Q: Best Practice for monitoring Packet Response time?
-
pfSense gateway monitoring seems to be based on ICMP pings to the ISP gateway.
ICMP traffic typically has lower priority than regular TCP traffic. So during high load on the ISP gateway the ping response time will typically increase even though the actual SYN-ACK response stays constant.
On CLI level, using 'mtr' with the '--tcp' switch gives a more accurate measurement of the SYN to SYN-ACK response time during these conditions.
What is the best practice for a pfSense deployment to get an accurate measurement of gateway response time? Can the monitoring be configured to use TCP rather than ICMP? If not, how do you guys manage the de-prioritization of ICMP traffic?
//Jimmy
-
Increase in ping latency when under heavy load may not be so much de-prioritization of ICMP as poor or no QoS and traffic shaping. In which case TCP may suffer the same or similar fate depending on the specifics of what QoS and traffic shaping is being applied by the ISP.
https://www.dslreports.com/forum/r27252457-Internet-Frontier-FIOS-Latency-and-QoS-Where-they-fail
-
Increase in ping latency when under heavy load may not be so much de-prioritization of ICMP as poor or no QoS and traffic shaping. In which case TCP may suffer the same or similar fate depending on the specifics of what QoS and traffic shaping is being applied by the ISP.
True.
However, in this case I have run mtr with a TCP SYN/SYN-ACK test in parallel with pfSense gateway monitoring, and there is a clear discrepancy. The SYN/SYN-ACK maintains low jitter and reports acceptable packet response time, whilst ICMP packets in the Status: RRD Graphs go from the ~100 ms range to >1000 ms in packet response time.
I can run my connection to 70-80% of the link speed without any packet drops, and observe this ICMP behavior. So it's clearly load- and packet-priority related.
-
True.
However, in this case I have run mtr with a TCP SYN/SYN-ACK test in parallel with pfSense gateway monitoring, and there is a clear discrepancy. The SYN/SYN-ACK maintains low jitter and reports acceptable packet response time, whilst ICMP packets in the Status: RRD Graphs go from the ~100 ms range to >1000 ms in packet response time.
I can run my connection to 70-80% of the link speed without any packet drops, and observe this ICMP behavior. So it's clearly load- and packet-priority related.
Add a floating rule with interface WAN, Direction: Out, Protocol: ICMP, Pipe into qAck to allow pings to be prioritized just like ack packets.
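-
The SYN to SYN-ACK measurement discussed in this thread can be scripted so it runs next to the ICMP-based gateway monitor and the two series can be compared. This is an added example, not code from the thread or from pfSense; the function names, the jitter definition (mean absolute difference between consecutive samples) and the loopback listener used as a constructed target are assumptions.

```python
import socket
import statistics
import time


def tcp_handshake_rtt(host, port, timeout=2.0):
    """Return connect() time in ms (roughly SYN -> SYN-ACK), or None on failure."""
    start = time.perf_counter()
    try:
        # Pass an IP literal so DNS resolution is not counted in the timing.
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:  # timeout, refused, unreachable
        return None


def probe(host, port, count=10, interval=0.5, timeout=2.0):
    """Run `count` handshakes and summarise loss, latency and jitter."""
    samples = []
    for i in range(count):
        samples.append(tcp_handshake_rtt(host, port, timeout))
        if i < count - 1:
            time.sleep(interval)
    ok = [s for s in samples if s is not None]
    # Jitter: mean absolute difference between consecutive successful samples.
    deltas = [abs(b - a) for a, b in zip(ok, ok[1:])]
    return {
        "sent": count,
        "lost": count - len(ok),
        "min_ms": min(ok) if ok else None,
        "avg_ms": statistics.mean(ok) if ok else None,
        "max_ms": max(ok) if ok else None,
        "jitter_ms": statistics.mean(deltas) if deltas else None,
    }


def start_local_listener():
    """Constructed target: loopback listener; the kernel completes handshakes
    from the backlog, so no accept() loop is needed for a short run."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = ephemeral port chosen by the OS
    srv.listen(64)
    return srv


if __name__ == "__main__":
    srv = start_local_listener()
    print(probe("127.0.0.1", srv.getsockname()[1], count=5, interval=0.1))
    srv.close()
```

For a real comparison, point `probe()` at a TCP service you control beyond the gateway and log its output at the same interval as the gateway monitor.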