    What exactly is ackQueue supposed to be doing?

    Traffic Shaping
      fmatthew5876 last edited by

      As I was playing around with the traffic shaper I tried using the ackQueue. This is on 2.3.3-p1.

      The idea of prioritizing TCP ack packets makes sense. They are tiny and delaying or dropping them can make your connections retransmit unnecessarily.

      So in firewall rules, we have a queue and an ackQueue. From the name "ackQueue", and the way firewall rules keep state one would naturally assume this means if you set this value it will put the TCP acks into the ackQueue and all other traffic of the connection into the regular queue.

      From my testing, however, this is not at all what happens. I set up a LAN rule on my test network to tag outbound packets with "test". Then I set up an outbound WAN floating rule to match "test" and apply queue=qDefault and ackQueue=qAck. In this test, I only have queues set up on WAN, none on LAN. I'm using the PRIQ algo.

      My test was to download a FreeBSD ISO over HTTP.

      From pftop, what it looks like is that the outbound request to download the ISO went into qDefault, but then all of the return traffic (the entire multi-GB ISO itself) all went to qAck.

      From that test, it looks like the ackQueue feature is actually a separate queue assignment for all of the return traffic, not just TCP acks.

      Is this the expected behavior of "ackQueue"? If so, why does it have the misleading name of "ackQueue" vs something else that would better indicate its real purpose?

        Nullity last edited by

        @fmatthew5876:

        Did you reset states? https://doc.pfsense.org/index.php/Reset_States

          klou last edited by

          I've been wondering about this as well.  Does the assigned ackQueue actually look at TCP flags, or is it simply the return traffic on an outbound rule?

            Harvy66 last edited by

            If you're only assigning ACK traffic to the queue, then it is only ACK packets.

              Nullity last edited by

              For detailed info about pf's integrated ACK classification you should probably look to OpenBSD's pf documentation.
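
Added illustration, not written by any poster in this thread and not pf's own code: a small Python model of the rule given in the pf.conf man page, which says that when a rule names two queues, the second is used for packets with a TOS of lowdelay and for TCP ACKs with no data payload. The packet list is constructed to resemble the client side of an HTTP download as it leaves WAN; `Packet`, `select_queue` and `tally` are hypothetical names, and the 40-byte header size is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

IPTOS_LOWDELAY = 0x10  # IP TOS "low delay" bit
TH_SYN = 0x02          # TCP flag bits
TH_PSH = 0x08
TH_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    tcp_flags: int
    payload_len: int       # TCP payload bytes
    tos: int = 0
    header_len: int = 40   # assumption: IPv4 + TCP headers, no options


def select_queue(pkt, queue="qDefault", ack_queue="qAck"):
    """Model of the documented rule for a rule with `queue (queue, ack_queue)`."""
    pure_ack = bool(pkt.tcp_flags & TH_ACK) and pkt.payload_len == 0
    low_delay = bool(pkt.tos & IPTOS_LOWDELAY)
    return ack_queue if (pure_ack or low_delay) else queue


def tally(packets):
    """Return ({queue: packet count}, {queue: bytes}) for a list of packets."""
    pkts, octets = Counter(), Counter()
    for p in packets:
        q = select_queue(p)
        pkts[q] += 1
        octets[q] += p.header_len + p.payload_len
    return dict(pkts), dict(octets)


# Constructed sample: packets a downloading client sends out of WAN.
SAMPLE = (
    [Packet(TH_SYN, 0)]                  # connection request
    + [Packet(TH_ACK, 0)]                # handshake ACK
    + [Packet(TH_ACK | TH_PSH, 120)]     # HTTP GET carrying payload
    + [Packet(TH_ACK, 0)] * 1000         # ACKs for received data segments
)

if __name__ == "__main__":
    print(tally(SAMPLE))
```

In this model almost every packet the client sends during a download is a payload-free ACK, so the second queue sees most of the packets while carrying few bytes.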

              1 Reply Last reply Reply Quote 0
              • First post
                Last post

              Products

              • Platform Overview
              • TNSR
              • pfSense
              • Appliances

              Services

              • Training
              • Professional Services

              Support

              • Subscription Plans
              • Contact Support
              • Product Lifecycle
              • Documentation

              News

              • Media Coverage
              • Press
              • Events

              Resources

              • Blog
              • FAQ
              • Find a Partner
              • Resource Library
              • Security Information

              Company

              • About Us
              • Careers
              • Partners
              • Contact Us
              • Legal
              Our Mission

              We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

              Subscribe to our Newsletter

              Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

              © 2021 Rubicon Communications, LLC | Privacy Policy