Why not a simpler Traffic Shaper?



  • Hi everyone,

    I think this request comes up a lot. I want to be able to traffic shape two LAN interfaces on my pfSense 2.0 (one for VoIP and other for DATA). This is not easily possible right now. In fact even when set through traffic shaper there are problems.

    For example, I have had a router that fills up on the Queues and the user couldn't browse the internet anymore unless the router was restarted. Or the shaper was way too complex to set up. Also, the WAN port can be dynamic in speed, so setting those upload and download values is really not useful.

    So, how about having a simple DEDICATED Kilobytes field made for the LAN interface? If there was a sub field that said, "Dedicated upload/download for this interface?" then one could easily put 300kbps and the traffic shaper would do its magic based on that and ignore everything else.

    Currently, enabling the VoIP option through Traffic Shaper wizard creates more issues as well. It doesn't take a whole interface but thinks there is only one device for VoIP. What about in case of a PBX and 10s of phone sets? Firewall aliases don't work properly and then custom bandwidth gives errors.

    I think Traffic Shaping is the weakest (or maybe the most complex) part of pfSense right now and there is definitely room for improvement. I am wondering if there are any plans for it.



  • If all you want to do is throttle some users to a certain speed:

    Firewall > Traffic Shaper > Limiter

    Create a new Limiter with your desired bandwidth. Assign the traffic you want to be limited to this limiter from under Firewall > Rules. Now all the traffic from these firewall rules will be limited to the specified speeds. If you need to do limiting by upload and download then you need to create 2 limiters – one for each.

    Keep in mind the "In/Out" is the opposite of what you expect it to be.



  • @joako:

    Keep in mind the "In/Out" is the opposite of what you expect it to be.

    So it means IN=Upload and OUT=Download?
    Thanks
    kalu



    If I have 20 phone sets and 20 PCs, that will be a bit of hard work in terms of administration. Maybe not even manageable with the method you mentioned. Now, I will be trying this tonight so I am not sure exactly what you mean and how the method works, but just to be clear: there is NO WAY to limit upload/download PER NIC PORT or PER SUBNET?

    Thanks



    I also have had that issue, but I just used Firewall > Traffic Shaper > Limiter and everything is working fine; it should work for you as well. I never really liked the traffic shaper. The limiter is more like Quality of Service (QoS) on most off-the-shelf routers; it was easy to understand and set up.



  • @torontob:

    If I have 20 phone sets and 20 PCs, that will be a bit of hard work in terms of administration. Maybe not even manageable with the method you mentioned. Now, I will be trying this tonight so I am not sure exactly what you mean and how the method works, but just to be clear: there is NO WAY to limit upload/download PER NIC PORT or PER SUBNET?

    Thanks

    There is. The limiters don't magically work on their own; you need a firewall rule to pass the traffic to the limiters, i.e. you need 1 firewall rule for downloads to send traffic to the downstream limiter and 1 firewall rule for uploads to send to the upstream limiter.

    The firewall rules are what you use to specify the destination subnet (for downloads) or source subnet (for uploads).

    If, for example, you have an upload limiter called 'Uplimiter' and a download limiter called 'Downlimiter' and the LAN (Data) subnet is 192.168.1.0/24, then:
    You'll need to create a catchall firewall rule on the LAN (Data) tab with Protocol 'Any', Source subnet '192.168.1.0/24' and destination any. Scroll down to the bottom and set 'Uplimiter' as the In Limiter.

    For downloads, you need to head to the Floating rules and add a new rule. Set it to 'Queue', In Interface as 'WAN', Direction as 'In', Protocol as 'Any', Source 'Any' and Destination subnet as '192.168.1.0'; again, set the In limiter, but as 'Downlimiter' this time.

    Note that the limiter must be set for any other additional rules (in both tabs) you may set for specific clients within the subnet whether it is a 'Pass' rule or just a rule for traffic shaping.



  • Could you not just do 2 floating rules? One for in and the other for out.



  • @podilarius:

    Could you not just do 2 floating rules? One for in and the other for out.

    You could do so but there should be an allow rule in the OPT1 tab anyway.
    No point creating a duplicate rule in the floating tab for upstream and it's easier to see the rule within the interface tab rather than trawling through the floating rules if there are many such rules.

    Furthermore, the direction of the limiter is subject to change based on the direction of the floating rule, and the floating rule may be overwritten by another rule (when the floating rule is a subset) depending on its position in the list and whether quickmatch is chosen or not.

    All of this is really up to the individual anyway. I personally prefer doing all the upstream shaping and limiting from the appropriate interface tab and then using floating rules (Quickmatch) purely to catch traffic that can't be shaped properly from interface tabs.
    e.g. You can't catch inbound traffic to LAN from a rule in the WAN tab unless it's a NAT rule. So a floating queue rule to catch traffic coming in on WAN and bound for the LAN subnet is the only way to do the shaping where applicable.

    Alternatively, the floating rule may be used to send traffic to the correct queue when it is sent out from the router itself. e.g. I have a floating rule that marks traffic exiting the LAN interface and bound for the LAN subnet and sends it to the qLink queue so that webGUI access doesn't go into qDef or fight for bandwidth with the qInternet queue.



    Thanks again for the input. I will try that. But what you explained is LIMITING the bandwidth. Why limit the bandwidth? I never know what the bandwidth is exactly as it changes during the day and night. What I am looking for is DEDICATED 512kbps on one NIC PORT regardless of what all my other ports get (dynamic speed at different times of the day). Is that possible? The way you explained it I suppose I should define each port to get a certain limit (I assume I can't use percentages but rather hard numbers).

    I have posted a bounty here that might clear something: http://forum.pfsense.org/index.php/topic,44046.0.html

    I may still be confused so I would like to say thank you again for keeping up with my ignorance.



  • @torontob:

    Thanks again for the input. I will try that. But what you explained is LIMITING the bandwidth. Why limit the bandwidth? I never know what the bandwidth is exactly as it changes during the day and night. What I am looking for is DEDICATED 512kbps on one NIC PORT regardless of what all my other ports get (dynamic speed at different times of the day). Is that possible? The way you explained it I suppose I should define each port to get a certain limit (I assume I can't use percentages but rather hard numbers).

    Yes, it can be done.

    It's called Realtime. Realtime reserves the bandwidth for the queue and the other queues share whatever is left.
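    What the Realtime answer and the original "dedicated 512kbps on one NIC port" request look like at the pf level, as an added example that is not from this thread or from pfSense's own generated rules. It is plain pf ALTQ/HFSC syntax (what the pfSense shaper builds under the hood) and assumes em0 = WAN, em1 = LAN (Data) 192.168.1.0/24 and em2 = LAN (VoIP) 192.168.2.0/24, with 2Mb up / 8Mb down as the slowest rates the WAN link drops to.

    ```pf
    # Added example (not from the thread): reserve 512Kb for the VoIP LAN with
    # HFSC "realtime" instead of capping it with a limiter.
    # Assumed interfaces/subnets: em0 = WAN, em1 = Data 192.168.1.0/24,
    # em2 = VoIP 192.168.2.0/24. ALTQ needs a fixed rate per interface and the
    # realtime guarantee only holds while the declared rate is not above the
    # real link, so on a link whose speed varies, declare the lowest rate seen.
    wan      = "em0"
    data_if  = "em1"
    voip_if  = "em2"
    data_net = "192.168.1.0/24"
    voip_net = "192.168.2.0/24"

    # Upload: both LANs leave through WAN, so one scheduler on WAN can
    # guarantee VoIP its 512Kb against Data uploads.
    altq on $wan hfsc bandwidth 2Mb queue { qVoIPup, qDataUp, qDefUp }
    queue qVoIPup bandwidth 512Kb  hfsc(realtime 512Kb)
    queue qDataUp bandwidth 1300Kb hfsc(upperlimit 1800Kb)
    queue qDefUp  bandwidth 200Kb  hfsc(default)

    # Download: ALTQ schedules per egress interface. Phone downloads leave via
    # em2 and PC downloads via em1, so a realtime queue on em2 can never slow
    # the PCs down. The reservation is enforced instead by capping what the
    # Data interface may deliver to 8Mb - 512Kb = 7680Kb; the remainder of
    # the downstream link is left free for the VoIP interface.
    altq on $data_if hfsc bandwidth 7680Kb queue { qDataDown }
    queue qDataDown bandwidth 7680Kb hfsc(default)

    # Catch-all rules assigning traffic to the upload queues; place them after
    # any more specific rules, since "quick" stops evaluation on first match.
    # pf looks the queue name up on whichever interface a packet leaves and
    # falls back to that interface's default queue when the name is not
    # defined there, so the download side needs no extra rule.
    pass in quick on $voip_if from $voip_net to any queue qVoIPup
    pass in quick on $data_if from $data_net to any queue qDataUp
    ```

    With both LANs on a single interface instead, the download reservation can be a plain `hfsc(realtime 512Kb)` queue on that interface, since the phones and PCs then share one scheduler.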

