fq_codel limiter/queues causes nearly complete ping packet loss when limiting
After reading about fq_codel, it seems like it would be a great tool to allow for QoS without a bunch of complicated setup, but I've run across an issue.
Overall setup: Cable Internet with 300/30 Mbps down/up, a few internal networks/VLANs.
I've got it set up as documented just as in the Netgate video as follows:
WANDown Limiter along with WANDown Queue. Limiter set to 295 Mbps, CoDel Queue Algo, FQ_CODEL Scheduler. ECN enabled. All other settings at their defaults.
WANUp Limiter / Queue, limiter set to 28 Mbps, otherwise same as the down limiter/queue.
And a floating rule that matches IPv4 traffic, Gateway set to the WANGW and the In/Out pipe set to the WAN Up/Down Queues.
So the problem is that ICMP pings to a variety of hosts completely stop on the download portion of a speed test. They continue just fine on the upload portion of the speed test. ICMP pings over an OpenVPN connection work just fine.
Turning bandwidth limits way down (200/20 Mbps) limits bandwidth appropriately, but pings do the same thing. Turning off ECN also does the same thing. Interesting, increasing the download limit well above the max (400 Mbps) still causes ping packet loss.
Any idea what's going on?
Please read following Bug #9024
The issue presents itself when match out limiter rules are used on interfaces creating NAT states
There are some workarounds you can find in this long topic https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4
Two I tried are:
- create floating rule for ICMP without limiters (this did not work for me)
- create floating rule with limiters (with match action) not on "WAN out" but on "LAN/VLAN in" (in one floating rule you can select multiple interfaces/vlans) for traffic with source "any" and destination "not-your-local-networks-alias" - that works great for me, and for my easy setup I need only one floating rule for all my VLANS and with "in" traffic you don't need to set gateway
(sorry for brief description without details but currently I'm away from my network)
Thanks - I'll give those a shot and report results back later today.
I did something simple after reading, I changed my floating rule to only match TCP/UDP instead of matching all - this seemed to do the trick - no more ICMP / ping packet loss.
I still get a quick burst of latency when just starting a speedtest, but it seems that I have to drastically reduce the limiter all the way down to 250 Mbps to get rid of it. We'll see if it's noticeable in real life.