Lan Party config Gold - HFSC Shaper - Single WAN / LAN
-
Hey sideout.
Just wanted to thank you for the nice TS config. Just a couple of questions though…
For this parts:
4. A limiter for TCP uploading and downloading is set on the LAN rules so undo that or change the limits. Currently set at 70MB Download and 8MB upload.
I don't see any limit settings on this LAN rule in my FW settings. Is there something else that requires importing? My observation is that it seems to be throwing all HTTP downloads into the qHTTP queue and limiting them to the levels in the qHTTP settings.
There is a reference to qDNS on the Floating Rules side for DNS traffic, and I don't see this in the TS queues. Is this supposed to be like this?
Lastly, for the WAN and Internet settings, are those the ISP profiles or just under them? I've tried lowering them by up to 10 percent from my ISP profile (100/10) to 90/9 and still don't see or feel any difference.
Thanks again.
-
@Thor086:
Lastly, for the WAN and Internet settings, are those the ISP profiles or just under them? I've tried lowering them by up to 10 percent from my ISP profile (100/10) to 90/9 and still don't see or feel any difference.
What do you mean by "still don't see or feel any differences"? What exactly do you want to see or feel? Precisely what problem(s) are you experiencing?
Are you experiencing bufferbloat (aka high ping)? Are you saturating upload, download, or both?
-
Hi, yes I see buffer bloat from either profile settings or lowering it by 10 percent. My understanding is that is normal with HFSC. Correct me if I am wrong.
Thank you.
-
@Thor086:
Hi, yes I see buffer bloat from either profile settings or lowering it by 10 percent. My understanding is that is normal with HFSC. Correct me if I am wrong.
Thank you.
HFSC does not control the queue depth (bufferbloat). You can change the queue depth (default: 50 packets) yourself or employ an AQM like Codel (tick codel checkbox) to deal with bufferbloat.
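The queue-depth point made above, as an added illustration that is not part of any post in this thread: the model below is my own Python, not pfSense or ALTQ code. It pushes a constructed overload (1500-byte packets arriving every 1.4 ms, about 7% faster than an 8 Mbit/s uplink can serialize them) through a 50-packet tail-drop FIFO, the default qlimit, and through the same queue with a CoDel dequeue (RFC 8289 defaults: 5 ms target, 100 ms interval). The 8 Mbit/s rate is an assumption chosen to match the upload limiter mentioned in the thread; the arrival pattern and queue depth are likewise assumptions.

```python
# Added example (not pfSense or ALTQ code): a small discrete-event model that
# puts the same overload through a 50-packet tail-drop queue (pfSense's
# default qlimit, which HFSC leaves alone) and through that queue with CoDel
# (RFC 8289) running on the dequeue side. Traffic is constructed: 1500-byte
# packets arriving every 1.4 ms, about 7% faster than an 8 Mbit/s upload
# can send them, which is the sustained-upload case behind bufferbloat.
import math
from collections import deque

MTU_BYTES = 1500
LINK_MBIT = 8.0                                   # assumption: 8 Mbit/s upload
SERVICE_MS = MTU_BYTES * 8 / (LINK_MBIT * 1000)   # 1.5 ms to serialize one packet
QLIMIT = 50                                        # pfSense default queue depth
TARGET_MS, INTERVAL_MS = 5.0, 100.0                # CoDel defaults


class CoDel:
    """CoDel dequeue state machine from RFC 8289; all times in milliseconds."""

    def __init__(self, target=TARGET_MS, interval=INTERVAL_MS):
        self.target, self.interval = target, interval
        self.first_above = 0.0        # 0.0 means sojourn is not above target
        self.drop_next, self.count, self.lastcount, self.dropping = 0.0, 0, 0, False

    def _pop(self, q, now):
        """dodequeue(): take one packet and say whether CoDel may drop it."""
        if not q:
            self.first_above = 0.0
            return None, False
        arrival = q.popleft()
        # never drop below target or when at most one packet is still backlogged
        if now - arrival < self.target or len(q) <= 1:
            self.first_above = 0.0
            return arrival, False
        if self.first_above == 0.0:   # first time above target: start the grace interval
            self.first_above = now + self.interval
            return arrival, False
        return arrival, now >= self.first_above

    def dequeue(self, q, now):
        """Return (arrival time of the packet to send or None, packets dropped)."""
        drops = 0
        arrival, ok = self._pop(q, now)
        if arrival is None:
            self.dropping = False
            return None, 0
        if self.dropping:
            if not ok:
                self.dropping = False
            while self.dropping and now >= self.drop_next:
                drops += 1
                self.count += 1
                arrival, ok = self._pop(q, now)
                if not ok:
                    self.dropping = False
                else:                 # control law: next drop after interval/sqrt(count)
                    self.drop_next += self.interval / math.sqrt(self.count)
        elif ok:
            drops += 1
            arrival, ok = self._pop(q, now)
            self.dropping = True
            delta = self.count - self.lastcount   # drops made in the previous dropping run
            self.count = delta if delta > 1 and now - self.drop_next < 16 * self.interval else 1
            self.lastcount = self.count
            self.drop_next = now + self.interval / math.sqrt(self.count)
        return arrival, drops


def simulate(use_codel, duration_ms=30_000.0, arrival_gap_ms=1.4):
    """Overload the queue and report what the packets that got through saw."""
    q = deque()                       # arrival timestamps of packets waiting
    codel = CoDel() if use_codel else None
    now = next_arrival = link_free_at = 0.0
    sent = dropped = 0
    total_delay = max_delay = 0.0
    while now < duration_ms:
        while next_arrival <= now:    # admit arrivals, tail-drop beyond QLIMIT
            if len(q) < QLIMIT:
                q.append(next_arrival)
            else:
                dropped += 1
            next_arrival += arrival_gap_ms
        if now >= link_free_at and q: # link idle: choose the next packet to send
            if codel is None:
                arrival = q.popleft()
            else:
                arrival, codel_drops = codel.dequeue(q, now)
                dropped += codel_drops
            if arrival is not None:
                delay = now - arrival + SERVICE_MS   # queueing wait + serialization
                sent += 1
                total_delay += delay
                max_delay = max(max_delay, delay)
                link_free_at = now + SERVICE_MS
        now = min(next_arrival, link_free_at) if link_free_at > now else next_arrival
    return {"sent": sent, "dropped": dropped,
            "mean_ms": total_delay / sent, "max_ms": max_delay}


if __name__ == "__main__":
    for name, flag in (("tail-drop FIFO, qlimit 50", False), ("same queue + CoDel", True)):
        r = simulate(flag)
        print(f"{name}: mean delay {r['mean_ms']:.1f} ms, max {r['max_ms']:.1f} ms, "
              f"sent {r['sent']}, dropped {r['dropped']}")
```

With tail-drop the queue fills to qlimit and every packet that still gets through then waits close to 50 x 1.5 ms, about 75 ms, no matter what bandwidth the HFSC queues are given; CoDel drops from the head once the sojourn time has stayed above target for an interval and holds the standing delay near the target. Shrinking qlimit lowers the tail-drop ceiling in proportion (qlimit x serialization time per packet), which is the other knob mentioned above.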
-
@Thor086:
The limiter is for TCP only from the LAN and if you want to change it then adjust the limiter settings under traffic shaping or just disable the rule. Since the limiter is on the last LAN rule before the any / any rule it will limit all TCP traffic from the WAN to the LAN.
The WAN / Internet settings should be at 95% of your ISP Limits.
I had a qDNS in there and a rule once upon a time and might have taken it out but forgot the rule so either disable the floating rule or make a queue under shaping on the LAN or WAN if you want to use it.
-
I can't wait till we can get full Layer 2 managed switches on the tables; that way I can track a MAC to the actual port and just disable it there.
BTW - if you aren't aware of 'em, check out the Ubiquiti UniFi switches - they come with a free management console that will give one network-wide view of all your switches (among other things). Good stuff. They haven't ported everything like layer 3 routing over from the EdgeSwitch line yet, so you might want to see if the UniFi switches as they are today support everything you need first. If they will work they are a VERY nice solution (and yes, the PoE may be overkill and an extra unneeded expense, but still).
-
Thanks so much jahonix!
After uploading the files using restore I am unable to log into my router. I looked in the system config file that I got from sideout, and I see where it shows the username and password but the string of characters that is listed there does not work to log in.
-
You're welcome!
Just restore your original config you have backed up previously and then ONLY import the traffic shaper part, not the complete config.
Use a text-editor (NOT wordpad!) to edit the config.xml.
Thought that was clear.
I looked in the system config file that I got from sideout, and I see where it shows the username and password but the string of characters that is listed there does not work to log in.
The password is not stored in plain text.
Look at your original config.xml where your username is readable but your password is not.
If you have a serial console on your router you can use that to restore username and password to defaults as well.
(Reset Web configurator password or so)
-
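The two points just made, that only the traffic-shaper part of a posted config should be restored and that the password in config.xml is a hash rather than something you can type in, as an added example that is not part of any post in this thread. The script is my own Python, not pfSense code; it mirrors what the "Restore area: Traffic Shaper" option on pfSense's backup/restore page does, but on two files. Both config.xml documents are constructed samples, the hashes in them are placeholders, and the section names `shaper` and `dnshaper` are assumptions about the config layout.

```python
# Added example (not pfSense code): graft only the traffic-shaper sections of
# a config.xml posted by someone else into your own backup, leaving <system>
# (hostname, users, and so the admin password hash) untouched. This mirrors
# what pfSense's "Restore area: Traffic Shaper" option does in the GUI.
# Both XML documents below are constructed samples.
import copy
import xml.etree.ElementTree as ET

# Assumption: <shaper> holds the ALTQ queues and <dnshaper> the limiters.
SHAPER_SECTIONS = ("shaper", "dnshaper")
# pfSense stores user passwords as crypt(3) hashes: bcrypt ($2y$/$2b$) on
# current releases, md5crypt ($1$) on very old ones. Anything else is a sign
# that plaintext has been written into the config.
HASH_PREFIXES = ("$2y$", "$2b$", "$1$", "$6$")

MY_HASH = "$2y$10$constructedhashforexampleonly000000000000000000000000000"
DONOR_HASH = "$2y$10$anotherconstructedhashexampleonly111111111111111111111111"

MY_CONFIG = f"""<?xml version="1.0"?>
<pfsense>
  <version>15.8</version>
  <system>
    <hostname>lanparty-fw</hostname>
    <user><name>admin</name><password>{MY_HASH}</password><uid>0</uid></user>
  </system>
  <shaper></shaper>
  <dnshaper></dnshaper>
  <filter><rule><descr>my own LAN rule</descr></rule></filter>
</pfsense>
"""

DONOR_CONFIG = f"""<?xml version="1.0"?>
<pfsense>
  <version>15.8</version>
  <system>
    <hostname>sideout-fw</hostname>
    <user><name>admin</name><password>{DONOR_HASH}</password><uid>0</uid></user>
  </system>
  <shaper>
    <queue><interface>wan</interface><name>qInternet</name>
      <bandwidth>95</bandwidth><bandwidthtype>Mb</bandwidthtype></queue>
  </shaper>
  <dnshaper>
    <queue><name>Download_LAN</name><bandwidth>70</bandwidth><bandwidthtype>Mb</bandwidthtype></queue>
    <queue><name>Upload_LAN</name><bandwidth>8</bandwidth><bandwidthtype>Mb</bandwidthtype></queue>
  </dnshaper>
  <filter><rule><descr>donor LAN rule</descr></rule></filter>
</pfsense>
"""


def merge_shaper_sections(mine_xml, donor_xml):
    """Return mine_xml with its shaper sections replaced by the donor's, nothing else."""
    mine, donor = ET.fromstring(mine_xml), ET.fromstring(donor_xml)
    for tag in SHAPER_SECTIONS:
        src = donor.find(tag)
        if src is None:
            continue                      # donor has no such section: keep ours as is
        old = mine.find(tag)
        pos = list(mine).index(old) if old is not None else len(mine)
        if old is not None:
            mine.remove(old)
        mine.insert(pos, copy.deepcopy(src))   # keep the section at its original position
    return ET.tostring(mine, encoding="unicode")


def user_password(config_xml, username="admin"):
    """The stored <password> value for username, or None if no such user."""
    root = ET.fromstring(config_xml)
    for user in root.iterfind("system/user"):
        if user.findtext("name") == username:
            return user.findtext("password", "")
    return None


def password_is_hashed(config_xml, username="admin"):
    """True when the stored password looks like a crypt(3) hash rather than plaintext."""
    pw = user_password(config_xml, username)
    return pw is not None and pw.startswith(HASH_PREFIXES)


def limiter_names(config_xml):
    return [q.findtext("name") for q in ET.fromstring(config_xml).iterfind("dnshaper/queue")]


def hostname(config_xml):
    return ET.fromstring(config_xml).findtext("system/hostname")


if __name__ == "__main__":
    merged = merge_shaper_sections(MY_CONFIG, DONOR_CONFIG)
    print(hostname(merged), limiter_names(merged), password_is_hashed(merged))
```

Restoring the donor file whole would have replaced the whole `<system>` section, which is why the posted hash no longer matched anything you could type; merging only the shaper sections keeps your own users and interface assignments. Run the hash check on any config you are about to import as well: a `<password>` that does not start with a crypt prefix means someone wrote a plaintext password into the file.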
Hey Sideout, I'm curious, what did you have the TCP limiters configured at? I saw the following dummypipes in the config, but wasn't sure what you had the limiter rates set for. I would guess the Download_LAN would be whatever the total allocated bandwidth was for the default queue and HTTP, putting it at maybe, 54Mbps for you guys (6%+40%), or maybe even higher. Am I off base? Thanks!
<dnpipe>Upload_LAN</dnpipe>
<pdnpipe>Download_LAN</pdnpipe>
-
If I am using 3 modems I would set it at like 90Mbit for the 1st 6 hours of the event then throttle that back to like 60 - 70Mbit when online tourneys were going on. The upload I would set at like 8Mbit and usually leave it. I would turn it up at night about 1am or so to 100Mbit so people could download overnight.
With 4 modems I would open it up a bit more.
As a side note, I am using 3 Linksys 4 port wired routers with the multi modem config to prevent the same gateway issue. Only one modem is directly connected to pfSense. The other 3 are connected to the Linksys routers, and those are connected to the WAN ports of the router.
-
Cool, thanks. Forgive me if you've gone into this a thousand times already, but why do you use the 4 port routers? What's the "same gateway" issue you mentioned?
I'm assuming from what I remember that it's because you can't have multiple WAN addresses in a gateway group that have the same default gateway or it screws something up? Since TWC likely uses the same gateway on all the modems…that's the problem. So you put a cheap router between the #2,#3, and #4 modems and each pfSense uplink, each of the cheap routers configured with different LAN subnets. This way it ensures that each WAN address in pfSense has a unique gateway on a different subnet. Did I butcher it or am I on track?
-
Yep, that is pretty much it. You can't have more than one WAN with the same gateway MAC in the ARP table, so the cheap routers do the trick. I just increment the 3rd octet and use a /24 for each router. Until we can talk TWC into giving us an uncapped modem, multi modem it is.
-
Hi Sideout,
Thanks for your work. I am currently testing your configuration and I don't understand the need for setting limiters.
Are those limiters working on the global bandwidth or per-user bandwidth? Thanks
-
The limiters are global bandwidth that gets kinda divided up "per user". Here is how it works:
1. You set the limiter to whatever amount you want - let's say 50Mbit for this example.
2. You place the limiter as you see fit; I choose to use a LAN firewall rule for TCP connections before the last any any rule.
3. What happens is that pfSense will attempt to divide up the bandwidth as best it can between all the clients making the request. What typically happens is that if you have 20 people hitting the limiter / rule the first 5 or so get a bigger amount than the next ones. It does not do it equally but it does meter it out so that everyone gets some of the bandwidth on the limiter.
If you want to limit on a per user basis then you do it a different way.
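The global-versus-per-user distinction asked about above, as an added illustration that is not part of any post in this thread. The model is my own Python, not pfSense or dummynet code, and it idealises the shared case as a max-min fair (water-filling) split, which the post above notes is not exactly how the real limiter divides things up. The per-host case corresponds to giving the limiter a source-address mask: pfSense then creates one dynamic pipe per source IP, each with the full configured bandwidth, so the aggregate is no longer bounded. The host demands are constructed numbers.

```python
# Added example (not pfSense or dummynet code): an idealised model of the two
# ways a limiter can be applied. "Shared" is one pipe on the LAN rule, its
# capacity split max-min fairly among the hosts that want it (a simplification
# of the real scheduler). "Per host" is the same limiter with a /32
# source-address mask: dummynet creates one pipe per source IP, so each host
# is capped individually and the aggregate is not capped at all.
# Host demands below are constructed numbers, in Mbit/s.

DEMANDS_MBIT = {"10.0.0.11": 100.0,   # one big download
                "10.0.0.12": 30.0,
                "10.0.0.13": 5.0,     # light web browsing
                "10.0.0.14": 2.0}     # game traffic


def shared_limiter(demands, cap_mbit):
    """Max-min fair (water-filling) split of cap_mbit among the hosts in demands."""
    alloc = {}
    pending = dict(demands)
    remaining = cap_mbit
    while pending:
        share = remaining / len(pending)
        satisfied = {h: d for h, d in pending.items() if d <= share}
        if not satisfied:                 # everyone left wants more than the fair share
            alloc.update({h: share for h in pending})
            break
        for h, d in satisfied.items():    # give them what they asked for, redistribute the rest
            alloc[h] = d
            remaining -= d
            del pending[h]
    return alloc


def per_host_limiter(demands, cap_mbit):
    """/32 source mask: every host gets its own pipe of cap_mbit."""
    return {h: min(d, cap_mbit) for h, d in demands.items()}


def total(alloc):
    return sum(alloc.values())


if __name__ == "__main__":
    for name, alloc in (("shared 50 Mbit pipe", shared_limiter(DEMANDS_MBIT, 50.0)),
                        ("50 Mbit per host", per_host_limiter(DEMANDS_MBIT, 50.0))):
        print(f"{name}: {alloc} -> aggregate {total(alloc):.1f} Mbit/s")
```

The shared pipe caps the LAN at 50 Mbit in total, with the two light users getting everything they asked for and the two heavy ones splitting the remainder. The per-host form caps each address at 50 Mbit but lets the aggregate reach 87 Mbit for the same four hosts, which is the wrong tool when the goal is to keep a fixed share of the uplink free for tournaments.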
-
tried out the config and it seems to be working…, many thanks!
some question(s) if you don't mind:
1. when I'm alone in the network..., ssh and gui access to pfSense seems fine..., but if there are 1,2 or more users in the network doing websurf and such..., my access to pfSense ssh and gui is too sluggish :( [seems that ssh and gui access is put in the qCatchAll queue?]…, how can I add/make/create a RULE/queue to make access to a pfSense box via ssh and gui without speed restrictions?
-
Because shaping works best when you shape the entire interface, I just use a separate admin interface(vlan) to access PFSense.
-
If you are using floating rules you should just choose WAN for all the interfaces. There is the LAN rule for accessing pfSense but it should not have an effect on shaping. You don't want to choose LAN for any floating rules, only WAN, as pfSense will create the rule for the LAN interface.
-
thank you both for your replies
Because shaping works best when you shape the entire interface, I just use a separate admin interface(vlan) to access PFSense.
what if I don't have the luxury of having a VLAN, or a dedicated physical LAN connection to my pfSense box and to my monitoring box?
If you are using floating rules you should just choose WAN for all the interfaces. There is the LAN rule for accessing pfSense but it should not have an effect on shaping. You don't want to choose LAN for any floating rules, only WAN, as pfSense will create the rule for the LAN interface.
example,
if I apply the shaper in this attachment in the first post, access to pfsense gui == sluggish
if I remove the shaper, the gui is smooth without problems :( And this has quite confused me for a very long time, and people will say that IT WILL NOT AFFECT LAN-to-LAN traffic :(
and then, I was thinking of having to create a sub queue below LAN with a name "unrestrictedLAN" with 990Mbits, then created a floating rule something like {I chose LAN as the Interface} "lan net" with "any port" to "firewall" with "ssh port" and redirect to "unrestrictedLAN", and that rule is placed at the bottom of the floating rules…, LO and behold..., traffic does not go to "unrestrictedLAN". Any tips if I only have 1 physical connection to my pfSense and monitoring box, to have ssh and gui access smooth?
-
The more or less official way is to create an "AdminPorts" alias then only allow "AdminUsers" (host/IP alias) to access the administrative ports of pfSense. Then you can create a queue and prioritize the AdminOnly traffic. This also improves security.
-
Will be making some changes to the config. I added some new ports and changed some other ports for some newer games. I will post up the zipped files you need at a later date.