Limit PPS for UDP Traffic
-
We have put traffic shaping in place and used a rule to force all UDP traffic into a lower-priority queue with a hard limit of 50 Mb upload, so this helps to prevent the uplink being saturated, but I'm not sure if it's the best way to do it.
Ideally we would like something similar to the TCP option, where we have limited TCP traffic on the LAN to a max of 200 new connections per second, which works very well to stop TCP floods dead in their tracks, but there doesn't seem to be a similar feature for UDP traffic.
Probably because UDP doesn't use states in the same way TCP does, so it's harder to control.
-
https://forums.freebsd.org/threads/udp-blocking-with-rate-limits.42933/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189721
-
So it looks like the feature now exists in FreeBSD. I wonder if it can be used in pfSense, or if it will be added as an option to the GUI!
-
@craggy:
So it looks like the feature now exists in FreeBSD. I wonder if it can be used in pfSense, or if it will be added as an option to the GUI!
Is it implemented?
-
How about putting your upload traffic under a dummynet limiter and setting two queues, one for DNS weighted for whatever you need (maybe 10?) and the other for everything else weighted at the remainder of 100 (in this case 90).
It would allow all 140 kpps out while the network is idle, but as soon as other traffic came on it would be prioritized over the DNS, never allowing it to override the rest of your traffic.
-
How about putting your upload traffic under a dummynet limiter and setting two queues, one for DNS weighted for whatever you need (maybe 10?) and the other for everything else weighted at the remainder of 100 (in this case 90).
Clients use my own DNS server running on pfSense. I want to rate-limit other UDP transmits.
What about the pfSense developers demanding this feature from the pf developers, or (maybe better) forking pf and then implementing UDP rate-limiting?
PF lacks MAC filtering and UDP rate-limiting. This is a must these days.
-
Clients use my own DNS server running on pfSense. I want to rate-limit other UDP transmits.
I'm not seeing why you couldn't do that?
If you can write a firewall rule for the traffic then you can apply a dummynet limiter to the traffic.
-
If you can write a firewall rule for the traffic then you can apply a dummynet limiter to the traffic.
Limiters work with bits/s and I need packets/s. There may be 1000 UDP packets per second producing only 100 kB/s.
-
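The FreeBSD links earlier in the thread and the "limiters work in bits/s, I need packets/s" objection just above both point at the same thing: a per-rule packet-rate option in pf itself rather than a bandwidth limiter. The fragment below is an added example for this thread, not configuration from any of the posts or from the pfSense project. It assumes a pf that understands the `max-pkt-rate` rule option (present in FreeBSD 13.0 and later pf.conf, imported from OpenBSD); the interface name, LAN network and the 1000 packets/s threshold are placeholders.

```pf
# Added example, not from the thread or from pfSense. Assumes pf with the
# max-pkt-rate rule option (FreeBSD 13.0+). Interface, network and threshold
# are placeholders.
ext_if  = "igb0"
lan_net = "192.168.1.0/24"

# Upstream queries from the resolver running on the firewall itself are not
# throttled. 'quick' stops evaluation here, so they never reach the rules below.
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 53 keep state

# pf is last-match-wins: the block rule is the fallback and the pass rule after
# it wins for as long as it matches. max-pkt-rate counts packets matching the
# rule and the states it created; once more than 1000 are seen within a
# 1-second window the pass rule stops matching and new UDP from the LAN falls
# through to the logged block. This is measured in packets, not bits, so a flood
# of small datagrams that stays under a bandwidth limiter is still caught.
block out log on $ext_if inet proto udp from $lan_net to any
pass  out     on $ext_if inet proto udp from $lan_net to any keep state max-pkt-rate 1000/1
```

Check the syntax before loading with `pfctl -nf /path/to/pf.conf`; if `pfctl` rejects `max-pkt-rate`, the installed pf does not have the option. Nothing in this thread indicates that the pfSense GUI exposes it, so on pfSense this would have to be placed in the ruleset by other means and re-checked after upgrades.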
How about putting your upload traffic under a dummynet limiter and setting two queues, one for DNS weighted for whatever you need (maybe 10?) and the other for everything else weighted at the remainder of 100 (in this case 90).
Clients use my own DNS server running on pfSense. I want to rate-limit other UDP transmits.
What about the pfSense developers demanding this feature from the pf developers, or (maybe better) forking pf and then implementing UDP rate-limiting?
PF lacks MAC filtering and UDP rate-limiting. This is a must these days.
UDP rate limiting and MAC filtering are a must for switches, not edge firewalls. UDP rate limiting is primarily used to prevent broadcast storms, and MAC filtering is used to prevent unknown devices from even gaining access to the physical network. Not that it's very effective, but it is another layer.
Technically, MAC filtering on a firewall is implemented as a layering "violation". Not to mention that MAC addresses should NEVER be trusted in the first place. Filtering on MAC addresses is just extra work for weak obfuscation with virtually no additional security.
In general, many common "must haves" are just simplistic bandaids for a problem the end user does not fully understand.
That being said, UDP rate limiting does have some useful characteristics, but mostly in trying to help protect others from themselves, such as DNS amp attacks, which should not happen if DNS is configured correctly.
My home pfSense router is able to fairly easily NAT+route+shape 1.4Mpps of UDP. If your firewall is dying from it, you may have something wrong.
-
UDP rate limiting and MAC filtering are a must for switches, not edge firewalls.
Linux iptables has it all.
DNS amp attacks, which should not happen if DNS is configured correctly.
Yes, but DNS is not the only protocol which uses UDP.
My home pfSense router is able to fairly easily NAT+route+shape 1.4Mpps of UDP.
I have a different use case; the huge difference is that my router does not fit the "home" scale.
-
Exactly what UDP traffic problems are you having?
-
harvy66, I know this is off topic, but how are you collecting those stats in your graphs? The supplied bsnmp in its stock config doesn't supply the data; some others and I asked in another thread but no one with the knowledge wanted to help.
Although your answer could still help the OP as well, as monitoring may help him manage his situation better.
-
Exactly what UDP traffic problems are you having?
Since PF, and consequently pfSense, lack a limit-PPS-for-UDP feature, I had to do it on an upstream router.
Well, I think that unless proper MAC filtering, NetFlow MAC exporting and UDP PPS limiting are implemented, I cannot use pfSense for my customers (SMBs and small enterprises).
It has many great features and I really appreciate all work that developers have done.