Emulation of VSAT speed with pfSense
-
Could the access be blocked due to the RFC1918 as both of my networks are private 192.168.x.x or I would have seen the rules in LAN/WAN?
-
I checked this morning and the blockage of RFC1918 was not active. What puzzled me was the fact that I can ping the WAN interface but not the LAN of the pfSense even though I added a rule from WAN Net to LAN Net as well as from IP to IP. At the same time I am able to ping from pfSense a host on the LAN and WAN network.
-
In that case you want to be sure block RFC1918 is disabled on both LAN and WAN. I want to be 100% sure the following is clear:
LAN network = 192.168.170.0/24
WAN Network = 192.168.9.0/24
any = any including the internet
Are you just trying to use pfSense to simulate the VSAT here or are you developing something that will be deployed using pfSense?
If the former, you should probably:
Disable NAT and place pass any any any rules on WAN to match LAN.
If the latter you want to keep WAN rules there.
Your diagram says: Limit both ways communication 128Kbps/64Kbps latency 700ms.
I presume that really means 128Kbps into WAN (download) and 64Kbps out WAN (upload)
You have lots of potential issues with that design. First is that I presume all of the hosts on 192.168.9.0/24 have 192.168.9.254 as their default gateway. That means 192.168.9.254 will receive all traffic destined for 192.168.170.0/24 and will have to hairpin it back out the interface it arrived on and send it to 192.168.9.112. Not ideal.
Are you concerned only with connections originating from Vessel LAN out (web browsing, pinging google, etc) or are you also trying to limit connections going to Vessel LAN originating from the outside (The internet or Office LAN). That dictates where the rules go.
Why do they care about full-speed access from certain hosts on 192.168.170.0/24 - that is only complicating your testing with a requirement that cannot exist in the real world. They should figure out what they really want you to do. I would personally belay that request until everyone is limited, then bypass the limiters for certain traffic after it's all working how you want. Smack someone on the noggin there.
So, ignoring that requirement, I would make two limiters:
From_VSAT (which is LAN downloads)
Bandwidth: 128 Kbit/s
Mask: None
Delay: 350ms
To_VSAT (which is LAN uploads)
Bandwidth: 64 Kbit/s
Mask: None
Delay: 350ms
Connections from LAN out:
Floating rules:
Action: Match
Interface: WAN
Direction: out
Address Family: IPv4
Protocol: any
Source: any
Dest: any
In/Out pipe: To_VSAT/From_VSAT
Connections from WAN in:
Floating rules:
Action: Match
Interface: WAN
Direction: in
Address Family: IPv4
Protocol: any
Source: any
Dest: any
In/Out pipe: From_VSAT/To_VSAT
At least I think that's what you want. I might have time to try that here today.
-
Looks like you need to set the gateway on the floating WAN out rule.
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=45 time=763.081 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=762.011 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=763.005 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 762.011/762.699/763.081/0.487 ms
:)
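A small model of the link that the two limiters above describe, added here as an illustration and not code from the thread or from pfSense: it treats each limiter as a pipe with a bandwidth and a one-way delay, and works out the round-trip time a ping should see, how long a large file takes over the 64 Kbit/s upload pipe, and whether the TCP receive window or the pipe bounds throughput at that latency. The 84-byte packet size (56 data bytes plus headers) and the 2 GB file are constructed inputs, and the real path RTT beyond pfSense is an assumed parameter since the thread does not state it.

```python
"""Model of the emulated VSAT link from the thread (added example; not pfSense code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pipe:
    """One pfSense limiter, modelled as a dummynet-style pipe."""
    name: str
    bandwidth_bps: int   # bits per second
    delay_s: float       # one-way delay the limiter adds


# The two limiters suggested above: 128 Kbit/s towards the LAN, 64 Kbit/s away
# from it, 350 ms each so that a round trip sees roughly 700 ms.
FROM_VSAT = Pipe("From_VSAT", 128_000, 0.350)   # WAN in  (LAN download)
TO_VSAT = Pipe("To_VSAT", 64_000, 0.350)        # WAN out (LAN upload)


def serialization_s(pipe: Pipe, packet_bytes: int) -> float:
    """Time to clock one packet through a pipe of the given bandwidth."""
    return packet_bytes * 8 / pipe.bandwidth_bps


def model_rtt_s(packet_bytes: int = 84, path_rtt_s: float = 0.0) -> float:
    """RTT for a request/reply pair: one pass through each pipe plus any real path RTT.

    84 bytes is a constructed value (56 data bytes plus ICMP/IP headers, as in the
    ping above). path_rtt_s is an assumed parameter for the latency of the real
    Internet path beyond pfSense; the thread does not state it.
    """
    return (TO_VSAT.delay_s + serialization_s(TO_VSAT, packet_bytes)
            + FROM_VSAT.delay_s + serialization_s(FROM_VSAT, packet_bytes)
            + path_rtt_s)


def transfer_time_s(size_bytes: int, pipe: Pipe) -> float:
    """Lower bound on the time to push size_bytes through one pipe, ignoring protocol overhead."""
    return size_bytes * 8 / pipe.bandwidth_bps


def window_limited_bps(window_bytes: int, rtt_s: float) -> float:
    """Throughput one TCP connection can reach with a fixed window at this RTT."""
    return window_bytes * 8 / rtt_s


def effective_throughput_bps(pipe: Pipe, window_bytes: int, rtt_s: float) -> float:
    """Whichever is tighter: the pipe's bandwidth or the window/RTT bound."""
    return min(pipe.bandwidth_bps, window_limited_bps(window_bytes, rtt_s))


if __name__ == "__main__":
    rtt = model_rtt_s()
    print(f"modelled ping RTT through both limiters: {rtt * 1000:.1f} ms")
    two_gb = 2_000_000_000  # constructed file size
    days = transfer_time_s(two_gb, TO_VSAT) / 86400
    print(f"2 GB upload over {TO_VSAT.name}: {days:.1f} days")
    for window in (65_535, 8_192):
        bps = effective_throughput_bps(FROM_VSAT, window, rtt)
        print(f"download with a {window}-byte window: {bps / 1000:.1f} Kbit/s")
```

At these packet sizes the serialization term is only a few milliseconds, so the two 350 ms delays dominate and the model lands just above 700 ms; whatever the real path adds on top of pfSense is what separates that from the 763 ms measured above. The window check is the reason latency matters as much as bandwidth: with 128 Kbit/s and a 0.7 s RTT the bandwidth-delay product is about 11 KB, so any connection whose window is smaller than that is capped by the RTT rather than by the limiter.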
-
Note also this is going to perform horribly compared to what you will actually experience on a VSAT link. They will put your traffic through performance enhancers that keep the TCP sessions on both sides happy so they don't think they are really being subjected to 800ms of latency.
Seems to be working here:
-
Derelict, thank you hugely for the info. I was allowed today to order the definitive guide of pfSense which should be in my possession in the next few days. I hope the value of the book would support the development and the author.
A brief story of the reasons we need the emulation. We have on the company roof an actual VSAT antenna that was planned to be used for our needs to emulate a vessel that has the same identical hardware. Due to the winter season, the antenna was suspended. As we need to imitate the speed of VSAT to the rack, I decided to use pfSense, of which I have only heard that it can do the job easily and supports the functionality out of the box.
Now back to the networks. 192.168.170.1, presently the LAN interface of pfSense, on the actual vessel is the VSAT connection with the defined speeds that is used for incoming and outgoing communication. While in the office and working as IT, we need to connect to the vessels and fix ongoing issues or test/improve existing functionality. Because we connect over the VSAT to the vessel, I am trying to duplicate all the conditions just like we are connecting to a real ship. Achieving this would allow us to run some tests over a rack that is physically in the office instead of testing something in a real working environment where, if things go wrong, it would affect the ship operations.
In other words, 192.168.170.X devices need to go to the Internet through 192.168.170.1 -> 192.168.9.112 and any 192.168.9.X interface to go to 192.168.170.X device through 192.168.9.112 -> 192.168.170.X
The reason to ask for a few IPs to have unlimited access is that sometimes, to test new functionality, we need to be able to transfer large files, which in a real environment can take days. In a scenario where the rack is nearby, we can copy the files and bring them on USB/HDD; however, if we allow 1-2 IPs access to 192.168.170.X passing through the real LAN (with no limiters), the job is done perfectly. In case you think this would confuse the situation, we can say that communication 192.168.170.0 <--> 192.168.9.112 <--> the Internet with the VSAT limit would work fine, as we all will have access to the firewall administrative interface, so we can temporarily manipulate the box to have full LAN speed and, once finished, return it to the proper values.
I will try what you suggested first thing tomorrow morning and let you know how it goes. Once we figure it out, I am planning to write down a descriptive howto for our needs, but I will share it here so that the next time somebody is looking for similar functionality/structure, they know where to find it.
Thanks again for your superb and prompt assistance. As far as I had some dealing with BSD/Linux, the firewalls/networking were never my strongest part to be honest. Slowly I am getting there but as of now, I feel like pfSense can replace quite a few of our office ASA boxes that we use sort of for the same functionality (if less than pfSense can offer with the proper setup and knowledge).
-
Figured it was something like that. Bypassing limiters on those WAN in rules will be pretty trivial once you know the limiters are working.
Still going to totally suck compared to the optimized connections the VSAT provider will give you.
-
Derelict, for sure there is nothing better than the original equipment, as the initial idea was to have a 1x1 copy of a vessel in the office in order to have prompt test metrics. However, we've been told that the satellite dish might be nonoperational for a while and I did not want to lose more time but start the planned work. Having an emulation of VSAT, simply put, would eliminate the possibility to troubleshoot the modem, ACU, and PCU, but having a limited speed would at least be something compared to nothing so far. I took the challenge to start with pfSense (even knowing about my lack of advanced networking skills) in order to start improving that and most of all, learn. As you said, once the basic principles are acknowledged, we might start thinking of other ways to use pfSense other than just having it as a simple traffic shaper; however, it is just the beginning :)
With a risk to repeat myself, I really really really appreciate your shared info and will come back tomorrow as soon as I try it. Either with the how-to manual or with a question ;)
-
Btw, I see several videos on the Internet testing pfSense in a virtual environment. Could you share what you find to be the best approach to start with? I thought to play with some tests at home and not wait for office working hours, but installing 2 VMs and setting up pfSense now seemed a bit overwhelming. So do you consider Hyper-V, ESX or VirtualBox a good alternative to start with, or are there other tools that would make it easier to just fire up and test? I also heard of some testing with GNS3 but have not played with it yet…
-
I am testing this in XenServer. I believe it works fine in all of those listed.
https://doc.pfsense.org/index.php/Category:Virtualization
https://forum.pfsense.org/index.php?board=37.0
-
Hello again.
I reset the box to factory settings just to make sure no previous rules or settings are activated and messing up with the result. Here is what steps I took:
1. Went to Limiters and as per your instructions created the FROM_VSAT and TO_VSAT (proper values added).
2. Went to add a floating rule: MATCH-WAN-OUT-IPv4-ANY-ANY-ANY-TO_VSAT/FROM_VSAT (here I had to select the GW as you mentioned)
3. Added another floating rule: MATCH-WAN-IN-IPv4-ANY-ANY-ANY-FROM_VSAT/TO_VSAT
4. Disabled NAT
5. Made sure private and bogon networks are not blocked on both WAN & LAN
Tested to ping from 192.168.9.148 and was able to reach successfully the 192.168.170.10 (a client PC)!!!
I was able to ping from 192.168.170.10 the 192.168.9.148 successfully as well!!
However, I was not able to browse the Internet from 192.168.170.10 or any other device on the network (and yes, I made sure there is no firewall blocking the connection, nor antivirus etc.). Before today, I had a connection from the 192.168.170.0 network to the Internet, however I was not able to get from the 192.168.9.0 network to 192.168.170.0, but now it is something different. Did I miss something?
-
Just set the WAN interface with a gateway to, IIRC, the .9 address.
None of those floating match rules have anything to do with actually passing traffic.
Disabling NAT is probably not what you want to do. If you do you will have to add a route for the IP subnet on LAN side of pfSense to the edge router.
I see where I said disable NAT below but that was for a specific scenario. Reenable auto nat and you will probably be fine.
-
Hello Derelict.
Sorry for the delay of my response, as I promised to come back and advise if it works or not.
I applied your rules on a fresh pfSense install and started testing. The PC had Internet until I applied the FROM_VSAT and TO_VSAT to WLAN out traffic. After setting up the in/out settings, I was able to resolve, ping and traceroute to the host, but could not browse the page itself.
What I did was to add a rule in Firewall>Rules>LAN with the following:
Action: Pass
Interface: LAN
Address Family: IPv4 (we do not use IPv6 in the company)
Protocol: any
Source: any
Destination: any
Description: LAN ANY TO ANY
In/Out: To_VSAT / From_VSAT
Saved the rule, moved it to the top, applied the settings and after that all works like a charm. Incoming connections are limited to the speed and latency set up in the limiters for both directions, but at the same time any LAN traffic is unlimited, so a ping from LAN Net to LAN Net is not affected. I find it useful to have an option to apply the limiters to the LAN network as well for some tests, where in a production environment there is a need to troubleshoot a slow network/latency.
I am extremely grateful for your help and I hope that this short tutorial plus your extensive instructions will be useful for others who need to emulate VSAT or just any other bandwidth, latency, packet drop etc. limitations. The options are limitless and it is up to us to see how we can use it.