Lan Party config Gold - HFSC Shaper - Single WAN / LAN
-
The limiter is for TCP only from the LAN and if you want to change it then adjust the limter settings under traffic shaping or just disable the rule. Since the limiter is on the last LAN rule before the any / any rule it will limit all TCP traffic from the WAN to the LAN.
The WAN / Internet settings should be at 95% of your ISP Limits.
I had a qDNS in there and a rule once upon a time and might have taken it out but forgot the rule so either disable the floating rule or make a queue under shaping on the LAN or WAN if you want to use it.
Hey Sideout, I'm curious, what did you have the TCP limiters configured at? I saw the following dummypipes in the config, but wasn't sure what you had the limiter rates set for. I would guess the Download_LAN would be whatever the total allocated bandwidth was for the default queue and HTTP, putting it at maybe, 54Mbps for you guys (6%+40%), or maybe even higher. Am I off base? Thanks!
<dnpipe>Upload_LAN</dnpipe>
<pdnpipe>Download_LAN</pdnpipe> -
If I am using 3 modems I would set it at like 90Mbit for the 1st 6 hours of the event then throttle that back to like 60 - 70Mbit when online tourneys were going on. The upload I would set at like 8Mbit and usually leave it. I would turn it up at night about 1am or so to 100Mbit so people could download overnight.
With 4 modems I would open it up a bit more.
As a side note ,I am using 3 Linksys 4 port wired routers with the multi modem config to prevent the same gateway issue. Only one modem is directly connected to Pfsense. The other 3 are connected to the Linksys then that is connected to the WAN ports of the router.
-
Cool, thanks. Forgive me if you've gone into this a thousand times already, but why do you use the 4 port routers? What's the "same gateway" issue you mentioned?
I'm assuming from what I remember that it's because you can't have multiple WAN addresses in a gateway group that have the same default gateway or it screws something up? Since TWC likely uses the same gateway on all the modems…that's the problem. So you put a cheap router between the #2,#3, and #4 modems and each pfSense uplink, each of the cheap routers configured with different LAN subnets. This way it ensures that each WAN address in pfSense has a unique gateway on a different subnet. Did I butcher it or am I on track?
-
Yep that is pretty much it. Cant more than one WAN with the same gateway MAC in the ARP table. So the cheap routers do the trick. I just increment the 3rd octet and use a /24 for the router. Until we can talk TWC into giving us an uncapped modem , multi modem it is.
-
Hi Sideout,
Thanks for your work.I am currently on testing your configuration and i don't understand the need of setting limiters.
Are those limiters working on the global bandwitch or per-user bandwitch ?Thanks
-
The limiters are global bandwidth that gets kinda divided up "per user". Here is how it works:
1. You set the limiter to whatever amount you want - lets say 50Mbit for this example.
2. You place the limiter as you see fit , I choose to use a LAN firewall rule for TCP connections before the last any any rule.
3. What happens is that PFsense will attempt to divide up the bandwidth as best it can between all the clients making the request.What typically happens is that if you have 20 people hitting the limiter / rule the first 5 or so get a bigger amount than the next one's. It does not do it equally but it does meter it out so that everyone gets some of the bandwidth on the limiter.
If you want to limit on a per user basis then you do it a different way.
-
tried out the config and it seems to be working…, many thanks!
some question(s) if you don't mind:
1. when I'm alone in the network..., ssh and gui access to pfSense seems fine..., but if there are 1,2 or more users in the network doing websurf and such..., my access to pfSense ssh and gui is too sluggish :( [seems that ssh and gui access is put in the qCatchAll queue?]…, how can I add/make/create a RULE/queue to make access to a pfSense box via ssh and gui without speed restrictions?
-
Because shaping works best when you shape the entire interface, I just use a separate admin interface(vlan) to access PFSense.
-
If you are using floating rules you should just choose WAN for all the interfaces. There is the LAN rule for accessing PFSense but it should not have an affect on shaping. You dont want to chose LAN for any floating rules , only WAN as PFSense will create the rule for the LAN interface.
-
thank you both for your replies
Because shaping works best when you shape the entire interface, I just use a separate admin interface(vlan) to access PFSense.
what if I don't have the luxury of having a VLAN?, dedicated physical LAN connection to my pfsense box and to my monitoring box?
If you are using floating rules you should just choose WAN for all the interfaces. There is the LAN rule for accessing PFSense but it should not have an affect on shaping. You dont want to chose LAN for any floating rules , only WAN as PFSense will create the rule for the LAN interface.
example,
if I apply the shaper in this attachment in the first post, access to pfsense gui == sluggish
if I remove the shaper, gui is smooth without problems :(AND this has quite confused me for a very long time and people will say that IT WILL NOT AFFECT LAN-to-LAN traffic :(
and then, I was thinking of having to create a sub queue below LAN with a name "unrestrictedLAN" with 990Mbits then created a floating rule something like {I chose LAN as the Interface} "lan net" with "any port" to "firewall" with "ssh port" and redirect to "unrestrictedLAN" and that rule is placed on the bottom of the floating rule…, LO and behold..., trafic does not go to "unrestrictedLAN"any tips if I only have 1 physical connection to my pfsense and monitoring box to have ssh and gui access smooth?
-
tried out the config and it seems to be working…, many thanks!
some question(s) if you don't mind:
1. when I'm alone in the network..., ssh and gui access to pfSense seems fine..., but if there are 1,2 or more users in the network doing websurf and such..., my access to pfSense ssh and gui is too sluggish :( [seems that ssh and gui access is put in the qCatchAll queue?]…, how can I add/make/create a RULE/queue to make access to a pfSense box via ssh and gui without speed restrictions?
The more or less official way is to create an "AdminPorts" alias then only allow "AdminUsers" (host/IP alias) to access the administrative ports of pfSense. Then you can create a queue and prioritize the AdminOnly traffic. This also improves security.
-
Will be making some changes to the config. I added some new ports and changed some other ports for some newer games. I will post up the zipped files you need at a later date.
-
Lately, I've gotten lazy and just use user/ip level caps on the network. Fortunately most of my LAN goers are pretty well behaved and it keeps any single person from being able to demolish the network.
Running a steam cache over the course of an event improved things a TON. Still having issues making Battlenet traffic efficient though.
I must say it is hilarious when people complain about bad pings then I show them that their torrent client is filling their small upload pipe.
-
Make sure to get your WAN IP(s) whitelisted with Blizzard well before your event (at least 4 weeks).
http://wcs.battle.net/sc2/en/about/community-tournaments
"Step 2: Get Whitelisted
In order to ensure the safety and security of Battle.net for all players, we have implemented mechanisms to detect and block specific IP addresses if too many connections are being made from a single source. This can occasionally cause problems for organized tournaments where many computers on a local network are all connected to the Internet using the same external IP address. Registering your tournament with Blizzard will allow us to add the IP addresses to the appropriate whitelist for the machines you intend to use for the duration of the tournament. If you’re running an on-site event that will have more than ten (10) people connecting at once from a limited range of IPs, send us an email with the subject Whitelist Request to tourneyinfo@blizzard.com and include detailed information about your event as well as your venue’s IP information."
-
We only had that issue once and an email resolved it.
All of our large local events have been organized by the LanFest org which probably has taken care of it before. -
Just realized that the pfsense 2.3 upgrade broke all the traffic shaping that was setup with sideouts original config. I saw his updated config for multi-wan connections. Is that able to be used?
-
I will work on doing a new config here and see about getting that posted up in the next day or two. Been busy with work stuff and RL stuff.
-
Here is a revision to the Lan Party config Gold - HFSC Shaper - Single WAN / LAN. Here are some notes on this revision:
1. Default rule is removed on LAN rules page and specific allows created.
2. Limiter is set to 1mbit / 500Kbit for TCP connections for unclassified TCP traffic. qInternet is 120Mbit on LAN and WAN is 6Mbit so adjust as needed.
3. DNS is blocked except coming from the PFSense box. If you use a cache server be sure to fix that or allow both of them.
4. The TCP allow LAN rule has a max state setting of 2000 per host. This should help prevent someone from running a torrent client and swapping you.
5. DNS is configured to use Level 3 and Google.
6. Separators have been added to rules.
7. Aliases have been expanded but you still might need to as some game ports in there in case I missed some. Will work on this again.
8. Password for this config is gr1mr3aper as you might need it for the system file. Be sure to change it please.Enjoy and test it out if you want and I will continue to work on it as time permits.
-
Have you got a new version.
Because i have got a problem with DNS
Thanks