Traffic Shape Penalty Box not working.

periko · Feb 10, 2020, 5:01 AM

Hi.

Need some help with TC penalty box. I follow the wizard, 2 nics WAN/LAN simple.

I create a Aliases and add the IP's I want to penalize.

Went start testing, all the http/https traffic from those IP's goes into the queue: qDefault
and the others devices traffic into the same queue, talking about traffic http/https.

The floating rules has the first rule for the penalty box and queue qOthersLow, but that queue won't get any traffic.

I haven't customize my rules, are the same the wizard create to me, I show u here my rules.

login-to-view
login-to-view
login-to-view
login-to-view

I had flush the states.

Any suggestion I will appreciated, thanks.

Pfsense 2.4.3_p3.

Grimeton · Feb 10, 2020, 10:40 AM

Use a floating rule and tick this box, then try again.

login-to-view

periko · Feb 10, 2020, 1:44 PM

Hi.
I had try that option, I restart my pfsense box but still won't see any traffic in my qOthersLow.

login-to-view

Any other suggestion?

Thanks Grimeton.

bobbenheim · Feb 10, 2020, 2:39 PM

Have you tried the guidelines in the Pfsense docs for floating rules?

periko · Feb 10, 2020, 4:42 PM

@bobbenheim not yet, I follow the Traffic Shape wizard.

But I will read about, thanks.

bobbenheim · Feb 11, 2020, 8:36 AM

@periko by looking at your picture it seems that your using a match rule,
and according to the Pfsense docs the last match wins the race.
Have you tried putting your penalty rule at the bottom?

Grimeton · Feb 12, 2020, 4:53 AM

@periko What interface is the rule applied to? If you use the wrong interface....

periko · Feb 12, 2020, 4:53 AM

@Grimeton WAN interface.
Thanks.

periko · Feb 17, 2020, 9:18 AM

I had been working with Traffic Shape, following the wizard.

Trying to penalize some users in the network but no luck.

I had move my rule in the top, bottom, Apply the action immediately on match. etc.

Reset my states, reset my fw, is my lab don't affect user :-).

My test is easy, I would like to affect some user on http/https(penalize them) , I create a Alias.

My rule is to move those Alias users to p2p which are lower priority.

But anything they try to download data or youtube, that traffic appear in the standard queue that the wizard create 'qOthersHigh'.

I manually create my own rules following the current rules, but won't matter, all that traffic never goes in the p2p queue, talking about http/https that I can say, I see traffic in the p2p queue but is a little amount.

Them I can think that this feature is not working or I don't understand the meaning?

user1 192.168.20.111 Penalize
user2 192.168.20.102 Penalize
user3 192.168.20.100 No Penalize

Right now the 3 users are downloading data from difference sites, the Penalize users suppose to get 3% of the traffic during the wizard steps.

login-to-view

Reading about floating rules, they are all check, the last one wins, now lets me show u my pftop queues.

login-to-view

There u can see at the bottom, I create my custom rules and they don't have any records.
Don't know the meaning of the 'Q' before the interface(igb0) at the right?

Now how is the traffic on each user:
login-to-view

Most of the pfsense docs talk about PRIQ which is more easy to setup, is based on priority, them is possible to control bandwidth and have some users eat lets like Limiters do? Or didn't understand the Penalize meaning?

Other question, we cannot control burst data from the outside right?
Youtube is http/https traffic?

I trying to understand this pfsense feature, any comment I will appreciated, thanks.

bobbenheim · Feb 17, 2020, 9:18 AM

@periko can you take some screenshots of what the floating rule look like?

periko · Feb 17, 2020, 6:55 PM

@bobbenheim yes, here they are.
login-to-view
Thanks.

bobbenheim · Feb 17, 2020, 6:55 PM

@periko If you push that pencil(edit) button at your "Traffico HTTP Penalizado" rule and take a screenshot of that, that was what i was going for. I assume that is the rule you want to penalize the host with :)

periko · Feb 18, 2020, 3:59 AM

@bobbenheim yes, that is the users I want to penalize, here is the screenshot, is big..
login-to-view

bobbenheim · Feb 18, 2020, 10:38 PM

@periko i assume that your alias Penalizados contains local ip adresses i.e. 192.168.1.x, and you are trying to match those adresses to traffic on the WAN interface when those adresses resides on the LAN interface. Can you try and set interface to LAN and see if it makes a difference?

periko · Feb 19, 2020, 7:17 AM

@bobbenheim Yes I can, won't affect LAN2LAN?

bobbenheim · Feb 19, 2020, 7:18 AM

@periko traffic among hosts on your local subnet is not sent to pfsense.

periko · Feb 20, 2020, 2:11 PM

@bobbenheim Looks like that was the trick, I can see the rule working choosing LAN for the Penalty users, thanks Sir.