Looking for Traffic Shaping Clarity.



  • I have been trying to get some aliased IP's  on my production box to be shaped in the penalty queues without success.
    Nothing I have done seems to work.
    So I have been reading all of the stickies ,wiki's ,how to's etc and I'm having trouble working out what the current status is on the functionality and correct deployment of the shaper in 1.23-release.
    Most importantly in the Sticky by Ermal http://forum.pfsense.org/index.php/topic,11986.0.html He mentions in the bottom of his post (which is dated October 2008 and so could be now outdated in 1.2.3)

    "Now back to why you need to disable the anti-lockout rule and the default LAN rule.
    The pf packet filter is stateful and if it registers a state about a stream of traffic it will not check the ruleset again.
    On this packet filter that is used in pfSense traffic is assigned to a queue by specifying it explicitly with the rule that matches the traffic/ the rule that creates the state.
    The default anti-lockout rule is the same as the default lan rule just createt automatically for the user to prevent his from doing stupid things.
    But this rule is to generic as it matches all the traffic passing from lan and nothing else in the ruleset gets executed. As such it sends all the traffic to the default queue which is not what the user wants with a QoS policy on.
    The same applies to the default LAN rule pfSense ships with. Since now you have to explicitly choose the queue the traffic has to go when creating a rule there is no easy solution to this other than disable these settings and have more fine tuned rules for classifying traffic to the proper queue."

    With all of the other things I have read this is a glaring issue.
    From what I can understand it means that the wizards are essentially useless and you could take the time to tune your queues and rules but until you have implemented this then everything is going to the wrong queues.
    Can someone please clarify this?
    If this is still the case why is this information not part of the wizard or in the wiki ?
    I have no problem disabling the anti lockout as I already use a specified port for the gui.
    But I don't understand the implication of disabling the default lan rule.
    What needs to be done to replace it if anything ?
    Can I just delete the rule or should I make a rule to allow access from the specific address that I would be accessing the router on ?
    If this is a necessary procedure in order to gain true the functionality of the shaper why is it so hidden?
    Does this apply to 2.0 ?


Log in to reply