Are there any plans to move traffic shaper from PF to IPFW?
-
Possible pros:
-
Get rid of ALTQ and performance problems on bandwidth over 4G (http://marc.info/?l=openbsd-misc&m=131004567300627&w=2 if it applies to current freeBSD/pfSense builds)
-
Ability to use FQ_CODEL
cons:
Please add some, if you know any -
-
Yeah, the cons are that it'd require redoing very much the entire firewall. ::)
-
Thank you doktornotor for pointing it out.
As I understand pfSense uses both PF and IPFW (https://forum.pfsense.org/index.php?topic=37457.msg196651#msg196651), is it impossible to delegate shaping only to IPFW?
Only for FQ_CODEL, for example?
I understand that if somebody wants "classic" shaping modes like HFSC, then there is only one way to do it and it'd require redoing very much like you said.
Sorry for asking stupid questions anyway ;DAFAIK original PF project came from OpenBSD and nowadays do not use ALTQ anymore, but lacks SMP even now, as I understand there is nothing changed regarding PF ALTQ use on FreeBSD for the last 3-4 years, am I wrong?
-
Firewall and network performance are getting a lot of attention within FreeBSD. Probably best to wait to see which way FreeBSD goes before making any large changes.
-
@w0w:
As I understand pfSense uses both PF and IPFW (https://forum.pfsense.org/index.php?topic=37457.msg196651#msg196651), is it impossible to delegate shaping only to IPFW?
As noted there, pretty much the only part of pfSense using ipfw is the captive portal. (There are packages like HAProxy using it for client IP transparency, which is a can of worms on its own, but that's not relevant here.)
-
As noted there, pretty much the only part of pfSense using ipfw is the captive portal.
Captive portal and limiters, which I think are still using dummynet.
-
Yes, limiters are using IPFW and dummynet.
'ipfw pipe show' gives clear answer on that question. -
Firewall and network performance are getting a lot of attention within FreeBSD. Probably best to wait to see which way FreeBSD goes before making any large changes.
I don't think anybody in FreeBSD community wants to improve ALTQ and moving the entire PF to other queue system or built-in, like OpenBSD did — sounds more like "mission impossible" to me, but I hope I am wrong.
If I am right, at the beginning, it would be good to use both shapers PF and IPFW but not in the same time on the same task.
Just adding FQ_CODEL in the list and using it with IPFW pipes and altq disabled. -
I wonder if developers of FreeBSD regret now importing PF, as at the time it happened it seemed ipfw days were numbered, it was a only a matter of time.
However as it turns out PF went a long time without much been done to it even bug fixes, its getting some attention now but it will remain an old version of PF not the latest from openbsd. Whilst ipfw has carried on and even now getting feature enhancements.
It would not surprise me if ALTQ was ditched at some point in the future (in FreeBSD) but I think PF itself will remain as too many people use it and would be a lot of upset people if it got EOL'd.
I personally much prefer PF over ipfw as a firewall, but thats just as the firewall, I never really used ALTQ at all until I got my pfsense box.
-
IPFW also supports setting up queues that can shape bidirectionally on a single interface. This makes shaping with multiple WANs/LANs possible.
One of my pet peeves with pfSense is this limitation. OPNsense doesn't have this limitation as it uses IPFW:
https://docs.opnsense.org/manual/how-tos/shaper.html#prioritize-using-queues -
IPFW also supports setting up queues that can shape bidirectionally on a single interface. This makes shaping with multiple WANs/LANs possible.
One of my pet peeves with pfSense is this limitation. OPNsense doesn't have this limitation as it uses IPFW:
https://docs.opnsense.org/manual/how-tos/shaper.html#prioritize-using-queuespfSense already supports ipfw's dummynet with it's "traffic-shaping limiters", which is capable of solving the situation you describe: https://doc.pfsense.org/index.php/Limiters
-
Actually I have tested limiters with FQ_CODEL enabled and it works, but I did not notice any big difference, need more tests but have no time.
-
The future isn't set in stone yet, I heard FreeBSD is removing ALTQ from -current soon. It may be gone from 12, or after. Not sure what the replacement might be. Having some form of QoS is essential, but ALTQ isn't going to be it for much longer. We're keeping an eye on options.
-
Just good reading
http://bsdly.blogspot.com.ee/2011/07/anticipating-post-altq-world.html
I will be happy to see "Enable FQ-CoDel" check box on limiters or "FQ-CoDel" selection on shaper type, where CODEL is already present in pfSense. -
I also vote for FQ-CoDel
-
bear in mind freebsd (and also PFsense since thats based on freebsd), has not been following openbsd's PF for a long while, so this doesnt mean ALTQ is going anywhere.
-
bear in mind freebsd (and also PFsense since thats based on freebsd), has not been following openbsd's PF for a long while, so this doesnt mean ALTQ is going anywhere.
It does when FreeBSD says they're considering removing ATLQ.
-
any source for this info? can only find references to openbsd.
If you are right and it does go, it be a shame as ALTQ with HSFC is the best shaper I have ever used for ingress.
-
No public source (yet)
-
any source for this info? can only find references to openbsd.
If you are right and it does go, it be a shame as ALTQ with HSFC is the best shaper I have ever used for ingress.
In fact that it is the best for you it does not mean it could not be better or even already is, may be you do not use it nowadays.
Also the new subsystem that already came to openbsd to replace ALTQ may be even better.
https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Computer%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%203rd%20%282015%29.pdf
page 118, 131
In fact, it's "always HFSC".
I think ALTQ do not disappear immediately from FreeBSD and it will be available for many years, but will not moving forward.
I have seen some reddit user posts about openbsd 5.x pf working faster then freebsd one, even without SMP support, hard to believe anyway :)
