The confusion of Limiters and associated bugs



  • Hi Everyone,

    I've been having an issue for what seems like forever.  In conjunction with the famous #4310 bug:

    https://redmine.pfsense.org/issues/4310

    There seems to be so much confusion concerning limiters, and the like.  That I'm going crosseyed trying to make sense out of it all.  Just when I think I've got it all digested and figured out, I feel like another bug or at least claim comes along to disrupt my understanding.  Perhaps it's just me.    I've spent a lot of time researching the whole Limiter / HA issue.  I had this working in 2.3 at least during some point.

    I've recently updated to the latest stable release of 2.4.1.    and have implemented HA with Limiters through queues trying to limit 5Mbdown and 5Mbup per host.    The thing is.  When running bandwidth tests.  the tests show an absolutely terrible download speed.  Basically .01 Mb.  While upload speeds tip near 3.5 to 4.  Leaving it alone for a while.  It gets worse to the point where browsing the web seems non-existent.

    My Limiters are configured as follows:

    Limiter:  5MegIn
    Bandwidth:  5 Mbit/s
    Mask:  Destination Addresses
    IPV4Mask: 32
    IPV6Mask: 128

    Queue 5MegIn-LAN
    Mask:  Destination Addresses
    IPV4Mask: 32
    IPV6Mask: 128
    Weight: 100

    Limiter:  5MegOut
    Bandwidth:  5 Mbit/s
    Mask:  Source Addresses
    IPV4Mask: 32
    IPV6Mask: 128

    Queue 5MegOut-LAN
    Mask:  Source Addresses
    IPV4Mask: 32
    IPV6Mask: 128
    Weight: 100

    RULE
    Action: Match
    Interface: LAN
    Direction: In
    Address Family:IPv4
    Protocol: Any
    Source: LAN Subnet
    Destination:  ANY

    Advanced Options:  In/Out  Pipe
    First Dropdown:  5MegOut-LAN  Second Dropdown 5MegIn-LAN  (I've also reversed them as a test.  No real difference).

    With these settings there's definitely throttling but it chokes it WAY back.  Download speeds seem to gradually drop. (dropped packets). and sometimes will only show as literally .01 Mb/s.  Again, leaving it in place for a bit brings everything to a screeching halt and browsers get choked up.  There's plenty of bandwidth to fulfill this.  If I remove the Limiters or Disable the rule.  our full bandwidth is shown when doing speedtests.

    I came across another issue that was mentioned to be fixed.

    https://redmine.pfsense.org/issues/4326

    Then I came across this thread where qubit mentions downloads randomly behind halved

    https://forum.pfsense.org/index.php?topic=126637.0

    I'm not running squid / squidguard at the moment.  I even purged the entire config for these from the XML file and reuploaded it.

    I feel like I'm missing something, but for the life of me I can't figure out what's going on.    I had limiters running just fine for sometime until a 2.3.x upgrade (I dont know which one broke it)  and it continues with 2.4.1

    Help or guidance would be appreciated.

    EDIT/UPDATE:  For the rule.  Testing it out with JUST my workstation IP as the SOURCE  instead of the entire Subnet  seems to work just fine.  Speedtests show what I would expect.

    EDIT2/UPDATE:  I tried it with several other random IPs on the LAN subnet as well as the WIFI Subnet.  As long as individual IPs are put in.  Everything works as planned / expected.  Once I use Subnets.  Everything falls apart and downloads (mainly, but not always) start gradually grinding to a halt.



  • I followed this guide for mine but i only limit certain devices not whole subnets.  https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/



  • Thanks, I do appreciate the attempt at helping.  I've been using Limiters for a long time and something broke with 2.2 and HA as mentioned in the bugs above.  So a way around this is using queues.  I have everything setup properly  but now I'm noticing it all works well if I put in a single IP, but not if I I use a subnet of some sort.  Which is a new development as of 2.3.x(don't know which version exactly broke this.)

    The fact that it works with just a single IP vs. a subnet  or an alias with multiple networks leads me to believe that the masks aren't being applied properly somewhere or there is a bug of some sort at play.



  • I have been struggling with getting limiters to work in 2.4.2 since I installed PFSense about 6 weeks ago. The link posted by @1smallsausage is the first one that (a) actually made sense, (b) describes the process well, and © works. The difference between a "pipe" and a "queue" as it pertains to limiters is crucial.

    Moreover, that having created two sets of limiters on my network, one for "registered" (static assignment) devices and one for "unregistered" (DHCP assignment) devices, I have finally been able to throttle my guests to a 3x1 Mib link and induce a 100ms latency, while allowing registered devices to share the available bandwidth completely equitably, including being able to maintain top grade VOIP quality while full bandwidth downloads/uploads are in progress.

    The "Flexible vs. Fixed Limiters" article belongs in the docs in the Traffic Shaping category. [Although, personally, I think that limiters probably don't belong as a tab on Traffic Shaping at all, but belong on their own page.]