Newbie banging against the wall High Latency HFSC
-
The qLink is for the interface. Basically should stop things being classified under your 'net download rate when it should be the interface rate (in the case of Squid proxy, LAN<->OPT traffic, etc.)
You have to make your own rules for the qLink queue though.
-
Has anyone tried to recreate dreamslacker's shaper for multiple WAN?
-
Sorry to post in an older thread but it's hard to find helpful info on traffic shaping in 2.0 with an asymmetric Internet connection. The wizard apparently isn't much help yet.
What changes (if any) would you suggest to the below quoted suggestion from earlier in this thread if the WAN connection is 10megs down and 2 megs up (allows short bursting, PowerBoost for Cox)? Between 100 and 200 users on the LAN at a location that houses international students. Running transparent Squid proxy with class 2 delay pool (delay_parameters 1 1310720/1310720 393216/393216). Want to keep upload from being saturated. Prioritize ACKs. Prioritize HTTP (goes through Squid), HTTPS. Maybe prioritize Skype. Lower priority Netflix. Already using Snort to try to block LAN addresses that run P2P but for the ones I can't block I want to go to a catchall that will throttle them when the pipe is almost full.
Also, already using Captive Portal with a per user bandwidth limit set of 3000 down and 550 up.
OK, for lab purposes we have a cable modem with 4M down / 1M up, one laptop and the pfSense box with 2 NICs. But in the wizards I've been working with 1024k DW/512k UP. What I'm trying to prioritize for lab purposes is HTTP and VoIP (Firefox and Skype) with the percentages posted before, giving the highest priority possible. What I'm trying to penalize is torrents (BitTorrent and Ares). I know L7 can't stop encrypted torrents, but most of our users are unaware of how to switch torrents to encrypted (by default torrents are unencrypted), so I think it is good to try.
Ok. Forget the Wizard then. With single WAN, single LAN, I find it better to manually create queues.
For starters, under WAN root (HFSC 512Kbps), create the following queues:
qVoip (Priority 7; BW 64Kb; Realtime M1 32Kb D 30 M2 64Kb)
qAck (Priority 6; BW 10%; Realtime M2 1%)
qDefault (Priority 3; BW 2%; Upperlimit M2 4%; ECN RED Default)
qOtherHigh (Priority 4; BW 10%; Realtime M2 5%)
Under LAN root (HFSC), create the following queues:
qInternet (Upperlimit 1024Kb; Priority 1; Bandwidth 1024Kb)
qLink (Upperlimit = Interface bandwidth; Priority 2; Bandwidth = Interface B/w - 1024Kb)
And under qInternet:
qVoip (Priority 7; BW 64Kb; Realtime M1 32Kb D 30 M2 64Kb)
qAck (Priority 6; BW 2%; Realtime M2 1%)
qDefault (Priority 3; BW 2%; Upperlimit M2 4%; ECN RED Default)
qOtherHigh (Priority 4; BW 10%; Realtime M2 5%)
Note that these rules need to be duplicated on both the LAN tab and floating. It is better to do a Quickmatch for floating rules and make sure the order of the rules is correct,
i.e. rules with specific ports at the top, catchall with L7 after, then catchall for default at the bottom.
Use a catchall rule with L7 container for FTP to have rules redirect to qAck/qOtherHigh.
Use a catchall rule with L7 container for Skype to have rules redirect to qVoip.
Use firewall rules to match ICMP traffic to qAck.
Use firewall rules to match HTTP, HTTPS, POP3, SMTP etc. to qAck/qOtherHigh.
Use a catchall rule to pipe to qDefault. This will catch all traffic that isn't explicitly prioritized, including encrypted traffic. Technically, it's not required, but it can be used if you need to add more rules in future.
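As an added example (not dreamslacker's own config or pfSense's output), here is the queue layout above, plus the qLink use described later in the thread, written in the pf.conf ALTQ syntax that pfSense generates behind the GUI (the file it writes is /tmp/rules.debug). The interface names, the 100Mb LAN speed and the port list for qOtherHigh are assumptions.

```pf
# Added example, not the thread's own config: dreamslacker's queue layout in the
# pf.conf ALTQ syntax pfSense writes to /tmp/rules.debug. Assumed: WAN is em0
# with 512Kb upload, LAN is em1 at 100Mb, and the port list used for qOtherHigh.
wan = "em0"
lan = "em1"

# WAN root: the upload direction. Child bandwidths must fit inside 512Kb.
altq on $wan hfsc bandwidth 512Kb queue { qVoip, qAck, qOtherHigh, qDefault }
queue qVoip      on $wan bandwidth 64Kb priority 7 hfsc(realtime(32Kb 30 64Kb))
queue qAck       on $wan bandwidth 10%  priority 6 hfsc(realtime 1%)
queue qOtherHigh on $wan bandwidth 10%  priority 4 hfsc(realtime 5%)
queue qDefault   on $wan bandwidth 2%   priority 3 hfsc(default red ecn upperlimit 4%)

# LAN root: the download direction. qInternet is capped at the 1024Kb download
# rate, so internet traffic competes inside it. qLink holds the rest of the
# interface for traffic that never crosses the WAN (Squid cache hits, LAN<->VPN,
# packets the firewall itself sends), so that traffic cannot fill qInternet.
altq on $lan hfsc bandwidth 100Mb queue { qInternet, qLink }
queue qInternet  on $lan bandwidth 1024Kb priority 1 hfsc(upperlimit 1024Kb) { qVoip, qAck, qOtherHigh, qDefault }
queue qLink      on $lan bandwidth 98976Kb priority 2 hfsc(upperlimit 100Mb)
queue qVoip      on $lan bandwidth 64Kb priority 7 hfsc(realtime(32Kb 30 64Kb))
queue qAck       on $lan bandwidth 2%   priority 6 hfsc(realtime 1%)
queue qOtherHigh on $lan bandwidth 10%  priority 4 hfsc(realtime 5%)
queue qDefault   on $lan bandwidth 2%   priority 3 hfsc(default red ecn upperlimit 4%)

# Classification. "quick" stops evaluation at the first match (the GUI's
# Quickmatch), which is why the order matters: specific rules first, catch-all
# last. When two queues are given, pf sends empty TCP ACKs and TOS lowdelay
# packets to the second one; that is how the ACKs of a bulk download reach qAck.
pass out quick on $lan from ($lan) queue qLink
pass out quick proto icmp queue qAck
pass out quick proto tcp to port { 80, 443, 110, 25 } queue (qOtherHigh, qAck)
pass out quick all queue (qDefault, qAck)
```

Percentages on the qInternet children are relative to qInternet's 1024Kb, not to the LAN interface, which is what keeps real downloads inside the WAN rate while qLink stays effectively uncapped.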
-
What would cause download traffic from the internet to the LAN to be routed to the qLink queue when qLink is NOT the default LAN (interface) queue nor are there any floating rules written for the qLink queue?
-
Nothing. If there are no rules referencing qLink, then no traffic is sent through qLink queue if it is not a default queue.
The idea of qLink queue is to use it for traffic that passes through interfaces on the pfSense box or originates from the pfSense box itself.
For example, a VPN connection is terminated as a virtual interface on the pfSense box.
Since the VPN tunnel is already shaped by the WAN connection traffic shaping, you do not want to limit the rate of traffic between the LAN and this VPN connection to your internet speed.
Hence, the artificially high bandwidth queue (qLink) serves to provide an effectively unrestricted queue for passing traffic between the LAN and VPN connection. The traffic is ultimately still shaped by the floating rules on WAN for the VPN tunnel.
Alternatively, if we consider services like Squid: the HTTP traffic, from the perspective of the pfSense box, actually originates from the pfSense box itself. It is also likely to be served from memory or from the hard drive, both of which are likely to be capable of much higher speeds than the WAN connection.
If it is allowed to be caught by the default queue, then it will saturate the default queue on WAN even if there is no WAN traffic. By piping it to the qLink queue, it does not affect the qInternet queue, which is used to limit and shape actual download traffic on your internet connection.
-
Hi group
Here are my thoughts.
We have configured pfSense for traffic shaping, looking for P2P restrictions. The good thing is pfSense achieves control of P2P, but we do not see a real increase in bandwidth for HTTP, HTTPS, DNS, ICMP and Telnet, which is our final goal.
On the images, you can see the queues created by the wizard. The following are the percentages for each queue on LAN and WAN:
QAck: Priority 6, Bandwidth 12%, LinkShare 12%.
Qp2p: Priority 1, Default queue, Bandwidth 5%, Upperlimit: 5%, LinkShare 5%.
qOthersHigh: Priority 5, Bandwidth 82 % , LinkShare 82%.
qOthersLow: Priority 3, Bandwidth 1%, LinkShare 1%.
The wizard creates all rules as Floating, as you can see on the image.
Traffic goes to each queue with 100mbps as total BW.
For the P2P queue, traffic goes up to 5M, which is 5% of the 100M available.
In search of knowledge, we made the traffic shaping another way, manually, without the wizard, as you can see on the image.
With this approach, we create only 3 queues with the respective percentages.
Qhttp Priority 6, Bandwidth 92%, Link share: 92%
Qack Priority 7, Bandwidth 3%, Link share: 3%
QDefault Priority 1, Default queue, Bandwidth 3%, Upperlimit: 3%, Link share: 3%.
Then we applied those rules only on the LAN interface. This is for testing purposes, plugging in a cable modem with 4M as total BW.
Making some tests with a PC connected to the LAN, the box does apply restrictions on P2P apps like BTT and Ares, decreasing BW for them, because this kind of traffic goes to the queue named QDefault, which has an Upperlimit of 3% of the 4M available.
We have several questions about this:
- If I have 100Mb as total BW and I'm able to lower P2P apps, which have only 5% of total BW, and I don't see a real HTTP (web surfing) improvement, then what can I do? What other tests can I do? How can I assign a real improvement to HTTP?
- On which interfaces do I have to apply the rules? LAN, WAN or Floating? I think I have not entirely understood where to apply them properly.
- Does rule order matter?
Thanks in advance
![Firewall -Traffic Shaper- Wizards.png](/public/imported_attachments/1/Firewall -Traffic Shaper- Wizards.png)
![Traffic Shaper Manual.png](/public/imported_attachments/1/Traffic Shaper Manual.png)
![Reglas en la Lan.png](/public/imported_attachments/1/Reglas en la Lan.png)
-
Hi group
I'll post some graphs to show how my network is configured. I'll also send you some issues with ping that I'm having since pfSense is in bridge mode.
Thanks in advance
-
Pfsense's traffic shaping subsystem is in dire need of better documentation and tutorials.
Oddly, there seemed to be much more substantive conversation about the subject several years ago…
-
Btw I noticed your MBUF Usage 25558/25600 i.e. at the upper limit, you should look into this…
-
Hi group
Thanks dhatz for your reply. It is very sad to read this. I supposed so, because every how-to or manual for TS is detailed for versions prior to 2.0. I'm making many tests to post to the group, which contain speed tests with different queue approaches. This is to make a little contribution to the people in this group.
I also want to ask you something about the MBUF. You're right, I didn't realize the values had increased. Is that a possible reason for the continuous pings being dropped?
Thanks in advance.
-
When there are no free mbuf clusters available, FreeBSD enters the zonelimit state and stops answering any network requests. You can see it as the zoneli state in the output of the top command. The state of used mbuf clusters can be checked with 'netstat -m'.
You can increase quantity of the mbufs clusters through the kern.ipc.nmbclusters parameter:
sysctl kern.ipc.nmbclusters=65536