Netgate Discussion Forum
Emulation of VSAT speed with pfSense
Traffic Shaping
    Derelict LAYER 8 Netgate, last edited Jan 15, 2017, 6:37 PM

    WAN subnet is not the internet. It is the WAN interface subnet. Internet is usually dest any.

    You need to make rules that set limiters on any interface connections are initiated from.

    So if you are only testing from connections initiated by hosts on LAN, you probably want something like:

    Action: Pass
    Interface: LAN
    Protocol: any
    Source: LAN Subnet
    Destination: WAN Subnet
    Description: LAN to WAN Subnet
    No limiters set. This is LAN to WAN subnet traffic and is local traffic

    Followed by:

    Action: Pass
    Interface: LAN
    Protocol: any
    Source: LAN Subnet
    Destination: any
    Description: LAN to Internet over VSAT
    In = VSATLimitUP & Out = VSATLimitDown

    If connections are coming into WAN, like with port forwards or something, the easiest place to set the limiters is on the rules that are already there passing traffic. You might want to make another firewall rule above them that passes traffic from WAN subnet dest port forward target that does not set limiters if you are testing incoming connections from local hosts on WAN subnet.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

      mikemastercorp, last edited Jan 16, 2017, 6:13 AM

      Thank you very much, Derelict, for the detailed instructions. Most likely I am getting confused by the fact that the WAN interface for me is taken as the Internet source; however, looking at your info it seems like I am wrong, as the WAN and LAN are two different private local networks where pfSense would act just as a bridge from the first network to the second.

      Do you think that I should apply similar rules to allow access from the WAN interface to the LAN network (after the pfSense box)? To make my task even harder, I was instructed today to provide certain IP's with no limitations accessing the 192.168.170.0/24 network but the rest should be passed through the same VSAT limiters. The whole idea is to simulate incoming and outgoing traffic over VSAT speed where the defined IP's would be used to manage some of the devices on the LAN net and need to have the full speed for that.

      Knowing your info, I will give the box a try and let's see what is going to happen.

      Btw, do you have any information about why a freshly installed pfSense box would have a minute interval attempts to connect to external networks?

      Here is the log I got from our firewall:

      --------------------------------------------------------
      192.168.9.254    Jan 10 11:08:25  Jan      local6    warning 10 2017 11:08:19          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:202.12.27.33/53 to INSIDE_V109:192.168.9.112/13849; packet length 1097 bytes exceeds configured limit of 512 bytes
      192.168.9.254    Jan 10 11:08:25  Jan      local6    warning 10 2017 11:08:19          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:217.149.76.228/53 to INSIDE_V111:192.168.11.10/57447; packet length 519 bytes exceeds configured limit of 512 bytes
      192.168.9.254    Jan 10 11:08:25  Jan      local6    warning 10 2017 11:08:19          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:202.12.27.33/53 to INSIDE_V109:192.168.9.112/37048; packet length 1097 bytes exceeds configured limit of 512 bytes
      192.168.9.254    Jan 10 11:08:26  Jan      local6    warning 10 2017 11:08:20          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:192.58.128.30/53 to INSIDE_V109:192.168.9.112/25684; packet length 1097 bytes exceeds configured limit of 512 bytes
      192.168.9.254    Jan 10 11:08:26  Jan      local6    warning 10 2017 11:08:20          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:192.58.128.30/53 to INSIDE_V109:192.168.9.112/19010; packet length 1097 bytes exceeds configured limit of 512 bytes
      192.168.9.254    Jan 10 11:08:26  Jan      local6    warning 10 2017 11:08:20          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:198.97.190.53/53 to INSIDE_V109:192.168.9.112/18967;

      As far as this box is intended to be used ONLY as a limiter to emulate the VSAT speed and no other services are required, I turned off the DNS services; however it seems that I am still missing something and need to make sure that these connections stop, as we have some important update tasks happening during the night hours and eventual drops might overwhelm the network...

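The ASA excerpt above is easier to reason about once it is parsed rather than eyeballed. The following is an added example (not part of the post, and not Cisco or pfSense code): it extracts the %ASA-4-410001 fields from syslog lines in the shape of the excerpt, tolerates the truncated last line (which has no length field), and tallies dropped replies per inside host so you can see which resolver on the inside is losing answers and from which upstream servers. The sample lines are the six from the post; the helper names are my own.

```python
"""Parser and per-host summary for Cisco ASA %ASA-4-410001 DNS-reply drops.

Added example, not part of the forum post and not Cisco or pfSense code.
It reads syslog lines in the shape of the excerpt above, extracts who sent
the oversized reply and which inside host it was meant for, and handles the
truncated final line (no length field) that appears in the excerpt.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Sample input: the six lines from the excerpt above (the last one truncated, as on the page).
SAMPLE_LOG = """\
192.168.9.254    Jan 10 11:08:25  Jan      local6    warning 10 2017 11:08:19          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:202.12.27.33/53 to INSIDE_V109:192.168.9.112/13849; packet length 1097 bytes exceeds configured limit of 512 bytes
192.168.9.254    Jan 10 11:08:25  Jan      local6    warning 10 2017 11:08:19          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:217.149.76.228/53 to INSIDE_V111:192.168.11.10/57447; packet length 519 bytes exceeds configured limit of 512 bytes
192.168.9.254    Jan 10 11:08:25  Jan      local6    warning 10 2017 11:08:19          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:202.12.27.33/53 to INSIDE_V109:192.168.9.112/37048; packet length 1097 bytes exceeds configured limit of 512 bytes
192.168.9.254    Jan 10 11:08:26  Jan      local6    warning 10 2017 11:08:20          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:192.58.128.30/53 to INSIDE_V109:192.168.9.112/25684; packet length 1097 bytes exceeds configured limit of 512 bytes
192.168.9.254    Jan 10 11:08:26  Jan      local6    warning 10 2017 11:08:20          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:192.58.128.30/53 to INSIDE_V109:192.168.9.112/19010; packet length 1097 bytes exceeds configured limit of 512 bytes
192.168.9.254    Jan 10 11:08:26  Jan      local6    warning 10 2017 11:08:20          %ASA-4-410001: Dropped UDP DNS reply from OUTSIDE:198.97.190.53/53 to INSIDE_V109:192.168.9.112/18967;
"""

# Only the message text is matched; the syslog prefix varies by collector.
# The "packet length ..." clause is optional so a truncated line still yields an event.
MSG_RE = re.compile(
    r"%ASA-4-410001: Dropped UDP DNS reply from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+);"
    r"(?: packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes)?"
)


def parse_drops(text: str) -> List[dict]:
    """Return one dict per 410001 message; length/limit are None when the line is truncated."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("src_port", "dst_port", "length", "limit"):
            ev[key] = int(ev[key]) if ev[key] is not None else None
        events.append(ev)
    return events


def summarize_by_inside_host(events: List[dict]) -> Dict[str, dict]:
    """Group drops by the inside host that never received its DNS answer.

    'servers' lists the upstream servers whose replies were dropped and
    'max_len' the largest reply seen (None if every line for that host was truncated).
    """
    out: Dict[str, dict] = defaultdict(
        lambda: {"drops": 0, "servers": set(), "max_len": None, "limit": None})
    for ev in events:
        host = out[ev["dst_ip"]]
        host["drops"] += 1
        host["servers"].add(ev["src_ip"])
        if ev["length"] is not None:
            host["max_len"] = ev["length"] if host["max_len"] is None else max(host["max_len"], ev["length"])
        if ev["limit"] is not None:
            host["limit"] = ev["limit"]
    # Sort the server sets so the summary is deterministic.
    return {ip: {**h, "servers": sorted(h["servers"])} for ip, h in out.items()}


if __name__ == "__main__":
    for ip, h in summarize_by_inside_host(parse_drops(SAMPLE_LOG)).items():
        print(f"{ip}: {h['drops']} dropped replies, largest {h['max_len']} bytes "
              f"(limit {h['limit']}), from {', '.join(h['servers'])}")
```

Run over the excerpt, the summary shows that almost all drops are replies of 1097 bytes addressed to 192.168.9.112 (which later in the thread turns out to be the pfSense WAN address), from three different upstream servers. Replies well above 512 bytes are normal for a resolver that uses EDNS, so the tally points at the ASA's DNS message-length limit rather than at anything unusual the pfSense box is doing.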
        Derelict LAYER 8 Netgate, last edited Jan 16, 2017, 8:09 AM

        Those logs to me look like the ASA has a 512-byte limit on DNS responses, which seems nonsensical to me. Not sure what to say about those ASA logs.

        Seems to me that if you had a better understanding about how pfSense rules are applied on interfaces this would be pretty simple. It is not hard to make traffic sourced from one set of addresses be excluded from limiters, for instance.

        Nothing between LAN and WAN is bridged. It is all routed.

        It looked like you had a misunderstanding about what WAN network meant.

        Look at the diagram in my signature:

        LAN Network: 172.25.232.0/24
        Host A: 172.25.232.100
        WAN network: 172.25.228.0/24
        WAN address: 172.25.228.5

        If you make a rule that passes traffic source 172.25.232.100 dest WAN network you are not passing traffic from Host A to the internet. You are passing traffic from source 172.25.232.100 to dest 172.25.228.0/24.

        In order to pass traffic to the internet you need to pass traffic from source 172.25.232.100 to destination any. The firewall will be looking at the source and destination addresses of the packets with no regard to the intermediate interface addresses.

        Interface rules are evaluated from the top down and when a match is found processing stops and the traffic is blocked or passed based on that match. If there is no match, the traffic is blocked by the default deny rules.

        So in your latest scenario you said this:

        I was instructed today to provide certain IP's with no limitations accessing the 192.168.170.0/24 network but the rest should be passed through the same VSAT limiters.

        That does not sound difficult to do but I need more information, like the source address/interface of the traffic in question. You might need to produce a diagram. It doesn't need to be a Rembrandt but should include the pfSense interfaces and their subnets and where this VSAT limiter is placed.

        As far as this box is intended to be used ONLY as a limiter to emulate the VSAT speed and no other services are required, I turned off the DNS services however it seems that I am missing still something and need to make sure that this connections stop as we have some important update tasks happening during the night hours and an eventual drops might overwhelm the network…

        Nothing pfSense does by default should interrupt any normal network operations.


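The two points Derelict makes (interface rules are evaluated top-down with first match winning and default deny at the end, and "WAN subnet" is the WAN interface's own network rather than the internet) can be checked mechanically. The following is an added example, not pfSense code: a small first-match evaluator over the LAN rule pair from the first post, using the 172.25.232.0/24 and 172.25.228.0/24 addresses from the diagram explanation above. The `Rule`, `evaluate` and `LAN_RULES` names are mine; ports and IPv6 are left out for brevity.

```python
"""First-match evaluation of pfSense-style interface rules.

Added example; this is not pfSense code. It models what the posts above
describe: interface rules are walked top-down, the first match decides,
a packet that matches nothing hits the default deny, and the matched rule
carries the limiter pair (In/Out pipe) that the traffic is assigned to.
Addresses are those from the diagram explanation; the rule set is the LAN
rule pair from the first post. Rules are simplified (no ports, IPv4 only).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN_NET = ip_network("172.25.232.0/24")
WAN_NET = ip_network("172.25.228.0/24")   # the WAN *interface* subnet, not "the internet"

SELECTORS = {"lan_subnet": LAN_NET, "wan_subnet": WAN_NET}


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    interface: str                   # interface the packet enters on
    src: str                         # "lan_subnet", "wan_subnet" or "any"
    dst: str
    description: str
    in_pipe: Optional[str] = None    # limiter for traffic entering the interface
    out_pipe: Optional[str] = None   # limiter for the reply direction


def _matches(selector: str, addr) -> bool:
    return selector == "any" or addr in SELECTORS[selector]


def evaluate(rules: List[Rule], interface: str, src_ip: str,
             dst_ip: str) -> Tuple[str, str, Tuple[Optional[str], Optional[str]]]:
    """Walk the ruleset top-down; return (action, description, (in_pipe, out_pipe))."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.interface != interface:
            continue
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action, rule.description, (rule.in_pipe, rule.out_pipe)
    return "block", "default deny", (None, None)   # nothing matched


# LAN ruleset from the first post: local traffic first (no limiters), then everything else via VSAT pipes.
LAN_RULES = [
    Rule("pass", "LAN", "lan_subnet", "wan_subnet", "LAN to WAN Subnet"),
    Rule("pass", "LAN", "lan_subnet", "any", "LAN to Internet over VSAT",
         in_pipe="VSATLimitUP", out_pipe="VSATLimitDown"),
]


if __name__ == "__main__":
    host_a = "172.25.232.100"
    print(evaluate(LAN_RULES, "LAN", host_a, "172.25.228.50"))   # local: passes, no limiter
    print(evaluate(LAN_RULES, "LAN", host_a, "8.8.8.8"))         # internet: passes via VSAT pipes
    # A rule to "WAN Subnet" alone does not reach the internet: keep only the first rule and retry.
    print(evaluate(LAN_RULES[:1], "LAN", host_a, "8.8.8.8"))     # default deny
```

The third call is the misunderstanding from earlier in the thread in one line: with only the "LAN to WAN Subnet" rule present, a packet for 8.8.8.8 matches nothing and falls through to the default deny. Ordering matters in the same way: if the "any" rule came first, local LAN-to-WAN-subnet traffic would also be pushed through the limiters.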
          mikemastercorp, last edited Jan 16, 2017, 5:23 PM

          Thank you very much for your willingness to help and assist, Derelict. You can't be more certain that I am having some confusion about the way firewalls in general work, which would cause some confusion on the terminology used in pfSense. No offence to the devs and all the people using it, there is nothing wrong with the names or else, it is just me who needs to adapt and better understand the approach. I checked out your diagram and quickly drew one for our needs. I am sure that a million words could not explain as well as a single diagram, so I did my best to make it clear what the structure is, what the goal is, etc.

          So as per the diagram, VESSEL LAN and Office LAN need to communicate in both directions with the VSAT delay of 128Kbps/64 and latency of 700ms. Same thing to apply when the VESSEL LAN goes to Internet.

          Hope this would make more sense. Meanwhile I had to reinstall the box as the hard drive I used failed, so once I am back online I will try to implement the rules you suggested and see if my better understanding now would make everything work as intended.

          Once again, thanks for finding some time to write the info and most of all for the willingness to share it, as this is what makes a product good: its nice and sharing community :)

          [attachment: pfSense-office-vessel-diagram.jpg]

            mikemastercorp, last edited Jan 16, 2017, 8:32 PM

            OK. I applied the rules as per your instructions adding the speeds that the management wants to have (128Kbps Down and 64Kbps up) and it seems to be working.

            The issue left to deal with is the ping that is still showing 7-8ms to google (the download is limited though) and to allow access from the Office LAN (setup as WAN) to the VESSEL LAN.

            I added a route on my computer for the test:

            route add 192.168.170.0 mask 255.255.255.0 192.168.9.112

            however that does not let the traffic through.

            I also added a rule Any to LAN Net with no specific ports and no limiters and moved it to the top, but am still not able to communicate from Office LAN to Vessel LAN over pfSense. Something is still missing and looking at the logic - it is another rule on the box to allow the traffic.

            From my computer (192.168.9.148) I am able to ping 192.168.9.112 but am not able to ping 192.168.170.1 (the second pfSense Interface). Shouldn't the rule Any to Vessel LAN allow it? (the rule has been saved and applied. I even tried to reboot the box but that did not help either).

              mikemastercorp, last edited Jan 16, 2017, 9:18 PM

              Could the access be blocked due to the RFC1918 as both of my networks are private 192.168.x.x or I would have seen the rules in LAN/WAN?

                mikemastercorp, last edited Jan 17, 2017, 11:46 AM

                I checked this morning and the blocking of RFC1918 was not active. What puzzled me was the fact that I can ping the WAN interface but not the LAN of the pfSense even though I added a rule from WAN Net to LAN Net as well as from IP to IP. At the same time I am able to ping from pfSense a host on the LAN and WAN network.

                  Derelict LAYER 8 Netgate, last edited Jan 17, 2017, 10:38 PM

                  In that case you want to be sure block RFC1918 is disabled on both LAN and WAN. I want to be 100% sure the following is clear:

                  LAN network = 192.168.170.0/24
                  WAN Network = 192.168.9.0/24
                  any = any including the internet

                  Are you just trying to use pfSense to simulate the VSAT here or are you developing something that will be deployed using pfSense?

                  If the former, you should probably:

                  Disable NAT and place pass any any any rules on WAN to match LAN.

                  If the latter you want to keep WAN rules there.

                  Your diagram says: Limit both ways communication 128Kbps/64Kbps latency 700ms.

                  I presume that really means 128Kbps into WAN (download) and 64Kbps out WAN (upload)

                  You have lots of potential issues with that design. First is that I presume all of the hosts on 192.168.9.0/24 have 192.168.9.254 as their default gateway. That means 192.168.9.254 will receive all traffic destined for 192.168.170.0/24 and will have to hairpin it back out the interface it arrived on and send it to 192.168.9.112. Not ideal.

                  Are you concerned only with connections originating from Vessel LAN out (web browsing, pinging google, etc) or are you also trying to limit connections going to Vessel LAN originating from the outside (the internet or Office LAN)? That dictates where the rules go.

                  Why do they care about full-speed access from certain hosts on 192.168.170.0/24 - that is only complicating your testing with a requirement that cannot exist in the real world. They should figure out what they really want you to do. I would personally belay that request until everyone is limited, then bypass the limiters for certain traffic after it's all working how you want. Smack someone on the noggin there.

                  So, ignoring that requirement, I would make two limiters:

                  From_VSAT (which is LAN downloads)

                  Bandwidth: 128 Kbit/s
                  Mask: None
                  Delay: 350ms

                  To_VSAT (which is LAN uploads)

                  Bandwidth: 64 Kbit/s
                  Mask: None
                  Delay: 350ms

                  Connections from LAN out:

                  Floating rules:

                  Action: Match
                  Interface: WAN
                  Direction: out
                  Address Family: IPv4
                  Protocol: any
                  Source: any
                  Dest: any
                  In/Out pipe: To_VSAT/From_VSAT

                  Connections from WAN in:

                  Bandwidth: 64 Kbit/s
                  Mask: None
                  Delay: 350ms

                  Connections from LAN out:

                  Floating rules:

                  Action: Match
                  Interface: WAN
                  Direction: in
                  Address Family: IPv4
                  Protocol: any
                  Source: any
                  Dest: any
                  In/Out pipe: From_VSAT/To_VSAT

                  At least I think that's what you want. I might have time to try that here today.


                    Derelict LAYER 8 Netgate, last edited Jan 17, 2017, 10:55 PM

                    Looks like you need to set the gateway on the floating WAN out rule.

                    PING 8.8.8.8 (8.8.8.8): 56 data bytes
                    64 bytes from 8.8.8.8: icmp_seq=0 ttl=45 time=763.081 ms
                    64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=762.011 ms
                    64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=763.005 ms

                    --- 8.8.8.8 ping statistics ---
                    3 packets transmitted, 3 packets received, 0.0% packet loss
                    round-trip min/avg/max/stddev = 762.011/762.699/763.081/0.487 ms

                    :)


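The ~762 ms ping above is what the two limiters from the previous post (To_VSAT at 64 Kbit/s and From_VSAT at 128 Kbit/s, 350 ms delay each) should produce, once the real path latency is added. The following is an added example, not pfSense or dummynet code: it models each limiter as a FIFO pipe with a bandwidth and a fixed delay, maps the floating-rule directions from the post (WAN out to To_VSAT, WAN in to From_VSAT) to the pipes, and computes when packets exit. The 45 ms "real" path RTT, the 84-byte ICMP packet size and the 100 KB transfer are constructed values; the `Pipe`, `make_pipes`, `ping_rtt_s` and `download_time_s` names are mine.

```python
"""Two dummynet-style limiters as FIFO pipes: bandwidth plus fixed delay.

Added example, not pfSense or dummynet code. It models the To_VSAT
(64 Kbit/s) and From_VSAT (128 Kbit/s) limiters defined in the thread, each
with 350 ms of delay, and computes packet exit times so you can see where a
~760 ms ping comes from and what a bulk download looks like through the
128 Kbit/s pipe. The 45 ms real-path RTT, the 84-byte ICMP packet and the
100 KB transfer are constructed values, not from the thread.
"""
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class Pipe:
    name: str
    bandwidth_bps: int
    delay_s: float
    busy_until: float = field(default=0.0, init=False)  # when the link finishes its last packet

    def send(self, arrive_s: float, size_bytes: int) -> float:
        """Return the time a packet leaves the pipe.

        Serialization starts once the link is free (FIFO, unbounded queue),
        then the fixed delay is added: this is what a bandwidth+delay limiter does.
        """
        start = max(arrive_s, self.busy_until)
        self.busy_until = start + size_bytes * 8 / self.bandwidth_bps
        return self.busy_until + self.delay_s


def make_pipes() -> Tuple[Pipe, Pipe]:
    """Fresh copies of the two limiters with the values defined in the thread."""
    return Pipe("To_VSAT", 64_000, 0.350), Pipe("From_VSAT", 128_000, 0.350)


def pipe_for_wan_direction(direction: str, to_vsat: Pipe, from_vsat: Pipe) -> Pipe:
    """Floating-rule mapping from the thread: WAN out -> To_VSAT, WAN in -> From_VSAT."""
    return {"out": to_vsat, "in": from_vsat}[direction]


def ping_rtt_s(path_rtt_s: float = 0.045, size_bytes: int = 84) -> float:
    """One ICMP echo: request leaves via WAN out (To_VSAT), reply enters via WAN in (From_VSAT)."""
    to_vsat, from_vsat = make_pipes()
    t = pipe_for_wan_direction("out", to_vsat, from_vsat).send(0.0, size_bytes)
    t += path_rtt_s                                   # time spent on the real internet path
    return pipe_for_wan_direction("in", to_vsat, from_vsat).send(t, size_bytes)


def download_time_s(total_bytes: int, mtu: int = 1500) -> float:
    """Time until the last byte of a backlogged download exits From_VSAT."""
    _, from_vsat = make_pipes()
    sent, exit_t = 0, 0.0
    while sent < total_bytes:
        size = min(mtu, total_bytes - sent)
        exit_t = from_vsat.send(0.0, size)            # sender has everything queued at t=0
        sent += size
    return exit_t


if __name__ == "__main__":
    print(f"ping RTT through both limiters: {ping_rtt_s() * 1000:.1f} ms")
    secs = download_time_s(100_000)
    print(f"100 KB download: {secs:.2f} s, {100_000 / secs / 1024:.1f} KiB/s goodput")
```

With these numbers the ping comes out at about 761 ms: 350 ms of delay in each direction, a few milliseconds of serialization at 64 and 128 Kbit/s, and the 45 ms the real path takes. The download figure also shows why the later remark about TCP performance enhancers matters: a sender that only has one window in flight per 700+ ms round trip will not keep even a 128 Kbit/s pipe full, which is exactly the behaviour a real VSAT provider's PEP hides from the endpoints.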
                      Derelict LAYER 8 Netgate, last edited Jan 18, 2017, 12:18 AM

                      Note also this is going to perform horribly compared to what you will actually experience on a VSAT link. They will put your traffic through performance enhancers that keep the TCP sessions on both sides happy so they don't think they are really being subjected to 800ms of latency.

                      Seems to be working here:

                      ![Screen Shot 2017-01-17 at 4.17.41 PM.png](/public/imported_attachments/1/Screen Shot 2017-01-17 at 4.17.41 PM.png)


                        mikemastercorp, last edited Jan 18, 2017, 1:23 AM

                        Derelict, thank you hugely for the info. I was allowed today to order the definitive guide of pfSense which should be in my possession in the next few days. I hope the value of the book would support the development and the author.

                        A brief story of the reasons to need the emulations. We have on the company roof an actual VSAT antenna that was planned to be used for our needs to emulate a vessel that has the same identical hardware. Due to the winter season, the antenna was suspended. As far as we need to imitate the speed of VSAT to the rack, I decided to use pfSense of which I have only heard that can do the job easily and supports the functionality out of the box.

                        Now back to the networks. 192.168.170.1, presently the LAN interface of pfSense, on the actual vessel is the VSAT connection with the defined speeds that is used for incoming and outgoing communication. While in the office and working in IT, we need to connect to the vessels and fix ongoing issues or test/improve existing functionality. Because we connect over the VSAT to the vessel, I am trying to duplicate all the conditions just like we are connecting to a real ship. Achieving this would allow us to run some tests over a rack that is physically in the office instead of testing something in a real working environment where, if things go wrong, it would affect the ship operations.

                        In other words, 192.168.170.X devices need to go to the Internet through 192.168.170.1 -> 192.168.9.112  and any 192.168.9.X interface to go to 192.168.170.X device through 192.168.9.112 -> 192.168.170.X

                        The reason to ask for a few IP's to have unlimited access is that sometimes, to test new functionality, we need to be able to transfer large files which in a real environment can take days. In a scenario where the rack is nearby, we can copy the files and bring them on USB/HDD; however, if we allow 1-2 IP's access to 192.168.170.X passing through the real LAN (with no limiters), the job is done perfectly. In case you think this would confuse the situation, we can say that a communication 192.168.170.0 <--> 192.168.9.112 <--> the Internet with the VSAT limit would work fine, as we all will have access to the firewall administrative interface so we can temporarily manipulate the box to have full LAN speed and once finished return it to the proper values.

                        I will try what you suggested first thing tomorrow morning and inform you how that goes. Once we figure it out, I am planning to write down a descriptive howto for our needs but will share it here, so that the next time somebody is looking for similar functionality/structure, they know where to find it.

                        Thanks again for your superb and prompt assistance. As far as I had some dealing with BSD/Linux, the firewalls/networking were never my strongest part to be honest. Slowly I am getting there but as of now, I feel like pfSense can replace quite a few of our office ASA boxes that we use sort of for the same functionality (if less than pfSense can offer with the proper setup and knowledge).

                          Derelict LAYER 8 Netgate, last edited Jan 18, 2017, 1:38 AM

                          Figured it was something like that. Bypassing limiters on those WAN in rules will be pretty trivial once you know the limiters are working.

                          Still going to totally suck compared to the optimized connections the VSAT provider will give you.


                            mikemastercorp, Jan 18, 2017, 5:11 AM (last edited 5:21 AM)

                            Derelict, for sure there is nothing better than the original equipment, as the initial idea was to have a 1x1 copy of a vessel in the office in order to have prompt test metrics. However we've been told that the satellite dish might be nonoperational for a while and I did not want to lose more time but start the planned work. Having an emulation of VSAT simply put would eliminate the possibility to troubleshoot the modem, ACU, and PCU, but having a limited speed would at least be something compared to nothing so far. I took the challenge to start with pfSense (even knowing about my lack of advanced networking skills) in order to start improving that and most of all to learn. As you said, once the basic principles are acknowledged, we might start thinking of other ways to use pfSense other than just having it as a simple traffic shaper; however, it is just the beginning :)

                            With a risk to repeat myself, I really really really appreciate your shared info and will come back tomorrow as soon as I try it. Either with the how-to manual or with a question ;)

                              mikemastercorp, last edited Jan 18, 2017, 5:25 AM

                              Btw, I see several videos on the Internet testing pfSense in a virtual environment. Could you share what you find as the best approach to start with? I thought to play some tests at home and not wait for the office working hours, but starting to install 2 VM's now and setting up a pfSense seemed a bit overwhelming. So do you consider Hyper-V, ESX or VirtualBox a good alternative to start with, or are there other tools that would make it easier to just fire up and test? I also heard of some testing with GNS3 but have not played with it yet…

                                Derelict LAYER 8 Netgate, last edited Jan 18, 2017, 5:38 AM

                                I am testing this in XenServer. I believe it works fine in all of those listed.

                                https://doc.pfsense.org/index.php/Category:Virtualization

                                https://forum.pfsense.org/index.php?board=37.0


                                  mikemastercorp, last edited Jan 18, 2017, 10:03 PM

                                  Hello again.

                                  I reset the box to factory settings just to make sure no previous rules or settings are active and messing with the result. Here are the steps I took:

                                  1. Went to Limiters and as per your instructions created the FROM_VSAT and TO_VSAT (proper values added).

                                  2. Went to add a floating rule: MATCH-WAN-OUT-IPv4-ANY-ANY-ANY-TO_VSAT/FROM_VSAT (here I had to select the GW as you mentioned)
                                  3. Added another floating rule: MATCH-WAN-IN-IPv4-ANY-ANY-ANY-FROM_VSAT/TO_VSAT
                                  4. Disabled NAT
                                  5. Made sure private and bogon networks are not blocked on both WAN & LAN

                                  Tested to ping from 192.168.9.148 and was able to reach successfully the 192.168.170.10 (a client PC)!!!

                                  I was able to ping from 192.168.170.10 the 192.168.9.148 successfully as well!!

                                  However, I was not able to browse the Internet from 192.168.170.10 or any other device on the network (and yes, I made sure there is no firewall blocking the connection, nor antivirus etc.). Before today, I had a connection from the 192.168.170.0 network to the Internet, however I was not able to get from the 192.168.9.0 network to 192.168.170.0, but now it is something different. Did I miss something?

                                    Derelict LAYER 8 Netgate, last edited Jan 19, 2017, 6:18 AM

                                    Just set the WAN interface with a gateway to, IIRC, the .9 address.

                                    None of those floating match rules have anything to do with actually passing traffic.

                                    Disabling NAT is probably not what you want to do. If you do you will have to add a route for the IP subnet on LAN side of pfSense to the edge router.

                                    I see where I said disable NAT below but that was for a specific scenario. Re-enable automatic NAT and you will probably be fine.


                                      mikemastercorp, last edited Jan 25, 2017, 2:49 PM

                                      Hello Derelict.

                                      Sorry for the delay of my response, as I promised to come back and advise if it works or not.

                                      I applied your rules on a fresh pfSense install and started testing. The PC had Internet until I applied the FROM_VSAT and TO_VSAT to WAN out traffic. After setting up the in/out settings, I was able to resolve, ping and traceroute to the host, but could not browse the page itself.

                                      What I did was to add a rule in Firewall>Rules>LAN with the following:

                                      Action: Pass
                                      Interface: LAN
                                      Address Family: IPv4 (we do not use IPv6 in the company)
                                      Protocol: any
                                      Source: any
                                      Destination: any
                                      Description: LAN ANY TO ANY
                                      In/Out: To_VSAT / From_VSAT

                                      Saved the rule, moved it to the top, applied the settings, and after that all works like a charm. Incoming connections are limited to the speed and latency set up in the limiters for both directions, but at the same time any LAN traffic is unlimited, so a ping from the LAN Net to LAN Net is not affected. I find it useful to have an option to apply the limiters to the LAN network as well for some tests, where in a production environment there is a need to troubleshoot a slow network/latency.

                                      I am extremely grateful for your help and I hope that this short tutorial plus your extensive instructions would be useful for others who need to emulate VSAT or just any other bandwidth, latency, packet drop etc. limitations. The options are limitless and it is up to us to see how we can use it.
