Netgate Discussion Forum
    Limiters OpenVPN client

    Traffic Shaping
    8 Posts 2 Posters 739 Views
    • Antibiotic
      last edited by Antibiotic

      Hi, I set up Limiters in accordance with the official guidelines. But one of my interfaces is routing via the pfSense OpenVPN client. The question is, do I need to create an additional floating rule for the OpenVPN interface, or should one for WAN be enough?

      pfSense plus 24.11 on Topton mini PC
      CPU: Intel N100
      NIC: Intel i-226v 4 pcs
      RAM : 16 GB DDR5
      Disk: 128 GB NVMe
      Brgds, Archi

      • HLPPC (Galactic Empire) @Antibiotic
        last edited by

        @Antibiotic Generally, I tag my OpenVPN traffic on the LAN and use floating rules to policy route it through the VPN, and put my traffic shapers on the tagged allow rules in the outbound direction, without the quick or matching option. I also block anything going out the WAN tagged as the VPN, but sometimes this causes issues. I also turn off MSI/MSI-X to help with context switching.

        OpenVPN is supposed to be single threaded, but depending on your setup, it can get complicated managing context switching and making sure all traffic goes through the limiter correctly. Protocols like QUIC, or anything from Google really, are seen on incorrect threads by my Suricata instance, but maybe it is because of Suricata.

        Then the limiter itself can have issues with low-bandwidth traffic: net.inet.ip.dummynet.tick_delta_sum

        This timer needs to float around zero. Too much -tick delta and games become less stable at low bandwidth.

        Also, sometimes it can have issues on igb cards, as igb is built on top of the em driver.

        It matters if you have a jank motherboard with a NIC built into it too.

        I might go try interface polling and see how it affects the standard setup. My NICs are also capable of Precision Time Protocol (PTP), and maybe sometimes NICs that do this on the physical layer without proper or actual PTP configuration can cause issues.

        Good luck, and here is a neat reference: https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4
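
        The tag-then-shape layout described above, as an added pf.conf sketch (not the poster's rules and not pfSense-generated output; the interface names, LAN subnet, VPN gateway, tag name and pipe numbers are assumed):

```pf
# Added illustrative pf.conf fragment (not generated by pfSense, not the poster's rules).
# Assumed names: igc0 = LAN, igc1 = WAN, ovpnc1 = OpenVPN client interface,
# 10.8.0.1 = VPN gateway, VPN_OUT = tag, dummynet pipes 1 and 2 = the limiters.
# The pipes themselves are created elsewhere (dnctl / the pfSense Limiters page).

# 1. Tag and policy-route VPN-bound LAN clients as they enter the firewall.
#    (route-to on the inbound LAN rule is where pfSense normally puts policy
#    routing; the poster does it in a floating rule instead.)
pass in quick on igc0 inet from 192.168.1.0/24 to any \
    tag VPN_OUT route-to (ovpnc1 10.8.0.1) keep state

# 2. Floating, non-quick outbound pass rule carrying the limiters: pipe 1 shapes
#    packets in the rule's own direction (upload), pipe 2 the reverse direction
#    of the same state (download).
pass out on ovpnc1 inet tagged VPN_OUT dnpipe (1, 2) keep state

# 3. Leak guard: tagged traffic must never exit the plain WAN. Because this is a
#    block rule on igc1, it also bites when the tunnel is down, which is the kind
#    of "issue" the poster mentions.
block out quick on igc1 tagged VPN_OUT
```

        Whether the limiter is actually catching the tagged traffic can be checked from the shell with `pfctl -vsr` (rule hit counters) next to the dummynet pipe counters, rather than by speed test alone.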

        • HLPPC (Galactic Empire) @HLPPC
          last edited by HLPPC

          I do like my i225s. Just noticed you have i226s. Be careful with an Intel issue relating to interpacket gaps. Interpacket gaps can lower your physical link speed inadvertently, sometimes maybe causing autonegotiation with a motherboard's built-in NIC driver to occur 🤭 I speculate the mobo built-in NIC is an issue because sometimes my i225s have their download and upload speeds drop to a gigabit when I run tcpdumps. And I have no clue what driver tcpdump points to. These NICs also do checksum shifting, and I have no idea how to enable or disable it 🫠, BUT Suricata can drop bad checksums, which is pretty neat.

          • HLPPC (Galactic Empire) @HLPPC
            last edited by

            https://man.freebsd.org/cgi/man.cgi?query=polling&sektion=4&apropos=0&manpath=FreeBSD+14.0-RELEASE+and+Ports

            Polling is not supported on igc yet, I guess, and I haven't found PTP settings in pfSense.

            • Antibiotic @HLPPC
              last edited by

              @HLPPC said in Limiters OpenVPN client:

              BUT, suricata can drop bad checksums

              Can you please say more about this setting in Suricata?


              • HLPPC (Galactic Empire) @Antibiotic
                last edited by HLPPC

                @Antibiotic You'd have to set Suricata up inline, locate the bad checksum rule and enable it.

                https://youtu.be/u1gZrJEQ_30?si=yKVsvsyq7mlCdJy7

                It takes a while to get working correctly.

                Supposedly disabling all offloading is supposed to disable checksum shifting but who knows 🤔

                • Antibiotic @HLPPC
                  last edited by

                  @HLPPC Ah, understood. I have used Snort registered rules on Suricata with a Policy state, only for one interface NIC. This already includes this. Regarding Limiters, the main problem is that I am using OpenVPN only for dedicated interfaces, and in this case Limiters are not working correctly for all interfaces (with and without OpenVPN).


                  • HLPPC (Galactic Empire) @Antibiotic
                    last edited by

                    @Antibiotic

                    Sometimes it is better to NOT make your connection better to other hackers.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.