Problem setting up tail drop/codel
-
Hi.
I have been trying to setup https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html
I have tried it a couple of times, ensuring my config matches the document, but as soon as I apply the firewall rules I get no Internet traffic and the gateway goes to 100% packet loss... Can anyone help please?
CE edition 2.8.1
Single WAN
IPv4 only. Thanks
-
I am using CoDel Limiters and this is working really well for me ("A") on my asynchronous VDSL connection. I set it up a while ago so I can't remember all the details but, rightly or wrongly, I ended up with different floating firewall rules than described in the article.
I've got two (one for incoming connections and one for outgoing connections) floating firewall rules, and they use 'match' rather than 'pass':

Outgoing rule:



The incoming rule is similar, but uses direction "in" and has the "in / out pipe" entries switched over. I don't think you'll need this rule, unless you have open ports on your WAN connection.
I found this article really useful to tune the CoDel parameters.
-
@AberDino
Hi, thanks for taking the time to respond. I have tried your rule as above but I still can't get any traffic once I enable the rule. I have a test machine behind my live machine and it seems to do the same thing as what was happening on my live machine. As soon as the rule gets enabled I lose all access to the net through the test machine. Turn the rule off and Internet is restored. Can you think of or provide any further info please?
thanks very much


-
Hi @zennb1, I see you still have the 'Quick' option enabled, which I don't think is compatible with the 'Match' option. Various bits of info from an Internet search:
- The match action is unique to floating rules and does not explicitly pass or block traffic. It is used solely for assigning traffic to queues or limiters for traffic shaping. A match rule sets a tag or assigns the packet to a traffic shaping queue, and then rule processing continues to the next ruleset (interface rules) to determine if the packet should ultimately be passed or blocked.
- If a rule has quick enabled and a packet matches it, the firewall stops processing any further rules and applies the action (pass, block, or reject) of that specific rule immediately ("first match wins").
- Match rules are not compatible with the quick option because they are not meant to be a final action; they need subsequent rules to pass or block the traffic.
I'd suggest you disable the "quick" option and see if it makes a difference. I presume you have an appropriate "pass" rule set on the LAN firewall rules page? You could temporarily enable logging on a firewall rule to see if it reveals any more information. To check if the limiter is working, click Diagnostics -> Limiter Info.
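The rule-processing behaviour described in this reply (a 'match' rule only tags traffic for a limiter and processing continues; a 'quick' pass/block ends processing at once) can be walked through with a small simulation. The code below is an added example, not something posted in the thread or shipped by pfSense; it is a simplified single-packet walk that ignores interface, address and port matching, and the rule and limiter names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One firewall rule; only the fields the walk-through needs are modelled."""
    name: str
    action: str                     # "match", "pass" or "block"
    direction: str                  # "in", "out" or "any"
    quick: bool = False
    in_pipe: Optional[str] = None   # limiter for traffic entering the interface
    out_pipe: Optional[str] = None  # limiter for traffic leaving the interface


def validate(rules: List[Rule]) -> List[str]:
    """Flag what the reply above calls incompatible: a 'match' rule with 'quick' set.
    'match' is not a final action, so later rules must still decide pass/block."""
    return [f"{r.name}: 'match' cannot be combined with 'quick'"
            for r in rules if r.action == "match" and r.quick]


def evaluate(floating: List[Rule], interface: List[Rule],
             direction: str) -> Tuple[str, Optional[Tuple[str, str]], str, List[str]]:
    """Walk floating rules, then interface rules, for one packet going `direction`.
    Returns (final_action, assigned_pipes, deciding_rule, trace).
    Modelled semantics: 'match' assigns pipes and keeps going; a 'pass'/'block'
    with quick stops immediately; without quick the last matching pass/block wins;
    if nothing matches the default is block."""
    pipes: Optional[Tuple[str, str]] = None
    action, decided_by = "block", "default-deny"
    trace: List[str] = []
    for r in floating + interface:
        if r.direction not in ("any", direction):
            continue
        if r.action == "match":
            pipes = (r.in_pipe, r.out_pipe)
            trace.append(f"{r.name}: match -> pipes={pipes}, continue")
            continue
        action, decided_by = r.action, r.name
        if r.quick:
            trace.append(f"{r.name}: {r.action} quick -> stop")
            break
        trace.append(f"{r.name}: {r.action} (last match so far)")
    return action, pipes, decided_by, trace


# Constructed rules mirroring the thread: a floating 'match' rule with direction
# out that hands traffic to two limiters, plus an ordinary LAN 'pass' rule
# (pfSense interface rules are quick by default). Limiter names are placeholders.
FLOATING_OK = [Rule("WAN out shaping", "match", "out", quick=False,
                    in_pipe="down_queue", out_pipe="up_queue")]
LAN_RULES = [Rule("LAN default allow", "pass", "any", quick=True)]

# The same rule with 'quick' ticked, the configuration the reply warns about.
FLOATING_BAD = [Rule("WAN out shaping", "match", "out", quick=True,
                     in_pipe="down_queue", out_pipe="up_queue")]

if __name__ == "__main__":
    print("ok rules   :", validate(FLOATING_OK))
    print("bad rules  :", validate(FLOATING_BAD))
    print("out packet :", evaluate(FLOATING_OK, LAN_RULES, "out")[:3])
    print("no LAN pass:", evaluate(FLOATING_OK, [], "out")[:3])
```

Running it shows the outbound packet being tagged with both pipes by the floating rule and then passed by the LAN rule, and that with no pass rule after the 'match' the packet falls through to the default block, which is why a 'match' rule on its own cannot carry traffic.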
-
The Netgate guide suggest a floating rule with PASS and quick enabled.
I have strictly followed that guide and it works very well, got A+ with a 1000/300 line (PPPoE).
-
@Wolf666 Hi. Thanks, I tried this but still no traffic. I set up the limiters as per the article. Is yours any different? Any chance you could share your setup? I just can't seem to resolve it. Thank you
-
@AberDino I'll try again but just can't seem to resolve it. I set up the limiters as per the article; are yours the same as this? Thanks
-
@zennb1
I am travelling, I will post it in the weekend.
My config is 1:1 with netgate guide, only 1 floating rule on WAN interface and "WAN address" as source.
I see you put "any" as source, you want to do it only on WAN address.
-
@Wolf666 Thank you. I'll try again.

-
@zennb1 said in Problem setting up tail drop/codel:
I set up the limiters as per the article, are yours the same as this?
Yes, they are, but with the target value adjusted to the 'unloaded' ping time to the first ISP hop (26ms in my case, on VDSL), as per the CoDel tuning link I posted above.
-
@AberDino OK, thanks. I tried again but it just doesn't seem to want to work for me. It's as soon as I apply the rule. Very confused.

-
@zennb1 Since it seems that you've been over the rule creation to assign traffic to the limiter queues multiple times and it all looks okay, perhaps double check the limiters and their associated queues and maybe post some screen shots of how you have them configured? I wonder if there's any chance your rules are working just fine, but there's something wrong with how the limiters/queues are set up.
-
@TheNarc Thanks. Agreed. I need a bit of time but will post the lot.

-
-
@zennb1 Okay, what stands out to me are target and interval values of 0 for your WAN down limiter. I don't think that is valid. I feel like I've seen other posts from people claiming that somehow those can end up being defaults, but I'm betting that's what's breaking things for you.
I would start by setting target to 5 and interval to 100 like your upload limiter. As to all the other parameters, I don't feel like I can give great advice, especially for such a fast symmetric connection. To be honest, in my experience it seems like almost everywhere you look for information about how to set the few "knobs" available with FQ_CODEL, the advice is different :) But I bet that just changing those target and interval values will get traffic flowing for you.
Clearly, you can try changing various settings and test to see what works best for you. I have found some advice that the "queue length" should be set equal to "limit", and also that for an 8Gbps symmetric connection you may want "limit" and "flows" both set to something like 4096. But, I am not an expert on these FQ_CODEL settings so if anyone chimes in who is, I would defer to them.
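To make the check this reply recommends repeatable (target and interval of 0 on the download limiter, and the softer hints about queue length, limit and flows), here is an added sanity checker. It is example code, not anything posted in the thread or part of pfSense; the field names are this example's own and the two limiter definitions are constructed to reproduce the situation described (upload at 5/100, download at 0/0).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Limiter:
    """The FQ_CODEL knobs a pfSense limiter exposes; field names are this example's own."""
    name: str
    bandwidth_mbit: float
    target_ms: int = 5        # CoDel target delay
    interval_ms: int = 100    # CoDel interval
    limit: int = 10240        # total packets the scheduler may hold
    flows: int = 1024         # number of flow queues
    queue_length: int = 50    # "Queue length" field on the limiter itself


Finding = Tuple[str, str]   # (severity, message); severity is "error" or "note"


def check_limiter(lim: Limiter) -> List[Finding]:
    """Sanity-check one limiter. Errors reproduce the failure the reply above
    points at (target/interval of 0); notes are its softer tuning hints."""
    f: List[Finding] = []
    if lim.bandwidth_mbit <= 0:
        f.append(("error", f"{lim.name}: bandwidth must be > 0"))
    if lim.target_ms <= 0:
        f.append(("error", f"{lim.name}: target is {lim.target_ms} ms; CoDel needs a positive target"))
    if lim.interval_ms <= 0:
        f.append(("error", f"{lim.name}: interval is {lim.interval_ms} ms; CoDel needs a positive interval"))
    if lim.target_ms > 0 and lim.interval_ms > 0 and lim.target_ms >= lim.interval_ms:
        f.append(("error", f"{lim.name}: target ({lim.target_ms} ms) must be below interval ({lim.interval_ms} ms)"))
    if lim.limit <= 0 or lim.flows <= 0:
        f.append(("error", f"{lim.name}: limit and flows must be positive"))
    if lim.queue_length != lim.limit:
        f.append(("note", f"{lim.name}: queue length ({lim.queue_length}) differs from limit "
                          f"({lim.limit}); one suggestion in the thread is to set them equal"))
    return f


def errors(lim: Limiter) -> List[str]:
    """Only the hard errors, i.e. the settings that would stop traffic flowing."""
    return [m for s, m in check_limiter(lim) if s == "error"]


def fix_codel_timing(lim: Limiter, reference: Limiter) -> Limiter:
    """Copy target/interval from a working sibling limiter wherever they are zero,
    which is the first change the reply suggests for the WAN down limiter."""
    return Limiter(lim.name, lim.bandwidth_mbit,
                   target_ms=lim.target_ms if lim.target_ms > 0 else reference.target_ms,
                   interval_ms=lim.interval_ms if lim.interval_ms > 0 else reference.interval_ms,
                   limit=lim.limit, flows=lim.flows, queue_length=lim.queue_length)


# Constructed limiters matching the situation described: upload fine, download at 0/0.
WAN_UP = Limiter("WANUp", bandwidth_mbit=8000, target_ms=5, interval_ms=100,
                 limit=4096, flows=4096, queue_length=4096)
WAN_DOWN = Limiter("WANDown", bandwidth_mbit=8000, target_ms=0, interval_ms=0,
                   limit=4096, flows=4096, queue_length=4096)

if __name__ == "__main__":
    for lim in (WAN_UP, WAN_DOWN, fix_codel_timing(WAN_DOWN, WAN_UP)):
        print(lim.name, check_limiter(lim) or "ok")
```

Running it lists two errors for the download limiter and none after the target/interval values are copied over from the upload limiter; the earlier suggestion in this thread of a 26 ms target on VDSL also passes, since it stays below the 100 ms interval.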
