Codel Shaping with Limiters - unable to connect to websites



  • I just loaded 2.5 on my test firewall. Everything loaded up fine. I'm able to ping & do traceroutes but HTTP connections time out. I narrowed it down to my shaper floating rule with in/out pipes set to my limiter settings using CODEL. If I disable the floating rule, my connections start to work again. I haven't dug further yet to see why. BTW I followed the Aug 2018 Hangout to set up CODEL limiters a while back.


  • Rebel Alliance Developer Netgate

    Were the same rules working before (not on 2.5)?



  • Mar 18 21:59:39 php-fpm 334 /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: igb0.3000: driver does not support altq - The line in question reads [0]:

    Mar 18 22:02:31 php-fpm 334 /firewall_shaper.php: The command 'killall qstats' returned exit code '1', the output was 'No matching processes were found'

    I get these errors with CodelQ enabled.

    Once I disable it I can browse again.

    No issues with this in 2.4.5 development snapshots.

    Let me know what else you require to fix this.


  • Rebel Alliance Developer Netgate

    @Dazog said in Codel Shaping with Limiters - unable to connect to websites:

    Mar 18 21:59:39 php-fpm 334 /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: igb0.3000: driver does not support altq - The line in question reads [0]:

    That's ALTQ, not limiters, wouldn't be related. Needs to be in its own thread.

    Mar 18 22:02:31 php-fpm 334 /firewall_shaper.php: The command 'killall qstats' returned exit code '1', the output was 'No matching processes were found'

    Also not related, qstats is for ALTQ, but that particular message can be ignored.

    I get these errors with CodelQ enabled.

    Once I disable it I can browse again.

    You might have the same issue as OP, but it's not related to those other error messages in your logs.





  • @jimp Yes, the same rules were working in 2.4.5 dev. However, I smartened up and remembered I also had a floating rule above the shaping rule to pass outgoing ICMP so that pinging actually works with CODEL. I disabled the ICMP rule and now nothing is passing with only the shaping rule.


  • Rebel Alliance Developer Netgate

    What shows up under Diagnostics > Limiter info?

    Have you tried any other limiter schedulers/AQMs?



  • @jimp

    ```
    Limiters:
    00001: 896.000 Kbit/s    0 ms burst 0 
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0  AQM type PIE target 15ms tupdate 15ms alpha 5 beta 2 max_burst 10fs max_ecnth 1 NoECN CapDrop DRE Derand
     sched 65537 type FIFO flags 0x0 0 buckets 0 active
    00002:  10.240 Mbit/s    0 ms burst 0 
    q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0  AQM type PIE target 15ms tupdate 15ms alpha 5 beta 2 max_burst 10fs max_ecnth 1 NoECN CapDrop DRE Derand
     sched 65538 type FIFO flags 0x0 0 buckets 0 active
    00003:  41.000 Mbit/s    0 ms burst 0 
    q131075 1000 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0  AQM CoDel target 5ms interval 100ms ECN
     sched 65539 type FIFO flags 0x0 0 buckets 0 active
    00004:   4.800 Mbit/s    0 ms burst 0 
    q131076 1000 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0  AQM CoDel target 5ms interval 100ms ECN
     sched 65540 type FIFO flags 0x0 0 buckets 0 active


    Schedulers:
    00001: 896.000 Kbit/s    0 ms burst 0 
    q65537  50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
     sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
     FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN
    00002:  10.240 Mbit/s    0 ms burst 0 
    q65538  50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail
     sched 2 type FQ_CODEL flags 0x0 0 buckets 0 active
     FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN
    00003:  41.000 Mbit/s    0 ms burst 0 
    q65539  50 sl. 0 flows (1 buckets) sched 3 weight 0 lmax 0 pri 0 droptail
     sched 3 type FQ_CODEL flags 0x0 0 buckets 0 active
     FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
       Children flowsets: 1 
    00004:   4.800 Mbit/s    0 ms burst 0 
    q65540  50 sl. 0 flows (1 buckets) sched 4 weight 0 lmax 0 pri 0 droptail
     sched 4 type FQ_CODEL flags 0x0 0 buckets 0 active
     FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
       Children flowsets: 2 


    Queues:
    q00001  50 sl. 0 flows (1 buckets) sched 3 weight 0 lmax 0 pri 0  AQM CoDel target 5ms interval 100ms ECN
    q00002  50 sl. 0 flows (1 buckets) sched 4 weight 0 lmax 0 pri 0  AQM CoDel target 5ms interval 100ms ECN
    ```
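To see which scheduler and bandwidth a child queue actually lands on, the Limiter info text can be parsed and joined on the scheduler number. The Python below is an added example, not part of the thread or of pfSense; the names `parse` and `queue_report` are made up for illustration, and the sample is trimmed from the dump posted above.

```python
import re

# Sample trimmed from the Limiter info dump posted above (trailing spaces removed).
SAMPLE = """\
Schedulers:
00001: 896.000 Kbit/s    0 ms burst 0
 sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN
00003:  41.000 Mbit/s    0 ms burst 0
q65539  50 sl. 0 flows (1 buckets) sched 3 weight 0 lmax 0 pri 0 droptail
 sched 3 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
   Children flowsets: 1

Queues:
q00001  50 sl. 0 flows (1 buckets) sched 3 weight 0 lmax 0 pri 0  AQM CoDel target 5ms interval 100ms ECN
"""

RATE = re.compile(r"^\d{5}:\s+([\d.]+ [KMG]?bit/s)")
SCHED = re.compile(r"^\s+sched (\d+) type (\S+)")
ECN = re.compile(r"^\s+\S+ target .*\b(NoECN|ECN)\s*$")
CHILD = re.compile(r"^\s+Children flowsets:\s*(.+)$")
QUEUE = re.compile(r"^q(\d{5})\s.*\bsched (\d+)\b.*?(?:AQM (?:type )?(\S+)|droptail)")

def parse(text):
    """Return (schedulers, queues) dicts keyed by scheduler / queue number."""
    scheds, queues, section, rate, cur = {}, {}, None, None, None
    for line in text.splitlines():
        if line.strip() in ("Limiters:", "Schedulers:", "Queues:"):
            section, cur = line.strip(), None
        elif section == "Schedulers:":
            if m := RATE.match(line):
                rate, cur = m[1], None   # bandwidth line opens a new scheduler block
            elif m := SCHED.match(line):
                cur = scheds[int(m[1])] = {"rate": rate, "type": m[2], "ecn": None, "children": []}
            elif cur and (m := ECN.match(line)):
                cur["ecn"] = m[1] == "ECN"
            elif cur and (m := CHILD.match(line)):
                cur["children"] = [int(n) for n in m[1].split()]
        elif section == "Queues:" and (m := QUEUE.match(line)):
            queues[int(m[1])] = {"sched": int(m[2]), "aqm": m[3] or "droptail"}
    return scheds, queues

def queue_report(text):
    """Join each child queue to the scheduler type and bandwidth that shape it."""
    scheds, queues = parse(text)
    return {q: (v["aqm"], scheds[v["sched"]]["type"], scheds[v["sched"]]["rate"])
            for q, v in queues.items() if v["sched"] in scheds}
```
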
    


  • @jimp I just tested using PIE and FQ_PIE on both the root and child limiters and still cannot connect to the web. I did see however that states are being created and small amounts of traffic.



  • I had exactly the same issue.
    Managed to fix it by setting my floating rule to

    • Action: Match

    • Quick: unticked

    • Interface: WAN and LAN highlighted

    • Direction: in

    • Protocol: TCP/UDP

    • Source: any

    • Destination: any

    • Gateway: WAN_DHCP

    • In / Out pipe: queue_out / queue_in

    Queue_Out is Tail drop
    pipe_out is:

    • CoDel for Queue Management
    • FQ_codel for scheduler
    • ECN is ticked.

    This is for the outbound traffic (upload)

    Queue_In setup the same but with a bandwidth limit just under my download speed.

    I hope this helps.



  • @askmyteapot Thanks! It's working perfect now! Bufferbloat is gone again!

