Problems getting traffic into queues other than the default
-
I'm trying to set up some traffic shaping with HFSC and have run into a difficulty I have not been able to figure out. It doesn't seem to make any difference if I set up the queues and floating rules manually or by using the wizard. In either case I just can't seem to get much traffic into any queue other than the default queue. Here's an example:
-
I go through the wizard and leave everything normal except that I tell the wizard I want to prioritize HTTP traffic. All the queues and floating rules I expect are created.
-
I start a very large HTTP download on a system behind pfSense
-
I look at the Status -> Queues page and see all the traffic in the LAN qLink queue (which is the default) and not in qOthersHigh which is where I would expect it. It's not that I see nothing in qOthersHigh, but it's very little traffic (i.e. 2.4Kbps vs 70+Mbps in qLink).
Any idea what's going on?
-
-
same here, after upgrage to 2.1.3.
it worked before
i reset to default and do the setting again , nothing can help -
I have a 2.1.3 system with the problem but my 2.1.2 seems to have the same problem.
-
Can you post your Firewall Rules ?
-
These are the system rules as well as the user rules – but only through the floating rules, I left off all the user interface rules, but none of them are queue related anyway.
$ pfctl -sr
scrub on em1 all fragment reassemble
scrub on em0_vlan99 all fragment reassemble
scrub on em0_vlan301 all fragment reassemble
scrub on em0_vlan88 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
anchor "ipsec/" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c>to any label "Block snort2c hosts"
block drop quick from any to <snort2c>label "Block snort2c hosts"
block drop in log quick proto carp from (self) to any
pass quick proto carp all keep state
block drop in log quick proto tcp from <sshlockout>to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout>to (self) port = https label "webConfiguratorlockout"
block drop in quick from <virusprot>to any label "virusprot overload table"
block drop in log quick on em1 from <bogons>to any label "block bogon IPv4 networks from IHCC_DMZ"
block drop in log quick on em1 from <bogonsv6>to any label "block bogon IPv6 networks from IHCC_DMZ"
block drop in on ! em1 inet from 134.29.182.0/24 to any
block drop in inet from 134.29.182.252 to any
block drop in inet from 134.29.182.246 to any
block drop in inet from 134.29.182.248 to any
block drop in inet from 134.29.182.247 to any
block drop in on em1 inet6 from fe80::250:56ff:febf:38f5 to any
block drop in log quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from IHCC_DMZ block 10/8"
block drop in log quick on em1 inet from 127.0.0.0/8 to any label "Block private networks from IHCC_DMZ block 127/8"
block drop in log quick on em1 inet from 100.64.0.0/10 to any label "Block private networks from IHCC_DMZ block 100.64/10"
block drop in log quick on em1 inet from 172.16.0.0/12 to any label "Block private networks from IHCC_DMZ block 172.16/12"
block drop in log quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from IHCC_DMZ block 192.168/16"
block drop in log quick on em1 inet6 from fc00::/7 to any label "Block ULA networks from IHCC_DMZ block fc00::/7"
block drop in on em0_vlan99 inet6 from fe80::250:56ff:febf:5d4f to any
block drop in on em0_vlan88 inet6 from fe80::250:56ff:febf:5d4f to any
block drop in on ! em0_vlan99 inet6 from 2607:f930:1c00:99::/64 to any
block drop in inet6 from 2607:f930:1c00:99::5 to any
block drop in on ! em0_vlan99 inet from 172.17.99.0/24 to any
block drop in inet from 172.17.99.5 to any
block drop in on ! em0_vlan88 inet from 192.168.0.0/24 to any
block drop in inet from 192.168.0.1 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (em1 134.29.182.254) inet from 134.29.182.252 to ! 134.29.182.224/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em1 134.29.182.254) inet from 134.29.182.246 to ! 134.29.182.224/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em1 134.29.182.254) inet from 134.29.182.248 to ! 134.29.182.224/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em1 134.29.182.254) inet from 134.29.182.247 to ! 134.29.182.224/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em0_vlan99 2607:f930:1c00:99::1) inet6 from 2607:f930:1c00:99::5 to ! 2607:f930:1c00:99::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em0_vlan301 2607:f930:1c00:301::1) inet6 from 2607:f930:1c00:301::2 to ! 2607:f930:1c00:301::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em0_vlan99 proto tcp from any to (em0_vlan99) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0_vlan99 proto tcp from any to (em0_vlan99) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em0_vlan99 proto tcp from any to (em0_vlan99) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/" all
match on WAN inet proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on em1 inet proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on em0_vlan301 inet proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on WAN inet6 proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on em1 inet6 proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on em0_vlan301 inet6 proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on WAN inet proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)
match on em1 inet proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)
match on em0_vlan301 inet proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)
match on WAN inet6 proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)
match on em1 inet6 proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)
match on em0_vlan301 inet6 proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)</bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c> -
Does anyone have any ideas why this isn't working? Thanks!
-
I had the same issue before, most of my traffic went to p2p, what I did was to every change I did inside the TS I restart the server because the manual say that u need to reset the states because it use floating rules and u know how those works.
I switch my queues to CBQ.
Is working now, I will look at my rules and post to compare with yours, I delete some rules because I don't why the wizard add rules for a windows share is for me a security risk.
I see that once the wizard finish u have to do changes to the rules to fit your network.
And if u setup everything manually this won't appear in your rules for pfsense.
-
I have tried flushing the state table as well as rebooting the system and it doesn't seem to cause any change.
-
After further testing I'm beginning to think that this is an IPv6 problem and that IPv6 traffic is not being placed into any queues other than the default. It's a bit hard to tell but it looks like IPv4 traffic may be going into the queues as expected but IPv6 traffic is stuck in the default queues. At least when I try to pull large files from IPv4 only sites it looks like the correct queues are filling but if I try to pull a file from an IPv6 or dual-stack site it seems to be stuck in the default queue.
Is anyone else able to test IPv6 and traffic shaping to confirm this hypothesis?
-
Nope, nevermind, it's not IPv6 that's the problem. I am able to correctly queue traffic by port number (i.e. move all port 80 traffic into a different queue) but do not seem able to successfully do it based on IP address.
I want to queue the traffic based on the final destination IP address (e.g. the inside address). For example, I want all traffic destined for 172.17.110.61 (an inside host) to end up in a certain queue. It seems like the firewall rules are being applied before the NAT so the destination address is my WAN IP when the traffic passes through the rules and thus it never matches the rule for the destination IP of 172.17.110.61. I thought that floating rules were supposed to be applied to traffic in the outbound direction (i.e. traffic leaving the LAN interface). What am I missing/how can I do this?
-
Well, after playing around some more with rules I think I got it to do what I want but I don't understand why. If someone can explain I would appreciate it.
The rule I created which ended up working (it seems) is a floating match rule applied in all directions on all interfaces with a SOURCE IP address of the inside system who's traffic I want to put through the queue (172.17.110.61 in my example). Why it's the source IP is the mystery to me because the traffic I want to shape is traffic DESTINED for 172.17.110.61 and originating from the Internet not traffic originating from 172.17.110.61…
Can anyone explain how/why this works?