Playing with fq_codel in 2.4
-
I got asked in a PM to post some screenshots of my settings.. Figured post it here as reference.
Just apply the in/out pipe to firewall rule on your interface.. So that these do not effect your intervlan traffic if you have any. Put a rule above to allow access to your other vlans without the pipe's applied.
These settings changed my bufferbloat tests on dslreports to A..
-
Why a /32 IPv4 mask?
-
Because that is what comes up in the gui when this is the rules.limiter
[2.4.0-RELEASE][root@pfsense.local.lan]/root: cat /tmp/rules.limiter
pipe 1 config bw 85Mb
queue 1 config pipe 1 mask dst-ip6 /128 dst-ip 0xffffffffpipe 2 config bw 11Mb
queue 2 config pipe 2 mask src-ip6 /128 src-ip 0xffffffffIs something wrong there? It was working great!!!
-
Haha, I don't know to be honest. I had mine set the same way until I noticed that, then set it to /24 to match my network (I'm IPv4 only). I haven't been on that network in awhile now but I don't remember noticing a difference. My config is otherwise pretty much the same as yours.
Maybe someone can chime in on whether that setting matters or not and exactly what it is doing?
I know that in some parts of traffic shaping GUI there are options presented that don't apply to all types of shaping.
-
The person that asked for the screenshot says its working great for him as well..
I just am not knowledgeable enough when it comes to shaping and limiters to know one way or the other either. I understand the basic principles is about all. I just took the settings as given and applied them to my bandwidth at the time and yeah it drastically reduced the bufferbloat test without noticing any serious hit to the top end numbers on speedtest or during normal use.
But to be honest I had not really noticed any issues before that ;) Other than the test showing me my bufferbloat was bad..
Looking forward to when I can apply it to my new 500/50 line when get new pfsense hardware. I can tell you for sure that on the usg that currently stuck with that when you turn on their smart queues my download is limited to 80ish down vs the 530 I see on speedtest currently. Seems to handle the upload ok but the download gets shit on..
-
Yikes, that's pretty limited!
-
Which is why its not on ;) When you turn on their queues you loose the hardware offload it seems.. So yeah speed takes a hit ;)
-
And that is why I am thankful for pfSense!
-
Oh believe me I will be back to pfsense as soon as get new hardware that can handle the speed.. The usg was a temp solution that was cheap enough to sneak through the budget committee (wife).. its was only a 100$ ;)
It can handle the speed in hardware offload.. But its feature set is so lacking.. Still running my pfsense vm for dhcp and dns since those features on usg need a huge amount of work to be viable in anything other than the most basic of home user networks.. And really just forget about ipv6 and or openvpn without manipulate of json files and having to reload them any time you reprovision the usg from the controller.. And the firewall rules are just nuts to setup on it as well.. I counting the days til I have pfsense back that is for sure ;)
-
I ran this on my router at my LAN party and it worked out great. 184 people with a 300mbit modem and 2 100mbit modems , made 2 download shapers and 1 upload shaper.
i made the system patches as well so it would apply after updates.
-
I should skip this since I don't know what I'm doing but still really curious to make it work. I have gigabit service and get D's and F's on buffer bloat.
I'm sure its in the post and I have indeed read though but still don't understand. What are the steps to enable this? I have 2.4 installed.
Looks like install patches package, run patch posted on page 8 which I was going to do until it said I could not remove this so I thought I better study a bit before I keep going. If you have the energy, please tell me what are the steps and I will follow them. Thanks.
-
You don't have to install the patch.
Just set up limiters (look at Johns screenshots a few pages above this) then run the ipfw commands for fq_codel and add them to shellcmd.
Run a speed test and set your limiters to 95% of the speeds you get.
Now go to your firewall rules to pass traffic and in the advanced section just select the queues you just made.
That's it.
-
You don't have to install the patch.
Just set up limiters (look at Johns screenshots a few pages above this) then run the ipfw commands for fq_codel and add them to shellcmd.
Run a speed test and set your limiters to 95% of the speeds you get.
Now go to your firewall rules to pass traffic and in the advanced section just select the queues you just made.
That's it.
I don't think it's that simple. If you don't override rules.limiter with own one like TS suggests by patching php code, then any firewall config or even WAN IP change that wants and would reload this file will destroy your manually configured fq_codel, until you manually run ipfw commands again or restart firewall to let shellcmd to do it. Am I wrong?
-
No sorry it is that simple.. You do not need to make any files changes at all.. Just create the limiters and then put in the commands via shellcmd to put them in every time you reboot, etc.
-
Yeah, I just tried adding and deleting firewall rules then checking ipfw and it still has my fq_codel flows.
If there's some other action you're worried might remove fq_codel then just try doing that action then check ipfw after to see if fq_codel is still in place.
ipfw sched show -
OK so may be quick start quide?
1. RTFM for FQ_CODEL http://caia.swin.edu.au/freebsd/aqm/patches/README-0.2.1.txt
2. Config limiters (pipes) via GUI.
3. View /tmp/rules.limiterfor example it will be
pipe 1 config bw 280576Kb queue 1 config pipe 1 mask src-ip6 /128 src-ip 0xffffffff pipe 2 config bw 280576Kb queue 2 config pipe 2 mask dst-ip6 /128 dst-ip 0xffffffff4. USE shellcmd package to recreate pipes with commands like
ipfw pipe flush ipfw pipe 1 config bw 280576Kb ipfw sched 1 config pipe 1 type fq_codel target 7ms quantum 2000 flows 2048 ipfw queue 1 config pipe 1 mask src-ip6 /128 src-ip 0xffffffff ipfw pipe 2 config bw 280576Kb ipfw sched 2 config pipe 2 type fq_codel target 7ms quantum 2000 flows 2048 ipfw queue 2 config pipe 2 mask dst-ip6 /128 dst-ip 0xffffffff5. Add your limiters to firewall rules (IN/OUT pipes), this step can be any after step 2 actually.
Is it correct?
Maybe it's better to run script at startup? Just placing it into /usr/local/etc/rc.d? I found that using shellcmd is a little bit uncomfortable with multiple command lines at once, have I missed something? -
Excuse my ignorance on this. I've just learned about and started using pfSense a couple weeks ago.
I have my limiters attached to my "Default allow LAN to any rule" in order to evenly split bandwidth to my LAN clients. And then fq_codel applied to those limiters. Seems to be working great for reducing bufferbloat, ensuring low latency for all clients, etc. Thanks for all the guidance in this thread!
Is there any benefit or harm to doing it that way vs. attaching the limiters to a floating rule as @johnpoz did?
Also, how does all this apply to OpenVPN clients (with pfSense as the server)? Would either setup also work with the OpenVPN clients, or is one setup better than the other?
Thanks for all your help!
-
Floating rules vs interface rules won't make a difference. It will also work well on VPN clients. VPN traffic will always have higher latency relative to the same traffic not routed through a VPN. fq_codel can't fix that, but it will still work with fairly queuing the traffic and reducing bufferbloat.
-
I came back here to say thanks because it works well. I completed my setup differently than some of what has just been posted.
I setup limiters just as seen in the screenshots. (post 121)(upload, download, wan, lan)
I ran the single command for IPFW pipes. (ipfw sched 1 config pipe 1 type fq_codel && ipfw sched 2 config pipe 2)
I installed shellcmd and added the single IPFW statement.
Modified the two stock LAN firewall rules (IPV4 and IPV6 advanced configuration) so that wan and lan would be used just as seen in the screenshots.
I restarted the firewall.That is all I have done. Prior my buffer bloat was a D to F. Post I get an A each time. I may/may not be setup correctly but whatever it is works. I originally used the wizard for setup of traffic shaping which used HFSC and which gave @425 upload on my gigabit connection. This new setup gives @750. So, good for me.
-
Definitely I am blind what screenshots are you all talking about? :D
