FQ_CODEL limiters with VLANs and WireGuard Client
-
Dear Community members, I really need some help here.
Some basic information first.
pfSense box: DELL Wyse 5070 Extended (Pentium Silver J5005, 8 GB RAM, 16 GB SSD)
NIC: Quad port HP NC364T
Managed switch: NETGEAR GS108Ev3
ISP line: 400 Mb/s Down, 15 Mb/s Up
My pfSense config is very similar to this
The main difference is that I'm using WireGuard (Mullvad VPN) instead of OpenVPN.
WireGuard tunnel and peer created by following this guide.
My interfaces are:
WAN (em0)
LAN (em1)
VL10_MGMT (VLAN 10 on em2)
VL20_VPN (VLAN 20 on em2)
VL30_GUEST (VLAN 30 on em2)
VPN_WAN (wg0)
Now, to avoid bufferbloat I set up limiters and floating rules as described in this guide.
Limiters:
FQ_CODEL_OUT = 12 Mb/s
FQ_CODEL_IN = 360 Mb/s
It looks like limiters are working OK for all my interfaces (WAN_DHCP gateway monitoring RTT shows ~20/30ms with maximum download speeds) except VL20_VPN (WireGuard).
When I start to download large files (e.g. Ubuntu Linux torrents) through the VPN tunnel at high speeds (30-40 MB/s), latency goes very high, which leads to the VPN_WAN gateway going offline.
I've changed my VL20_VPN rule allowing traffic to the VPN and made changes to the In/Out pipe (gateway is set to VPN_WAN on that rule) but that didn't solve my problem. I've also tried to change my FQ_CODEL_IN bandwidth to something lower, like 250-280 Mb/s, but it also didn't help. I don't think my CPU is underpowered, so it's obvious that I'm missing something but I don't know what. I was looking for a solution on the forum but found nothing.
I would really appreciate your help.
-
@emikaadeo FQ_Codel properly does help you out, but for some reason when you reach the set limits it starts dropping ICMP packets heavily, which isn't new and has been mentioned several times in the mile-long FQ_Codel thread. As also mentioned in the thread, try to make rules that clear ICMP packets from FQ_Codel and read up on the tweaks, which might be necessary due to your low upload bandwidth.
-
@bobbenheim I've made floating rules for ICMP packets just like here
Should I make floating rules also for my VL20_VPN interface?
-
@emikaadeo you should do it on the interfaces you have applied limiters with FQ_Codel on.
-
@bobbenheim I will try that. Thanks.
-
@emikaadeo In case you're not aware already, the limiters are applied per gateway, meaning if you apply limiters on your WAN gateway it does not apply to your VPN gateway regardless of being on the same interface. There are also several threads on using the same limiter on multiple gateways and none seemed to be able to get it to work, if I remember right.