Traffic shaping is jacked up



  • Ok.  Got a pfSense box running the latest version that I downloaded like 3 hours ago.  Set up the box and ran the traffic shaper wizard.  As soon as it is enabled, the ping times to the LAN interface go sporadic (see below).  Just want to make sure this is VERY CLEAR, I am on the same switch and VLAN as the pfSense LAN interface, I have tried 3 different NICs in 3 different slots, this is ABSOLUTELY a problem with the traffic shaper.  When the shaper is disabled, all returns to normal and I get <1ms ping times.

    I have 5 other installations with almost identical hardware that have the traffic shaper enabled, but do not have this problem, so it is something very new.

    I am running 1.0.1-SNAPSHOT-02-27-2007
    built on Thu Mar 8 10:47:22 EST 2007

    I first saw this problem with the 02-27 SNAPSHOT from last Wednesday or so.

    Example:

    Reply from 10.10.10.3: bytes=32 time<1ms TTL=64
    Reply from 10.10.10.3: bytes=32 time<1ms TTL=64
    Reply from 10.10.10.3: bytes=32 time=215ms TTL=64
    Reply from 10.10.10.3: bytes=32 time=137ms TTL=64
    Reply from 10.10.10.3: bytes=32 time=40ms TTL=64
    Reply from 10.10.10.3: bytes=32 time<1ms TTL=64
    Reply from 10.10.10.3: bytes=32 time<1ms TTL=64
    Reply from 10.10.10.3: bytes=32 time=58ms TTL=64
    Reply from 10.10.10.3: bytes=32 time<1ms TTL=64
    Reply from 10.10.10.3: bytes=32 time=135ms TTL=64
    Reply from 10.10.10.3: bytes=32 time=167ms TTL=64



  • If you are pinging from the pfSense box this is normal and is the only way we can shape traffic, coming in or out of the interfaces.

    Ping from another host besides the firewall.



  • Also (as mentioned in another post) ICMP is low priority by default, if you want pings to be low, route it out a high priority queue.  Ping isn't the best measure of performance.



  • I am pinging from a Windows box off the LAN interface of this pfSense box.  Pinging from a machine off the WAN interface gives <1ms ping times.  This is some kind of strange glitch that is happening only on the LAN interface when shaping is on.

    I don't see why traffic directly to the LAN interface would even enter the traffic shaper.  If it did, I have ICMP set to highest priority, but regardless the shaper should not be involved for traffic hitting the LAN interface.

    What can I do to diagnose this?



  • LAN -> LAN communication should not even flow through the gateway?!



  • Scott,

    Ok.  I will spell this out a little clearer!  I am trying to diagnose why enabling the traffic shaper in pfSense causes traffic flow and even pings to the LAN interface to not act as expected.  If the shaper is enabled, I get very high yet sporadic latency on all kinds of traffic.  I was just using the ICMPs to the LAN interface since that would obviously set off an alarm if by simply enabling the shaper, the ping times to the LAN interface jumped!  I didn't think I had to spell out that this would adversely affect all traffic through the box!  Which it does.

    Roy



  • #1.  LAN -> LAN communication should not flow through pfSense
    #2.  As I said prior it shapes ALL traffic flowing through the interface so this would be normal if it is not LAN -> LAN communication.



  • @rwalker:

    I am trying to diagnose why enabling the traffic shaper in pfSense causes traffic flow and even pings to the LAN interface to not act as expected.  If the shaper is enabled, I get very high yet sporadic latency on all kinds of traffic.  I was just using the ICMPs to the LAN interface since that would obviously set off an alarm if by simply enabling the shaper, the ping times to the LAN interface jumped!  I didn't think I had to spell out that this would adversely affect all traffic through the box!  Which it does.

    As others have stated, ICMP is low priority. The shaper treats your pings to your LAN IP the same way it treats pings to the Internet, it's a limitation of how it works. So if your connection is being heavily used, the shaper will delay ICMP to your LAN IP the same way it will delay it to the Internet.

    How do you measure "very high yet sporadic latency on all kinds of traffic"? If it's by your ping times, that's a terrible way to measure network performance, especially when it's being set to low priority. That's not at all indicative of performance for other protocols that aren't given low priority.



  • I am trying to remain calm here!!!!!  You're making that very difficult….

    I am not routing LAN traffic through the pfSense box, I never said that, I don't know why you would think that I was.  The problem I am trying to bring to your attention is that even turning on the traffic shaper hoses the box, even when pinging the LAN interface from the LAN segment.  Which applies to traffic transiting pfSense as well.

    Roy



  • Where do you think the ping reply is sent from? From the LAN interface of the pfSense back to your client? This one WILL get shaped.



  • When I normally set up traffic shaping, I exclude traffic to/from the LAN, so that it does not slow down traffic to the box itself, only traffic transiting the box.

    I will just drop this issue, it appears no one else is seeing this problem.



  • How do you exclude it? If it's not assigned it goes into the default queue and the parent queue at LAN is usually configured as your WAN downstream.



  • I have much more experience with Linux networking, but there you can do all the shaping on the WAN interface with an Ingress and Egress queue for inbound and outbound traffic.  This prevents the LAN interface and traffic to other interfaces from getting shaped when traffic is not going out the WAN interface.  This also gives you the ability to allow multiple shaper setups for each "WAN" interface.



  • Unfortunately ALTQ does not work this way.



  • This is the last post I will make on this issue…

    I am perfectly clear on the issue that the LAN interface has a shaper config applied to it, I am still saying there is something wrong with the shaper config in the current version.  I DO HAVE ICMP set to high, and I see HUGE spikes in ping times to external hosts and directly to the pfSense LAN interface.

    I am going to get a box that I know works with an older version and load the latest snapshot on it.  I suppose it is remotely possible that some obscure hardware issue is causing this problem to happen only when I turn on the shaper.



  • Yes, I've seen this as well.

    This affects a number of operations. I do know about it, and there is a workaround.

    But it's not cute. It would prevent traffic shaping to all local networks on the box.

    I think this might also be triggered for static routes though. But don't add those for the local interface. That will not work. But traffic bounced off the box with a static route may or may not have a queue assigned.

    I'll see if I can make a filter.inc for you to test. I have a local shaper here so I can test it.



  • What kind of NICs are you using?  This is starting to sound like a driver issue.



  • I would also like to see your rules saying that ICMP has high priority, I have several boxes running the traffic shaper, no problems.  The ping times are high unless the IP sending the ping is given high priority for ICMP.



  • @sullrich:

    What kind of NICs are you using?  This is starting to sound like a driver issue.

    I really think it is a driver problem. I got a new 10Mb/s cable connection at home moving up from 3Mb/s. I didn't have a problem before I upgraded but now my ping times are as high as 3000ms when my traffic rate hits around 4Mb/s. Browsing degrades to a crawl so obviously http was also affected when I'm using just little under half my assigned speed … and I do setup my queues to give http higher priority over all traffic. At first I thought it was an ISP configuration problem, didn't want to blame my pfSense box, so I called and reported the problem. They told me the obvious thing to do ... "plug the Ethernet cable from the modem directly into the pc" ... Boom problem vanished even when the connection speed is near maxed, my ping times were constant and very good.

    I'm running pfSense on a PII 366Mhz with 380 Mb of memory... even when near maxed at 9Mb/s the cpu is still 80% - 85% idle, so it wasn't a performance issue problem...

    Well skipping out my long story of testing and probing I did eventually get rid of the problem when the traffic shaper was disabled. The problem returns if the statement altq on $wan for example ever showed up in the pf rules file. I'm using two NICs that use the dc driver but can't recall the manufacturer or brand at the moment. I have been reduced to using my old Linksys router for my network because the internet goes bad whenever the traffic goes to 4 megs. I want to try to get Intel NICs to see if it would fix my problem but I can't get any to buy here locally. Oh well.

