The traffic shaping rules do not seem to be applied.



    Summary:

    The traffic shaping rules do not seem to be applied.

    Questions:

    Where can I look to find out more about it (other than what I did below)?
    What might be the issue?

    Setup:

    I have a Netgate SG-1000 running 2.4.0-BETA (arm) built on Sat Jul 01 03:33:59 CDT 2017  FreeBSD 11.0-RELEASE-p10.

    I have configured Traffic shaping with the help of the Wizard at least a week ago.  The rules that are added to the floating rules seem correct, I have cleared the states several times, the WAN connection changed a few times and the SG-1000 has also been rebooted several times.  The filter has been reloaded several times etc.  I can't think of a reason why the rules are not loaded (but there might be one).

    'pftop -s1 -v queue' shows this:
    pfTop: Up Queue 1-10/10, View: queue, Cache: 10000                                                                                            17:01:08

    QUEUE                            BW SCH  PRIO    PKTS    BYTES  DROP_P  DROP_B QLEN BORROW SUSPEN    P/S    B/S
    qACK                                priq    6        0        0        0        0    0
    qDefault                            priq    3    5441  879972        4      240    0
    qGames                              priq    5        0        0        0        0    0
    qOthersHigh                          priq    4        0        0        0        0    0
    qOthersLow                          priq    2        0        0        0        0    0
    qLink                                priq    2    5558  2776420        0        0    0
    qACK                                priq    6        0        0        0        0    0
    qGames                              priq    5        0        0        0        0    0
    qOthersHigh                          priq    4        0        0        0        0    0
    qOthersLow                          priq    3        0        0        0        0    0

    Given the active traffic other queues should be active.

    To verify this, I have checked one of the rules as there were several connections falling in its category:

    This is the line shown in the floating rules overview:
    0 /55 KiB
    IPv4 TCP * * * 6881 - 6999 * qACK/qOthersLow m_Other Battle.NET-Downloader outbound

    Destination port "6881" should be filtered.  The popup says there have been 1552144K evaluations, 382 packets.  All the rules give the same statistics:

    evaluations: 152.141 K
    packets: 382
    bytes: 55 KiB
    states: 0
    state creations: 0

    Using pfTop and filtering, I conclude that there are connections and, as the list changes in length all the time, these are dynamic and I'd have expected them to end up in the low priority queue:

    pfTop: Up State 1-48/190 (1348), View: default, Order: none, Cache: 10000                                                                      17:09:18

    PR        DIR SRC                                  DEST                                          STATE                AGE      EXP    PKTS    BYTES
    udp      In  192.168.5.70:6881                    46.10.86.164:6881                          SINGLE:MULTIPLE    00:00:27  00:00:03        2      470
    udp      Out 192.168.1.80:36319                    46.10.86.164:6881                        MULTIPLE:SINGLE      00:00:27  00:00:03        2      470
    udp      In  192.168.5.70:6881                    83.134.236.154:6881                        SINGLE:MULTIPLE    00:00:22  00:00:08        2      470
    udp      Out 192.168.1.80:5619                    83.134.236.154:6881                      MULTIPLE:SINGLE      00:00:22  00:00:08        2      470
    udp      In  192.168.5.70:6881                    93.29.10.67:6881                        MULTIPLE:MULTIPLE    00:00:20  00:00:41      12    1814
    udp      Out 192.168.1.80:11073                    93.29.10.67:6881                        MULTIPLE:MULTIPLE    00:00:20  00:00:41      12    1814
    udp      In  192.168.5.70:6881                    62.63.30.24:6881                          SINGLE:MULTIPLE    00:00:17  00:00:13        2      470
    udp      Out 192.168.1.80:9126                    62.63.30.24:6881                        MULTIPLE:SINGLE      00:00:17  00:00:13        2      470
    udp      In  192.168.5.70:6881                    100.37.159.254:6881                        SINGLE:MULTIPLE    00:00:07  00:00:23        2      470
    udp      Out 192.168.1.80:61141                    100.37.159.254:6881                      MULTIPLE:SINGLE      00:00:07  00:00:23        2      470
    tcp      In  192.168.5.70:64880                    172.195.120.168:6881                  ESTABLISHED:ESTABLISHED  00:00:06  23:59:55        5      425
    tcp      Out 192.168.1.80:44010                    172.195.120.168:6881                  ESTABLISHED:ESTABLISHED  00:00:06  23:59:55        5      425
    tcp      In  192.168.5.70:64885                    84.240.64.10:6881                      TIME_WAIT:TIME_WAIT    00:00:05  00:01:25        8      515
    tcp      Out 192.168.1.80:3989                    84.240.64.10:6881                      TIME_WAIT:TIME_WAIT    00:00:05  00:01:25        8      515
    udp      In  192.168.5.70:6881                    109.10.132.124:6881                        SINGLE:MULTIPLE    00:00:05  00:00:25        2      491
    udp      Out 192.168.1.80:46688                    109.10.132.124:6881                      MULTIPLE:SINGLE      00:00:05  00:00:25        2      491
    udp      In  192.168.5.70:6881                    85.57.224.39:6881                          SINGLE:MULTIPLE    00:00:05  00:00:25        2      469
    udp      Out 192.168.1.80:46210                    85.57.224.39:6881                        MULTIPLE:SINGLE      00:00:05  00:00:25        2      469
    udp      In  192.168.5.70:6881                    85.226.175.80:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:46242                    85.226.175.80:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    78.92.46.117:6881                      NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:1517                    78.92.46.117:6881                          SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    74.101.8.108:6881                          SINGLE:MULTIPLE    00:00:05  00:00:25        2      470
    udp      Out 192.168.1.80:2343                    74.101.8.108:6881                        MULTIPLE:SINGLE      00:00:05  00:00:25        2      470
    udp      In  192.168.5.70:6881                    90.162.130.76:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:28451                    90.162.130.76:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    190.234.61.92:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:26        2      180
    udp      Out 192.168.1.80:65154                    190.234.61.92:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:26        2      180
    udp      In  192.168.5.70:6881                    76.105.212.252:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:56700                    76.105.212.252:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    68.36.135.110:6881                        SINGLE:MULTIPLE    00:00:05  00:00:25        2      470
    udp      Out 192.168.1.80:2148                    68.36.135.110:6881                      MULTIPLE:SINGLE      00:00:05  00:00:25        2      470
    udp      In  192.168.5.70:6881                    107.141.248.203:6881                  NO_TRAFFIC:SINGLE      00:00:05  00:00:26        2      180
    udp      Out 192.168.1.80:60135                    107.141.248.203:6881                      SINGLE:NO_TRAFFIC  00:00:05  00:00:26        2      180
    udp      In  192.168.5.70:6881                    144.136.26.214:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:11237                    144.136.26.214:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    178.60.19.150:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:45753                    178.60.19.150:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    97.121.139.88:6881                    NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:35332                    97.121.139.88:6881                        SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    88.64.21.211:6881                      NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:21708                    88.64.21.211:6881                          SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132
    udp      In  192.168.5.70:6881                    91.236.33.97:6881                      NO_TRAFFIC:SINGLE      00:00:05  00:00:55        2      188
    udp      Out 192.168.1.80:49864                    91.236.33.97:6881                          SINGLE:NO_TRAFFIC  00:00:05  00:00:55        2      188
    udp      In  192.168.5.70:6881                    125.166.213.242:6881                      SINGLE:MULTIPLE    00:00:05  00:00:25        2      470
    udp      Out 192.168.1.80:38763                    125.166.213.242:6881                    MULTIPLE:SINGLE      00:00:05  00:00:25        2      470
    udp      In  192.168.5.70:6881                    83.4.100.129:6881                      NO_TRAFFIC:SINGLE      00:00:05  00:00:55        1      132
    udp      Out 192.168.1.80:11763                    83.4.100.129:6881                          SINGLE:NO_TRAFFIC  00:00:05  00:00:55        1      132

    Using pfctl, I got all the rules and some statistics:
    pfctl -vvsr
    @0(0) scrub on cpsw0 all fragment reassemble
      [ Evaluations: 448112    Packets: 222111    Bytes: 34401262    States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @1(0) scrub on cpsw1 all fragment reassemble
      [ Evaluations: 226001    Packets: 225936    Bytes: 34930866    States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @0(0) anchor "relayd/" all
      [ Evaluations: 8876      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @1(0) anchor "openvpn/
    " all
      [ Evaluations: 8876      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @2(0) anchor "ipsec/" all
      [ Evaluations: 8876      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @3(1000000101) block drop in quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
      [ Evaluations: 6955398  Packets: 293      Bytes: 26423      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @4(1000000102) block drop in quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
      [ Evaluations: 3728071  Packets: 37        Bytes: 9117        States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @5(1000000103) block drop in inet all label "Default deny rule IPv4"
      [ Evaluations: 3728034  Packets: 414601    Bytes: 33956812    States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @6(1000000104) block drop out inet all label "Default deny rule IPv4"
      [ Evaluations: 6925771  Packets: 455      Bytes: 143887      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @7(1000000105) block drop in inet6 all label "Default deny rule IPv6"
      [ Evaluations: 6955068  Packets: 20918    Bytes: 1675561    States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @8(1000000106) block drop out inet6 all label "Default deny rule IPv6"
      [ Evaluations: 3227037  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @9(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      [ Evaluations: 33775    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @10(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      [ Evaluations: 33738    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @11(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      [ Evaluations: 33738    Packets: 12        Bytes: 864        States: 0    ]
      [ Inserted: pid 34046 State Creations: 6    ]
    @12(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      [ Evaluations: 33732    Packets: 12        Bytes: 768        States: 0    ]
      [ Inserted: pid 34046 State Creations: 12    ]
    @13(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      [ Evaluations: 935      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @14(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 933      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @15(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 933      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @16(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      [ Evaluations: 933      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @17(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      [ Evaluations: 933      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @18(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      [ Evaluations: 382      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @19(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 382      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @20(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 382      Packets: 44        Bytes: 4224        States: 1    ]
      [ Inserted: pid 34046 State Creations: 1    ]
    @21(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      [ Evaluations: 381      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @22(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      [ Evaluations: 381      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 590      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 589      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 589      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      [ Evaluations: 589      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      [ Evaluations: 589      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @28(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @29(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @30(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @31(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @32(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @33(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      [ Evaluations: 517      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @34(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 517      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @35(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 517      Packets: 44        Bytes: 4224        States: 1    ]
      [ Inserted: pid 34046 State Creations: 1    ]
    @36(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      [ Evaluations: 516      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @37(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      [ Evaluations: 516      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @38(1000000113) block drop quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
      [ Evaluations: 6942379  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @39(1000000113) block drop quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
      [ Evaluations: 6938390  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @40(1000000114) block drop quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
      [ Evaluations: 6921312  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @41(1000000114) block drop quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
      [ Evaluations: 6917360  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @42(1000000115) block drop quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
      [ Evaluations: 6942372  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @43(1000000115) block drop quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
      [ Evaluations: 6933514  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @44(1000000116) block drop quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
      [ Evaluations: 21067    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @45(1000000116) block drop quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
      [ Evaluations: 21030    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @46(1000000117) block drop quick from snort2c:0to any label "Block snort2c hosts"
      [ Evaluations: 6942383  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @47(1000000118) block drop quick from any to snort2c:0label "Block snort2c hosts"
      [ Evaluations: 6942379  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @48(1000000201) block drop in quick proto carp from (self:9) to any
      [ Evaluations: 6942381  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @49(1000000202) pass quick proto carp all no state
      [ Evaluations: 3193398  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @50(1000000301) block drop in quick proto tcp from sshlockout:0to (self:9) port = ssh label "sshlockout"
      [ Evaluations: 6942383  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @51(1000000351) block drop in quick proto tcp from webconfiguratorlockout:0to (self:9) port = https label "webConfiguratorlockout"
      [ Evaluations: 1658577  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @52(1000000400) block drop in quick from virusprot:0to any label "virusprot overload table"
      [ Evaluations: 3754351  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @53(1000000561) pass in quick on cpsw0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
      [ Evaluations: 3748984  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @54(1000000562) pass in quick on cpsw0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
      [ Evaluations: 639455    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @55(1000000563) pass out quick on cpsw0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
      [ Evaluations: 3638868  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @56(11000) block drop in log quick on cpsw0 from bogons:3815to any label "block bogon IPv4 networks from WAN"
      [ Evaluations: 3831514  Packets: 132      Bytes: 42874      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @57(11000) block drop in log quick on cpsw0 from bogonsv6:86636to any label "block bogon IPv6 networks from WAN"
      [ Evaluations: 3827146  Packets: 132      Bytes: 42874      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @58(1000001570) block drop in on ! cpsw0 inet from 192.168.1.0/24 to any
      [ Evaluations: 415237    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @59(1000001570) block drop in inet from 192.168.1.80 to any
      [ Evaluations: 415200    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @60(1000001570) block drop in on cpsw0 inet6 from fe80::9a5d:adff:fed5:eac0 to any
      [ Evaluations: 415237    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @61(12000) block drop in log quick on cpsw0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
      [ Evaluations: 640196    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @62(12000) block drop in log quick on cpsw0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
      [ Evaluations: 640196    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @63(12000) block drop in log quick on cpsw0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
      [ Evaluations: 640196    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @64(12000) block drop in log quick on cpsw0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
      [ Evaluations: 640196    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @65(12000) block drop in log quick on cpsw0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      [ Evaluations: 640196    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @66(1000001591) pass in on cpsw0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 396208    Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @67(1000001592) pass out on cpsw0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 3397532  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @68(1000002620) block drop in on ! cpsw1 inet from 192.168.5.0/24 to any
      [ Evaluations: 3032215  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @69(1000002620) block drop in on ! cpsw1 inet from 10.10.10.1 to any
      [ Evaluations: 3023353  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @70(1000002620) block drop in inet from 192.168.5.251 to any
      [ Evaluations: 3027847  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @71(1000002620) block drop in inet from 10.10.10.1 to any
      [ Evaluations: 3027810  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @72(1000002620) block drop in on cpsw1 inet6 from fe80::1:1 to any
      [ Evaluations: 3027847  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @73(1000002641) pass in quick on cpsw1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 3108901  Packets: 518      Bytes: 172832      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @74(1000002642) pass in quick on cpsw1 inet proto udp from any port = bootpc to 192.168.5.251 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 324      Packets: 657      Bytes: 217913      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @75(1000002643) pass out quick on cpsw1 inet proto udp from 192.168.5.251 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 2306152  Packets: 2        Bytes: 656        States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @76(1000002651) pass quick on cpsw1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      [ Evaluations: 1668567  Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @77(1000002652) pass quick on cpsw1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      [ Evaluations: 1289      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @78(1000002653) pass quick on cpsw1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @79(1000002654) pass quick on cpsw1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
      [ Evaluations: 1289      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @80(1000003711) pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 6612773  Packets: 38847    Bytes: 15974320    States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @81(1000003712) pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 1443      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @82(1000003713) pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 1463      Packets: 340      Bytes: 77280      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @83(1000003714) pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 907      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @84(1000003715) pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      [ Evaluations: 6612758  Packets: 830941    Bytes: 406111965  States: 51    ]
      [ Inserted: pid 34046 State Creations: 265  ]
    @85(1000003716) pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      [ Evaluations: 3146585  Packets: 567      Bytes: 97392      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @86(1000003811) pass out route-to (cpsw0 192.168.1.1) inet from 192.168.1.80 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 416503    Packets: 8586578  Bytes: 3624463855  States: 639  ]
      [ Inserted: pid 34046 State Creations: 4103  ]
    @87(10000) pass in quick on cpsw1 proto tcp from any to (cpsw1:3) port = https flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 6708967  Packets: 197079    Bytes: 132661914  States: 1    ]
      [ Inserted: pid 34046 State Creations: 1    ]
    @88(10000) pass in quick on cpsw1 proto tcp from any to (cpsw1:3) port = http flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 6700105  Packets: 196892    Bytes: 132572972  States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @89(10000) pass in quick on cpsw1 proto tcp from any to (cpsw1:3) port = ssh flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 6700105  Packets: 196892    Bytes: 132572972  States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @90(0) anchor "userrules/
    " all
      [ Evaluations: 8861      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @91(0) match on cpsw0 inet proto tcp from any to any port 6111 >< 6120 flags S/SA label "USER_RULE: m_Game Battle.NET-game1-tcp outbound" queue(qGames, qACK)
      [ Evaluations: 8861      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @92(0) match on cpsw0 inet proto udp from any to any port 6111 >< 6120 label "USER_RULE: m_Game Battle.NET-game1-udp outbound" queue qGames
      [ Evaluations: 2463      Packets: 1        Bytes: 132        States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @93(0) match on cpsw0 inet proto tcp from any to any port = 4000 flags S/SA label "USER_RULE: m_Game Battle.NET-diablo2 outbound" queue(qGames, qACK)
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @94(0) match on cpsw0 inet proto tcp from any to any port = 1119 flags S/SA label "USER_RULE: m_Game Battle.NET-game2 outbound" queue(qGames, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @95(0) match on cpsw0 inet proto tcp from any to any port = 3724 flags S/SA label "USER_RULE: m_Game Battle.NET-game3 outbound" queue(qGames, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @96(0) match on cpsw0 inet proto udp from any to any port = kerberos-sec label "USER_RULE: m_Game Games4WinLive-1 outbound" queue qGames
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @97(0) match on cpsw0 inet proto udp from any to any port = 3074 label "USER_RULE: m_Game Games4WinLive-2 outbound" queue qGames
      [ Evaluations: 2462      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @98(0) match on cpsw0 inet proto tcp from any to any port = 3074 flags S/SA label "USER_RULE: m_Game Games4WinLive-3 outbound" queue(qGames, qACK)
      [ Evaluations: 1906      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @99(0) match on cpsw0 inet proto udp from any to any port 26999 >< 27031 label "USER_RULE: m_Game Steam-game-udp outbound" queue qGames
      [ Evaluations: 4368      Packets: 103      Bytes: 25132      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @100(0) match on cpsw0 inet proto tcp from any to any port 26999 >< 27031 flags S/SA label "USER_RULE: m_Game Steam-game-tcp outbound" queue(qGames, qACK)
      [ Evaluations: 2009      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @101(0) match on cpsw0 inet proto udp from any to any port 27014 >< 27031 label "USER_RULE: m_Game Steam-hltv outbound" queue qGames
      [ Evaluations: 4368      Packets: 103      Bytes: 25132      States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @102(0) match on cpsw0 inet proto udp from any to any port = 4380 label "USER_RULE: m_Game Steam-1 outbound" queue qGames
      [ Evaluations: 2462      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @103(0) match on cpsw0 inet proto udp from any to any port = 1200 label "USER_RULE: m_Game Steam-2 outbound" queue qGames
      [ Evaluations: 2462      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @104(0) match on cpsw0 inet proto udp from any to any port 3477 >< 3481 label "USER_RULE: m_Game Steam-voice outbound" queue qGames
      [ Evaluations: 2462      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @105(0) match on cpsw0 inet proto udp from any to any port 4999 >< 5501 label "USER_RULE: m_Game LeagueofLegends-1 outbound" queue qGames
      [ Evaluations: 2462      Packets: 1        Bytes: 132        States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @106(1498994745) match log quick on cpsw0 inet proto tcp from any to any port = 2099 flags S/SA label "USER_RULE: m_Game LeagueofLegends-2 outbound" queue(qGames, qACK)
      [ Evaluations: 3245806  Packets: 8        Bytes: 416        States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @107(0) match on cpsw0 inet proto tcp from any to any port 5221 >< 5224 flags S/SA label "USER_RULE: m_Game LeagueofLegends-3 outbound" queue(qGames, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @108(0) match on cpsw0 inet proto tcp from any to any port = 25565 flags S/SA label "USER_RULE: m_Game Minecraft-tcp outbound" queue(qGames, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @109(0) match on cpsw0 inet proto udp from any to any port = 25565 label "USER_RULE: m_Game Minecraft-udp outbound" queue qGames
      [ Evaluations: 2463      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @110(0) match on cpsw0 inet proto tcp from any to any port = 3724 flags S/SA label "USER_RULE: m_Game WoW outbound" queue(qGames, qACK)
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @111(0) match on cpsw0 inet proto udp from any to any port = 1119 label "USER_RULE: m_Game WoW-voice outbound" queue qGames
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @112(0) match on cpsw0 inet proto udp from any to any port = 3724 label "USER_RULE: m_Game WoW-voice outbound" queue qGames
      [ Evaluations: 2462      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @113(0) match on cpsw0 inet proto tcp from any to any port = 14534 flags S/SA label "USER_RULE: m_Other TeamSpeak-1 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @114(0) match on cpsw0 inet proto tcp from any to any port = 51234 flags S/SA label "USER_RULE: m_Other TeamSpeak-2 outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @115(0) match on cpsw0 inet proto udp from any to any port 8766 >< 8769 label "USER_RULE: m_Other TeamSpeak-3 outbound" queue qOthersHigh
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @116(0) match on cpsw0 inet proto tcp from any to any port = 30033 flags S/SA label "USER_RULE: m_Other TeamSpeak3-FileTransfer outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @117(0) match on cpsw0 inet proto tcp from any to any port = 10011 flags S/SA label "USER_RULE: m_Other TeamSpeak3-ServerQuery outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @118(0) match on cpsw0 inet proto udp from any to any port = 9987 label "USER_RULE: m_Other TeamSpeak3-Voice outbound" queue qOthersHigh
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @119(0) match on cpsw0 inet proto tcp from any to any port = 41144 flags S/SA label "USER_RULE: m_Other TeamSpeak3-TSDNS outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    ######################## RULE THAT SHOULD MATCH ############################
    @120(0) match on cpsw0 inet proto tcp from any to any port 6880 >< 7000 flags S/SA label "USER_RULE: m_Other Battle.NET-Downloader outbound" queue(qOthersLow, qACK)
      [ Evaluations: 1905      Packets: 166      Bytes: 8632        States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @121(0) match on cpsw0 inet proto tcp from any to any port 27013 >< 27051 flags S/SA label "USER_RULE: m_Other Steam-Downloader outbound" queue(qOthersLow, qACK)
      [ Evaluations: 1905      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 34046 State Creations: 0    ]
    @122(0) match on cpsw0 inet proto tcp from any to any port = git flags S/SA label "USER_RULE: m_Other git outbound" queue(qOthersHigh, qACK)
      [ Evaluations: 1905      Packets: 0
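
As an added diagnostic (not part of the original post, and not a pfSense tool), the script below parses the rule dump format shown above (what `pfctl -vvsr` prints) together with a `pftop` queue view and reports shaper match rules that counted packets while every queue they point at stayed at zero, which is the symptom this thread is about. Both inputs are constructed samples built from the rule lines and queue names shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `pfctl -vvsr` dump above: one plain pass
# rule and three shaper match rules, two of which counted packets.
RULES_DUMP = """\
@84(1000003715) pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
  [ Evaluations: 6612758  Packets: 830941    Bytes: 406111965  States: 51    ]
  [ Inserted: pid 34046 State Creations: 265  ]
@106(1498994745) match log quick on cpsw0 inet proto tcp from any to any port = 2099 flags S/SA label "USER_RULE: m_Game LeagueofLegends-2 outbound" queue(qGames, qACK)
  [ Evaluations: 3245806  Packets: 8        Bytes: 416        States: 0    ]
  [ Inserted: pid 34046 State Creations: 0    ]
@118(0) match on cpsw0 inet proto udp from any to any port = 9987 label "USER_RULE: m_Other TeamSpeak3-Voice outbound" queue qOthersHigh
  [ Evaluations: 4368      Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: pid 34046 State Creations: 0    ]
@120(0) match on cpsw0 inet proto tcp from any to any port 6880 >< 7000 flags S/SA label "USER_RULE: m_Other Battle.NET-Downloader outbound" queue(qOthersLow, qACK)
  [ Evaluations: 1905      Packets: 166      Bytes: 8632        States: 0    ]
  [ Inserted: pid 34046 State Creations: 0    ]
"""

# Constructed sample in the shape of a `pftop` queue view (the BW column is blank for priq).
PFTOP_QUEUES = """\
QUEUE                            BW SCH  PRIO    PKTS    BYTES  DROP_P  DROP_B QLEN BORROW SUSPEN    P/S    B/S
qACK                                priq    6        0        0        0        0    0
qDefault                            priq    3    5441  879972        4      240    0
qGames                              priq    5        0        0        0        0    0
qOthersHigh                         priq    4        0        0        0        0    0
qOthersLow                          priq    2        0        0        0        0    0
"""

RULE_RE = re.compile(r"^@(\d+)\(\d+\) (.*)$")
STATS_RE = re.compile(r"\[ Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)\s*\]")
LABEL_RE = re.compile(r'label "([^"]*)"')
# Trailing `queue(qData, qAck)` or `queue qData` on a rule line.
QUEUE_RE = re.compile(r"\bqueue(?:\s*\(([^)]*)\)|\s+(\S+))\s*$")
SCHEDULERS = {"priq", "hfsc", "cbq", "fairq", "codel"}


def parse_rules(dump):
    """One dict per rule: number, text, label, assigned queues and the counters below it."""
    rules, current = [], None
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            text = m.group(2)
            qm, lm = QUEUE_RE.search(text), LABEL_RE.search(text)
            queues = [q.strip() for q in (qm.group(1) or qm.group(2)).split(",")] if qm else []
            current = {"num": int(m.group(1)), "rule": text, "label": lm.group(1) if lm else "",
                       "is_match": text.startswith("match"), "queues": queues,
                       "packets": 0, "bytes": 0, "states": 0}
            rules.append(current)
            continue
        sm = STATS_RE.search(line)
        if sm and current is not None:  # the "[ Evaluations: ... ]" line belongs to the rule above it
            current["packets"], current["bytes"], current["states"] = map(int, sm.group(2, 3, 4))
    return rules


def parse_pftop_queues(text):
    """{queue: packets} from a pftop queue view; a queue listed once per interface is summed."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        sch = next((i for i, p in enumerate(parts) if p in SCHEDULERS), None)
        if sch is None:  # header or blank line
            continue
        totals[parts[0]] += int(parts[sch + 2])  # columns after SCH: PRIO, PKTS
    return dict(totals)


def audit(rules, queue_pkts):
    """Return (match rules with queue assignment that counted packets,
    queues those rules assign that still show zero packets in pftop)."""
    hit = [r for r in rules if r["is_match"] and r["queues"] and r["packets"] > 0]
    starved = sorted({q for r in hit for q in r["queues"] if queue_pkts.get(q, 0) == 0})
    return hit, starved


if __name__ == "__main__":
    hit, starved = audit(parse_rules(RULES_DUMP), parse_pftop_queues(PFTOP_QUEUES))
    for r in hit:
        print(f"@{r['num']} {r['label']!r}: {r['packets']} packets -> {', '.join(r['queues'])}")
    print("queues assigned by hit rules but still empty:", ", ".join(starved) or "none")
```

A non-empty "still empty" list means packets are matching the floating rules but are not being classified into the ALTQ queues, so the problem is downstream of the rule set rather than in rule matching.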



  • I've probably found the reply to my question.

    The following bug report and answers gives some good suggestions:
    https://redmine.pfsense.org/issues/7116I

    After adding some of the floating rules to the LAN rules, the traffic now ends up in the queues.

    Basically there is a bug reported about 6 months ago and it seems to be unfixed.

    Bad points for pfsense!



  • That bug report is for a beta version. Expect bugs.



  • a. The beta was delivered with the device.
    b. The bug is open for 6 months, has been reported for more than 6 months;
    c.
    https://www.netgate.com/docs/sg-1000/faq.html#why-did-you-ship-beta-firmware

    Why did you ship BETA firmware?
    The SG-1000 is our first firewall that uses an ARM architecture. ARM support required a base operating system of FreeBSD 11 to function acceptably. pfSense 2.4 is based on FreeBSD 11 and is nearing completion, so it was a perfect fit. Though the firmware is labeled “BETA” it has proven to be very stable with only a few minor items remaining to be addressed before its release.

    Rather than hold back the delivery of the SG-1000, we decided to ship it once we were satisfied with the stability of the operating system on the SG-1000.

    "it has proven to be very stable with only a few minor items remaining before its release".
    Traffic shaping is not a minor item, especially when the issue has been known for 6 months.  Netgate is shipping products with the BETA!



  • @le_top:

    a. The beta was delivered with the device.
    b. The bug is open for 6 months, has been reported for more than 6 months;
    c.
    https://www.netgate.com/docs/sg-1000/faq.html#why-did-you-ship-beta-firmware

    Why did you ship BETA firmware?
    The SG-1000 is our first firewall that uses an ARM architecture. ARM support required a base operating system of FreeBSD 11 to function acceptably. pfSense 2.4 is based on FreeBSD 11 and is nearing completion, so it was a perfect fit. Though the firmware is labeled “BETA” it has proven to be very stable with only a few minor items remaining to be addressed before its release.

    Rather than hold back the delivery of the SG-1000, we decided to ship it once we were satisfied with the stability of the operating system on the SG-1000.

    "it has proven to be very stable with only a few minor items remaining before its release".
    Traffic shaping is not a minor item, especially when the issue has been known for 6 months.  Netgate is shipping products with the BETA!

    A valid complaint. I wish I could help. :(



  • My condolences. Someone must have had a tough decision to make to ship beta. I'm pretty sure devices have some sort of support that may be able to get you more info regarding your specific product.

    Good luck!



  • The device comes with 1 year of "pfSense Gold Membership" which is

    designed to provide special benefits to our members while supporting ongoing development of the Open Source pfSense project. It includes resources, like our library of developer-led videos and digital living book on pfSense, that help you work smarter and not harder and services including automatic backups.

    Which is basically online documentation resources and configuration backup.

    I've looked for support, but the promise is only to have better community support through a more empowered support team:

    If you purchase your hardware appliance directly from us, our support team will be more empowered to provide end-to-end solutions which encompass the hardware or the firewall application.

    Which is what I have in mind when posting this kind of issue on a community forum.

    Otherwise it is a minimum of $1044 for 36 months of Professional support.  However, that implies that I'd have selected a more expensive non-beta device to begin with.

    Anyway, thanks for your answers ;-).



  • Which is basically online documentation resources and configuration backup.

    For some reason you forgot to mention the 30+ hours of training videos available via Gold.



  • @KOM:

    For some reason you forgot to mention the 30+ hours of training videos available via Gold.

    Which is IMHO a documentation resource.  I watched the video about traffic shaping but it was not helpful in informing me about the fact that there is a known bug with it on the SG-1000.



  • Which is IMHO a documentation resource

    No, it's not or at least it's not unless you're trying to be reductive.  A manual is documentation.  Release notes are documentation.  A wiki is documentation.  Someone showing you how to do something and then answering specific questions is not generally called documentation.

    I watched the video about traffic shaping but it was not helpful in informing me about the fact that there is a known bug with it on the SG-1000.

    You expect a training video to specifically mention a bug that applied to one specific unit, a bug which may or may not be active at any point after the video was made?



  • 1. [Not the main topic, but important to me]
    Considering that documentation can only be written documentation is reductive.
    There are several references to the wordings "video documentation", "audiovisual documentation", "written documentation".
    An official source explains that documentation has its origin in Latin and refers to that which serves to educate (amongst other meanings).

    Therefore, I consider that the videos are video documentation and a documentation resource.  My kids mainly use video documentation to document themselves - they rarely use written documents.  Video is the new form of documentation.

    2. It is clear that when one has issues with Traffic Shaping on the SG-1000, one of the first reflexes is to look into the documentation.  As the documentation is for all kinds of devices and software, it is clear that the general limitation of this function is best mentioned in an appropriate location.
    Documentation is a good place to indicate that certain devices do not support a function.

    It could be mentioned below the video until the issue is fixed on the SG-1000.

    However, thinking about it, another good (better) place to mention that the function does not work is the user interface: indicate on the floating rules page that they are not properly applied in this version of the software, and indicate on the wizard's page that the resulting rules will not be functional until the issue is actually fixed.

    Applying the situation to another context:
      Would you find it normal that your mobile phone has a text messaging interface, that you can type messages in it and press the send button, but that messages do not get sent, with no mention of it in the documentation or the user interface?



  • Terribly sorry.  Looks like you've got everything all figured out.



  • As of today's build of 2.4, the roadmap here: https://redmine.pfsense.org/projects/pfsense/roadmap
    says that bug 7114 is fixed.

    Has anyone tried to see if floating match rules for traffic shaper rules are working now?



  • Seems to be - just updated to the latest BETA.

    Been trying to get this to work for days - this bug was the problem…



  • Hi

    Great, with the latest beta, the floating traffic shaping rules are working - i.e., the pftop "queues" report shows that traffic is classified in the different queues.

    However, the next question is: does traffic shaping really work?  On a 3.5Mbit/s up/320kbit/s down ADSL connection, with a download going on, traffic being placed in the higher priority queues still suffers substantially from the download.

    I do not know what the best way is to test if traffic shaping is working.    I have put together a simple test using netcat on a server with 2 IPs and my PC sitting behind the SG-1000.

    On the server I create 6 netcat listeners: one for each port on each IP.
    One of these ports is governed by a floating traffic shaping rule, the other is not.

    These are my scripts (parts of the IPs are replaced with XXX):

    The queue rules are basically:

    • 2099 - IPv4 TCP / qACK/qGames (LeagueOfLegends-2-outbound)
    • 2112 - No rule - default queue.

    nc XXX.187.75.135  2112 < qt-opensource-windows-x86-mingw492-5.6.0.exe &
    nc XXX.33.47.154  2112 < qt-opensource-windows-x86-mingw492-5.6.0.exe &
    nc XXX.187.75.135  2099 < qt-opensource-windows-x86-mingw492-5.6.0.exe &
    nc XXX.33.47.154  2099 < qt-opensource-windows-x86-mingw492-5.6.0.exe &
    

    On the server:

    pkill  netcat
    nohup netcat -l -p 2099 -s  XXX.33.47.154  > /dev/null &
    nohup netcat -l -p 2099 -s  XXX.187.75.135  > /dev/null &
    nohup netcat -l -p 2112 -s  XXX.33.47.154  > /dev/null &
    nohup netcat -l -p 2112 -s  XXX.187.75.135  > /dev/null &
    

    The result with a packet sniffing tool indicating the total amount of bytes transferred was this:

    • 486.7kB transferred up on 2112 - first process;
    • 16.8kB transferred up on 2112 - second process;
    • 339.6kB transferred up on 2099 - third process;
    • 225.8kB transferred up on 2099 - fourth process.

    The same trial later gave:
    The result with a packet sniffing tool indicating the total amount of bytes transferred was this:

    • 21.3kB transferred up on 2112 - first process;
    • 21.3kB transferred up on 2112 - second process;
    • 267.7kB transferred up on 2099 - third process;
    • 362.5kB transferred up on 2099 - fourth process.

    So while the second try was pretty much in line with the queue priorities, the first reported try was not for the first process.

    By the way, trying this actually breaks the SSH connection to the server.

    After adding a traffic shaping rule for SSH (qAck/qGames), it seemed to resist a bit more, but the SSH connection was still interrupted.

    While there are some indications that shaping is working generally, the first reported trial above and user feedback do not confirm this.

    A rule in the wizard for SSH would also be nice.
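
The experiment above (listeners on the server, simultaneous uploads from behind the firewall, compare bytes moved per port), as an added example that is not the poster's netcat scripts: it uses Python sockets so the byte counts come from the sender for a fixed time window instead of from a packet sniffer over file-size-bounded transfers. Hosts and ports are placeholders; the stand-alone demo runs both ends on loopback, where no shaper is in the path.

```python
import socket
import threading
import time


def start_sink(host="127.0.0.1", port=0):
    """Listener that discards what it receives (the job `netcat -l -p PORT` does in the post).
    port=0 picks a free ephemeral port; returns (server_socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)

    def drain(conn):
        with conn:
            while conn.recv(65536):
                pass

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: stop accepting
                return
            threading.Thread(target=drain, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def upload_for(target, seconds, results, lock):
    """Push data to `target` as fast as the path allows for a fixed time window and record
    how many bytes got through. Equal windows (rather than equal file sizes, as in the post's
    uploads, which finish at different times) make the per-port totals directly comparable."""
    chunk = b"\0" * 65536
    sent, deadline = 0, time.monotonic() + seconds
    with socket.create_connection(target) as s:
        while time.monotonic() < deadline:
            sent += s.send(chunk)
    with lock:
        results[target] = sent


def compare_uploads(targets, seconds=1.0):
    """Upload to every target at the same time for `seconds`; return {target: bytes_sent}."""
    results, lock = {}, threading.Lock()
    workers = [threading.Thread(target=upload_for, args=(t, seconds, results, lock)) for t in targets]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results


def shares(results):
    """Fraction of all bytes each target got. With a working priority scheduler and a saturated
    uplink, the target matched by the high-priority queue rule should take the larger share."""
    total = sum(results.values()) or 1
    return {t: n / total for t, n in results.items()}


if __name__ == "__main__":
    # Loopback demo: two sinks stand in for the server's port 2099 (shaped) and 2112 (default).
    # No shaper sits in this path, so the shares should come out roughly even.
    sinks = [start_sink() for _ in range(2)]
    targets = [("127.0.0.1", port) for _, port in sinks]
    for target, share in shares(compare_uploads(targets, seconds=1.0)).items():
        print(f"{target[0]}:{target[1]}  {share:6.1%}")
    for srv, _ in sinks:
        srv.close()
```

For the real test, run `start_sink` on the server for each IP/port pair and `compare_uploads` from the PC behind the SG-1000, so every connection crosses the shaped WAN interface.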



  • I'm not quite sure what you are trying to test with your netcat stuff. Can you clarify?

    If you are still using PRIQ, are you aware of its limitations? https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Priority_Queueing_.28PRIQ.29


    Cons
    • Lower priority queues can be completely starved for bandwidth easily.



  • This is the bug I first raised, amid some controversy; it's likely not resolved as no solution is offered upstream in FreeBSD (yet).

    The issue is that earlier versions of pfsense were configuring altq in a way that was never supported upstream in FreeBSD, and it seems a change in FreeBSD 11.x stopped it working.

    The workaround for now is either to make your own rules, or just copy the wizard-created rules to the LAN section and set them as pass rules.  Don't set them as pass rules in the floating section as you will create holes in your firewall.

    –edit--

    this has been fixed in the latest snapshot 4 days ago.



  • @Nullity:

    I'm not quite sure what you are trying to test with your netcat stuff. Can you clarify?

    I am trying to check that the traffic shaping rules work.
    Using netcat to setup a listener on an IP/port is one of the easiest methods.

    By setting up listeners, a local machine can connect to them through the firewall and trigger the shaping rule(s).

    By comparing speeds/number of bytes transferred on simultaneous connections, we can get an idea of the effectiveness of the shaping rules.

    @Nullity:

    If you are still using PRIQ, are you aware of its limitations? https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Priority_Queueing_.28PRIQ.29


    Cons
    • Lower priority queues can be completely starved for bandwidth easily.

    I am not surprised that the SSH connection is starved out.  I am surprised that a lower priority queue scored better than the higher priority queue.



  • @le_top:

    By comparing speeds/number of bytes transferred on simultaneous connections, we can get an idea of the effectiveness of the shaping rules.

    Understood. Though, because of PRIQ's limitations I think it's pretty useless beyond very simple setups, eg. VOIP prioritization.

    You should consider migrating to a more tunable algorithm like HFSC, CBQ, or FAIRQ so that you can allocate bandwidth however you choose. PRIQ, since it is unable to allocate bandwidth, will probably always yield unpredictable bandwidth sharing among the queues. PRIQ is most useful for latency, not bandwidth.



  • Pfsense gold support documentation has a Hangout about Traffic Shaping in which using the PRIQ is explained to be the easiest type flexible enough for most use cases including mine.
    I have used the wizard to set up the base rules (which I ran again after the recent bug fix).  And I added a rule for SSH.

    I agree with the pfsense documentation (Hangout) that PRIQ scheduling should be ok for my usage.  The higher priority queues (qGames) are in practice not using up all the bandwidth and therefore do not have a significant impact on the lower priority queues.

    The first problem that is observed is that the lower priority queues still have a significant impact on the higher priority queues.
    pfTop shows that the bandwidth is used by the lower priority queues and the latency in the qGames queue is high.
    So although theoretically "PRIQ is useful for latency", latency should be ok but it isn't.

    Secondly, after putting the SSH connection in the qAck/qGames queue, it was still starved out (the connection was closed) and my ssh connection is usually pretty robust (it survives small network interruptions).  As the SSH connection is in the same queue as the one for port 2099, I expected that the SSH packets would still pass.  But let's suppose that there was too much traffic to the remote 2099 ports, leaving insufficient bandwidth to keep the SSH going.

    Thirdly, in at least one of the tests the bandwidth in a lower priority queue was higher, although both were generated with similar netcat uploads.  While PRIQ is not managing the bandwidth, it is supposed to put the higher queues first, which should IMHO result in a lower bandwidth for the lower priority queues - especially when the transfers are using the same methods, remote port numbers and server.

    In my use case, latency is the priority so when not using PRIQ, I have to use CBQ.  So I have now changed Traffic Shaping to CBQ and will see if user experience will be better.
    My tests with netcat are still inconclusive but the SSH connection stays alive while doing the tests so there is a change in behavior.



  • You might consider HFSC, complex to setup but it offers a dedicated throughput per queue and this can be set just high enough to ensure latency is preserved, e.g. dedicating say 3% of capacity to ssh packets can be enough to keep ssh sessions at high quality even whilst downloading from steam.

    The FairQ and codel combo works well for upstream traffic.  Downstream is harder to shape, as you have to manipulate the sender to not saturate your connection; HFSC for me was the most effective for that.

    Now this bug is fixed on pfsense, I plan to move my shaping rules back to floating and as match rules, as I observed the other day, using LAN pass rules also affects traffic originating from the pfsense unit out to the lan.