Traffic shaper changes [90% completed, please send money to complete bounty]
-
I have a simple question how does this differ to the normal traffic shapper ?
which one would suite me better.
we host websites on port 80 and 443 , i want to set the http/mail/ssh to be priority traffic in and out, mostly out for one netwrok and low proiroty traffic for another network no matter what it is
-
Just out of curiosity, how much was the total bounty, and how much of the bounty is still outstanding?
I'm just looking for a dollar amount, not a list of shame.
-
Ciao everybody,
had a chance to install the latest iso (the firmware update wasn't updating at all) and everything is working nicer now, with floating rules created automatically by the wizard according to definitions.
Still, i'd like to report a couple of bugs:
1. multi lan single wan wizard at the last passage is like
![](http://wizard 1.jpg)
and then
![](http://wizard 2.jpg)
2. the rules creation after the wizard reports the following errors:
php: : There were error(s) loading the rules: pfctl: should have one default queue on em0 pfctl: should have one default queue on bfe0 pfctl: should have one default queue on rl0 pfctl: errors in altq config - The line in question reads [ should have one default queue on em0 pfctl]:
php: : New alert found: There were error(s) loading the rules: pfctl: should have one default queue on em0 pfctl: should have one default queue on bfe0 pfctl: should have one default queue on rl0 pfctl: errors in altq config The line in question reads [ should have one default queue on em0 pfctl]:didn't have the chance to test rules effectiveness, will let you know as soon as i have the occasion (=continuous non interrupted time :-)
cheers
albe
![wizard 1.jpg](/public/imported_attachments/1/wizard 1.jpg)
![wizard 1.jpg_thumb](/public/imported_attachments/1/wizard 1.jpg_thumb)
![wizard 2.jpg](/public/imported_attachments/1/wizard 2.jpg)
![wizard 2.jpg_thumb](/public/imported_attachments/1/wizard 2.jpg_thumb) -
Hi again,
i'm testing the shaper now and must say that besides minor glitches it is working quite fine.
First, the above reported bug is one in the wizard, because i didn't fill the p2p shaping percentage text filed, it didn't check that while clicking Next, went on and BAM, error in the end: i specified that now, so it is creating queues and floating rules correctly.
I'd like to ask something though:
1. I can't reproduce the exact procedure to get there, but somehow, while creating additional queues and assigning them to additional floating rules, it lost all floating rules.
2. The order of rules application on traffic seems to be interface rules and then floating rules: in a case such as mine, one has lots of rules created for each interface, considering floating rules didn't exists for pfsense in the past and it was the only way to regulate traffic, therefore those rules will all use the qDefault queue and will override all those nice floating rules created by the wizard, making them useless, unless you assign to each and every interface rule the corresponding queue. Can the rules application order be reversed?
3. i assigned 4130Kb to the WAN interface, 1Mb to the VOIP queue, and the results of the wizard queue creation are:
qAck: 19.846% band, ls m1 0b, ls d 500, ls m2 19.846%
qDefault: 9.923% band
qVoIP: 32Kb, rt m1 0b, rt d 10, rt m2 1Mb
qOthersHigh: 9.923% band, ls m1 0b, ls d 200, ls m2 9.923%
qOthersLow: 4.9615% band, ls 4.9615%, ls d 200, ls m2 4.9615%same thing for all siblings on other interfaces. Question is: the total amount of bandwidth from these rules doesn't match the one assigned to the WAN interface, why?
On the side note, i'd like to point out that the queue definition interface works well, but limits for values should be checked at entry or submission time, not at changes application, or you will get strange errors which are not always easy to debug. (i.e. bandwidth overallocation for subqueues).
Hope i explained myself well enough..
Thanks
albe
-
Correction at point 1: the f*#@ing pfsync was configured and the conf was overwritten from the first machine. sorry for that.
Correction at point 3: i did assign 1 Mb to VOIP in the wizard.
Finally: i'm struggling to make the catch all queue from LAN to DMZ and viceversa woro, to no avail. communications are always crawling… like 200bps... what's wrong? I double checked everything, i'm monitoring via pftop that the traffic is falling in the right queues, but nothing... even with 80Mb set in the queue and 100Mbit in the interface, the traffic is always crawling. Specifically i'm trying to copy a file from DMZ to LAN: all rules interestd in this have been assigned the right queues. I even created a dedicated ACK queue for such traffic, but it didn't change anything...
any clue?
thanks.
-
Can you please send me your rules.debug to ermal at pfsense.org just to check the order of the evaluation or it might be that the rules produced by the wizard are without the quick keyword and you can edit the floating rules to be terminating but that will mostly break the policy.
I am sorry there is no easy fix to such a thing since there is no easy way to update the existing policy to conform to the new shaper :(.For the DMZ - LAN problem i would suggest trying living the queue policy in effect only for the internet connections ie on the Traffic shaper config delete the queue policy for LAN and DMZ and see if it suits you with shaping only on outbound. Usually it would suffice since the other part is throtled by the ISP and packets will be driven by the outgoing policy.
If you need a more specific answer please give me some more detailed specification even in private if you wish.
-
Guys,
How can i have access to the image with the multi nic shapper?
Thank You!
Duarte Santos
-
If you donate xxx$ to it you'll get access.
Please read every reply in this topic before asking any additional questions.
-
multi lan in 1 WAN is very interesting.i hope you can develop per ip bandwidth limiting.thats what everybodys newbie waiting i think.
-
Well expect surprises fro 1.3 or give it a thought/contribution for 1.2 :P.
-
Good Day to all!
Our small company needs a firewall with the following features. Does pfSense support the following requirements? We are willing to donate if it can fulfill the needs stated below.
1. Support Dual WAN
2. Traffic Shaper for Dual WAN ( distribute bandwidth equally for every workstation that uses the internet ) <–- i think this is the bounty?
3. Web Proxy
4. SambaHope somebody can give me some info. Thanks and more power!
Chris
-
The current implementation that is ported to 1.2 that the bounty covered offers this through CBQ and with intimate knowledge with HFSC.
Actually 1.3 would be the release which will really be my recommendation for this.
AFAIK you can sponsor it somemore to get the 1.3 improvements to 1.2.
Ermal
-
I just sent $100 to paypal@chrisbuechler.com. I just started using pfsense last week and 1.3 would be a great help!
My paypal address used was billing@alumnipropertygroup.com
Thanks!
Tom -
Just upgraded and WOW, this new shaper is AWESOME!! Just what I needed!!
-
-
Hello I have donated $25 to paypal@chrisbuechler.com. Hope this little donation can bring more innovations! :) How can test this features? Thanks in advance and more power!
Chris
-
For all of you that are running the new shaper with multiple interfaces there is a bug that will prevent it from working correctly.
Please see http://cvstrac.pfsense.org/chngview?cn=23485 and make the change manually for now until a new update is released to you.@ccfiel
read your private messages. -
I have tried the new filter.inc. but there is an error when loading pfsense. Fatal error: Call to undefined function: get_configured_interface_with_descr() in /etc/inc/filter.inc on line 431. any ideas? :)
Chris
-
Just change the lines i have sent in the link above.
What you have done is taking the filter.inc from RELENG_1(aka 1.3), DO NOT DO THAT.
RELENG_1 is way changed from RELENG_1_2.Ermal
-
hello ermal , oh i see. I just want to make sure if what i did is correct. this is what i have in line 2170. so i have to delete this 4 lines?
let out anything from the firewall host itself and decrypted IPsec traffic
pass out on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out on $wan proto icmp keep state label "let out anything from firewall host itself"
pass out on $wanif all keep state label "let out anything from firewall host itself"and add this 3 lines ?
let out anything from the firewall host itself and decrypted IPsec traffic
pass out on {$oc['if']} proto icmp keep state label "let out anything from firewall host itself"
pass out on {$oc['if']} all keep state label "let out anything from firewall host itself"is this correct?
Chris