Shaper increases ping



  • Hi guys,
    I need help.

    I'm struggling with my shaper. I'm using 1.2.2 on a Soekris board. It seems that my shaper (HFSC) is causing lag.
    As soon as I switch it on, the ping between my modem and pfSense (sitting directly after the modem) skyrockets (attachment). Whenever there is no traffic or very little, the ping stays at an acceptable level. And yes, I have ICMP packets assigned high priority.
    If I switch my shaper off, it's stable below 1 ms; however, I'm not utilizing more than 1 Mb/s of my download speed (0.5 Mb/s up, 6 Mb/s down connection).

    I have read a lot about HFSC and I really doubt I made mistakes with the configuration, but I attached a screenshot of my config just in case.

    So, summarizing, I have 2 basic choices with my box: sacrificing delay for full utilization of my bandwidth, or going with low pings but awful bandwidth.
    ![modem (ping).jpg](/public/imported_attachments/1/modem (ping).jpg)
    ![shaper configuration.jpg](/public/imported_attachments/1/shaper configuration.jpg)



  • The default queues get only 1% bandwidth. Everything there would look horrible.



  • Yes, because usually when people are using torrents with nonstandard ports their traffic would be classified as default. So I configured the default queues similarly to the p2p queues to filter them anyway. Other important traffic has its place in qothersH, qVOIP, qGames. These are the types of traffic most important for me to prioritize. ICMP belongs to qOthersH, which has its fair share of bandwidth, so I don't understand why the delay with the modem happens when I do a ping test.

    Additionally, my VoIP programs seem to work fine since I set them up in the shaper. No chopped voice (very clear) and the delay seems to be fine. I didn't test it much, but TeamSpeak or Skype seem to work just fine. I set the rules for the games as well, but they have a horrendous delay once I have some other traffic running (usually torrents), while VoIP seems to be unaffected.

    So the assigned bandwidth for prioritized traffic seems to work fine, but the priority of packets is not really working correctly. I just need more testing with VoIP to be sure the delay is not affected there when torrents are running.

    Thx for any replies!



  • I don't know what exactly causes the lag but I have some notes that I think may be relevant.

    – Don't rely on priority. Priority is used only when the HFSC scheduling algorithm cannot otherwise decide between two (or more) packets, i.e. when they both have the same timing parameters such as virtual time, deadline etc. Such otherwise-undecidable cases are very rare.

    – Check that every major bandwidth-consuming traffic (HTTP, for example) is assigned a different queue than that of ICMP. If this is not the case, try to assign ICMP to some other queue with decent link share, for example, qVoIPup.

    – Check that the target you're concerned about, i.e. 192.168.1.1, is covered by the relevant shaping rule, i.e. ICMP outbound LAN->WAN rule.

    – Double check that the specific ICMP packets you're concerned about (i.e. ping to 192.168.1.1) get to the right queue. The pftop label view (view 6) is the right diag tool. The diag_resetstates.php page is the right fix tool. I don't know how it is with 1.2.3 but in 2.0, ICMP usually gets to the wrong queue on every system reboot or link state change until the state table is completely reset.



  • – Don't rely on priority. Priority is used only when the HFSC scheduling algorithm cannot otherwise decide between two (or more) packets, i.e. when they both have the same timing parameters such as virtual time, deadline etc. Such otherwise-undecidable cases are very rare.

    – Check that every major bandwidth-consuming traffic (HTTP, for example) is assigned a different queue than that of ICMP. If this is not the case, try to assign ICMP to some other queue with decent link share, for example, qVoIPup.

    This is done.
    Assigning ICMP to voip queue did not affect pings. No visible change…

    – Check that the target you're concerned about, i.e. 192.168.1.1, is covered by the relevant shaping rule, i.e. ICMP outbound LAN->WAN rule.

    Is it the kinda rule like in the first attachment that you mean?

    – Double check that the specific ICMP packets you're concerned about (i.e. ping to 192.168.1.1) get to the right queue. The pftop label view (view 6) is the right diag tool. The diag_resetstates.php page is the right fix tool. I don't know how it is with 1.2.3 but in 2.0, ICMP usually gets to the wrong queue on every system reboot or link state change until the state table is completely reset.

    I kinda know what you mean but don't know where to find "pftop label view (view 6)". I'm really a beginner with pfsense, mostly concerned with traffic shaping.  :-[

    I also attached the screen of my ICMP outbound rule.

    About the traffic not going to the right queue, I'm experiencing this problem partially. For instance, using utorrent on ports set up in the shaper as p2p traffic, it ends up in the default queue anyway. However, traffic from HTTP set as otherH always goes to the right one. I guess "pftop label view (view 6)" would give more insights about how my traffic is really distributed.

    ![LAN -WAN rule.jpg](/public/imported_attachments/1/LAN -WAN rule.jpg)
    ![ICMP outbound rule.jpg](/public/imported_attachments/1/ICMP outbound rule.jpg)



  • @pirron:

    …....

    I kinda know what you mean but don't know where to find "pftop label view (view 6)". I'm really a beginner with pfsense, mostly concerned with traffic shaping.  :-[

    I also attached the screen of my ICMP outbound rule.

    About the traffic not going to the right queue, I'm experiencing this problem partially. For instance, using utorrent on ports set up in the shaper as p2p traffic, it ends up in the default queue anyway. However, traffic from HTTP set as otherH always goes to the right one. I guess "pftop label view (view 6)" would give more insights about how my traffic is really distributed.

    You're using pfsense 1.2 which matches the first rule that it comes across.
    In your configuration, the qVoip is above many rules - those rules below qVoip will not be seen because your qVoip rule is a catchall rule.
    You need to change the qVoip rule so that it isn't a catchall rule.



  • You're using pfsense 1.2 which matches the first rule that it comes across.
    In your configuration, the qVoip is above many rules - those rules below qVoip will not be seen because your qVoip rule is a catchall rule.
    You need to change the qVoip rule so that it isn't a catchall rule.

    It sounds logical. I have also the same type of catch all rule for games which is really on top of any other rules. Even though some of my traffic is going to proper queues.

    For example: I have configured a game to a specific port in a rule. When I'm launching it, it appears in the games queue. I did the same with TeamSpeak and Skype but they are not shown in the voip queue. The interesting thing is that voice programs seem to work fine. I don't know how to check the delay but when I'm using them it all works fine. Games, however, even being in the proper queue, have at least 150 ms or more pings. Maybe it's because there are algorithms for VoIP programs which adjust to the delay in real time so I can't really feel it, unlike in the online games.

    Games have highest priority in my configuration but even if the catch all rule for games is on top my HTTP traffic goes to qotherH queue.

    At the end I think that it all boils down to a delay which appears once I turn my shaper on between my pfsense box and a modem.
    The thing is I don't really know what to do with it cause I'm sharing the link with lots of people and the bandwidth distribution from the shaper seems to do its work well so I can't give up my HFSC. But this lag problem is not acceptable :(
    I just simply don't know what can be causing it and how to troubleshoot it. Every other device in my network works perfectly: delays of 1-2ms at most. The only 2 are the modem and pfsense. Pings of 200 ms+ between them are simply a cause of my pfsense box malfunction caused by my shaper (shaper off = <1 ms pings).

    I would like to try any possible solution but I've just run out of ideas.

    I removed catch all rules but nothing changed.

    Thx for suggestions, it's really appreciated!



  • @pirron:

    – Don't rely on priority. Priority is used only when the HFSC scheduling algorithm cannot otherwise decide between two (or more) packets, i.e. when they both have the same timing parameters such as virtual time, deadline etc. Such otherwise-undecidable cases are very rare.

    – Check that every major bandwidth-consuming traffic (HTTP, for example) is assigned a different queue than that of ICMP. If this is not the case, try to assign ICMP to some other queue with decent link share, for example, qVoIPup.

    This is done.

    I don't think it is done, according to your Reply #4, at least HTTP, HTTPS and PPTP are still sharing the same queue as ICMP.

    @pirron:

    – Check that the target you're concerned about, i.e. 192.168.1.1, is covered by the relevant shaping rule, i.e. ICMP outbound LAN->WAN rule.

    Is it the kinda rule like in the first attachment that you mean?

    It is the rule like the image attached in your Reply #4. The rule seems OK.

    @pirron:

    – Double check that the specific ICMP packets you're concerned about (i.e. ping to 192.168.1.1) get to the right queue. The pftop label view (view 6) is the right diag tool. The diag_resetstates.php page is the right fix tool. I don't know how it is with 1.2.3 but in 2.0, ICMP usually gets to the wrong queue on every system reboot or link state change until the state table is completely reset.

    I kinda know what you mean but don't know where to find "pftop label view (view 6)". I'm really a beginner with pfsense, mostly concerned with traffic shaping.  :-[

    I also attached the screen of my ICMP outbound rule.

    About the traffic not going to the right queue, I'm experiencing this problem partially. For instance, using utorrent on ports set up in the shaper as p2p traffic, it ends up in the default queue anyway. However, traffic from HTTP set as otherH always goes to the right one. I guess "pftop label view (view 6)" would give more insights about how my traffic is really distributed.

    1. Access the 'pfsense console setup' menu locally or remotely.

    2. Select PFtop.

    3. Press the s key to set update time to 1 second.

    4. Press the 1, 2, 3, …, 8 keys to browse the eight Views.

    5. Select the Label View. (It is View 6, I think.)

    6. Press the Page Down / Page Up keys to find the rule labelled "m_Other ICMP outbound". Note the rule #. Let's say it is numbered #59.

    7. Look at PKTS (number of packets), BYTES (number of bytes) and STATES (number of states). At the moment there is no outbound ICMP traffic, so STATES should be 0 and PKTS and BYTES do not change.

    8. From a non-pfsense PC, ping 192.168.1.1. Now STATES should be 1 and PKTS and BYTES should increment, indicating that the rule (#59) really applies on this ping.

    9. In the Web UI, access the status.php page. Check that the rule (#59) is assigned to the correct queue (qOthersHigh).



  • @pirron:

    You're using pfsense 1.2 which matches the first rule that it comes across.
    In your configuration, the qVoip is above many rules - those rules below qVoip will not be seen because your qVoip rule is a catchall rule.
    You need to change the qVoip rule so that it isn't a catchall rule.

    It sounds logical. I have also the same type of catch all rule for games which is really on top of any other rules. Even though some of my traffic is going to proper queues.

    For example: I have configured a game to a specific port in a rule. When I'm launching it, it appears in the games queue. I did the same with TeamSpeak and Skype but they are not shown in the voip queue. The interesting thing is that voice programs seem to work fine. I don't know how to check the delay but when I'm using them it all works fine. Games, however, even being in the proper queue, have at least 150 ms or more pings. Maybe it's because there are algorithms for VoIP programs which adjust to the delay in real time so I can't really feel it, unlike in the online games.

    Games have highest priority in my configuration but even if the catch all rule for games is on top my HTTP traffic goes to qotherH queue.

    Thx for suggestions, it's really appreciated!

    I realised that the voip rule may not be a catchall.  I forgot all about catching DSCP values which won't show up on the main page.

    I'm not sure what catchall you have for your games though.  A catchall rule is basically a rule that has 'ANY' for source & destination IPs AND ports.  Basically, it catches everything, hence the name catchall.

    TBH, I doubt you need any catchalls for most paid games.  In pf 1.2.X, I generally place catchall rules right at the bottom.  The most restrictive rules should be right at the top.  I do the same in 2.0 because I use quick-match on every rule.

    For example, with certain free-to-play online games that use random UDP ports, I need to use a UDP catch-all to capture them.  However, I don't want to give highest priority to certain Valve based games since they have lag compensation and interpolation (not so latency sensitive).
    Hence, I placed the rules like so:

    • Other rules on top

    • Valve rule - Match UDP 27000-27050 to qOthersHigh

    • Online Games rule - Match ANY UDP to qGames

    • Default Catchall rule - Match ANY ANY ANY ANY ANY to qDefault

    In this instance, although the Halflife engine based games will match the Online Games rule, the Valve rule catches it first and it won't go into qGames which is what I need.

    An example of what I mean, albeit in pfsense 2.0 at my CyberCafe can be found in the attachment.
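
The rule ordering discussed in the post above can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it models first-match evaluation over protocol and destination port only (source/destination IPs are ignored), and the `Rule` class, helper names and the misordered list are hypothetical. It reports rules that can never match because an earlier rule already takes all of their traffic.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard for protocol or destination-port range


@dataclass(frozen=True)
class Rule:
    label: str
    proto: Optional[str]              # "udp", "tcp", "icmp" or ANY
    ports: Optional[Tuple[int, int]]  # inclusive destination ports or ANY
    queue: str


def matches(rule, proto, port):
    """Does one packet (protocol, destination port or None) hit this rule?"""
    if rule.proto is not ANY and rule.proto != proto:
        return False
    if rule.ports is ANY:
        return True
    return port is not None and rule.ports[0] <= port <= rule.ports[1]


def classify(rules, proto, port):
    """First-match evaluation: the first rule that matches picks the queue."""
    return next((r.queue for r in rules if matches(r, proto, port)), None)


def covers(earlier, later):
    """True when every packet `later` could match is already taken by `earlier`."""
    if earlier.proto is not ANY and earlier.proto != later.proto:
        return False
    if earlier.ports is ANY:
        return True
    if later.ports is ANY:
        return False
    return earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]


def shadowed(rules):
    """Return (dead rule, first rule hiding it) pairs for an ordered rule list."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.label, earlier.label))
                break
    return found


# Rules constructed from the bullet list in the post above.
VALVE = Rule("Valve", "udp", (27000, 27050), "qOthersHigh")
GAMES = Rule("Online Games", "udp", ANY, "qGames")
DEFAULT = Rule("Default Catchall", ANY, ANY, "qDefault")
POSTED_ORDER = [VALVE, GAMES, DEFAULT]
CATCHALL_FIRST = [GAMES, VALVE, DEFAULT]  # hypothetical misordering

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_ORDER), ("catchall first", CATCHALL_FIRST)):
        print(name, classify(rules, "udp", 27015), shadowed(rules))
```

With the posted order nothing is shadowed; with the UDP catchall moved to the top, the Valve rule is dead and its traffic lands in qGames.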




  • 1. Access the 'pfsense console setup' menu locally or remotely.

    2. Select PFtop.

    3. Press the s key to set update time to 1 second.

    4. Press the 1, 2, 3, …, 8 keys to browse the eight Views.

    5. Select the Label View. (It is View 6, I think.)

    6. Press the Page Down / Page Up keys to find the rule labelled "m_Other ICMP outbound". Note the rule #. Let's say it is numbered #59.

    7. Look at PKTS (number of packets), BYTES (number of bytes) and STATES (number of states). At the moment there is no outbound ICMP traffic, so STATES should be 0 and PKTS and BYTES do not change.

    8. From a non-pfsense PC, ping 192.168.1.1. Now STATES should be 1 and PKTS and BYTES should increment, indicating that the rule (#59) really applies on this ping.

    9. In the Web UI, access the status.php page. Check that the rule (#59) is assigned to the correct queue (qOthersHigh).

    It's hard with my pftop since I think I have an older version which does not show rules and I don't know how to install a newer one.

    – Don't rely on priority. Priority is used only when the HFSC scheduling algorithm cannot otherwise decide between two (or more) packets, i.e. when they both have the same timing parameters such as virtual time, deadline etc. Such otherwise-undecidable cases are very rare.

    – Check that every major bandwidth-consuming traffic (HTTP, for example) is assigned a different queue than that of ICMP. If this is not the case, try to assign ICMP to some other queue with decent link share, for example, qVoIPup.

    This is done.

    I don't think it is done, according to your Reply #4, at least HTTP, HTTPS and PPTP are still sharing the same queue as ICMP.

    It's true - my mistake.

    I did however something else. Started shaper wizard again and manually set up the same configuration. Since it's manual I missed some rules I created before but the core configuration was mirrored (Queues tab). Pings got back to normal and I kept link distribution functionality.
    I need to set up the newest version of pftop on my box, so it will take a bit of time. If my little "trick" wouldn't work I would jump right into it.

    Apparently there was a mistake in Rules tab which I couldn't catch.

    Thx a lot for the replies! I will explore pftop for future troubleshooting.



  • @pirron:

    It's hard with my pftop since I think I have an older version which does not show rules and I don't know how to install a newer one.

    pftop is available in every version of pfsense. If your console menu does not have an item for it, select the root shell and at the # prompt, type the command

    pftop



  • pftop is available in every version of pfsense. If your console menu does not have an item for it, select the root shell and at the # prompt, type the command

    pftop

    I launched pftop from the UI (Diagnostics/Command). I just didn't see the rule names displayed, which I read can happen with older versions of pftop, which I guess is more likely with older versions of pfsense, which I have (1.2.2).



  • pftop is an interactive program. Don't use the Web UI. Use the console instead.


