CP per use bandwidth breaks downloads



  • Hi all, I have a pretty basic 2.0 i386 latest snapshot install consisting of single LAN/WAN, running captive portal, transparent proxy with squid/squidGuard/lightSquid.

    Whenever I turn Per-user bandwidth restriction on in captive portal I get general browsing problems. Downloads will stop half way, youtube videos download 10 seconds worth then will no longer buffer are the most obvious. I have tried 100, 1000 and 20,000 kb/s and while everything works at theoretical bandwidth limit, as soon as any throttling occurs (100 or 1000) I get the same errors.

    Has anyone else had this problem? Are there any suggestions for fixing it?



  • Which snapshot are you on?



  • 2011 07 27 same was occuring 2011 07 26



  • Can you provide the output of
    ipfw show
    ipfw table all list
    ipfw pipe show <- This should be aviable even at Diagnostic->Limiter Info



  • 
    $ ipfw show
    65291    0       0 allow pfsync from any to any
    65292    0       0 allow carp from any to any
    65301  568   24374 allow ip from any to any layer2 mac-type 0x0806
    65302    0       0 allow ip from any to any layer2 mac-type 0x888e
    65303    0       0 allow ip from any to any layer2 mac-type 0x88c7
    65304    0       0 allow ip from any to any layer2 mac-type 0x8863
    65305    0       0 allow ip from any to any layer2 mac-type 0x8864
    65306    0       0 allow ip from any to any layer2 mac-type 0x888e
    65307    0       0 deny ip from any to any layer2 not mac-type 0x0800
    65310  872  117583 allow ip from any to { 255.255.255.255 or 192.168.0.1 } in
    65311 1107  303893 allow ip from { 255.255.255.255 or 192.168.0.1 } to any out
    65312    0       0 allow icmp from { 255.255.255.255 or 192.168.0.1 } to any out icmptypes 0
    65313    0       0 allow icmp from any to { 255.255.255.255 or 192.168.0.1 } in icmptypes 8
    65314    0       0 allow ip from table(3) to any in
    65315    0       0 allow ip from any to table(4) out
    65316    0       0 pipe tablearg ip from table(5) to any in
    65317    0       0 pipe tablearg ip from any to table(6) out
    65318    0       0 allow ip from any to table(7) in
    65319    0       0 allow ip from table(8) to any out
    65320    0       0 pipe tablearg ip from any to table(9) in
    65321    0       0 pipe tablearg ip from table(10) to any out
    65322 1969  256149 pipe tablearg ip from table(1) to any in
    65323 1414 1117851 pipe tablearg ip from any to table(2) out
    65531  180   20706 fwd 127.0.0.1,8000 tcp from any to any in
    65532  164   30372 allow tcp from any to any out
    65533 5493  285966 deny ip from any to any
    65534    0       0 allow ip from any to any layer2
    65535    0       0 allow ip from any to any
    
    
    
    $ ipfw table all list
    ---table(1)---
    192.168.1.4/32 mac f0:de:f1:04:50:77 20002
    ---table(2)---
    192.168.1.4/32 mac f0:de:f1:04:50:77 20003
    
    
    
    $ ipfw pipe show
    20002:  64.000 Kbit/s    0 ms burst 0 
    q151074 100 sl. 0 flows (1 buckets) sched 85538 weight 0 lmax 0 pri 0 droptail
     sched 85538 type FIFO flags 0x0 0 buckets 0 active
    20003: 128.000 Kbit/s    0 ms burst 0 
    q151075 100 sl. 0 flows (1 buckets) sched 85539 weight 0 lmax 0 pri 0 droptail
     sched 85539 type FIFO flags 0x0 0 buckets 0 active
    
    


  • I have also tried the same install and manually created be traffic shaper using Limiter instead of the captive portal version but the same thing occurs.



  • At the speeds you show there surely it will give your issues :)



  • I wouldn't think that speed limiting alone would cause it. These speeds are actually a little faster than an MS Threat Management Gateway install I have at another site and these issues are not happening there.

    It's a real shame as this is for site wide public WiFi so I obviously can't allow unlimited internet speed. I would expect it to be used mostly for general browsing but if someone wanted to wait five minutes to watch a 20 second movie that would be fine.

    I went to the google speed test page (http://www.youtube.com/my_speed#) and it showed that it was downloading as I would expect at 100 kbps, then after around one minute of download time it simply stopped downloading. The same behaviour is exhibited in IE and Firefox using the latest flash player. Vimeo also does the same thing.

    Downloading a large file in IE also fails. It will run at 15 kB/s as expected then falls over at around the 2 minute mark with less than 2MB downloaded. The download manager in Firefox seems to keep the download going.

    Edit: Firefox also fails



  • Can you get a packet dump on this interface to see what is the issue?



  • Ok, here are the captures from the end of the conversation when a youtube video died. (both .pcap files renamed to .txt)

    I am trying to remember network protocols and services 101! Do I need another capture client-LAN in order to get enough info? Does this give anyone any clues?

    WAN.txt
    Client.txt



  • Firewall is between networks so it has allready enough information in usual cases



  • If I do a capture on the WAN interface when NOT using the speed limiter, there are no TCP Zero Window packets, just the occasional ACK error and TCP window update packet. When using the speed limiter there are quite a few Zero Window packets and when the videos fail the connection is in this state, often seemingly waiting on a keep alive packet.

    Once again, my knowledge is not very good with this level of protocol examination, so much of that is just speculation…

    Updated to the latest snaps today.



  • It seems that pcaps are not good.
    Can you do again.

    Btw do you have any kind of proxy installed? Squid?

    Also i need the capture on the LAN side as well.



  • Thank you for looking. I am not sure what happened with the pcaps failing. This time the pcaps are in a .zip file, renamed to txt.

    Yes - I am using squid with squid guard in transparent mode.

    EDIT - That upload seems to have failed as well. I have added to megaupload - http://www.megaupload.com/?d=JIMAZBM0

    captures.txt



  • Update:

    This error is not related to captive portal speed limiting. Today,thinking the rl0 driver may be causing problems, I created a new install on new hardware, this time using AMD64. I tested at every step and found that the limiter works fine until squid is installed, and then the errors occur. If the client IP bypasses squid it will still work, so it is the squid package that is causing the issue.

    Packet captures reveal that when a client is using squid the WAN link starts to get TCP Zero Window problems. I will start a new thread in the Packages forum with these findings.

    New thread: http://forum.pfsense.org/index.php/topic,39554.0.html



  • Having the same problems on pfSense 2.0 RC3 (using the pfSense-2.0-RC3-1g-i386-20110621-1821-nanobsd.img.gz Image).

    Per-user-bandwith restriction set to 200kbit/s.
    Captive portal is loading, I login using username and password, it authenticates me (listed on status page), redirect times out. No site is loading.

    restriction is turned off:
    Redirect works like a charm.

    I'm not using squid, so I don't think it's the problem here.


Locked