Lan Party config Gold - HFSC Shaper - Single WAN / LAN
      elgwhoppo

      @sideout:

      The limiter is for TCP only from the LAN and if you want to change it then adjust the limiter settings under traffic shaping or just disable the rule.  Since the limiter is on the last LAN rule before the any / any rule it will limit all TCP traffic from the WAN to the LAN.

      The WAN / Internet settings should be at 95% of your ISP Limits.

      I had a qDNS in there and a rule once upon a time and might have taken it out but forgot the rule so either disable the floating rule or make a queue under shaping on the LAN or WAN if you want to use it.

      Hey Sideout, I'm curious, what did you have the TCP limiters configured at? I saw the following dummypipes in the config, but wasn't sure what you had the limiter rates set for. I would guess the Download_LAN would be whatever the total allocated bandwidth was for the default queue and HTTP, putting it at maybe, 54Mbps for you guys (6%+40%), or maybe even higher. Am I off base? Thanks!

      <dnpipe>Upload_LAN</dnpipe>
      <pdnpipe>Download_LAN</pdnpipe>

        sideout

        If I am using 3 modems I would set it at like 90Mbit for the 1st 6 hours of the event then throttle that back to like 60 - 70Mbit when online tourneys were going on.  The upload I would set at like 8Mbit and usually leave it. I would turn it up at night about 1am or so to 100Mbit so people could download overnight.

        With 4 modems I would open it up a bit more.

        As a side note, I am using 3 Linksys 4 port wired routers with the multi modem config to prevent the same gateway issue.  Only one modem is directly connected to Pfsense. The other 3 are connected to the Linksys then that is connected to the WAN ports of the router.

          elgwhoppo

          Cool, thanks. Forgive me if you've gone into this a thousand times already, but why do you use the 4 port routers? What's the "same gateway" issue you mentioned?

          I'm assuming from what I remember that it's because you can't have multiple WAN addresses in a gateway group that have the same default gateway or it screws something up? Since TWC likely uses the same gateway on all the modems…that's the problem. So you put a cheap router between the #2,#3, and #4 modems and each pfSense uplink, each of the cheap routers configured with different LAN subnets. This way it ensures that each WAN address in pfSense has a unique gateway on a different subnet. Did I butcher it or am I on track?

            sideout

            Yep that is pretty much it.  Can't have more than one WAN with the same gateway MAC in the ARP table.  So the cheap routers do the trick.  I just increment the 3rd octet and use a /24 for the router.  Until we can talk TWC into giving us an uncapped modem, multi modem it is.

              ju2256

              Hi Sideout,
              Thanks for your work.

              I am currently testing your configuration and I don't understand the need for setting limiters.
              Are those limiters working on the global bandwidth or per-user bandwidth?

              Thanks

                sideout

                The limiters are global bandwidth that gets kinda divided up "per user".  Here is how it works:

                1. You set the limiter to whatever amount you want - let's say 50Mbit for this example.
                2. You place the limiter as you see fit; I choose to use a LAN firewall rule for TCP connections before the last any / any rule.
                3. What happens is that PFsense will attempt to divide up the bandwidth as best it can between all the clients making the request.

                What typically happens is that if you have 20 people hitting the limiter / rule the first 5 or so get a bigger amount than the next ones.  It does not do it equally but it does meter it out so that everyone gets some of the bandwidth on the limiter.

                If you want to limit on a per user basis then you do it a different way.

                  gratis.obake

                  tried out the config and it seems to be working…, many thanks!

                  some question(s) if you don't mind:

                  1. when I'm alone in the network..., ssh and gui access to pfSense seems fine..., but if there are 1,2 or more users in the network doing websurf and such..., my access to pfSense ssh and gui is too sluggish :( [seems that ssh and gui access is put in the qCatchAll queue?]…, how can I add/make/create a RULE/queue to make access to a pfSense box via ssh and gui without speed restrictions?

                    Harvy66

                    Because shaping works best when you shape the entire interface, I just use a separate admin interface (VLAN) to access PFSense.

                      sideout

                      If you are using floating rules you should just choose WAN for all the interfaces.  There is the LAN rule for accessing PFSense but it should not have an effect on shaping.  You don't want to choose LAN for any floating rules, only WAN, as PFSense will create the rule for the LAN interface.

                        gratis.obake

                        thank you both for your replies

                        @Harvy66:

                        Because shaping works best when you shape the entire interface, I just use a separate admin interface (VLAN) to access PFSense.

                        what if I don't have the luxury of having a VLAN?, dedicated physical LAN connection to my pfsense box and to my monitoring box?

                        @sideout:

                        If you are using floating rules you should just choose WAN for all the interfaces.  There is the LAN rule for accessing PFSense but it should not have an effect on shaping.  You don't want to choose LAN for any floating rules, only WAN, as PFSense will create the rule for the LAN interface.

                        example,
                        if I apply the shaper in this attachment in the first post, access to pfsense gui == sluggish
                        if I remove the shaper, gui is smooth without problems :(

                        AND this has quite confused me for a very long time and people will say that IT WILL NOT AFFECT LAN-to-LAN traffic :(
                        and then, I was thinking of having to create a sub queue below LAN with a name "unrestrictedLAN" with 990Mbits then created a floating rule something like {I chose LAN as the Interface} "lan net" with "any port" to "firewall" with "ssh port" and redirect to "unrestrictedLAN" and that rule is placed on the bottom of the floating rule…, LO and behold..., traffic does not go to "unrestrictedLAN"

                        any tips if I only have 1 physical connection to my pfsense and monitoring box to have ssh and gui access smooth?

                          Nullity

                          @gratis.obake:

                          tried out the config and it seems to be working…, many thanks!

                          some question(s) if you don't mind:

                          1. when I'm alone in the network..., ssh and gui access to pfSense seems fine..., but if there are 1,2 or more users in the network doing websurf and such..., my access to pfSense ssh and gui is too sluggish :( [seems that ssh and gui access is put in the qCatchAll queue?]…, how can I add/make/create a RULE/queue to make access to a pfSense box via ssh and gui without speed restrictions?

                          The more or less official way is to create an "AdminPorts" alias then only allow "AdminUsers" (host/IP alias) to access the administrative ports of pfSense. Then you can create a queue and prioritize the AdminOnly traffic. This also improves security.

                          Please correct any obvious misinformation in my posts.
                          -Not a professional; an arrogant ignoramus.

                            sideout

                            Will be making some changes to the config.  I added some new ports and changed some other ports for some newer games. I will post up the zipped files you need  at a later date.

                              Ancients

                              Lately, I've gotten lazy and just use user/ip level caps on the network. Fortunately most of my LAN goers are pretty well behaved and it keeps any single person from being able to demolish the network.

                              Running a steam cache over the course of an event improved things a TON. Still having issues making Battlenet traffic efficient though.

                              I must say it is hilarious when people complain about bad pings then I show them that their torrent client is filling their small upload pipe.

                                mcwtim

                                @Ancients

                                Make sure to get your WAN IP(s) whitelisted with Blizzard well before your event (at least 4 weeks).

                                http://wcs.battle.net/sc2/en/about/community-tournaments

                                "Step 2: Get Whitelisted

                                In order to ensure the safety and security of Battle.net for all players, we have implemented mechanisms to detect and block specific IP addresses if too many connections are being made from a single source. This can occasionally cause problems for organized tournaments where many computers on a local network are all connected to the Internet using the same external IP address. Registering your tournament with Blizzard will allow us to add the IP addresses to the appropriate whitelist for the machines you intend to use for the duration of the tournament. If you’re running an on-site event that will have more than ten (10) people connecting at once from a limited range of IPs, send us an email with the subject Whitelist Request to tourneyinfo@blizzard.com and include detailed information about your event as well as your venue’s IP information."

                                  Ancients

                                  We only had that issue once and an email resolved it.
                                  All of our large local events have been organized by the LanFest org which probably has taken care of it before.

                                    albert001

                                    Just realized that the pfsense 2.3 upgrade broke all the traffic shaping that was setup with sideout's original config. I saw his updated config for multi-wan connections. Is that able to be used?

                                      sideout

                                      I will work on doing a new config here and see about getting that posted up in the next day or two.  Been busy with work stuff and RL stuff.

                                        sideout

                                        Here is a revision to the Lan Party config Gold - HFSC Shaper - Single WAN / LAN.  Here are some notes on this revision:

                                        1. Default rule is removed on LAN rules page and specific allows created.
                                        2. Limiter is set to 1mbit / 500Kbit for TCP connections for unclassified TCP traffic. qInternet is 120Mbit on LAN and WAN is 6Mbit so adjust as needed.
                                        3. DNS is blocked except coming from the PFSense box. If you use a cache server be sure to fix that or allow both of them.
                                        4. The TCP allow LAN rule has a max state setting of 2000 per host.  This should help prevent someone from running a torrent client and swamping you.
                                        5. DNS is configured to use Level 3 and Google.
                                        6. Separators have been added to rules.
                                        7. Aliases have been expanded but you still might need to add some game ports in there in case I missed some. Will work on this again.
                                        8. Password for this config is gr1mr3aper as you might need it for the system file.  Be sure to change it please.

                                        Enjoy and test it out if you want and I will continue to work on it as time permits.

                                        PFSenseLanPartySingleWANHFSCFull.zip
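The revision notes above (default rule removed, DNS only from the firewall, a per-host state cap on the TCP allow rule) and Nullity's earlier AdminUsers/AdminPorts suggestion are settings that pfSense writes into pf for you. The following hand-written pf.conf is an added illustration of those same points in plain pf syntax; it is not the attached configuration and not sideout's ruleset. Interface names, addresses, the AdminUsers hosts, the DNS server addresses and the qGames share are assumptions chosen for the example.

```pf
# Added example, not the attached config: the revision notes and the
# AdminUsers/AdminPorts idea from this thread as a plain pf.conf for one
# LAN and one WAN. Interfaces, addresses and host lists are assumptions.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# "Aliases" expressed as pf macros and tables (constructed values).
AdminPorts  = "{ 22, 443 }"
dns_servers = "{ 4.2.2.2, 8.8.8.8 }"        # Level 3 and Google (note 5)
table <AdminUsers> { 192.168.1.10, 192.168.1.11 }

set skip on lo0
set block-policy drop

# HFSC on the LAN (download direction). qInternet carries client traffic;
# qAdmin is a small guaranteed share for the firewall's own GUI and SSH so
# they stay responsive while qCatchAll is saturated by web traffic.
altq on $lan_if hfsc bandwidth 120Mb queue { qAdmin, qInternet }
queue qAdmin    bandwidth 5Mb   hfsc(realtime 2Mb)
queue qInternet bandwidth 115Mb hfsc { qGames, qCatchAll }
  queue qGames    bandwidth 40% hfsc(realtime 20Mb)
  queue qCatchAll bandwidth 60% hfsc(default)

nat on $wan_if inet from $lan_net to any -> ($wan_if)

# Note 1: no any/any default rule. Anything not explicitly allowed below
# is dropped and logged.
block in log all

# Note 3: only the firewall talks to the upstream resolvers. Clients may
# query the firewall's own resolver; any other port 53 traffic from the
# LAN is blocked, so a host with a hard-coded public DNS server fails closed.
pass out quick on $wan_if inet proto { tcp, udp } from ($wan_if) to $dns_servers port 53 keep state
pass in  quick on $lan_if inet proto { tcp, udp } from $lan_net to ($lan_if) port 53 keep state
block in quick on $lan_if inet proto { tcp, udp } from $lan_net to any port 53

# Admin ports: only hosts in <AdminUsers> may reach them, and that traffic
# is assigned to qAdmin rather than falling into qCatchAll. Everyone else
# is dropped here before the general TCP allow.
pass in  quick on $lan_if inet proto tcp from <AdminUsers> to ($lan_if) port $AdminPorts \
    flags S/SA keep state queue qAdmin
block in quick on $lan_if inet proto tcp from any to ($lan_if) port $AdminPorts

# Note 4: general TCP allow with a per-host state cap. A client running a
# torrent client stops creating new states at 2000 instead of filling the
# state table for everyone else on the LAN.
pass in on $lan_if inet proto tcp from $lan_net to any flags S/SA \
    keep state (max-src-states 2000) queue qCatchAll
pass in on $lan_if inet proto udp from $lan_net to any keep state queue qCatchAll

# Traffic the firewall itself originates (updates, NTP, the DNS above).
pass out on $wan_if inet from ($wan_if) to any keep state
```

Check the syntax with `pfctl -nf <file>` before reading it against a live ruleset. On pfSense the GUI generates and owns the ruleset, so this file is meant to be read alongside the imported config (Firewall: Rules, Firewall: Aliases, Firewall: Traffic Shaper) rather than loaded by hand; the equivalent of `max-src-states` is the "Max. src. states" advanced option on the rule, and the AdminUsers/AdminPorts pair are host and port aliases.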

                                          Juan-marco

                                          Have you got a new version?

                                          Because I have got a problem with DNS

                                          Thanks

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.