Netgate Discussion Forum
    High RTT latency on wan [SOLVED]

General pfSense Questions
37 Posts 7 Posters 16.4k Views
belt9

Check out dslreports if you believe bufferbloat is a myth. It will give you lots of examples and the majority of test results are less than optimal.

http://www.dslreports.com/speedtest/results/bufferbloat
Derelict (LAYER 8, Netgate)

Shaping downloads is non-trivial. Especially as the inside network gets more complex.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
belt9

I certainly can't speak for pro networks, but on home networks with pfSense and fq_codel it takes just a few minutes.

Two thumbs up for FreeBSD & pfSense for bringing in fq_codel!
tejas (LAYER 8)

@Derelict Hello, I have been struggling with the high latency problem with one of my WANs of the two WAN connections, and various attempts at traffic shaping, and reading this thread I changed the problematic WAN interface speed from Default to Auto, which led first to a super slow WebGUI interface of pfSense, and now no access at all. Any recommendation??
tejas (LAYER 8) @tejas

@tejas said in High RTT latency on wan [SOLVED]:

@Derelict Hello, I have been struggling with the high latency problem with one of my WANs of the two WAN connections, and various attempts at traffic shaping, and reading this thread I changed the problematic WAN interface speed from Default to Auto, which led first to a super slow WebGUI interface of pfSense, and now no access at all. Any recommendation??

Recovered now after reboot, and again set to Default.
stephenw10 (Netgate Administrator)

You should start your own thread for this.

Please detail exactly what sort of latency you're seeing. Has it got much worse or always been bad?

Is it only bad when passing traffic?

Steve
johnpoz (LAYER 8, Global Moderator) @Derelict

@derelict said in High RTT latency on wan [SOLVED]:

Give a grunt a knob to turn and he'll turn it.

This is TRUE WISDOM!!!

I am thankful for the necro on this old thread just for those words - I missed them when first posted..

They are true words to live by - I would add them to my sig, but I'm real close to the max characters ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
tejas (LAYER 8) @stephenw10

@stephenw10 I have a multi-WAN setup with one LAN. WAN 1 is a 6 Mbps and WAN 2 a 10 Mbps plan. The problem is with WAN2: under high load the RTTsd increases up to >1500 ms and the status goes first to Latency and then Offline. I went through the documentation for traffic shaping, but nowhere is there any mention of a multi-WAN setup, and strangely the traffic shaper / by interface is showing just one WAN2 interface (why not the second WAN and LAN?). If I go with the wizard, there is no Internet access. That's it in short. If I can't solve this problem today, I will start a fresh thread.
stephenw10 (Netgate Administrator)

If you set the alarm thresholds higher in WAN2 monitoring does it continue to pass traffic OK?

Just enabling codelq on the root of both WANs could work well here. Just set the bandwidth to something very slightly less than what you can actually achieve.

Steve
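An added illustration of the gateway-monitoring behaviour Steve is asking about (raising the alarm thresholds changes which status pfSense reports for the same probe results, it does not remove the queueing delay): this is a constructed Python model, not pfSense or dpinger code, and the default thresholds (200/500 ms latency, 10%/20% loss) and probe windows are assumptions.

```python
"""Model of how pfSense gateway monitoring turns probe results into a status.

Added example, not pfSense/dpinger code. It summarises a window of ICMP probe
results (average RTT, RTT standard deviation, packet loss) and maps them to a
status using the assumed pfSense default thresholds of 200/500 ms latency and
10%/20% loss; the probe windows below are constructed, not captured.
"""
import statistics

# Assumed pfSense default gateway monitoring thresholds (ms and percent)
DEFAULTS = {"latency_low": 200, "latency_high": 500, "loss_low": 10, "loss_high": 20}

def summarize(probes_ms):
    """probes_ms: one entry per probe, RTT in ms or None for a lost probe."""
    replies = [r for r in probes_ms if r is not None]
    loss_pct = 100.0 * (len(probes_ms) - len(replies)) / len(probes_ms)
    avg = sum(replies) / len(replies) if replies else 0.0
    rttsd = statistics.pstdev(replies) if len(replies) > 1 else 0.0
    return {"avg": avg, "rttsd": rttsd, "loss": loss_pct}

def gateway_status(probes_ms, thresholds=DEFAULTS):
    """Return the status the dashboard would show for this probe window."""
    s = summarize(probes_ms)
    if s["avg"] > thresholds["latency_high"] or s["loss"] > thresholds["loss_high"]:
        return "offline"      # gateway marked down, multi-WAN fails over
    if s["avg"] > thresholds["latency_low"]:
        return "latency"
    if s["loss"] > thresholds["loss_low"]:
        return "loss"
    return "online"

# Constructed windows: idle link, link saturated by bulk downloads (bufferbloat),
# and a link dropping 2 of 10 probes
IDLE = [12, 14, 13, 15, 12, 14]
SATURATED = [600, 900, 1200, 1500, 350, 800]
LOSSY = [20, None, 22, None, 23, 24, 25, 26, 27, 28]

# Raised thresholds: the same saturated window is no longer reported as down,
# but the queueing delay behind it is unchanged
RAISED = {"latency_low": 800, "latency_high": 2000, "loss_low": 10, "loss_high": 20}

if __name__ == "__main__":
    for name, window in [("idle", IDLE), ("saturated", SATURATED), ("lossy", LOSSY)]:
        print(name, summarize(window), gateway_status(window), gateway_status(window, RAISED))
```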
tejas (LAYER 8) @stephenw10

@stephenw10 strangely I can only see one WAN in the traffic shaper
tejas (LAYER 8) @stephenw10

@stephenw10 said in High RTT latency on wan [SOLVED]:

If you set the alarm thresholds higher in WAN2 monitoring does it continue to pass traffic OK?

Just enabling codelq on the root of both WANs could work well here. Just set the bandwidth to something very slightly less than what you can actually achieve.

Steve

I enabled codelq on the root of the problematic WAN2, which was the only one showing; it still shows the latency, but at least it is not showing the status Offline. I set 9 Mbps for the 10 Mbps WAN. Should I lower it more, or rather tune the latency threshold limit?

Could you suggest a solution for putting a limiter on YouTube and video media?
stephenw10 (Netgate Administrator)

You only need to set the bandwidth slightly lower than what you can actually achieve over the link to make sure it queues at the local interface, where you have control over it, rather than somewhere upstream.
So you might be able to use 9.5Mbps there. 500kbps matters on a 10Mb connection. 😉

Limiting YouTube is far harder. You need to define YouTube as a destination alias and then create a rule that passes it but assigns a limiter on LAN. Defining that alias is the problem. YouTube uses a very large and changing number of IPs.
You might get close by using ASNs in pfBlocker to create the alias.

Steve
tejas (LAYER 8) @stephenw10

@stephenw10 I like you: simple answer, no hassle and no big technical b.s., straight to the point.
Will try the alias for YouTube.

You didn't say anything about why my pfSense is only showing one WAN interface and no second WAN and LAN interface in limiter >> by interface??
stephenw10 (Netgate Administrator)

What are the interface assignments your two WANs are using? In Interfaces > Assign?

There are some NIC types that do not support ALTQ traffic shaping. If you need to though it's possible to use Limiters there too. In 2.4.4 we have FQ_CODEL scheduling available there.

Steve
tejas (LAYER 8) @stephenw10

@stephenw10 said in High RTT latency on wan [SOLVED]:

What are the interface assignments your two WANs are using? In Interfaces > Assign?

There are some NIC types that do not support ALTQ traffic shaping. If you need to though it's possible to use Limiters there too. In 2.4.4 we have FQ_CODEL scheduling available there.

Steve

I am using pfSense 2.3.5-release-p2 (i386) on an Intel Pentium G2020 @ 2.90GHz with one onboard Ethernet as LAN, and two Express PCI LAN cards as WAN 1 and WAN 2.

In my Interface >> Assignments there are three interfaces: WAN1, WAN2 and LAN. The argument that some NICs are not supported doesn't seem valid, due to the fact that both the WAN1 and WAN2 PCI cards are of the same make with Realtek NICs, and the LAN NIC is Intel built.

A couple of questions please:

• When I have both pfBlockerNG and Squid enabled, which rule is applied first, and do both of them interfere with each other?

• Please clear my doubt about the states. When and how do the states expire? Is it necessary to reset the states and firewall state table after every rule edit or change?

• In Firewall >> Rules >> LAN the states column shows number of states/data transfer. Is it accurate? Because if that is true then many of my rules are not working as desired, e.g. a custom rule forcing a group of client IPs through a specific gateway whose states and data show 0/0.

• The SSL monitoring of the Squid proxy has to be disabled since I could install the pfSense CA certificate via group policies on our systems, but how could I do that on the guest PCs, and many financial, transaction and bank websites show errors; especially our Accounts Department complains very much.

• What should I do with the tons of error and warning messages generated by Snort, which is still in the non-blocking mode yet?
stephenw10 (Netgate Administrator)

@tejas said in High RTT latency on wan [SOLVED]:

I am using pfSense 2.3.5-release-p2 (i386) on an Intel Pentium G2020 @ 2.90GHz

Why are you running 32-bit on that CPU? You should be running 2.4.4 there really.

About the only reason those interfaces would not show in the Firewall > Traffic Shaper > By interface tab is if they don't support ALTQ. You would have to check exactly what hardware they are to know for sure though. I would expect the Intel NIC to support it but their ix NICs do not. What are the actual port names listed? re0, re1, em0?

pfBlocker and Squid do different things, they should not interfere. But bear in mind connections coming from Squid will always have the default WAN as the source IP. pfBlocker can block connections on LAN before they reach Squid if you have it configured to do so.

Existing states are not removed when you change the ruleset. So if you want to move a client to use a different gateway you would have to kill any open states on the old gateway or just wait for them to timeout. Only new states will use the changed rule.

It is accurate. If traffic is passing and you see no states there it is not being passed by that rule.

If you want to do full SSL traffic inspection you have to install the generated CA on the clients, there is no way past that. However you can do 'peek and splice' to filter by FQDN only. See: https://youtu.be/xm_wEezrWf4?t=637

If any of those alerts are against legitimate traffic you need to suppress them or disable the rule that is being triggered before you switch to blocking mode or you will block required traffic.
https://www.netgate.com/docs/pfsense/ids-ips/setup-snort-package.html#alert-thresholding-and-suppression

Steve
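An added example (not pfSense code, not from anyone in this thread) for Steve's point that existing states keep using the old gateway after a policy-routing rule change: it scans a `pfctl -ss` style dump for a client's states that were translated to the old WAN's address and builds the `pfctl -k` commands that would drop them. The WAN addresses and dump lines are constructed, the `iface proto src (nat) -> dst state` line layout and IPv4-only addresses are assumptions, so check the parenthesised-address position against your own dump before relying on it.

```python
"""Find states still bound to the old WAN after a gateway rule change.

Added example, not pfSense code. Assumes a 'pfctl -ss' layout of
'iface proto src (nat) -> dst state' for outbound NAT states; because the
order of the plain and parenthesised source addresses is an assumption, a
state is matched when the client IP and the WAN IP both appear on the
source side, whichever position each is in. IPv4 only.
"""
import re

# Constructed addresses: WAN1 is the old gateway, WAN2 the new one
WAN1_IP = "203.0.113.10"
WAN2_IP = "198.51.100.10"

# Constructed 'pfctl -ss' dump (layout assumed, see above)
SAMPLE_DUMP = """\
all tcp 192.168.1.50:51000 (203.0.113.10:51000) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.50:51001 (198.51.100.10:51001) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:53000 (203.0.113.10:53000) -> 9.9.9.9:53       MULTIPLE:MULTIPLE
all tcp 192.168.1.60:51002 (203.0.113.10:51002) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.50:51003 -> 192.168.1.1:443       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>[^\s:]+):\d+"
    r"(?:\s+\((?P<b>[^\s:]+):\d+\))?\s+->\s+(?P<dst>[^\s:]+):\d+"
)

def parse_states(dump):
    """Yield (proto, source_addrs, dst) for each outbound state line."""
    for line in dump.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # inbound ('<-') or unrecognised line, skipped
        addrs = {m.group("a")}
        if m.group("b"):
            addrs.add(m.group("b"))
        yield m.group("proto"), addrs, m.group("dst")

def states_via_gateway(dump, client_ip, wan_ip):
    """States of client_ip that were translated to wan_ip (still on that WAN)."""
    return [(proto, dst) for proto, addrs, dst in parse_states(dump)
            if client_ip in addrs and wan_ip in addrs]

def kill_commands(dump, client_ip, wan_ip):
    """Distinct 'pfctl -k src -k dst' commands that drop those states."""
    cmds = []
    for _proto, dst in states_via_gateway(dump, client_ip, wan_ip):
        cmd = f"pfctl -k {client_ip} -k {dst}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds
```

`pfctl -k host -k host` is coarse: it drops every state for that client/destination pair, including any already on the new WAN, which is acceptable here because replacement states are created under the changed rule.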
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.