Unsure How to Configure Limiter



  • Hi all,

    I am going to use the pfSense limiter to limit traffic from a specific host.

    What I have here is a two-site installation with two pfSense 2.3.2 boxes, both connected by OpenVPN.
    On site 1 there is the backup server for both sites.  Backup is scheduled to start at night hours.

    Sometimes the backup takes longer and is still running when working hours start. As we have only a 10Mbit/s connection, this affects the workflow.

    So I wanted to create a limiter based on a schedule which limits the traffic from site 2 to the backup server to 1Mbit/s during the day but allows full traffic at night.
    I read docs and posts but am still unsure how to configure it.

    Schedule rules are created, so I went to Firewall -> Traffic Shaper -> Limiters and created two limiters:
    bu_in and bu_out
    For bu_out the Mask is set to Destination Address and the limit (based on schedule) is set to 1Mbit/s.
    For bu_in the Mask is set to Source Address and the limit (based on schedule) is set to 100Mbit/s. (no limit for restores)

    Then I created a firewall rule with following settings on the LAN Interface:
    "Pass", "IPv4", "any". As "Source Address" I set the IP of my backup server.
    In "Advanced Options" I configured the In/Out Pipe to "bu_in" and "bu_out".

    So I thought it might be perfect. But it is not: the backup host still runs at approx. 10Mbit/s! This is the output of the ipfw command:

    
    >ipfw pipe show
    00001: 100.000 Mbit/s    0 ms burst 0
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
     sched 65537 type FIFO flags 0x1 256 buckets 0 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    00002:   1.000 Mbit/s    0 ms burst 0
    q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
     sched 65538 type FIFO flags 0x1 256 buckets 0 active
        mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
    
    

    Anyone have an idea what I did wrong?

    Greetings /KNEBB
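As an added example (not part of the thread and not pfSense's own code), the following shell script turns the ipfw pipe show listing quoted in the post above into one line per dummynet pipe: pipe number, bandwidth, which address the mask keys on, and the current flow count. In dummynet's mask line the fields are "proto src-addr/src-port -> dst-addr/dst-port", so a 0xffffffff mask on the left side means one dynamic queue per source address and on the right side one per destination address. The sample text is the listing from the post, embedded so the script runs offline; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: summarise "ipfw pipe show" output as one
# line per dummynet pipe: number, bandwidth, mask direction and flow count.
# On a live pfSense box:  ipfw pipe show | summarize_pipes
# PIPE_SHOW is the listing from the post above, embedded so this runs offline.
PIPE_SHOW='00001: 100.000 Mbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
00002:   1.000 Mbit/s    0 ms burst 0
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000'

# summarize_pipes: reads "ipfw pipe show" text on stdin and prints
#   pipe <n> <bandwidth> mask=<src-addr|dst-addr|src+dst|none> flows=<count>
# The mask line is "proto src/sport -> dst/dport"; a non-zero address mask
# means dummynet keeps one dynamic queue per distinct address on that side.
summarize_pipes() {
    awk '
        /^[0-9]+:/ {                  # pipe header: "00002:   1.000 Mbit/s ..."
            pipe = $1; sub(":", "", pipe); pipe += 0
            order[++n] = pipe
            bw[pipe] = $2 " " $3
            mask[pipe] = "none"; flows[pipe] = "?"
        }
        /^q[0-9]+ / {                 # queue line carries the active flow count
            for (i = 1; i < NF; i++) if ($(i+1) == "flows") flows[pipe] = $i
        }
        /^ *mask:/ {
            split($3, src, "/"); split($5, dst, "/")
            s = (src[1] != "0x00000000"); d = (dst[1] != "0x00000000")
            if (s && d) mask[pipe] = "src+dst"
            else if (s) mask[pipe] = "src-addr"
            else if (d) mask[pipe] = "dst-addr"
        }
        END {
            for (i = 1; i <= n; i++)
                printf "pipe %d %s mask=%s flows=%s\n",
                       order[i], bw[order[i]], mask[order[i]], flows[order[i]]
        }'
}

printf '%s\n' "$PIPE_SHOW" | summarize_pipes
```

For the listing in the post this prints pipe 1 (bu_in) at 100 Mbit/s masked on the source address and pipe 2 (bu_out) at 1 Mbit/s masked on the destination address, i.e. the pipes are defined the way the post describes. What the listing cannot show is whether any firewall rule sends traffic into them: the flow counter is 0 on both pipes, and if that is still 0 while the backup is running, nothing is being steered into the limiter at all.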



  • Using traffic-shaping queues is probably easier and more powerful.

    Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.



  • Hi,

    @Nullity:

    Using traffic-shaping queues is probably easier and more powerful.

    I have had bad experiences with traffic shaper so I do not like to use this path.

    Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.

    Well, of course there is a reason. The guys on site 1 will have only very limited speed while a backup is consuming nearly the full bandwidth…

    /KNEBB



  • @knebb:

    Hi,

    @Nullity:

    Using traffic-shaping queues is probably easier and more powerful.

    I have had bad experiences with traffic shaper so I do not like to use this path.

    Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.

    Well, of course there is a reason. The guys on site 1 will have only very limited speed while a backup is consuming nearly the full bandwidth…

    /KNEBB

    I let BitTorrent use all of my free bandwidth with no issues. Idle bandwidth is wasted bandwidth. With proper shaping, you can guarantee every service will get a minimum amount of bandwidth while allowing the unused bandwidth to be utilized in a fair way.

    I've had very good experiences with the traffic shaper, it works exactly how I expect it to. Correct your expectations and you will find the shaper is very powerful. Based on what I've read, it does have a few rough edges with poor driver support if you use lower quality hardware or a 10Gb NIC and they decided not to implement ALTQ.



  • @Harvy66:

    I've had very good experiences with the traffic shaper, it works exactly how I expect it to. Correct your expectations and you will find the shaper is very powerful.

    Well, one issue is that the traffic shaper does not shape on OpenVPN connections. So I cannot differentiate between different types of traffic inside the OpenVPN tunnel. But this is what I need!

    The traffic shaper does not work if you want to prioritize/limit traffic within the same OpenVPN tunnel.



  • @knebb:

    @Harvy66:

    I've had very good experiences with the traffic shaper, it works exactly how I expect it to. Correct your expectations and you will find the shaper is very powerful.

    Well, one issue is that the traffic shaper does not shape on OpenVPN connections. So I cannot differentiate between different types of traffic inside the OpenVPN tunnel. But this is what I need!

    The traffic shaper does not work if you want to prioritize/limit traffic within the same OpenVPN tunnel.

    I thought you could match individual traffic types with firewall rules on the OpenVPN interface itself.



  • @knebb:

    Hi,

    @Nullity:

    Using traffic-shaping queues is probably easier and more powerful.

    I have had bad experiences with traffic shaper so I do not like to use this path.

    Also, there's no reason that you can't use the full 10Mbit (minus a few percent) when uploading.

    Well, of course there is a reason. The guys on site 1 will have only very limited speed while a backup is consuming nearly the full bandwidth…

    /KNEBB

    Site 1 is where the backup server is? (I am unclear about your network topology.)
    If so, yeah, you would need to shape the download at that end, which queues can accomplish, but it's not as optimal as an uncongested pipe. You could allocate 1Mbit (HFSC link-share) to backup and leave the rest for normal traffic, then when there is no normal traffic the backup will get the full 10Mbit. You could additionally use HFSC upper-limit to hold the backup traffic to some arbitrary max like 9Mbit, so that the link is never fully saturated by backup traffic.



  • @Nullity:

    Site 1 is where the backup server is? (I am unclear about your network topology.)

    Yes, it is.

    If so, yeah, you would need to shape the download at that end,

    This is what I was going to do with the Limiters of the Traffic shaper.
    I am just unsure how this all works together regarding the correct configuration. Currently it does not limit at all.
    So you say I should configure the traffic shaper. It seems to be possible, but as you mention it is far from perfect. I had a look at what the pfSense docs say regarding HFSC:

    It can be very effective for VoIP on links that degrade quickly, such as 3G/4G, but it can be complex to configure and tweak for proper operation. 
    

    For PRIQ it says:

     Lower priority queues can be completely starved for bandwidth easily.
    

    Which is bad as I need to have the backup to continue any time. Otherwise it would re-start from scratch…
    And CBQ limits traffic non-dynamically. Bad idea.

    Still, it looks like I cannot use the traffic shaper.

    So I am back at my first question: How to configure properly to have it up and running?

    I thought you could match individual traffic types with firewall rules on the OpenVPN interface itself.

    No way. Only physical interfaces.



  • @knebb:

    No way. Only physical interfaces.

    Are you sure?



  • @Nullity:

    @knebb:

    No way. Only physical interfaces.

    Are you sure?

    Pretty much, yes. See attached image. There might be a possibility to configure them on virtual interfaces, but this is not possible with the pfSense GUI. And I am not going on the command line (as these settings will be hidden when you do troubleshooting later).




  • @knebb:

    @Nullity:

    @knebb:

    No way. Only physical interfaces.

    Are you sure?

    Pretty much, yes. See attached image. There might be a possibility to configure them on virtual interfaces, but this is not possible with the pfSense GUI. And I am not going on the command line (as these settings will be hidden when you do troubleshooting later).

    I said firewall rules, not traffic-shaping (which your image shows).

    You may need to do some reading about how VPN, firewall rules, and traffic-shaping queues/limiters work together…



  • @Nullity:

    I said firewall rules, not traffic-shaping (which your image shows).

    Ok, misunderstood.
    Still, with firewall rules I can not limit my traffic. I can select it and let it pass or block/ drop it.

    You may need to do some reading about how VPN, firewall rules, and traffic-shaping queues/limiters work together…

    This is exactly where I need help. As I wrote in my initial post I did some reading.

    My point is that I do not know why it is not working (where I assume I did some misconfiguration). So what I have is a firewall rule on the LAN interface which matches my traffic (destination host is my backup host). In the advanced options of this rule I configured the In/Out pipe to use the limiter rules.
    The limiter itself is configured for an IN and an OUT pipe where the limits are defined.

    But still- the backup server consumes 10Mbit/sec instead of configured 1Mbit/s.



  • Still, with firewall rules I can not limit my traffic. I can select it and let it pass or block/ drop it.

    Expand the Advanced section and look for In / Out Pipe.  This is where you direct traffic into a limiter.



    First, confirm that your firewall rule is catching the proper traffic. Once that is confirmed you can begin to deal with where that traffic is assigned (limiters or queues).

    Personally, I think limiters are best used for other things, like dynamic sharing among IPs.
    Queues, like HFSC, CBQ (with borrowing), or FAIRQ are what I would use here.
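As an added example of the check suggested in the post above (not from the thread and not pfSense's own code), this shell script reads pfctl -vvsr output and reports, for every rule that mentions a given address, the rule's packet and state counters and whether the rule carries a limiter (a dnpipe reference). pf is stateful, so a rule that never creates the state never gets the chance to steer the connection into its In/Out pipe; a rule whose Packets counter stays at 0 while the backup runs is the first thing to fix. The two-rule excerpt is constructed in the layout pfctl -vvsr prints (rule line, then the "[ Evaluations: ... Packets: ... ]" line); the addresses, interface names, rule labels and the exact way the limiter is rendered on the rule line are assumptions, and the script only looks for the substring "dnpipe".

```shell
#!/bin/sh
# Added example, not from the thread: check whether the pf rule that carries the
# limiter is actually matching traffic.  On a live pfSense box:
#     pfctl -vvsr | check_rule_hits 192.168.1.10
# SAMPLE_PFCTL is a CONSTRUCTED excerpt in pfctl -vvsr layout; addresses,
# interfaces, labels and the dnpipe rendering are assumptions.
SAMPLE_PFCTL='@4 pass in quick on em0 inet from 192.168.1.10 to any flags S/SA keep state label "USER_RULE: backup limiter" dnpipe(1, 2)
  [ Evaluations: 8421      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@5 pass in quick on ovpns1 inet from 10.8.0.0/24 to 192.168.1.10 flags S/SA keep state label "USER_RULE: vpn to lan"
  [ Evaluations: 8421      Packets: 914223    Bytes: 1236712300  States: 3     ]
  [ Inserted: uid 0 pid 1234 State Creations: 41    ]'

# check_rule_hits ADDR: read pfctl -vvsr text on stdin and print, for each rule
# whose text contains ADDR:
#     rule <n> packets=<count> states=<count> limiter=<yes|no>
# "packets=0" means the rule has never matched, so any limiter on it is idle.
check_rule_hits() {
    addr="$1"
    awk -v addr="$addr" '
        /^@[0-9]+ / {                         # rule line: "@4 pass in quick on ..."
            rule = $1; sub("@", "", rule)
            hit = index($0, addr) > 0
            lim = index($0, "dnpipe") > 0 ? "yes" : "no"
            next
        }
        hit && /Evaluations:/ {               # counters line that follows the rule
            pk = ""; st = ""
            for (i = 1; i < NF; i++) {
                if ($i == "Packets:") pk = $(i+1)
                if ($i == "States:")  st = $(i+1)
            }
            printf "rule %d packets=%s states=%s limiter=%s\n", rule, pk, st, lim
            hit = 0
        }'
}

printf '%s\n' "$SAMPLE_PFCTL" | check_rule_hits 192.168.1.10
```

In the constructed sample the rule carrying the limiter (rule 4, on the LAN side) has seen no packets, while the rule on the OpenVPN interface (rule 5) holds the states and all the traffic to the backup server. That is the pattern to look for: in pfSense the In pipe applies to traffic matching the rule in the direction it is evaluated and the Out pipe to the reply traffic of that same state, so the limiter has to sit on the rule that actually creates the state for the backup connection, on whichever interface the first packet of that connection enters.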



    How do I read these limiter logs?

    Thanks.




  • Please don't hijack someone else's thread with unrelated stuff.  Start a new thread.



    Sorry, but I think this thread is still related to the limiter.
    I configured a limiter and I don't know how to read these details, so I think someone here can help me with this.

    Thanks and sorry for this.



  • Every question in this forum has to do with the shaper or limiter.  This post is specifically about how to configure.  You want to know how to read a log.  Not the same thing.  Start your own thread.



  • Ok. Thank you.