Flooded log
-
@stephenw10
Yes i have few limiters, and actually i was rolling back to 2.6.0..
upgraded 2 pfsense to 2.7.0, then to 2.7.1. Both by pfSense-upgrade.
Both are using pfsync and carp. After that.. limiters not working, users have way less then limited.
Rolled back to 2.6.0 for now.. but got these messages in log instead.Sorry.. limiters are for each vlan. Have 4 vlans,
Limiters created using standard Upload / Download with Taildrop & Worst-case WFQ.
Then I applied the limit on each vlan alias ( by network /24 ) in Advanced settings in Firewall Rules, LAN Interface ( not floating ). -
How did you roll back? Were both nodes rebooted since?
I haven't seen that error in years.
-
@stephenw10
They are both are kvm guest..
Sorry rollback is not the correct term I guess..
I just re-start with the old guest image. But it's limiter problem was the reason why i decide to go to 2.7.x -
Hmm, Limiters should work in 2.7.(1). Did it just not pass traffic? Not limit as expected?
-
@stephenw10
Yes it starts to slow down clients to the point they're only having a quarter of allocated bandwidth.
I know it possibly have something to do with kvm, since the crawl happened since 2.6.I just havent got any idea where tho', it starts happening few weeks ago.
Its just fine since 2.3.
I have disabled all kinds of hardware offloading since they are vm guests, used virtio driver for all nics.
I might have to reinstall from scratch with 2.7.1.
These 2 pfsense vm are actually sync'd and use CARP. -
So it's still slow even for clients that are not limited? How are you applying the Limiter(s)?
-
@stephenw10
oh right.. it works fine once i removed the limiter for them. I am running on 2.6 now tho', removed limiter from fw rules, but somehow those messages still shows up in log. If im not mistaken, during the few hours running 2.7, no messages loke thise above in logs, but the speed was awful withi limiter as well.
I might gonna try to just use 1 pfsense instead of 2 as HA for testing. -
Ah, Ok so not a regression just not solved in 2.7(1)?
Any reason to stay at 2.6 then?
How are you applying the Limiters? There were some issues with Limiters in 2.6 but as far as I know they were all solved in 2.7.
-
@stephenw10
Yes with 2.6 it just happened few last weeks. Never log in much since it just worked. In fact that is the reason why log in to it to check, and noticed there was an update to 2.7.I will post some limiters i applied, later on here
-
Hmm, so it was working as expected in 2.6 until recently? Nothing changed in the pfSense config?
-
@stephenw10
Yes.. it shows all those messages in logs.
Btw, I've tested 2.71 from fresh install.. All good but limiter also have problems.
I put 2 mbps upload and 5 mbps download for test for one vlan,
Upload speed seems to be correct, but download speed seems off quite a bit.
Here is one default Download Limiter created ( upload limiter exactly the same with 2 mbps set ),
and how it applied to fw rules.
Client got only 1.85 Mbps Download + 1.8 Upload
Thank you for your help.
-
@stephenw10
Okay.. I think i've found something new ?I've reinstalled 2.71, restore fw rules & aliases from backup.
This pfsense is basically just do firewalling & b/w limit / shaper.
We have 2 WAN / ISP. Several vlans as clients.
all vlans are directed to a Layer 3 switch in LAN.
So this pfsense vm have 3 interface.I create 2 Limiter 5mbps & 3 Mbps. ( Let's say i wanted 5 Mbps Down and 3 Up )
If I directed this one vlan via ISP 1, I have to put 3 Mbps in IN Pipe & 5 Mbps in Out Pipe ( that's the normal, right ? ).
But if i wanted this vlan to go through ISP2, still using the same down / up limit, I have to substitute the place..
I have to put 5Mbps limiter in IN pipe, and put 3 Mbps in Out Pipe.
I've tried it few times and tested it with speedtest-cli, and iperf ...
I'm quite surprise tbh.. -
@nicknuke said in Flooded log:
But if i wanted this vlan to go through ISP2, still using the same down / up limit, I have to substitute the place..
I have to put 5Mbps limiter in IN pipe, and put 3 Mbps in Out Pipe.The only time that would be true is if you're using an outbound rule on the ISP2 interface? If you did that and used the same pipes in opposite directions you could see some odd things. The same limit both ways at least.
-
@stephenw10
Thanks for looking in to this. Reinstalled with 2.7.1.
It is working fine for the main ISP with cable.Somehow limiter acting weird with backup ISP with radio. Radio link is 10Mbps, i limit 1 subnet/vlan with 3 Up and 5 down, but somehow clients get 2.5 Mbps down and 0.5 - 2 mbps up... without limiter they got the full 10Mbps down and up.
But no more flooded logs with 2.7.1. I guess i have to look for more clue in the backup ISP.Thank you so much.
-
Hmm, curious. Are you using one rule to both apply the limiters and route traffic to the ISP2 WAN?
-
@stephenw10
well actually yes...
the vm actually just act as redirector and shaper for different vlans to different ISP's gateway.
Been doing that and it just works.. until lately..
Do I miss something ? -
Nope I would expect that work fine. It seems suspicious that something just changed seemingly without any changes made to the pfSense config. Like something else is limiting it.
-
This post is deleted! -
@stephenw10
That's the hair pulling prob.Let's call this pfsense box : shaper ( vm ).
It has 3 interfaces, 1 to LAN ( L3 Switch ), 1 interface to ISP1, and 1 other to ISP2
Turned off NAT on shaper, so it's just doing routing and traffic shaping only.
Gateway of ISP1 is actually another pfsense doing NAT ( a vm )
Gateway of ISP2 is the debian box ( another VM )I suspected there's something wrong on the gateway side.
I have debian box act as gateway on top of pfsense.But when I tried removing the limiter to ISP2 , vlan client got full bandwidth.
- Limit Off : vlan pc - iperf3 - gateway = Full b/w.
- Limit On : vlan pc - iperf3 - gateway = inconsistent b/w. ( this is done with no other client online ).
But ONLY on this particular gateway to ISP2.
I've been re-installing pfsense like 5 times in vm already, lol..
-
Hmm, you're testing using iperf3 to the gateway directly? Though that should still work.
