Seeking best practice advice for bandwidth limiting/sharing

lboregard

hello all, i'm a long time, satisfied pfsense users.

i'm running my pfsense on a 1999 dell pentium III 500mhz, and it just works ! great stuff !

to the point …

i currently have a 7Mbit connection as wan, and a recently upgraded to 15mbit connection dedicated to usenet downloading duties (i download only art conversations, but man are they lengthy :)

i'm thinking of dropping the 7Mbit and share my 15mbit, with approximately the following rules

i will allow usenet downloading to go down to 5mbit, but no more than that
that means if im browsing and downloading stuff on my main box, it could go up to 10mbit if required
if there's no other activity going on, usenet should be doing 15mbit
i want to prioritize openvpn connections from road warriors (mostly myself protecting my connection when at the office or elsewhere, via my phone or tablet)
torrents shouldn't disrupt usenet, so they should have the least of the priorities

i've researched a bit, and from what i understand there seem to be four different ways to achieve this

class based queueing
the example looks like what i need to do, just was put a little bit off by the remark that it isn't elegant but works :)
priority queueing
this doesn't seem to fit my needs
dynamic bandwidth limiting
also seems close to what i want
traffic shaping/L7 traffic shaping
seems a bit more complex to setup

what would be your advice on how to do this, or could you point to some good resource to make an informed decision ?

thanks in advance !

georgeman

HFSC will do all that. Try to set it up and if you have questions or problems, post them up, we will help you ;)

lboregard

ok, i read quite a lot about this, so i think i can describe my planned setup :)

first, my scenario
ISP (tested through speedtest.net)
ISP down speed: 15.12Mb
ISP up speed: 0.97Mb

i'd like the enforce the following policy

guarantee 5Mb down to my usenet downloader if it has anything to download. if no other network activity is taking place, it should use all 15Mb.
give priority to all other traffic (http, https, etc. except p2p), so that it would use up to 10Mb
give as low bandwidth as possible to p2p

i started with this:

as per georgeman's recommended, i should use only 95% of the bandwidth, which would make it DOWN=14.354Mb, UP=0.9214Mb. so i set i to

DOWN = 14.3Mb (this is B in the ack calculation sticky thread)
UP = 0.92Mb (this is A in the ack calculation sticky thread)

as per sticky about ack calculation
my B/A ratio is 14.3/0.92 = 15.5
QUESTION: should i use the 14.3/0.92 or 15.12/0.97 (isp calculated speed)

it's between two values in the lookup table, so it should be approximately

ackWan = 61.5%
ackLan = 0.885%

as per this thread (https://forum.pfsense.org/index.php/topic,69147.msg380302.html#msg380302), i went with

ackWan = 65% (realtime)
ackWan = 5% (linkshare)

ackLan = 5% (realtime)
ackLan = 15% (linkshare)

i went through the traffic shaper wizard, which setup most of the queues, then i tweaked it as described in the attached image

OTHER QUESTIONS:

i don't quite understand the purpose of the WAN/qDefault queue
i set LAN/qInternet/qUsenet realtime value to 33% thinking its about the 5Mb guaranteed i need. can i specify 5Mb here directly ?
in the floating rules, i can set rules to send p2p traffic to qP2P and usenet traffic to qUsenet. I added a LAN/qDefault queue to redirect all traffic to it, but how do i do that ?
i'm thinking about adding a qDns rule with a linkshare value (and perhaps realtime value) just below qAck. Is that necessary ?

i'm only testing in a pfsense vm, before i commit changes to my production servers. does it sound like it would work ?

hope it is clear enough that you can provide me further advice

![Screen Shot 2014-02-16 at 11.16.42 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-16 at 11.16.42 AM.png)
![Screen Shot 2014-02-16 at 11.16.42 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-02-16 at 11.16.42 AM.png_thumb)

georgeman

@lboregard:

OTHER QUESTIONS:

i don't quite understand the purpose of the WAN/qDefault queue

Incoming traffic on WAN (port forwards, for example) not assigned to any other queue, will go to qDefault

@lboregard:

i set LAN/qInternet/qUsenet realtime value to 33% thinking its about the 5Mb guaranteed i need. can i specify 5Mb here directly ?

Yes. Make sure you don't exceed 80% of the interface bandwidth

@lboregard:

in the floating rules, i can set rules to send p2p traffic to qP2P and usenet traffic to qUsenet. I added a LAN/qDefault queue to redirect all traffic to it, but how do i do that ?

Traffic not explicitly assigned to a queue will go into the interface's default queue (the one with the option set, name is irrelevant)

@lboregard:

i'm thinking about adding a qDns rule with a linkshare value (and perhaps realtime value) just below qAck. Is that necessary ?

I usually don't find it necessary but it is not a bad idea. DNS will mainly benefit from realtime

lboregard

thanks georgeman, will work on this over the next few days

please clarify something

@georgeman:

@lboregard:

OTHER QUESTIONS:
…

@lboregard:

in the floating rules, i can set rules to send p2p traffic to qP2P and usenet traffic to qUsenet. I added a LAN/qDefault queue to redirect all traffic to it, but how do i do that ?

Traffic not explicitly assigned to a queue will go into the interface's default queue (the one with the option set, name is irrelevant)

in my sample setup, the wizard created qLink as the default queue, then i set the bandwith and m2 linkshare values to the difference between my lan speed (1gb) vs my wan down speed (15mb) (as per another thread suggestion)
now, i cant quite see how to specify that qLink should have lower m2 linkshare than qAck.
that is probably why i created qDefault, so i could check this really as default, but i don't know what would be the consequences of dropping qLink as default.

georgeman

You are right, I forgot the wizard sets up a qLink queue.

Easy answer: delete the qLink queue and use your qDefault as the default queue. Traffic not explicitly assigned will go here

Long, complicated and correct answer: the qLink is created to catch traffic between local interfaces. Since it is supposed to be the default queue, you need another bulk queue to send untagged traffic to (qDefault in your case). The best way to do this would be with a floating rule with interface WAN, direction OUT, action match, destination ! WAN subnet, queue qDefault, on top of any other floating rules. This way traffic going to any device hanging on your WAN subnet will go to qLink, and whatever else to qDefault. Considering the way it internally works, rules applied on LAN will have precedence so this will not interfere with the regular queueing practices. All of this is relevant if you have traffic going between local interfaces (or you are a maniac like I am), otherwise you can skip it

lboregard

thanks a lot, georgeman ! i set apart some time to test this over the weekend

i'm kind of maniac, but i'm sure you beat me ! :)

nevertheless, i will try the long, complicated and correct way … if it doesn't work, i will revert to the easy answer :)

i have a question though

@georgeman:

…. The best way to do this would be with a floating rule with interface WAN, direction OUT, action match, destination ! WAN subnet, queue qDefault, on top of any other floating rules. This way traffic going to any device hanging on your WAN subnet will go to qLink, and whatever else to qDefault. ....

my wan subnet is a range from my isp, how would i benefit from sending traffic to it via qLink, since my overall bandwidth will be limited to at most the 15Mb of my connection, i will never hit 1Gb when talking to another address in the ISP range.

georgeman

This only makes sense if you have other local devices in you WAN subnet. If you have only 1 LAN and 1 WAN, with no other local devices on WAN, then you can skip the qLink part and set another queue as the default one

lboregard

so, i went ahead and implemented my proposed scenario, but obviously it's not working

all traffic goes through qDefault, downloading a file (http) is slow as molasses and i have dropped packets

my usenet box has ip 192.168.23.71 and it reaches the usenet server at port 443.

although the rule exists for this, this traffic is being assigned to qDefault.

Not even the qAck is being used.

im attaching some relevant screenshots…

can't figure it out .. i'd appreciate any help.

LAN+qInternet_result.png
LAN+qInternet_result.png_thumb
LAN+qAck_result.png
LAN+qAck_result.png_thumb
LAN+qDefault_result.png
LAN+qDefault_result.png_thumb
LAN+qUsenet_result.png
LAN+qUsenet_result.png_thumb

rules_result.png_thumb
![rules for qUsenet_result.png](/public/imported_attachments/1/rules for qUsenet_result.png)
![rules for qUsenet_result.png_thumb](/public/imported_attachments/1/rules for qUsenet_result.png_thumb)
pftop+queues_result.png
pftop+queues_result.png_thumb
pftop+queues2_result.png
pftop+queues2_result.png_thumb

georgeman

Screen caps are too small!!

Remember anyway that queuing floating rules match from top to bottom, and the last rule matching is the one enforced. So qDefault should go at the top and the more specific ones down below

lboregard

thank you georgeman.

i've attached the images to an imgur album (http://imgur.com/a/RzHJO)

i'm pretty sure it's working now … the main thing i did was to change rules' settings to make them apply to both wan and lan, that seemed to do the trick... or perhaps it just needed a while to take (i left it overnight, when i woke up it was working)

the only thing i notice is that previously usenet hit about 1800KB/s, now it tops out at about 1600KB/s (having nothing else going on the network).

should i be able to hit 1800KB/s or this is due to the 95% rule of bandwidth ?