problems with flexible limiters set using floating rules

Derelict · Sep 28, 2019, 7:49 AM

If that will solve the problem.

AdamL · Sep 28, 2019, 7:55 AM

@Derelict I will definitely test this out. Thanks!

eriknuds · Sep 28, 2019, 3:40 PM

I now tested with PIE and FQ_PIE, and I tested with limits above what the line can normally do (it's a WISP conection - both are actually...) and it doesn't happen anymore. I have the same firewall rules. Yes I know to reverse the queues for in/out wan rules, and I have the same setup for the other wan rules which worked all the time and I haven't changed the rules now that they work with PIE/FQ_PIE...really weird because yesterday I tried other settings than PIE and codel and none worked...I also did a state reset between the tests, not just making new connections, but it didn't fix the issue yesterday.

AdamL · Sep 28, 2019, 3:46 PM

@eriknuds And what about flexible limiter? Honestly Qos(queuing) is not so important to me. Flexible limiter is...

eriknuds · Sep 28, 2019, 3:47 PM

Yes, it's set up as flixible now with masks on the queues and not the limiter, and it seems to work fine...

manu77 · Sep 30, 2019, 9:55 AM

@eriknuds
Hello

Very interessant . But I don't see exactly your configuration.
Could you please send us screenshots for :
1 -Rules in LAN ( list view) and marking options in Rules you chose -> I m curious to see how you say to PF to mark the packet properply with two different possible gateway
2 - Rules in Floating ( list view) and options in Rule for matching traffic -> I'm also curious to know how you match packet with 'out' direction on this step
3 - Options chosen at this step bellow

thanks a lot

eriknuds · Sep 30, 2019, 7:36 PM

@manu77

FW Rules:

The gateway is the gateway group (Loadbalance) in all the rules. To test each wan connection separately I just select another Tier in the gateway group so only one gateway is used.

I only have the 4 floating match rules related to Limiters/queues. None for the LAN interface.

Not sure if I have done everything right, but it seems to isolate the traffic and not disturb other hosts even though I exhaust the line with speed checking...and the isolation is really all I need. AQM etc is not a requirement. My wan connections are pretty symmetric, though not very high bandwith, WISP connections. But I would really like triple isolation like in CAKE. It really sucks that OpenWRT have had CAKE functionality for so long and pfsense seem to be no closer to getting it.

manu77 · Oct 1, 2019, 8:09 AM

@eriknuds
Thanks to take time for showing us your conf. I will test it and tell you .
I've a lab here with 6 firewalls to emulate multiwan. so we will see.

eriknuds · Oct 1, 2019, 2:18 PM

@manu77

Great stuff, let me know if you need more details:-)

Regards,
Erik Knudsen

manu77 · Oct 3, 2019, 11:53 AM

Hello All,

I confirm this configuration works and works well. Each time the gateway changes, the Pipe is well affected too with 10 secondes of floating bandwitdth ( no traffic )
Now I must go further to see how to add specific traffic in a specific queue and described from WAN ! because the floating rules for this test are set up as you post , I mean from * to *

nice day

eriknuds · Oct 3, 2019, 2:36 PM

@manu77 ,

I have selected the appropriate wan interface in each rule (in-rule and out-rule for each wan interface) - in the WanIn/Out rules I have selected only the wan interface, and in the corresponding wan2 rules I have selected only the wan2 interface.

Good luck with any further testing:-)