correct queue, the rule should be on the interface where the state is first created. Can anyone confirm this?
Not exactly. They have to be on an interface that is included in the initial state creation. Like with the outbound FTP session example above, it will work with a floating rule on WAN out even though the session is actually initiated from LAN. This way it will not impact ftp sessions from, say, LAN to DMZ which you probably want to shape differently if at all.
3. When we create and define the queues in "Firewall->Traffic Shaper" in pfSense, queues created on the LAN interface shape downloads and queues created on the WAN interface shape uploads. Is this correct?
You might be better off thinking in terms of flow direction. The shaper shapes traffic going OUT the interface on which the queue is defined. Someone outside could be "uploading" to your local FTP server on LAN, but that "upload" would be shaped by the queue on the LAN interface.
Also remember that rules created on interface tabs only apply to states created coming IN that interface. The only way to create rules to catch states being created going OUT an interface is with a floating rule.
Thanks for any help.
Hope I haven't misled you here.
Someone please correct me if I made any mistakes. I'm learning too.
-
…
I agree on pretty much everything mentioned here ;)
As regards the OpenVPN prioritization mentioned before, in fact I have never tried to do it on an OpenVPN site-to-site tunnel. I can tell that I don't think you can shape within the tunnel in case of (at least) roadwarrior connections since the packets are seen encrypted out of the WAN interface and the queue selections do not seem to be kept (on IPsec they are, but because it is hooked up to the kernel I guess).
As soon as I can we can continue to elaborate on HFSC (since all this was more about the general shaper config)
Cheers!
-
To keep this simple, always try to make the sum of the linkshare values of the child queues add up to the value of the parent queue. This is because HFSC uses a "subtractive" method for the percentages (I can elaborate on this later).
Could you elaborate on this? Your other information has helped me learn more about this.
-
I've been quite busy lately, but I would like to keep helping here :)
To keep this simple, always try to make the sum of the linkshare values of the child queues add up to the value of the parent queue. This is because HFSC uses a "subtractive" method for the percentages (I can elaborate on this later).
Could you elaborate on this? Your other information has helped me learn more about this.
A CBQ parent queue assigns a generic "100%" of its bandwidth to be shared by its children. With HFSC, the percentage is an absolute value, not a fraction of the parent.
Best way to understand this is to analyze this example, taken from the book "Building Firewalls with OpenBSD and PF - 2nd Edition", by Jacek Artymiak
While CBQ uses a 'proportional' method, HFSC uses a 'subtractive' method. To see how it works in practice, compare the following rules, which divide bandwidth in the same way, yet the percentage notation is different:
CBQ

altq on $ext_if cbq bandwidth 20Mb queue { dmznet, prvnet, others }
queue prvnet bandwidth 40% { host1, host2 }   # prvnet gets 8Mb
queue host1 bandwidth 50%                     # host1 gets 4Mb
queue host2 bandwidth 50%                     # host2 gets 4Mb

----

HFSC

altq on $ext_if hfsc bandwidth 20Mb queue { dmznet, prvnet, others }
queue prvnet hfsc(linkshare 40%) { host1, host2 }   # prvnet gets 8Mb
queue host1 hfsc(linkshare 20%)                     # host1 gets 4Mb
queue host2 hfsc(linkshare 20%)                     # host2 gets 4Mb

Basically, the 40% assigned to the parent is divided 50%-50% on CBQ (relative percentage), while it is 20%-20% on HFSC (absolute percentage).
Best regards!
-
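As an added, runnable illustration of the proportional-versus-subtractive point in georgeman's post above (my own example, not code from the Artymiak book, pf or pfSense): the script resolves the same 20Mb tree under both conventions and flags an HFSC tree whose children's linkshare adds up to more than the parent has, which is exactly what happens when CBQ's 50%/50% is pasted into HFSC linkshare values. The tree encoding, the unit suffixes and the 30%/30% shares for dmznet and others are my assumptions; the only check implemented is the sum-of-children rule georgeman recommends, not a full pfctl validation.

```python
"""Resolve a queue tree to absolute bandwidth under CBQ-style (relative) and
HFSC-style (absolute) percentages, and flag children that outgrow their
parent. Constructed example for this thread, not pf or pfSense code; the
tree encoding and the unit suffixes are assumptions."""
from typing import Dict, List, Optional, Tuple

Queue = Dict[str, Optional[str]]   # {"parent": name or None, "share": "40%" or "8Mb"}

UNITS = {"Gb": 1_000_000_000, "Mb": 1_000_000, "Kb": 1_000, "b": 1}


def parse_bw(text: str) -> int:
    """'20Mb' -> 20_000_000 bits/s (decimal units assumed, as pf.conf uses)."""
    for suffix, mult in UNITS.items():      # two-letter suffixes are tried first
        if text.endswith(suffix):
            return int(float(text[: -len(suffix)]) * mult)
    raise ValueError(f"unrecognised bandwidth: {text!r}")


def resolve(root_bw: int, queues: Dict[str, Queue], mode: str) -> Dict[str, int]:
    """Absolute bits/s per queue.

    mode="cbq":  a percentage is a share of the *parent's* resolved bandwidth.
    mode="hfsc": a percentage is a share of the *interface* (root) bandwidth,
                 the "subtractive" notation georgeman describes.
    """
    if mode not in ("cbq", "hfsc"):
        raise ValueError(mode)
    resolved: Dict[str, int] = {}

    def bw_of(name: str) -> int:
        if name not in resolved:
            q = queues[name]
            parent_bw = root_bw if q["parent"] is None else bw_of(q["parent"])
            spec = q["share"]
            if spec.endswith("%"):
                base = parent_bw if mode == "cbq" else root_bw
                resolved[name] = int(base * float(spec[:-1]) / 100)
            else:
                resolved[name] = parse_bw(spec)
        return resolved[name]

    for name in queues:
        bw_of(name)
    return resolved


def oversubscribed(root_bw: int, queues: Dict[str, Queue], mode: str) -> List[Tuple[str, int, int]]:
    """(parent, children_total, parent_bw) for every parent whose children add
    up to more than it has; the interface itself is reported as "<root>"."""
    resolved = resolve(root_bw, queues, mode)
    totals: Dict[Optional[str], int] = {}
    for name, q in queues.items():
        totals[q["parent"]] = totals.get(q["parent"], 0) + resolved[name]
    problems = []
    for parent, total in totals.items():
        limit = root_bw if parent is None else resolved[parent]
        if total > limit:
            problems.append((parent or "<root>", total, limit))
    return sorted(problems)


# The tree quoted from Artymiak above, in both notations (dmznet/others shares assumed).
ROOT_BW = parse_bw("20Mb")
CBQ_TREE: Dict[str, Queue] = {
    "dmznet": {"parent": None, "share": "30%"},
    "prvnet": {"parent": None, "share": "40%"},
    "others": {"parent": None, "share": "30%"},
    "host1": {"parent": "prvnet", "share": "50%"},   # 50% of prvnet = 4Mb
    "host2": {"parent": "prvnet", "share": "50%"},
}
HFSC_TREE: Dict[str, Queue] = {
    **CBQ_TREE,
    "host1": {"parent": "prvnet", "share": "20%"},   # 20% of the link = 4Mb
    "host2": {"parent": "prvnet", "share": "20%"},
}
# The classic mistake: CBQ's 50%/50% pasted into HFSC linkshare.
HFSC_WRONG: Dict[str, Queue] = {**CBQ_TREE}   # 50% of 20Mb each = 20Mb under an 8Mb parent

if __name__ == "__main__":
    print("cbq ", resolve(ROOT_BW, CBQ_TREE, "cbq"))
    print("hfsc", resolve(ROOT_BW, HFSC_TREE, "hfsc"))
    print("oversubscribed:", oversubscribed(ROOT_BW, HFSC_WRONG, "hfsc"))
```

Both correct trees resolve to the same absolute numbers (prvnet 8Mb, host1 and host2 4Mb each); the HFSC tree with 50%/50% children resolves host1 and host2 to 10Mb each and is reported as 20Mb of children under an 8Mb parent.
-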
I was wondering if anyone here can lend a hand.
I've read this thread line by line - there's a lot of great info here, but I still can't get my QoS to work.
Everything is still on the default queues for each interface.
I'm using CBQ, but it's more or less the same setup.
I have 3 WANS, and 1 LAN.
The WANs are:
WAN
PIAUS <-- OpenVPN to a Canadian server
PIACA <-- OpenVPN to a US server
(I've attached a screen shot of the how the queues are setup).
I made sure to divvy up the BW properly, set the right queues to default, etc...
Easy enough so far...
The I go to make the floating rules (see attachments).
I want to prioritize entire host machines, not ports. I have dedicated VMs on my network that I give certain tasks to (torrent downloading, usenet downloading, etc... ) so I want to be able to route all traffic from certain hosts to certain queues.
I made aliases: queHigh, queMed, queLow to put the hosts in.
I set up the floating rules as instructed, except for the small difference that I'm using more than 1 WAN, so I chose all 3 WANs as the Interface (with direction: OUT) in each of these rules. Then I picked the alias as the Source address. Not sure if this is correct, but I tried it in Source and Destination and neither worked.
So, on to my LAN interface rules (see screen shot).
Here's where I send hosts on my LAN to the specific gateway I want them to leave on, either one of the VPNs or unencrypted on WAN.
Thing is, at one point I had this working... then just the other day I did a full reinstall of pfSense in order to install the 64-bit version.
It was so long ago now that I got it up and running that I can't remember what the heck I did!!
I really hope someone can lend some advice here, I've been researching all day and still haven't found a solution.
Thanks in advance!!!
-
This thread is about HFSC.
-
Yeah, I get that… but as far as the firewall rules are concerned, are they not very similar, if not exactly the same?
-
Yes, HFSC vs CBQ vs PRIQ is just the underlying algorithm. The rules and queue defs are mostly the same with some exceptions like bandwidth definitions and allocation.
Impossible to tell what's going on without seeing your rule definitions. Your floating rules look funky. You have aliases that look like queue names as the Source. Here is my Floating Rules page as a simple example.
-
Hey KOM, thanks for the reply and screen shot.
I've done a bit more reading and found this thread: https://forum.pfsense.org/index.php?topic=61106.0
In it, it's stated (regarding floating rules), "Note that NAT has happened before the rules apply so you can't match on a private IP source that has gone through NAT, you have to match on the destination or the translated source."
This is something I've always wondered but could never find an answer to. What order do things happen in pfSense?
LAN traffic -> into pfSense firewall -> LAN interface rules -> NAT -> floating rules -> desired gateway -> out of pfSense firewall -> modem / internet ?
If I had a better understanding of the "signal path", so to speak, I'm sure I could figure this out.
In my LAN interface rules I have rules that put certain hosts on my LAN into certain gateways - either one of the two VPNs or the WAN.
Does this happen before the floating rules are applied? If so, the "source" in my floating rules wouldn't be my private LAN IP addresses like I've done there, because the address would already have been translated to the WAN or VPN interface.
Am I getting this right?
So, if I want to send certain LAN hosts to: a) a specific gateway and b) a certain traffic shaping queue… I have to... ?
Make LAN interface rules for every combination of priority queue and gateway, then place the hosts into the alias that would correspond to that rule?
Oh, and regarding my aliases that look like traffic queues - I name them that way (high, low, med) and then place the IPs of the hosts in them that I want ALL their traffic to be. I don't do anything at a port level.
-
So the way it works is: (at least my understanding )
Traffic In ---> WAN Interface ---> Floating Rules parsed ---> Traffic hits queues ---> Traffic out from LAN ---> Hits inverse of Floating Rule queues ---> LAN Rules parsed ---> Traffic Out Internet.
When a packet comes in from the WAN, Floating rules are applied and traffic hits queues, and then any traffic that was matched goes out the inverse queue automatically created. Interface rules are processed last and first matching rule wins, so the order of the rules on the interface side is critical.
Case in point - I had applied a limiter to say that any traffic from the LAN Subnet with TCP protocol that was not going to the LAN Subnet via a gateway group was subjected to a limiter. Well it seems that Plants Versus Zombies and ESO both use TCP now for gaming traffic so they were hitting this and causing them to not connect or have lag.
To fix it I had to make a LAN interface rule for the ports they were using and place that above the limiter rule and apply it to the traffic queue - qGames .
Who would have thought that a game is using TCP for actual gaming traffic since the majority of the games out there have been using UDP for the longest time.
You want to queue traffic coming in from the WAN before the NAT happens so you apply the floating rules to the WAN interface. You would use LAN rules to send specific traffic out specific gateways.
I would recommend you create multiple gateway groups for this. Something like:
1. ALLGATES - All your WAN gateways
2. HIGATE - Traffic for your High queues that need the bandwidth
3. LOWGATE - Traffic for your lower queues.
In the ALLGATES group you have all gateways set equally with fail on packet loss or member down.
In the HIGATE group you have a primary WAN and a secondary WAN with a lower setting with fail on packet loss or member down.
In the LOWGATE group you would have the same thing, just with different WANs.
In your LAN rules the last rule, the any/any rule, would use ALLGATES. Split your other rules up to the other gateways. Make sure you have DNS allocated to each gateway under the System tab, otherwise it will not work.
The goal with the groups is to make it so that if a WAN goes down, everything will still function. Make the groups and then test by unplugging a WAN and see what happens. If you don't get the desired results then make some modifications and try again.
Bottomline here is that you need to test , check , test again and then know how to troubleshoot to resolve the issue.
HFSC is a constant tuning process especially in a LAN party setting where you are dealing with large packet amounts and periods of high demand and then low demand. I regularly adjust bandwidth amounts several times during the event to provide the maximum amount of bandwidth to tourney games when needed.
-
Thanks for the reply.
I'm not sure the WAN groups are necessary as I only have one physical WAN. My other two are VPNs that go out over that WAN.
Currently, I'm able to successfully send traffic out over whichever "WAN" I want by using LAN interface rules and applying the alias (containing hosts) to a rule that selects the gateway I want them to leave on.
That part is working fine; it's getting the same traffic into the right queue that I'm struggling with.
I think my issue was that I followed this guide (earlier posts) where it said to place the traffic into queues using floating rules set up as:
interface = WAN
direction = out
I then placed my LAN IP addresses that I wanted put in a certain queue into the same floating rules, as the "source", except I didn't realize that NAT had already happened, effectively changing the "source" IP address from the private LAN address to whichever gateway that host was put on in the LAN rules…. I think...
So I feel like I need to place the traffic into the queues BEFORE NAT happens. Which I assume would be in LAN rules.
I'm going to test this when I get home from work later today.
When I drew my little "signal path" in my previous post, I was starting from the point of view of a host on my LAN.
Are you looking at it the other way around?
-
Yes you always look at it from traffic coming in from the WAN as that is how the shaping is designed to work before the NAT happens. The only way to shape like that is to use floating rules with Interface set to WAN and I use direction any on my rules.
-
So I ran into a problem tonight. I wanted to take a specific OPT2 device, 192.168.225.65, and place it in a "Penalty Box" for egress to the WAN. I created an alias Penaltybox containing Host 192.168.225.65 and created a floating rule on WAN out placing anything sourced from that alias into qPenaltyBox.
There is also a pass any any any rule on OPT2 that assigns no queues.
No traffic was ever placed in qPenaltyBox. States cleared several times. 0 packets put into qPenaltyBox ever.
Does the Pass rule on OPT2 create the state with no queue assigned before the floating rule has a chance to assign the queue?
I did manage to get this traffic into qPenaltyBox by creating a rule on OPT2 that passed traffic from the Penaltybox host and marked it with "PB". I then created a floating rule on WAN out putting all traffic from any to any and marked with PB into qPenaltyBox.
-
In the stickies for traffic shaping, there is a note from Ermal (perhaps collecting several postings together, from the look of it and the thread it links to) that makes reference to needing to kill the any/any rule. That effectively implies that we need to nail down getting everything else classified and sorted. There's also the confusing (to me, thus far) bits about order sensitivity in firewall rule processing, and that being different for interface rules .vs. floating rules, and…in short, I often find things don't do what I think they should do there; I read, I think I get it, I try things, they don't work as expected based on my reading, lather, rinse, repeat. Perhaps if I had a month and nothing else to do....
Ermal wrote:
Now back to why you need to disable the anti-lockout rule and the default LAN rule.
The pf packet filter is stateful and if it registers a state about a stream of traffic it will not check the ruleset again.
On this packet filter that is used in pfSense traffic is assigned to a queue by specifying it explicitly with the rule that matches the traffic/ the rule that creates the state.
The default anti-lockout rule is the same as the default LAN rule, just created automatically to prevent the user from doing stupid things.
But this rule is too generic, as it matches all the traffic passing from LAN and nothing else in the ruleset gets executed. As such it sends all the traffic to the default queue, which is not what the user wants with a QoS policy on.
The same applies to the default LAN rule pfSense ships with. Since now you have to explicitly choose the queue the traffic has to go to when creating a rule, there is no easy solution to this other than disabling these settings and having more fine-tuned rules for classifying traffic to the proper queue.
-
Maybe someone can expand on WHY this is, I just know that for the order of rules processing, it follows that:
WAN and LAN rules are applied to the first matching condition working its way down from top to bottom.
Floating rules apply to the LAST matching rule from top to bottom.
Hope this helps.
-
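Added example, written for this thread and not taken from pfSense or pf: a small Python model of the rule-processing behaviour that the penalty-box post, Ermal's note and the rule-order post above describe. It encodes the assumptions I am making about pfSense's generated ruleset: floating rules are evaluated before interface-tab rules; interface-tab rules are "in" rules with quick set, so the first match wins; non-quick rules are last-match; each interface a packet crosses keeps its own state, created by whatever rule matched on that pass, so the queue is fixed at state creation and the ruleset is not consulted again for the flow; outbound NAT rewrites the source before WAN "out" rules are tried, which is why a floating WAN-out rule keyed on a private source never hits; and pf's tag/tagged is the way to carry a classification from the ingress pass to the WAN-out pass. Interface names, addresses, rule names and the built-in "pass out all" stand-in rule are constructed.

```python
"""Toy model of how pf, as pfSense configures it, settles the rule, queue and
tag of a forwarded flow. Constructed example for this thread, not pf/pfSense
code. Assumptions (see the lead-in): floating rules before interface-tab
rules; interface-tab rules are "in" and quick; other rules are last-match;
one state per interface crossed, created on that pass; outbound NAT before
WAN "out" rules; an existing state short-circuits rule evaluation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, Optional[str]]          # (decision, queue)

@dataclass
class Rule:
    name: str
    iface: str                    # "OPT2", "WAN", ... or "any"
    direction: str                # "in", "out" or "any"
    src: str = "any"
    dst: str = "any"
    action: str = "pass"          # "pass", "block" or "match" (options only)
    queue: Optional[str] = None
    tag: Optional[str] = None     # tag stamped on the packet when matched
    tagged: Optional[str] = None  # match only packets carrying this tag
    quick: bool = False
    floating: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[str] = None

def matches(rule: Rule, iface: str, direction: str, pkt: Packet) -> bool:
    return (rule.iface in ("any", iface) and rule.direction in ("any", direction)
            and rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and (rule.tagged is None or rule.tagged == pkt.tag))

# Stand-in for pfSense's built-in non-quick "pass out all" rule (assumed).
LET_OUT = Rule("let-out-anything", "any", "out", floating=True)

class Firewall:
    def __init__(self, rules: List[Rule], nat_iface: str, nat_addr: str):
        self.rules = ([LET_OUT] + [r for r in rules if r.floating]
                      + [r for r in rules if not r.floating])   # floating first
        self.nat_iface, self.nat_addr = nat_iface, nat_addr
        self.states: Dict[Tuple[str, str, str], Verdict] = {}  # one per interface

    def test(self, iface: str, direction: str, pkt: Packet) -> Verdict:
        """One pass of the filter; records a state when the packet passes."""
        key = (iface, pkt.src, pkt.dst)
        if key in self.states:               # state hit: the ruleset is skipped
            return self.states[key]
        decision, queue = "block", None      # pf's implicit default
        for r in self.rules:
            if not r.floating and r.direction != "in":
                continue                     # interface tabs hold "in" rules only
            if not matches(r, iface, direction, pkt):
                continue
            if r.tag:
                pkt.tag = r.tag
            if r.queue:
                queue = r.queue              # last matching rule naming a queue wins
            if r.action == "match":
                continue                     # match rules never pass or block
            decision = r.action
            if r.quick:
                break
        if decision == "pass":
            self.states[key] = (decision, queue)
        return decision, queue

    def forward(self, in_iface: str, out_iface: str, pkt: Packet) -> Dict[str, Verdict]:
        """Both passes of a forwarded packet: ingress "in", then egress "out"."""
        result = {in_iface: self.test(in_iface, "in", pkt)}
        if result[in_iface][0] != "pass":
            return result
        if out_iface == self.nat_iface:      # NAT is applied before "out" rules
            pkt = Packet(self.nat_addr, pkt.dst, pkt.tag)
        result[out_iface] = self.test(out_iface, "out", pkt)
        return result

# Constructed addresses for the "penalty box" post above.
PENALTY_HOST, WAN_ADDR, SERVER = "192.168.225.65", "203.0.113.10", "198.51.100.7"
# Attempt 1: floating WAN-out rule keyed on the private source; it never hits.
ATTEMPT1 = [Rule("pb-wan-out", "WAN", "out", src=PENALTY_HOST, action="match",
                 queue="qPenaltyBox", floating=True),
            Rule("opt2-pass-any", "OPT2", "in", quick=True)]
# Attempt 2: tag the host on OPT2 in, then match the tag on WAN out; it works.
ATTEMPT2 = [Rule("pb-wan-out", "WAN", "out", tagged="PB", action="match",
                 queue="qPenaltyBox", floating=True),
            Rule("opt2-tag-pb", "OPT2", "in", src=PENALTY_HOST, tag="PB", quick=True),
            Rule("opt2-pass-any", "OPT2", "in", quick=True)]

def run(rules: List[Rule]) -> Dict[str, Verdict]:
    """Push one packet from the penalty host out through WAN; verdict per interface."""
    fw = Firewall(rules, nat_iface="WAN", nat_addr=WAN_ADDR)
    return fw.forward("OPT2", "WAN", Packet(PENALTY_HOST, SERVER))
```

run(ATTEMPT1) leaves the WAN state with no queue, because by the time the WAN-out rule is tried the source is already 203.0.113.10; run(ATTEMPT2) puts the WAN state in qPenaltyBox. Putting the floating match rule on OPT2 in instead would queue only the OPT2 state (the host's download side), which is the "catch it at the point of state creation" lesson from the first post, and a second packet of the same flow reuses both states without touching the ruleset.
-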
I did manage to get this traffic into qPenaltyBox by creating a rule on OPT2 that passed traffic from the Penaltybox host and marked it with "PB". I then created a floating rule on WAN out putting all traffic from any to any and marked with PB into qPenaltyBox.
Can you expand on the marking functionality? I have some ideas on how this would be useful to me but not 100% sure on how to implement it.
I want to mark certain packets in the LAN rules, then find those marked packets in the outgoing WAN rules (floating rules) to put them on a certain gateway.
I posted a thread about it here: https://forum.pfsense.org/index.php?topic=83972.msg460314#msg460314
Thank you!