Limiters shared?

  • I have around 80 VLANs running 6 different limiters. But it seems there is a lot of latency when I use the limiters; also, the speed is running a bit slow.
    1 of the limiters is 10mbps in download; most of the VLANs are running this one. But it seems the speed is more likely to be around 3-4 mbps.

    So I just tried to make a new limiter with only 1 VLAN interface running with the same speed, and that one is running at full speed without problems.
    So my question is whether you should make new limiters for each VLAN, and are limiters shared?

  • Shared in the sense that they obviously share the wan bandwidth. Also in the sense that if all 80 VLANs are on the same limiter then you are splitting that limit across 80 VLANs.

  • As an example let's assume you have symmetrical gigabit fiber and it is rock solid even in peak hours. In reality gigabit is ~940Mbps, so you'd want to set your overall limiters (all limits combined) to 95% of that or ~893,000Kbps.

    If you are splitting that further into six different limiters (for simplicity's sake we'll say they are all equal although I doubt that's the case, the principle remains the same).

    So now you have 6 limiters at ~148,000Kbps.

    Let's further assume that you are spreading those 80 VLANs as equally as possible across the 6 limiters. So about 13 VLANs per limiter.

    Final assumption is that you want each of those VLANs to receive a fair share of the traffic.
    So in this situation, if the network is under load or you've used an algorithm that does not share bandwidth when it isn't being used, then the most you could get on each VLAN would be ~11,100Kbps.

    Now, this setup assumes everything is split equally all the way down your network, which is probably not the case. So you would have to do the math to see if your division of bandwidth is the problem.

    Another possible option would be to use fq_codel. It's new (to BSD) so not yet available in the GUI, but easy to implement in the CLI and easy to keep across reboots with shellcmd.
    It is generally more advanced than the other algorithms available and is praised for its ability to fairly split bandwidth and greatly reduced latency. The exact two things you seem to be having trouble with.
    It will also share unused bandwidth.
    So if one or more VLANs is using less than its prescribed bandwidth while another is maxing out its own, it will automatically share that unused bandwidth to the VLAN(s) that need it until the owning VLAN starts using it.

  • Well, I ask because we are hosting some of these VLANs to external people and the connection needs to be more rock solid, and my understanding from what you write is that if 10 VLANs use the same limiter they are shared in that limiter connection. So if I want rock solid 10mbit in each VLAN I would need 10 limiters. My WAN connection is not a problem here.

  • LAYER 8 Netgate

    Or you need one limiter that is masked to provide a pipe of that size for every /?? (/24?) subnet that is assigned to the limiter.

    It doesn't really have anything to do with VLANs/interfaces, but the mask set on the source and destination addresses.

    If you mask on /32, then every address gets its own pipe. If you mask on /24 then every /24 gets its own pipe.

    This is all done on the top level limiter.

    If you define a child-level limiter then you can further define groups of addresses (under the top-level mask, if any) that are treated as one for the purposes of sharing the top pipe bandwidth, or assigning secondary dummynet characteristics such as delay or loss, should that be something you want to do.

    If you had a bunch of /24 LAN interfaces and you assigned them all this limiter inbound, each /24 would get their own 10Mbit upload to be shared (inbound from WAN perspective masked on the source address /24. The download limiter would be on the outbound direction from the interface perspective and masked on the destination addresses).

    As long as you had enough overall upload bandwidth, each LAN should get the full 10Mbit/s upload speed with very little deviance from that.

    If you do not have sufficient upload bandwidth for the aggregate traffic, then loss will occur and some might get 10Mbit, some not.

    ![Screen Shot 2017-09-05 at 11.21.07 PM.png](/public/imported_attachments/1/Screen Shot 2017-09-05 at 11.21.07 PM.png)

  • But then my next problem would be that not every /24 subnet needs to be on the same limiter.
    So I have 10 VLANs with 10mbit and 10 VLANs with 5/2mbit.

    I have not set any mask on the limiters; I added firewall rules to use the limiters on the VLANs where it is needed.

  • LAYER 8 Netgate

    So you create two sets of limiters. One set for 10 and one set for 5/2. The /24 networks that have the set for 10 defined will get a 10 pipe. The interfaces that have the 5/2 set will get a set of those pipes.

    Where you would run into trouble would be varying interface netmasks. You would have to make a set of limiters specifically for each netmask and limiter characteristic.

    This does not say "all /24 networks get these limiters." It says "all hosts in each /24 network that have had their traffic put through this limiter using firewall rules will share one pipe."
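
A small model of the masking behaviour described in the two replies above, added here as an example and not part of the original thread. It covers the upload direction masked on the source address; the limiter names, addresses, rule lists and the even split between hosts in one pipe are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed limiter definitions: name -> (bandwidth in Kbps, source mask bits).
# A mask of None models a limiter with no mask: one pipe for all traffic sent to it.
LIMITERS = {"up10": (10000, 24), "up2": (2000, 24), "up10_nomask": (10000, None)}

def masked(addr, bits):
    """Address masked to `bits`, as a network string (the dynamic-pipe key)."""
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

def limiter_for(addr, rules):
    """First matching rule wins; rules are (network, limiter name) pairs."""
    ip = ipaddress.ip_address(addr)
    for net, name in rules:
        if ip in ipaddress.ip_network(net):
            return name
    return None

def build_pipes(hosts, rules):
    """Map (limiter, mask key) -> hosts sharing that pipe."""
    pipes = defaultdict(list)
    for h in hosts:
        name = limiter_for(h, rules)
        if name is None:
            continue  # traffic matched by no rule is not limited
        bits = LIMITERS[name][1]
        key = masked(h, bits) if bits is not None else "all"
        pipes[(name, key)].append(h)
    return dict(pipes)

def subnet_rates(hosts, rules):
    """Kbps available to each /24 when every host saturates its pipe.
    Assumes an even split between hosts in one pipe (a simplification)."""
    rates = defaultdict(float)
    for (name, _), members in build_pipes(hosts, rules).items():
        share = LIMITERS[name][0] / len(members)
        for h in members:
            rates[masked(h, 24)] += share
    return {net: round(kbps) for net, kbps in rates.items()}

# Constructed sample: three /24 LANs, four active hosts.
HOSTS = ["10.0.10.5", "10.0.10.6", "10.0.20.5", "10.0.30.5"]
UNMASKED = [("10.0.0.0/16", "up10_nomask")]
MASKED = [("10.0.10.0/24", "up10"), ("10.0.20.0/24", "up10"), ("10.0.30.0/24", "up2")]

if __name__ == "__main__":
    print("no mask :", subnet_rates(HOSTS, UNMASKED))
    print("/24 mask:", subnet_rates(HOSTS, MASKED))
```

With no mask, all three LANs divide a single 10,000 Kbps pipe; with the /24 mask, each LAN gets a full pipe from whichever limiter set its rule selects.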

  • Thanks for the help, it seems to be working a lot more smoothly.
