Quick Penalty Box Question



  • Hi,

    I recently set up some HFSC traffic shaping on pfSense 2.3 using the wizard but the penalty box didn't work as I expected.

    No traffic from the specified IP address went into the penalty box queue until I edited the floating rule for it and added the WAN interface.

    Is this normal? I would have expected the wizard to add the required interfaces to the floating rule?

    Was I wrong to add the WAN interface to the penalty box floating rule?

    Thanks,



  • WAN should always be selected, I believe, since that's where the shaping is done – at egress.  You control what leaves the WAN as that has a direct relationship with what enters.  I haven't used the TS wizard in 2.3.x but in 2.2 it selected WAN as the default interface.



  • Hi, thanks for the reply,

    Sorry, I got it the wrong way round, it's the LAN I had to add before the queue filled up. Remove that and the low queue empties.

    Is that to be expected if the Penalty Box host is uploading and downloading - will I always need both WAN and LAN in the floating rule?



  • Are you trying to reduce the volume of data transferred or reduce congestion? I only ask because they are two completely unrelated problems that many people conflate.



  • Reduce congestion,

    I have one machine which I'd like to use for downloading and seeding torrents (mainly to help Linux distros) etc.

    I'd like to be able to just leave it on 24x7 and never have it interfere with other, more important, internet traffic.



  • @Simoo:

    Reduce congestion,

    I have one machine which I'd like to use for downloading and seeding torrents (mainly to help Linux distros) etc.

    I'd like to be able to just leave it on 24x7 and never have it interfere with other, more important, internet traffic.

    The simplest and most reliable solution is to limit the throughput (80% or lower) directly at the torrent client.



  • Thanks, that would be the simplest solution.

    But if I wanted to use packet shaping on pfSense (to learn and because I want to expand the rules in the future) and I wanted to put a single host's upload and download traffic in a low priority queue, would I need to apply the floating firewall rule to both the WAN and LAN interface the host resided in?



  • @Simoo:

    Thanks, that would be the simplest solution.

    But if I wanted to use packet shaping on pfSense (to learn and because I want to expand the rules in the future) and I wanted to put a single host's upload and download traffic in a low priority queue, would I need to apply the floating firewall rule to both the WAN and LAN interface the host resided in?

    Traffic is shaped on egress from an interface, so WAN = upload, LAN = download.

    The methods for achieving an optimal setup differ between upload & download. A good intro to these fundamental differences can be found here: http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/



  • If you want to get your feet wet and have something that helps immediately, just enable CoDel on your WAN and LAN interfaces and set your WAN to 80-90% of your upload and LAN to 80-90% of your download. Don't forget to run the DSLReports speedtest before and after to check your bufferbloat scores. After that, start asking more about HFSC if you want to micromanage.



  • Thanks everyone,

    Really helpful (the link is a very good read). One last question regarding pfSense's placement of the Penalty Box floating rule…

    It places it at the top of the rule list, but if I understand correctly, because I want all egress traffic originating from the penalty boxed IP address to be in the low queue, I should move it to the bottom. Otherwise, 'web' traffic from it will hit the 'Web' rule lower down and so be placed in the higher priority 'web' queue - is that right?



  • Yes.  For floating rules, last match wins.  For all other rules, first match wins.  You can change this behaviour with floating rules by editing the rule and checking the Quick checkbox.
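The "last match wins unless Quick" behaviour for floating rules, together with the earlier point that shaping happens on egress (WAN = upload, LAN = download), as an added toy model that is not pfSense code and not from any poster: the queue names, addresses, ports and the reduced match fields (egress interface, host, destination port) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FloatingRule:
    interfaces: set                 # interfaces the floating rule is applied to
    host: Optional[str] = None      # match when src or dst is this host (None = any)
    dst_port: Optional[int] = None  # match this destination port (None = any)
    queue: str = "qDefault"         # queue assigned on match
    quick: bool = False             # pfSense "Quick" checkbox: stop evaluating on match

@dataclass
class Packet:
    egress_if: str  # shaping happens on egress: WAN = upload, LAN = download
    src: str
    dst: str
    dst_port: int

def matches(rule: FloatingRule, pkt: Packet) -> bool:
    return (pkt.egress_if in rule.interfaces
            and (rule.host is None or rule.host in (pkt.src, pkt.dst))
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))
def assign_queue(rules: list, pkt: Packet, default: str = "qDefault") -> str:
    """Floating-rule semantics: last match wins, unless a matching rule is Quick."""
    winner = default
    for rule in rules:
        if matches(rule, pkt):
            winner = rule.queue
            if rule.quick:  # Quick: stop here, so this rule behaves first-match-wins
                break
    return winner

PENALTY_HOST = "192.168.1.50"  # constructed address of the torrent box
penalty = FloatingRule({"WAN", "LAN"}, host=PENALTY_HOST, queue="qOthersLow")
penalty_quick = FloatingRule({"WAN", "LAN"}, host=PENALTY_HOST, queue="qOthersLow", quick=True)
penalty_wan_only = FloatingRule({"WAN"}, host=PENALTY_HOST, queue="qOthersLow")
web = FloatingRule({"WAN", "LAN"}, dst_port=80, queue="qOthersHigh")

# Constructed traffic: an HTTP request leaving WAN (upload), torrent data leaving LAN (download)
upload = Packet("WAN", PENALTY_HOST, "203.0.113.10", 80)
download = Packet("LAN", "203.0.113.10", PENALTY_HOST, 51413)

def penalty_on_top() -> str:        # wizard placement: Web matches last -> qOthersHigh
    return assign_queue([penalty, web], upload)
def penalty_on_bottom() -> str:     # moved to the bottom: Penalty matches last -> qOthersLow
    return assign_queue([web, penalty], upload)
def penalty_on_top_quick() -> str:  # left on top but Quick: stops at Penalty -> qOthersLow
    return assign_queue([penalty_quick, web], upload)
def download_without_lan() -> str:  # LAN not selected: download never matches -> qDefault
    return assign_queue([web, penalty_wan_only], download)
```

Swap the order or set `quick` to see the same packet land in a different queue; the last function shows why the LAN interface had to be added before download traffic reached the low queue.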