Traffic shaper changes [90% completed, please send money to complete bounty]
-
Entering hex values to convert TOS to diffserv: please file this under unnatural :)
I remember the diffserv options used to be listed out like TCP Flag radio buttons were:
Low Delay: yes no don't care
Reliability: yes no don't care
I googled for the hex value equivalent of low-delay TOS … I can't find a specific value, and I don't have time to become an expert on diffserv. Where did the radio button go? Or do I remember it from m0n0? But for now, can you give me a value that will work for VoIP? Pretty Please? Plus, I would really love the list of rules the wizard puts out so I can get a config running by this afternoon.
Aaron
TOS is not DiffServ. Please consult Wikipedia if unsure about this and what the difference is between TOS and DiffServ. For TOS you could have these radio buttons, but DiffServ is different. You also can only use one or the other, as both techniques use the same bits in the IP header.
http://en.wikipedia.org/wiki/Type_of_Service
http://en.wikipedia.org/wiki/Differentiated_services
m0n0 only supports TOS, but DiffServ is superior as it allows more levels of control.
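The point that TOS and DiffServ share the same byte of the IPv4 header is easier to see when the same byte is decoded both ways. The following is an added example, not code from the thread or from pfSense: it reads one byte as the legacy RFC 791/1349 Type of Service field (3-bit precedence plus the D/T/R/C flag bits) and as the RFC 2474 DS field (6-bit DSCP plus 2-bit ECN). The sample values (0xB8, the byte carrying DSCP 46 "EF", and 0x10, the legacy "low delay" bit) are constructed for the demonstration.

```python
# Added example: decode the IPv4 "TOS" byte under both interpretations, since the
# legacy TOS flags and the DiffServ code point occupy the same eight bits and a
# device can only honour one interpretation at a time.

# Legacy RFC 1349 flag bits (bits 3..6 of the byte, counting from the MSB).
TOS_FLAGS = {
    0x10: "low_delay",
    0x08: "high_throughput",
    0x04: "high_reliability",
    0x02: "low_cost",
}


def _check_byte(byte: int) -> None:
    if not 0 <= byte <= 0xFF:
        raise ValueError("TOS/DS field is a single byte (0..255)")


def decode_tos(byte: int) -> dict:
    """Legacy view: top three bits are IP precedence, then the D/T/R/C flags."""
    _check_byte(byte)
    return {
        "precedence": byte >> 5,
        "flags": sorted(name for bit, name in TOS_FLAGS.items() if byte & bit),
    }


def decode_diffserv(byte: int) -> dict:
    """DiffServ view: top six bits are the DSCP, bottom two bits are ECN."""
    _check_byte(byte)
    return {"dscp": byte >> 2, "ecn": byte & 0x03}


def dscp_to_byte(dscp: int, ecn: int = 0) -> int:
    """Build the on-the-wire byte from a DSCP (0..63) and ECN (0..3) value."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def both_views(byte: int) -> tuple:
    """Return (legacy TOS decoding, DiffServ decoding) for the same byte."""
    return decode_tos(byte), decode_diffserv(byte)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    EF_BYTE = dscp_to_byte(46)   # DSCP 46 (EF) with ECN 0 -> 0xB8
    LOW_DELAY_TOS = 0x10         # legacy "low delay" flag, precedence 0
    for b in (EF_BYTE, LOW_DELAY_TOS):
        tos, ds = both_views(b)
        print(f"0x{b:02X}: TOS view {tos}  DiffServ view {ds}")
```

Running it shows that the EF byte looks like "precedence 5, low delay, high throughput" to a TOS-only device, while the legacy low-delay byte 0x10 decodes to DSCP 4, which is not a standard per-hop behaviour. That is the practical reason a rule has to pick one interpretation: the bits overlap, but the meanings do not line up.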
-
> TOS is not DiffServ. Please consult Wikipedia if unsure about this and what the difference is between TOS and DiffServ. For TOS you could have these radio buttons, but DiffServ is different. You also can only use one or the other, as both techniques use the same bits in the IP header.
> http://en.wikipedia.org/wiki/Type_of_Service
> http://en.wikipedia.org/wiki/Differentiated_services
> m0n0 only supports TOS, but DiffServ is superior as it allows more levels of control.
Thanks for the clarification. I'll take a look at that. Ermal told me to use Diffserv when I asked about TOS. "You have a box labeled DSCP(diffserv codepoint) and you do not need TOS for that if you have DSCP."
The question remains: WHERE and HOW do I set the rule that will identify my VoIP traffic? I can't find the option for generic Low-Delay TOS and I don't know the DiffServ value. If I need to enter a DiffServ value, what hex value do I use? I can't run the shaper wizard or it will destroy my queue sets, and I need to set manual rules anyway. I don't really want to use IP or MAC to identify traffic, but I guess I can in the immediate term.
This is why I have asked a couple times for the detailed list of rules the wizard generates ;) I can use them as a template. I know just enough to be dangerous ;) I know high level stuff, and even some low level things. But I do not possess the knowledge for getting into bit level details of diffserv and stuff like that.
I just need to create rules to ident traffic… something like this:
High Priority flag: dest 80, 443, 53, 5100, 22, etc
VoIP: low-Delay TOS (or equivalent diffserv) .. or I may have to list individual IPs
catchall (Not sure how to create this one???)
Then rules for each /16 subnet to put the ident flags in the appropriate ack & queue for that subnet.
If this does not sound correct, please let me know.
Thanks for your help!
Aaron
-
Here is a trick.
Keep your QUEUE config in opt1 interface.
Run the wizard and select only one connection (either multi-WAN or multi-LAN), follow the wizard and it will create the queues and rules.
After finishing the wizard and having the rules ready to modify you can then go to Firewall->Traffic shaper->By queues view.
Select the opt1 interface from the list and select "copy/clone queues" over the LAN interface and then WAN if you want the same there too.
Now just follow the rules on the floating tab and modify those at your will.
That should keep your config and give you a template of rules.
Is this ok for you?
I cannot give you the template since it is generated in code and they are not hardcoded rules.
-
@ermal:
> Here is a trick.
> Is this ok for you?
> I cannot give you the template since it is generated in code and they are not hardcoded rules.
That sounds like a good trick! I just ran it like that, but got this error on the last screen that has the "finish" button.
```
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41
Warning: Invalid argument supplied for foreach() in /etc/inc/shaper.inc on line 41
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/shaper.inc:41) in /usr/local/www/wizards/traffic_shaper_wizard.inc on line 535
```
D'oh! The end result is this error and these queues (the rules generated, but with only 2 queues)
```
php: : New alert found: There were error(s) loading the rules: pfctl: should have one default queue on vr1 pfctl: errors in altq config The line in question reads [ should have one default queue on vr1 pfctl]:
```
Since my queues are destroyed now anyway (I did copy them to OPT1..?? But I think I ran the wrong wizard) I'll start over fresh one more time. *crosses fingers*
Aaron
![after shaper wizard.jpg](/public/imported_attachments/1/after shaper wizard.jpg)
-
Could you tell me which options you chose during the wizard, and which wizard you ran?
-
I believe I ran:
Single LAN multi WAN (traffic_shaper_wizard.xml)
1 "connection" (again, is this referring to LAN or WAN connections?)
LAN: HFSC
WAN: HFSC, 4mb upload, 16mb download
voip, generic low delay, 512/512
penalize IP: 10.0.0.244, 20% (dummy address just to get the rules for templates)
p2P check, catchall check, 20%
no gaming options
Other network protocols: defaults except I set Higher on: VNC, ARD, PPTP, IPSEC, HTTP, DNS, ICMP
I just ran the wizard again without error. The difference this time is that I REMOVED the SHAPER before running the wizard. Perhaps it was having a problem with the existing queues in the config? I dunno.
Aaron
-
When you choose the multiple WAN wizards it refers to internet connections.
For multi LAN wizards it refers to the number of internal networks, i.e. the number of local interfaces that will be connected to local networks.
-
@ermal:
> When you choose the multiple WAN wizards it refers to internet connections.
> For multi LAN wizards it refers to the number of internal networks, i.e. the number of local interfaces that will be connected to local networks.
I know that after multiple runs through the wizard, but my point is that it's not obvious. Some wizard(s) do specify Local and WAN, some just say number of connections.
Anyway, more bug time! ::)
1. The rules page loads VERY slowly and often fails to complete loading. Attaching a couple of screen caps. Almost every time I have to refresh the list to get a full populate. Mostly on the floating rules, but WAN is having the same issue. I am guessing this is an issue outside of the shaper?
2. Rules created by the wizard
-
First thing I noticed is my VoIP goes to my P2P catch-all queue. The VoIP rule seems to have UDP as the only identifying portion of the rule? Where are the TOS/DiffServ flags? This used to work flawlessly in 1.2RC4.
-
Do we still need to delete the default LAN rule and create one on the float tab?
-
Do we still need to disable the anti-lockout rule?
3. Floating rules interface:
I like the concept of tagging a LOT. But, I think that mixing the queues in with the firewall rules is confusing. Maybe I'm just not knowledgeable enough, but I am paranoid of the interaction of creating Pass rules in the firewall to use the shaper queues. I just reloaded 1.2 Release and making shaper rules with targets, TOS & TCP flags just seems a lot more intuitive. Plus, it idents my VoIP correctly.
I have decided that I am going to use 1.2 Release for the time being. I'll get out of your hair, let you work.
Please, Please, Pretty please… test everything and polish things up before releasing this again. Walk through what a user would do in a few scenarios. Forget your intimate knowledge of what you created, and try to go through it like you have never seen it. Of course test with real traffic to make sure rules are matching (I think absolutely everything is ending up in the catch-all queue for me right now! I didn't check the lockout rule though.) Read each label and try to config using only the directions on the screen. You will see what I mean.
I look forward to a 1.3 beta where others have tested the shaper and things are working much better.
I'll keep an eye on this thread. Please feel free to ping me if you would like me to do some testing or get some feedback.
Regards,
Aaron
EDIT: I am still committed to writing a HowTo.. But I'd like things to be in more final form before I prepare it.
-
How much do I need to contribute to get a 1.2 package for this? I can't send much immediately but I could send $50 immediately if it means I can:
1.5mb T1 connection
a) Limit DMZ upload/download to/from WAN to 512kb/sec
b) Not limit DMZ upload/download to/from LAN
Is this possible / is $50 enough to get access to the 1.2 packages?
-
Hi,
I know that maybe I wasn't supposed to do that, but I've downloaded the last update image from the location ermal gave me the last time, named
pfSense-Full-Update-1.2-RELEASE-20080402-1748.tgz
Do not use it!! The kernel doesn't load on my machine after the update, I will try to figure out how to fix that…
albe
-
k3rmit is this an embedded update?!
Since others have reported to upgrade just fine!
-
Sorry to have so little time to follow this thread ermal, I still owe you an answer regarding a shaper error… which is: I managed to disable it, reset the configuration and reconfig again correctly. I suppose something got weird with the first shaper setup, which subsequently created an interpretation error with the update.
To answer your last question, no, it is not embedded, and thanks for the new link you sent me, I will have a look at it tomorrow morning (it's midnight here).
cheers
albe
-
Well, I haven't been around for some time and if I look at the postings during my absence it looks like not many people are having problems setting up and configuring the new shaper.
Sorry, but I do have some difficulties getting it working.
The latest available update (20080409-1911) does not have the new shaper, or at least the wizard looked like the old one.
So I downloaded 20080402-1748 and applied it to a fresh 1.2-RELEASE installation (downgrading from 20080409-1911 did not work).
Once finished the basic configuration I moved the "Default LAN rule" to the floating tab and disabled the webGUI anti-lockout rule.
To keep it simple the load-balancing pools have been created but no rules to use them have been created.
Only the floating tab is having one rule.
So far everything good, I still could access the webGUI and the clients could access the internet.
Now I walked through the single LAN Multi WAN Wizard:
numberofconnections: 3
Put in the values of my ADSL connections (still don't know if I should subtract the PPPoE overhead? But guess, yes!) and select HFSC scheduler.
Enable Prioritize Voice over IP traffic.
No Penalize IP or Alias.
No Lower priority of Peer-to-Peer traffic (At a later stage I do want this but for now I want it as simple as possible).
No Prioritize network gaming traffic.
Yes Other networking protocols, set HTTP and MSN to higher priority and SMTP, POP3, IMAP and Lotus Notes to Lower priority.
Finish.
The following rules at the floating tab have been created:

| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| UDP | * | * | * | * | * | qVoIP | | DiffServ/Lowdelay/Upload |
| TCP | * | * | * | 1863 | * | qACK/qOthersHigh | | m_Other MSN1 outbound |
| TCP | * | * | * | 6891 - 6900 | * | qACK/qOthersHigh | | m_Other MSN2 outbound |
| TCP | * | * | * | 6901 | * | qACK/qOthersHigh | | m_Other MSN3 outbound |
| UDP | * | * | * | 6901 | * | qOthersHigh | | m_Other MSN4 outbound |
| TCP | * | * | * | 80 (HTTP) | * | qACK/qOthersHigh | | m_Other HTTP outbound |
| TCP | * | * | * | 443 (HTTPS) | * | qACK/qOthersHigh | | m_Other HTTPS outbound |
| TCP | * | * | * | 25 (SMTP) | * | qACK/qOthersLow | | m_Other SMTP outbound |
| TCP | * | * | * | 110 (POP3) | * | qACK/qOthersLow | | m_Other POP3 outbound |
| TCP | * | * | * | 143 (IMAP) | * | qACK/qOthersLow | | m_Other IMAP outbound |
| TCP | * | * | * | 1352 | * | qACK/qOthersLow | | m_Other LotusNotes1 outbound |
| UDP | * | * | * | 1352 | * | qOthersLow | | m_Other LotusNotes2 outbound |
| * | LAN net | * | * | * | * | none | | |
I would expect that HTTP traffic would go into qOthersHigh and receiving an email (8MB attachment) with Thunderbird into qOthersLow.
OK, the outgoing port is set to 587 because port 25 is blocked here, but the incoming is default on port 110.
But it does not, everything goes into qDefault (WAN and LAN).
Do I need to configure something else?
Cheers
-
Hi guys,
Happy to pledge 50$ to get openvpn tunnels working with the Shaper.. Is this possible? Will it be implemented?
Regards,
-
> Well, I haven't been around for some time and if I look at the postings during my absence it looks like not many people are having problems setting up and configuring the new shaper.
> Sorry, but I do have some difficulties getting it working.
> The latest available update (20080409-1911) does not have the new shaper, or at least the wizard looked like the old one.
> So I downloaded 20080402-1748 and applied it to a fresh 1.2-RELEASE installation (downgrading from 20080409-1911 did not work).
> Once finished the basic configuration I moved the "Default LAN rule" to the floating tab and disabled the webGUI anti-lockout rule.
> To keep it simple the load-balancing pools have been created but no rules to use them have been created.
> Only the floating tab is having one rule.
> So far everything good, I still could access the webGUI and the clients could access the internet.
> Now I walked through the single LAN Multi WAN Wizard:
> numberofconnections: 3
> Put in the values of my ADSL connections (still don't know if I should subtract the PPPoE overhead? But guess, yes!) and select HFSC scheduler.
> Enable Prioritize Voice over IP traffic.
> No Penalize IP or Alias.
> No Lower priority of Peer-to-Peer traffic (At a later stage I do want this but for now I want it as simple as possible).
> No Prioritize network gaming traffic.
> Yes Other networking protocols, set HTTP and MSN to higher priority and SMTP, POP3, IMAP and Lotus Notes to Lower priority.
> Finish.
> The following rules at the floating tab have been created:
>
> | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
> |---|---|---|---|---|---|---|---|---|
> | UDP | * | * | * | * | * | qVoIP | | DiffServ/Lowdelay/Upload |
> | TCP | * | * | * | 1863 | * | qACK/qOthersHigh | | m_Other MSN1 outbound |
> | TCP | * | * | * | 6891 - 6900 | * | qACK/qOthersHigh | | m_Other MSN2 outbound |
> | TCP | * | * | * | 6901 | * | qACK/qOthersHigh | | m_Other MSN3 outbound |
> | UDP | * | * | * | 6901 | * | qOthersHigh | | m_Other MSN4 outbound |
> | TCP | * | * | * | 80 (HTTP) | * | qACK/qOthersHigh | | m_Other HTTP outbound |
> | TCP | * | * | * | 443 (HTTPS) | * | qACK/qOthersHigh | | m_Other HTTPS outbound |
> | TCP | * | * | * | 25 (SMTP) | * | qACK/qOthersLow | | m_Other SMTP outbound |
> | TCP | * | * | * | 110 (POP3) | * | qACK/qOthersLow | | m_Other POP3 outbound |
> | TCP | * | * | * | 143 (IMAP) | * | qACK/qOthersLow | | m_Other IMAP outbound |
> | TCP | * | * | * | 1352 | * | qACK/qOthersLow | | m_Other LotusNotes1 outbound |
> | UDP | * | * | * | 1352 | * | qOthersLow | | m_Other LotusNotes2 outbound |
> | * | LAN net | * | * | * | * | none | | |
>
> I would expect that HTTP traffic would go into qOthersHigh and receiving an email (8MB attachment) with Thunderbird into qOthersLow.
> OK, the outgoing port is set to 587 because port 25 is blocked here, but the incoming is default on port 110.
> But it does not, everything goes into qDefault (WAN and LAN).
> Do I need to configure something else?
> Cheers
Did you remove the quick from the Default LAN rule?!
Please send your rules.debug to me privately to give you a more complete answer.
Go to Diagnostics->Edit file, in the textbox enter /tmp/rules.debug and send that output.
Ermal
-
Yes, quick is not selected.
My rules.debug should have arrived.
-
Just an update for all those interested before I get into the next issue.
Finally, we managed to get the queues correctly utilized.
It looked like all the rules were correctly created, but in /tmp/rules.debug Ermal found that no queues were assigned to the rules.
So I started (trial and error) to get the queues assigned.
First I disabled all rules using the toggle button in front of each rule and applied the changes.
Then I started enabling the first rule using the toggle button and applied the changes... checking rules.debug... same as before.
But when I opened the same rule and changed the queue to some other... press save and apply... checking rules.debug... yep, queue assigned.
Ok, changing back to the correct queue and now the correct queue was assigned in rules.debug, gooood!
The rest of the rules I just opened and removed the disabled flag and applied one by one.
Now the traffic shaper is working with single WAN, let's get to the next level - load balancing.
I do not remember if it was mentioned in this thread before but I'm not sure how to get my traffic balanced over my three connection.
Yes, I have it working with 1.01, 1.2 betas and RCs but it seems to be different with the new shaper.
As soon as I create the LB rule on the LAN tab I'm out (yes, anti-lockout rule disabled).
Well, after enabling the anti-lockout rule I'm back in and it seems to work.
Two parallel http downloads were using two different connections.
For me it looks like that with my current setup the anti lockout-rule is not an issue.
Maybe later when I try to catch all P2P, which is the major reason for me to do traffic shaping?
But why did I get locked out?
This is how the new rule looks in rules.debug:
```
pass in quick on $lan route-to { ( vlan1 192.168.20.254 ) , ( vlan2 192.168.30.254 ) , ( vlan2 192.168.30.254 ) } round-robin from 192.168.100.0/24 to any keep state label "USER_RULE"
```
Pass in quick! That was the first thing Ermal asked. But on the LAN tab it does not appear in the rule properties.
So I cannot enable/disable it.
Any idea?
Cheers
Btw.
Where are all the success stories?
I believe it would help a lot if more people could post a brief description how they did and what pitfalls they run into! And even more important, how to get around or avoid!
Not only would others benefit, but it would also free up Ermal's back.
-
So now it is working?!
Anyway, you get locked out since the route-to rule catches your request and it gets sent out of the firewall and not to the server running on the pfSense machine. So it seems that you need to keep that anti-lockout rule.
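The lockout Ermal describes comes from pf's rule ordering: a `pass in quick ... route-to` rule matched on the LAN interface wins immediately, so a packet from a LAN client to the firewall's own LAN address is forwarded to a WAN gateway instead of being delivered to the web GUI. The following is an added example, not code from the thread or from pfSense: a small Python model of pf's first-match-with-`quick` evaluation, run over the load-balancing rule quoted above and an anti-lockout rule placed before it. The firewall LAN address (192.168.100.1), the client address and the Internet address are assumptions chosen to fit the 192.168.100.0/24 network in the quoted rule.

```python
# Added example: model pf rule evaluation (last match wins, except a matching
# "quick" rule ends evaluation at once) to show why a LAN route-to rule with
# quick needs a rule for traffic to the firewall itself ahead of it.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    src: str                                  # "any" or a CIDR network
    dst: str                                  # "any" or a CIDR network/host
    quick: bool = True
    route_to: list = field(default_factory=list)  # gateways; empty = normal delivery
    label: str = ""

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return in_net(src_ip, self.src) and in_net(dst_ip, self.dst)


def evaluate(rules: list, src_ip: str, dst_ip: str):
    """Return the rule that decides this packet under pf semantics, or None."""
    winner = None
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            winner = rule
            if rule.quick:          # quick: stop at the first matching quick rule
                break
    return winner


def delivery(rules: list, src_ip: str, dst_ip: str) -> str:
    """Describe where the packet ends up: routed to a gateway, delivered
    normally (which includes services on the firewall), or unmatched."""
    rule = evaluate(rules, src_ip, dst_ip)
    if rule is None:
        return "no rule matched"
    if rule.route_to:
        return "route-to " + ",".join(rule.route_to)
    return "normal delivery"


# Assumed addressing for the example (the /24 comes from the quoted rule).
LAN_NET = "192.168.100.0/24"
FIREWALL_LAN_IP = "192.168.100.1"          # assumption: pfSense LAN address
GATEWAYS = ["192.168.20.254", "192.168.30.254"]  # from the quoted route-to rule

# The load-balancing rule: pass in quick on $lan route-to {...} from LAN net to any.
LB_RULE = Rule(src=LAN_NET, dst="any", quick=True, route_to=GATEWAYS, label="USER_RULE")
# An anti-lockout style rule: anything destined to the firewall's own LAN address.
ANTI_LOCKOUT = Rule(src="any", dst=FIREWALL_LAN_IP + "/32", quick=True, label="anti-lockout")


def lockout_demo() -> dict:
    """Compare rule sets for a client reaching the web GUI and the Internet."""
    client, internet = "192.168.100.10", "198.51.100.7"   # constructed sample hosts
    return {
        "gui, route-to only": delivery([LB_RULE], client, FIREWALL_LAN_IP),
        "gui, anti-lockout first": delivery([ANTI_LOCKOUT, LB_RULE], client, FIREWALL_LAN_IP),
        "gui, anti-lockout after": delivery([LB_RULE, ANTI_LOCKOUT], client, FIREWALL_LAN_IP),
        "internet, anti-lockout first": delivery([ANTI_LOCKOUT, LB_RULE], client, internet),
    }


if __name__ == "__main__":
    for case, outcome in lockout_demo().items():
        print(f"{case:30s} -> {outcome}")
```

The third case is the one to watch: with `quick` on the route-to rule, placing the anti-lockout rule after it does nothing, because evaluation has already stopped. Whatever rule protects access to the firewall itself has to sit above the route-to rule, which is what keeping pfSense's anti-lockout rule enabled achieves.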
-
Yes, it is working now.
Thank you very much for your support.
Now I have to re-read what you said about load-balancing, squid and traffic shaper.
Cheers
-
I have a simple question: how does this differ from the normal traffic shaper?
Which one would suit me better?
We host websites on port 80 and 443. I want to set the http/mail/ssh to be priority traffic in and out, mostly out, for one network, and low priority traffic for another network no matter what it is.