Netgate Discussion Forum

    Emulation of VSAT speed with pfSense

    19 Posts 2 Posters 3.8k Views
    • Derelict (LAYER 8 Netgate):

      Looks like you need to set the gateway on the floating WAN out rule.

      ```
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=45 time=763.081 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=762.011 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=763.005 ms

      --- 8.8.8.8 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 762.011/762.699/763.081/0.487 ms
      ```

      :)

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Derelict (LAYER 8 Netgate):

        Note also this is going to perform horribly compared to what you will actually experience on a VSAT link. They will put your traffic through performance enhancers that keep the TCP sessions on both sides happy so they don't think they are really being subjected to 800ms of latency.

        Seems to be working here:

        ![Screen Shot 2017-01-17 at 4.17.41 PM.png](/public/imported_attachments/1/Screen Shot 2017-01-17 at 4.17.41 PM.png)

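An added example, not from this thread and not pfSense's own code: a small Python calculator for what a TO_VSAT/FROM_VSAT limiter pair does to one TCP flow. It shows why ping reports roughly the sum of the two one-way limiter delays, and why, as Derelict says, a single TCP session over an unassisted 760 ms path crawls far below the pipe bandwidth unless the receive window is large (window scaling) or the provider's performance-enhancing proxies are in the path. The bandwidth, delay and loss values are constructed; the only number taken from the thread is the ~763 ms RTT in the ping output above.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Limiter:
    """One pfSense limiter (a dummynet pipe): bandwidth, one-way delay, loss."""
    name: str
    bandwidth_kbit: float   # pipe bandwidth in kbit/s
    delay_ms: float         # delay added to every packet passing this pipe
    plr: float = 0.0        # packet loss rate, 0.0 .. 1.0


def expected_rtt_ms(to_vsat: Limiter, from_vsat: Limiter,
                    base_rtt_ms: float = 0.0) -> float:
    """RTT a host behind the limiters should see on ping.

    Each limiter delays one direction only: the echo request pays the
    outbound pipe's delay and the echo reply pays the inbound pipe's delay.
    """
    return base_rtt_ms + to_vsat.delay_ms + from_vsat.delay_ms


def window_limited_kbit(rtt_ms: float, window_bytes: int) -> float:
    """Ceiling of one TCP flow set by its receive window: window / RTT."""
    return window_bytes * 8 / (rtt_ms / 1000.0) / 1000.0


def loss_limited_kbit(rtt_ms: float, plr: float, mss_bytes: int = 1460) -> float:
    """Mathis et al. steady-state ceiling: MSS/RTT * 1.22/sqrt(p)."""
    if plr <= 0.0:
        return math.inf
    return mss_bytes * 8 / (rtt_ms / 1000.0) * 1.22 / math.sqrt(plr) / 1000.0


def single_flow_ceiling_kbit(pipe: Limiter, rtt_ms: float,
                             window_bytes: int) -> float:
    """What one download (or upload) can reach: the lowest of the three limits."""
    return min(pipe.bandwidth_kbit,
               window_limited_kbit(rtt_ms, window_bytes),
               loss_limited_kbit(rtt_ms, pipe.plr))


# Constructed limiter values; the thread does not state its bandwidths.
# 380 ms each way plus ~3 ms of real LAN/WAN RTT gives the 763 ms seen on ping.
TO_VSAT = Limiter("TO_VSAT", bandwidth_kbit=512, delay_ms=380)
FROM_VSAT = Limiter("FROM_VSAT", bandwidth_kbit=2048, delay_ms=380)

if __name__ == "__main__":
    rtt = expected_rtt_ms(TO_VSAT, FROM_VSAT, base_rtt_ms=3)
    print(f"expected ping RTT: {rtt:.0f} ms")
    # 64 KiB window = no window scaling; 1 MiB = a modern scaled window.
    for win in (65535, 1 << 20):
        print(f"download ceiling with a {win} byte window: "
              f"{single_flow_ceiling_kbit(FROM_VSAT, rtt, win):.0f} kbit/s "
              f"of a {FROM_VSAT.bandwidth_kbit:.0f} kbit/s pipe")
```

With a 64 KiB window the single flow is held to about 687 kbit/s regardless of a 2048 kbit/s pipe; with a 1 MiB window the pipe itself becomes the limit. Adding a packet loss rate to the limiter pushes the ceiling down further, which is the "package drop" knob mentioned later in the thread.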
        • mikemastercorp:

          Derelict, thank you hugely for the info. I was allowed today to order the definitive guide of pfSense which should be in my possession in the next few days. I hope the value of the book would support the development and the author.

          A brief story of the reasons we need the emulation. We have on the company roof an actual VSAT antenna that was planned to be used for our need to emulate a vessel that has the same identical hardware. Due to the winter season, the antenna was suspended. Since we need to imitate the speed of VSAT to the rack, I decided to use pfSense, which I had only heard can do the job easily and supports the functionality out of the box.

          Now back to the networks. 192.168.170.1, presently the LAN interface of pfSense, is on the actual vessel the VSAT connection with the defined speeds that is used for incoming and outgoing communication. While in the office and working as IT, we need to connect to the vessels and fix ongoing issues or test/improve existing functionality. Because we connect to the vessel over the VSAT, I am trying to duplicate all the conditions just as if we were connecting to a real ship. Achieving this would allow us to run some tests over a rack that is physically in the office instead of testing something in a real working environment where, if things go wrong, it would affect the ship operations.

          In other words, 192.168.170.X devices need to go to the Internet through 192.168.170.1 -> 192.168.9.112  and any 192.168.9.X interface to go to 192.168.170.X device through 192.168.9.112 -> 192.168.170.X

          The reason to ask for a few IPs to have unlimited access is that sometimes, to test new functionality, we need to be able to transfer large files, which in a real environment can take days. In a scenario where the rack is nearby, we can copy the files and bring them on USB/HDD; however, if we allow 1-2 IPs access to 192.168.170.X passing through the real LAN (with no limiters), the job is done perfectly. In case you think this would confuse the situation, we can say that communication 192.168.170.0 <--> 192.168.9.112 <--> the Internet with the VSAT limit would work fine, as we will all have access to the firewall administrative interface and can temporarily manipulate the box to have full LAN speed and, once finished, return it to the proper values.

          I will try what you suggested first thing tomorrow morning and report how that goes. Once we figure it out, I am planning to write down a descriptive howto for our needs but will share it here, so that the next time somebody is looking for similar functionality/structure, they know where to find it.

          Thanks again for your superb and prompt assistance. Although I have had some dealings with BSD/Linux, firewalls/networking were never my strongest part, to be honest. Slowly I am getting there, but as of now I feel like pfSense can replace quite a few of our office ASA boxes that we use for more or less the same functionality (if less than pfSense can offer with the proper setup and knowledge).

          • Derelict (LAYER 8 Netgate):

            Figured it was something like that. Bypassing limiters on those WAN in rules will be pretty trivial once you know the limiters are working.

            Still going to totally suck compared to the optimized connections the VSAT provider will give you.

            • mikemastercorp:

              Derelict, for sure there is nothing better than the original equipment, as the initial idea was to have a 1x1 copy of a vessel in the office in order to have prompt test metrics. However, we've been told that the satellite dish might be nonoperational for a while and I did not want to lose more time, but rather start the planned work. Having an emulation of VSAT would, simply put, eliminate the possibility to troubleshoot the modem, ACU and PCU, but having a limited speed would at least be something compared to nothing so far. I took the challenge to start with pfSense (even knowing about my lack of advanced networking skills) in order to start improving that and, most of all, to learn. As you said, once the basic principles are acknowledged, we might start thinking of other ways to use pfSense than just as a simple traffic shaper; however, it is just the beginning :)

              With a risk to repeat myself, I really really really appreciate your shared info and will come back tomorrow as soon as I try it. Either with the how-to manual or with a question ;)

              • mikemastercorp:

                Btw, I see several videos on the Internet testing pfSense in a virtual environment. Could you share what you find to be the best approach to start with? I thought to run some tests at home rather than wait for office working hours, but installing 2 VMs and setting up pfSense right now seemed a bit overwhelming. So do you consider Hyper-V, ESX or VirtualBox a good alternative to start with, or are there other tools that would make it easier to just fire up and test? I also heard of some testing with GNS3 but have not played with it yet…

                • Derelict (LAYER 8 Netgate):

                  I am testing this in XenServer. I believe it works fine in all of those listed.

                  https://doc.pfsense.org/index.php/Category:Virtualization

                  https://forum.pfsense.org/index.php?board=37.0

                  • mikemastercorp:

                    Hello again.

                    I reset the box to factory settings just to make sure no previous rules or settings are active and messing up the result. Here are the steps I took:

                    1. Went to Limiters and as per your instructions created the FROM_VSAT and TO_VSAT (proper values added).
                    2. Went to add a floating rule: MATCH-WAN-OUT-IPv4-ANY-ANY-ANY-TO_VSAT/FROM_VSAT (here I had to select the GW as you mentioned).
                    3. Added another floating rule: MATCH-WAN-IN-IPv4-ANY-ANY-ANY-FROM_VSAT/TO_VSAT.
                    4. Disabled NAT.
                    5. Made sure private and bogon networks are not blocked on both WAN & LAN.

                    Tested a ping from 192.168.9.148 and was able to successfully reach 192.168.170.10 (a client PC)!!!

                    I was able to ping 192.168.9.148 from 192.168.170.10 successfully as well!!

                    However, I was not able to browse the Internet from 192.168.170.10 or any other device on the network (and yes, I made sure there is no firewall blocking the connection, nor antivirus etc.). Before today, I had a connection from the 192.168.170.0 network to the Internet, but was not able to get from the 192.168.9.0 network to 192.168.170.0; now it is something different. Did I miss something?

                    • Derelict (LAYER 8 Netgate):

                      Just set the WAN interface with a gateway to, IIRC, the .9 address.

                      None of those floating match rules have anything to do with actually passing traffic.

                      Disabling NAT is probably not what you want to do. If you do, you will have to add a route for the IP subnet on the LAN side of pfSense to the edge router.

                      I see where I said disable NAT below but that was for a specific scenario. Reenable auto nat and you will probably be fine.

                      • mikemastercorp:

                        Hello Derelict.

                        Sorry for the delay in my response, as I promised to come back and advise whether it works or not.

                        I applied your rules on a fresh pfSense install and started testing. The PC had Internet until I applied the FROM_VSAT and TO_VSAT to WLAN out traffic. After setting up the in/out settings, I was able to resolve, ping and traceroute to the host, but could not browse the page itself.

                        What I did was to add a rule in Firewall>Rules>LAN with the following:

                        Action: Pass
                        Interface: LAN
                        Address Family: IPv4 (we do not use IPv6 in the company)
                        Protocol: any
                        Source: any
                        Destination: any
                        Description: LAN ANY TO ANY
                        In/Out: To_VSAT / From_VSAT

                        Saved the rule, moved it to the top, applied the settings, and after that all works like a charm. Incoming connections are limited to the speed and latency set up in the limiters for both directions, but at the same time any LAN traffic is unlimited, so a ping from LAN Net to LAN Net is not affected. I find it useful to have an option to apply the limiters to the LAN network as well for some tests, where in a production environment there is a need to troubleshoot a slow network/latency.

                        I am extremely grateful for your help and I hope that this short tutorial plus your extensive instructions will be useful for others who need to emulate VSAT or just any other bandwidth, latency, packet drop etc. limitations. The options are limitless and it is up to us to see how we can use them.
