Traffic Shaping: qACK queue



  • I'm new to 2.0 and am learning it. How does one create an ACK queue? Unlike 1.x.x you can specify the ACK queue.. Using the wizard in 2.0, it creates the 2.0 queue, but I intend to create my rules from scratch. So yeah, how do I create an ack queue?



  • What snapshot are you using? The wizard doesn't even finish for me.

    Sorry, I don't know how to make an ACK queue, but I think it has to do with the first of the two drop-down menus when setting the queue for any packet. In other words, if I understand correctly, you can have a corresponding ACK queue for every queue that you create.



  • lol, that confused me further…

    is there something i should understand about 2.0 shaping compared to 1.xx?



  • I'm also confused about the ack queue…



  • I am confused about far more than that. The shaper for 2.0 appears to be in development, with the documentation therefor a little behinder than that.



  • would be nice if someone could write up a mini guide for simple traffic shaping. that way, you get more beta testers.



  • Yes that would be awesome!!

    Shaping does work for me.. I think :D
    however I have no clue about the ack queue.. as to when ack packets in what direction will pass through it.

    I also don't know if this is the right way doing that, but it seems to work:

    I used the wizard only to create the queues, modified them and then I created the rules to pass traffic into the queues in the floating tab.
    Selecting quick, outbound, ports/protocols etc. and the queue.. didn't specify any gateway and didn't select any interfaces.
    Then in the lan tab I created all the rules for traffic I wanted to allow and selected my load balancer as gateway, but didn't select any queue(s).

    That way I can watch traffic going into the right queues and the load balancer is used too. But still I'm confused about the ack queues..



  • Maybe it's just that the left queue is for traffic going out and the right is for traffic coming in? That way ack packets would be sent out the left "qACK" queue and the "real" traffic coming in was fed into the right queue?

    But then I don't understand why I see on occasion more traffic going out of the ack queue of a certain interface than out of any other queue of the same interface..? Well maybe just because my setup is totally wrong.. or I just don't understand networking



  • Well, you're ahead of me. None of the wizards will complete for me, and all attempts to manually create some have thus far failed.



  • @biatche:

    I'm new to 2.0 and am learning it. How does one create an ACK queue? Unlike 1.x.x you can specify the ACK queue.. Using the wizard in 2.0, it creates the 2.0 queue, but I intend to create my rules from scratch. So yeah, how do I create an ack queue?

    In 2.0 there is no such thing since every queue may be selected to queue ACK packets for certain kinds of TCP traffic – on a per-rule basis -- and such a queue may be used to queue non-ACK packets too.

    Nevertheless, if you follow a Wizard then it will create a queue named qACK which, by default, will be used for all ACKs, and ACKs only. Thus the qACK may be regarded as "the ACK queue" in the 1.x.x sense.



  • @biatche:

    lol, that confused me further…

    Word.



  • @clarknova:

    @biatche:

    lol, that confused me further…

    Word.

    Haha add me ;)

    I used the wizard from the snapshot of 14th June 2pm to create the queues. Used Lan to multiwan…

    I don't understand exactly what this "left" and "right" box where you select the queues in a rule is about. How does it determine which packets go into the left and which ones into the right one?
    If this has something to do with packet direction flow inside a connection, would packets leaving end up in the left queue, the "ack" queue, and received packets end up in the right queue? Is that true or pure nonsense?

    But if it was like that, what would happen when someone was doing an upload.. with this same rule his data packets would end up in the left "ack" queue and ack packets from the remote host would end up in the "right" queue (whatever its name is)?

    It would be really great if someone could explain that a bit.

    Thnx very much!



  • dusan, so, let me get this right..

    to get shaping right in 2.0, firewall rules and shaping are correlated? for each fw rule i make, i need to specify the appropriate queues, and in fact, i saw an option "ackqueue/queue"

    dusan mind giving a mini guide on how you setup your shaping? will help a lot. I know you're one of the more advanced users here. thanks!



  • I could be wrong, so hopefully Dusan or Ermal will chime in. In the meantime, here's what I understand.

    Packets moving through the firewall are either part of an existing connection state or not. There is a firewall rule which does not appear in pfsense's UI that allows packets that are part of an existing connection. Packets that match this rule will not be evaluated against any of the rules you have created, which is why you have to reset your states sometimes after creating a new rule before packets will be matched to it.

    When classifying packets/traffic to queues, you want to do this on the floating interface. When allowing, denying or routing packets you want to make rules on a specific physical/logical interface. Every packet will be evaluated against firewall rules on both the logical interface it came in on, as well as the floating interface. Because packets moving through the firewall in any direction will be evaluated by the floating rules, there are two dropdown menus corresponding to ackqueue and queue. If a packet matches a rule on the floating interface and is part of an existing connection, it will be put into the ackqueue, otherwise queue.

    So let's use the simple example of connecting to a web site and see how it will be queued. I type google.com into my web browser and hit enter. A packet destined to google's IP address on port 80 enters the firewall on the LAN interface. pfsense first compares said packet to its state table and sees no existing connection, so the packet is now checked against the LAN firewall rules for a match. It matches my default pass rule, so now the packet is evaluated on the floating interface rules.

    On the floating interface, the packet matches a rule which states that any packet destined to port TCP/80 goes into ackqueue 'ackbulk' and queue 'bulk' respectively. Because this packet constitutes a new connection, as determined earlier, it will be queued into the bulk queue, and then leave the firewall via that queue on a randomly selected port, say port 10321 for example.

    Now google.com responds with a packet. This packet comes from the IP address which we sent our original packet to, TCP port 80, and is destined to pfsense TCP port 10321. pfsense recognizes this as an existing connection and accepts it, bypassing evaluating it against the other WAN firewall rules (ignoring NAT for the sake of this example). The packet is then evaluated against our floating rules, matches the same rule that our initial outgoing packet matched, but is this time queued according to the ackqueue, 'ackbulk', because it is recognized as a response to an existing connection.

    Subsequent packets to google.com that are part of the same connection will be recognized as being from the source of that connection and will thus enter the bulk queue, while all responses will enter the ackbulk queue.

    We could do the same example in reverse, where a host on your LAN is accepting new connections from the internet, say a web server. Connection requests from the internet to your web server on port 80 will enter the corresponding queue, while responses from your web server will be classified into the matching ackqueue.

    So ackqueue and queue don't necessarily have anything to do with the direction of the packet from pfsense's perspective, only whether the packet is from the source or destination IP when evaluated against the connection state table.

    In summary, I don't understand this completely, but this is what I have been able to synthesize in searching the forum and playing with the shaper when I can. Hopefully somebody will be able to jump in and clarify or verify what I've said. I'm also optimistic that you were able to run the wizard on the June 14 snapshot. The wizard from June 10, and others before it would not complete. I'll have to try updating my firmware.



  • Thnx, this absolutely makes sense. Very good explanation!
    And I totally forgot about states matching.

    Hmm, do you have any idea what could cause there to sometimes be more traffic in an ack queue of a certain interface than the sum of traffic of all other queues of this same interface? This happens sporadically when I watch the queues' status



  • Well, if I'm right, and all traffic going from destination to source is entering the ackqueue, then you would get this situation during a web download, for example. You click a link to download openoffice.org, 158 MB or whatever. The request goes into the web queue, the download comes back in the ackqueue, all 158 MB of it. That doesn't actually make much sense to me, but I guess that's what would happen if I described the process correctly. And if you're seeing something like that, then I could be right.
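
The two posts above reason about which of a rule's two queues a download's packets end up in. As an added example, not code from the thread, from pfSense or from pf itself, the Python below models the selection rule that pf.conf(5) documents for a rule naming two queues, e.g. `queue (qOthersDefault, qACK)`: packets that are TCP ACKs with no data payload, and packets whose TOS is lowdelay, are assigned to the second queue; every other packet matching the rule goes to the first. The decision is made on the packet's own header only, not on its direction and not on whether its sender is the source or the destination of the state. The addresses, segment sizes and the HTTP exchange are constructed, and the 40-byte header figure is a simplification (IPv4 and TCP headers without options).

```python
"""Which of a rule's two queues does pf pick for a given TCP segment?

Added example; models the rule in pf.conf(5) for `queue (queue, ackqueue)`:
TCP ACKs with no data payload, and packets with TOS lowdelay, go to the
second queue; everything else goes to the first. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# TCP flag bits and the IP TOS lowdelay bit, as in <netinet/tcp.h> and <netinet/ip.h>.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TOS_LOWDELAY = 0x10

# Simplification: IPv4 header + TCP header, no options.
HEADER_LEN = 40


@dataclass(frozen=True)
class Segment:
    """One TCP segment as pf sees it: sender, receiver, flags, payload bytes, TOS."""
    src: str
    dst: str
    flags: int
    payload_len: int
    tos: int = 0


def select_queue(seg: Segment, queue: str, ackqueue: str | None = None) -> str:
    """Return the queue pf assigns to `seg` under a rule `queue (queue, ackqueue)`.

    With one queue there is nothing to choose. With two, only the header of
    this packet matters: ACK bit set and zero payload, or TOS lowdelay, means
    the second queue. Direction and state ownership play no part.
    """
    if ackqueue is None:
        return queue
    if seg.tos & TOS_LOWDELAY:
        return ackqueue
    if seg.flags & TCP_ACK and seg.payload_len == 0:
        return ackqueue
    return queue


def http_download_flow(client: str = "192.168.1.10", server: str = "203.0.113.80") -> list[Segment]:
    """A constructed HTTP GET whose response arrives in three data segments."""
    def c2s(flags: int, n: int = 0) -> Segment:
        return Segment(client, server, flags, n)

    def s2c(flags: int, n: int = 0) -> Segment:
        return Segment(server, client, flags, n)

    return [
        c2s(TCP_SYN),                  # no ACK bit yet: first queue
        s2c(TCP_SYN | TCP_ACK),        # ACK bit, no payload: ack queue
        c2s(TCP_ACK),
        c2s(TCP_ACK | TCP_PSH, 180),   # the GET request: first queue
        s2c(TCP_ACK, 1448),            # response data carries the ACK bit
        s2c(TCP_ACK, 1448),            # but has a payload: first queue
        s2c(TCP_ACK | TCP_PSH, 900),
        c2s(TCP_ACK),                  # client's pure ACKs: ack queue
        c2s(TCP_ACK),
        s2c(TCP_FIN | TCP_ACK),        # teardown, no payload: ack queue
        c2s(TCP_FIN | TCP_ACK),
        s2c(TCP_ACK),
    ]


def bytes_per_queue(segments: list[Segment], queue: str, ackqueue: str) -> dict[str, int]:
    """Total wire bytes (header + payload) that land in each of the two queues."""
    totals = {queue: 0, ackqueue: 0}
    for seg in segments:
        totals[select_queue(seg, queue, ackqueue)] += HEADER_LEN + seg.payload_len
    return totals


if __name__ == "__main__":
    flow = http_download_flow()
    for seg in flow:
        direction = "LAN->WAN" if seg.src.startswith("192.168.") else "WAN->LAN"
        print(f"{direction}  flags=0x{seg.flags:02x} len={seg.payload_len:4d}  -> "
              f"{select_queue(seg, 'qOthersDefault', 'qACK')}")
    print(bytes_per_queue(flow, "qOthersDefault", "qACK"))
    # Same traffic with the two names given in the opposite order: the
    # download's data now lands in the first-named queue, qACK.
    print(bytes_per_queue(flow, "qACK", "qOthersDefault"))
```

Run stand-alone, the first total shows the response data (the bulk of the bytes) in qOthersDefault and only the empty acknowledgements and handshake/teardown segments in qACK, in both directions. The second total shows what happens when the two queue names are supplied in the wrong order: the data goes to whichever queue is named first, so a queue called qACK filling up with download traffic is consistent with the two queues being swapped on the rule, rather than with pf treating qACK as a direction.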



  • Hm, yes but that shouldn't happen. In that case "my" ack responses should end up in the ack queue.. it's really confusing



  • @mxx:

    it's really confusing

    I think we can all agree on that. I'm loving 2.0, but me+shaper=broken for now.



  • :D
    can't take long and we get answers ;)



  • @biatche:

    dusan, so, let me get this right..

    to get shaping right in 2.0, firewall rules and shaping are corelated? for each fw rule i make, i need to specify the appropriate queues, and in fact, i saw an option "ackqueue/queue"

    Yes and no. In 2.0 routing and shaping are both specified by firewall rules. But generally they are not specified by the same rules. For example, let's have a single local network interface (LAN) and several Internet interfaces (WANx). Local users surf the Web via a routing rule in the LAN tab and via shaping rules in the WANx tabs – or, better, a single shaping rule in the Floating tab.

    @biatche:

    dusan mind giving a mini guide on how you setup your shaping? will help a lot. I know you're one of the more advanced users here. thanks!

    I think clarknova did it.

    Also there is Ermal's explanation, in case you've not read it:
    http://forum.pfsense.org/index.php/topic,24773.msg129341.html#msg129341

    The traffic shaper in the default settings works pretty well.

    And also, here are my settings, which work well for several 10 Mbps symmetric optical fibre (very low latency) links:
    qACK = qP2P = 5%
    qOthersLow = 10%
    qOthersDefault = qOthersHigh = qGames = qVoIP = 20%

    I'm using it in a production environment, an enterprise with a neutral service policy, i.e. not prioritizing anything over anything, just maximizing bandwidth utilization.

    Edit – qOthersDefault is used only for HTTP. The actual default queue is qP2P.



  • The moral of the story then being that if you want your outbound ack packets to match a firewall ackqueue, then you need to make a floating rule that will match packets coming in on the WAN. For example, for an http download, make a floating rule that will match packets from source TCP/80 and ackqueue/queue to ackhttp/http or something like that.

    Now, if I could just figure out how to set up my queues…

