Netgate Discussion Forum

    Unsure How to Configure Limiter

    Traffic Shaping
      A Former User

      Hi,

      @Nullity:

      Using traffic-shaping queues is probably easier and more powerful.

      I have had bad experiences with traffic shaper so I do not like to use this path.

      Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.

      Well, of course there is a reason. As the guys on site 1 will have only very limited speed while a backup is consuming nearly full bandwidth…

      /KNEBB

        Harvy66

        @knebb:

        Hi,

        @Nullity:

        Using traffic-shaping queues is probably easier and more powerful.

        I have had bad experiences with traffic shaper so I do not like to use this path.

        Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.

        Well, of course there is a reason. As the guys on site 1 will have only very limited speed while a backup is consuming nearly full bandwidth…

        /KNEBB

        I let BitTorrent use all of my free bandwidth with no issues. Idle bandwidth is wasted bandwidth. With proper shaping, you can guarantee every service will get a minimum amount of bandwidth while allowing the unused bandwidth to be utilized in a fair way.

        I've had very good experiences with the traffic shaper, it works exactly how I expect it to. Correct your expectations and you will find the shaper is very powerful. Based on what I've read, it does have a few rough edges with poor driver support if you use lower quality hardware or a 10Gb NIC and they decided not to implement ALTQ.

          A Former User

          @Harvy66:

          I've had very good experiences with the traffic shaper, it works exactly how I expect it to. Correct your expectations and you will find the shaper is very powerful.

          Well, one issue is that traffic shaper does not shape on OpenVPN connections. So I can not divide between different types of traffic inside of the OpenVPN tunnel. But this is what I need!

          Traffic Shaper does not work if you want to prioritize/limit traffic within the same OpenVPN tunnel.

            Nullity

            @knebb:

            @Harvy66:

            I've had very good experiences with the traffic shaper, it works exactly how I expect it to. Correct your expectations and you will find the shaper is very powerful.

            Well, one issue is that traffic shaper does not shape on OpenVPN connections. So I can not divide between different types of traffic inside of the OpenVPN tunnel. But this is what I need!

            Traffic Shaper does not work if you want to prioritize/limit traffic within the same OpenVPN tunnel.

            I thought you could match individual traffic types with firewall rules on the OpenVPN interface itself.

            Please correct any obvious misinformation in my posts.
            -Not a professional; an arrogant ignoramus.

              Nullity

              @knebb:

              Hi,

              @Nullity:

              Using traffic-shaping queues is probably easier and more powerful.

              I have had bad experiences with traffic shaper so I do not like to use this path.

              Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.

              Well, of course there is a reason. As the guys on site 1 will have only very limited speed while a backup is consuming nearly full bandwidth…

              /KNEBB

              Site 1 is where the backup server is? (I am unclear about your network topology.)
              If so, yeah, you would need to shape the download at that end, which queues can accomplish, but it's not as optimal as an uncongested pipe. You could allocate 1Mbit (HFSC link-share) to backup and leave the rest for normal traffic, then when there is no normal traffic the backup will get the full 10Mbit. You could additionally use HFSC upper-limit to hold the backup traffic to some arbitrary max like 9Mbit, so that the link is never fully saturated by backup traffic.

              Please correct any obvious misinformation in my posts.
              -Not a professional; an arrogant ignoramus.
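
The allocation described in the post above, worked through as an added example (not part of the original thread and not pfSense code). It is a simplified steady-state model using weighted max-min sharing, not HFSC's actual service-curve scheduler; the queue names `qBackup` and `qNormal` and the demand figures are constructed for illustration.

```python
"""Simplified steady-state model of link-share plus upper-limit on a 10 Mbit link.

Not HFSC itself: real HFSC schedules packets with service curves. This only
computes the long-run rate each queue converges to (weighted max-min sharing).
"""

def allocate(link_mbit, queues, demand):
    """queues: {name: (linkshare_mbit, upperlimit_mbit or None)}
    demand: {name: offered load in Mbit/s}. Returns {name: rate in Mbit/s}."""
    rate = {name: 0.0 for name in queues}
    # A queue can never exceed its offered load or its upper limit.
    cap = {n: min(demand.get(n, 0.0), ul if ul is not None else link_mbit)
           for n, (_, ul) in queues.items()}
    active = {n for n in queues if cap[n] > 0}
    spare = float(link_mbit)
    while active and spare > 1e-9:
        total_share = sum(queues[n][0] for n in active)
        # Offer each active queue spare bandwidth in proportion to its link-share.
        offer = {n: spare * queues[n][0] / total_share for n in active}
        satisfied = {n for n in active if rate[n] + offer[n] >= cap[n] - 1e-9}
        if not satisfied:
            for n in active:
                rate[n] += offer[n]
            break
        # Satisfied queues take only what they need; the rest is redistributed.
        for n in satisfied:
            spare -= cap[n] - rate[n]
            rate[n] = cap[n]
        active -= satisfied
    return {n: round(r, 3) for n, r in rate.items()}

# Constructed queue sets: 1 Mbit link-share for backup, the rest for normal traffic.
NO_LIMIT = {"qBackup": (1, None), "qNormal": (9, None)}
WITH_LIMIT = {"qBackup": (1, 9), "qNormal": (9, None)}   # upper-limit 9 Mbit

if __name__ == "__main__":
    cases = [
        ("link idle, no upper-limit", NO_LIMIT, {"qBackup": 10}),
        ("link idle, upper-limit 9", WITH_LIMIT, {"qBackup": 10}),
        ("both saturating", WITH_LIMIT, {"qBackup": 10, "qNormal": 10}),
        ("normal needs 4 Mbit", WITH_LIMIT, {"qBackup": 10, "qNormal": 4}),
    ]
    for label, queues, demand in cases:
        print(f"{label:28s} {allocate(10, queues, demand)}")
```

In this model the backup never drops below its 1 Mbit share while it has data to send, which is the property that separates link-sharing from the PRIQ starvation quoted later in the thread.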

                A Former User

                @Nullity:

                Site 1 is where the backup server is? (I am unclear about your network topology.)

                Yes, it is.

                If so, yeah, you would need to shape the download at that end,

                This is what I was going to do with the Limiters of the Traffic shaper.
                I am just unsure how this all works together regarding the correct configuration. Currently it does not limit at all.
                So you say I should configure traffic shaper. Seems to be possible, but as you mention it is far away from being perfect. I had a look what the pfSense docs say regarding HFSC:

                It can be very effective for VoIP on links that degrade quickly, such as 3G/4G, but it can be complex to configure and tweak for proper operation. 
                

                For PRIQ it says:

                 Lower priority queues can be completely starved for bandwidth easily.
                

                Which is bad as I need to have the backup to continue any time. Otherwise it would re-start from scratch…
                And CBQ limits traffic non-dynamically. Bad idea.

                Still, it looks like I can not use traffic shaper.

                So I am back at my first question: How to configure properly to have it up and running?

                I thought you could match individual traffic types with firewall rules on the OpenVPN interface itself.

                No way. Only physical interfaces.

                  Nullity

                  @knebb:

                  No way. Only physical interfaces.

                  Are you sure?

                  Please correct any obvious misinformation in my posts.
                  -Not a professional; an arrogant ignoramus.

                    A Former User

                    @Nullity:

                    @knebb:

                    No way. Only physical interfaces.

                    Are you sure?

                    Pretty much, yes. See attached image. There might be a possibility to configure them on virtual interfaces, but this is not possible with the pfSense GUI. And I am not going on the command line (as these settings will be hidden when you do troubleshooting later).

                    limiter.png

                      Nullity

                      @knebb:

                      @Nullity:

                      @knebb:

                      No way. Only physical interfaces.

                      Are you sure?

                      Pretty much, yes. See attached image. There might be a possibility to configure them on virtual interfaces, but this is not possible with the pfSense GUI. And I am not going on the command line (as these settings will be hidden when you do troubleshooting later).

                      I said firewall rules, not traffic-shaping (which your image shows).

                      You may need to do some reading about how VPN, firewall rules, and traffic-shaping queues/limiters work together…

                      Please correct any obvious misinformation in my posts.
                      -Not a professional; an arrogant ignoramus.

                        A Former User

                        @Nullity:

                        I said firewall rules, not traffic-shaping (which your image shows).

                        Ok, misunderstood.
                        Still, with firewall rules I can not limit my traffic. I can select it and let it pass or block/ drop it.

                        You may need to do some reading about how VPN, firewall rules, and traffic-shaping queues/limiters work together…

                        This is exactly where I need help. As I wrote in my initial post I did some reading.

                        My point is that I do not know why it is not working (where I assume I did some misconfiguration). So what I have is a firewall rule on the LAN interface which matches my traffic (destination host is my backup host). On the advanced options of this rule I configured the In/ Out pipe to use the limiter rules.
                        The limiter itself is configured for an IN and an OUT pipe where the limits are defined.

                        But still- the backup server consumes 10Mbit/sec instead of configured 1Mbit/s.

                          KOM

                          Still, with firewall rules I can not limit my traffic. I can select it and let it pass or block/ drop it.

                          Expand the Advanced section and look for In / Out Pipe.  This is where you direct traffic into a limiter.

                            Nullity

                            First, confirm that your firewall rule is catching the proper traffic. Once that is confirmed you can begin to deal with where that traffic is assigned (limiters or queues).

                            Personally, I think limiters are best used for other things, like dynamic sharing among IPs.
                            Queues, like HFSC, CBQ (with borrowing), or FAIRQ are what I would use here.

                            Please correct any obvious misinformation in my posts.
                            -Not a professional; an arrogant ignoramus.

                              jbourn1907

                              How to read these limiter logs?

                              Thanks.

                              queue.PNG

                                KOM

                                Please don't hijack someone else's thread with unrelated stuff.  Start a new thread.

                                  jbourn1907

                                  Sorry, but I think this thread is still related to limiter.
                                  I configure limiter and I don't know how to read these details so I think anyone here can help me about this.

                                  Thanks and sorry for this.

                                    KOM

                                    Every question in this forum has to do with the shaper or limiter.  This post is specifically about how to configure.  You want to know how to read a log.  Not the same thing.  Start your own thread.

                                      jbourn1907

                                      Ok. Thank you.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.