    Having trouble getting Traffic Shaping to work

    Traffic Shaping
    • L
      leecallen last edited by

      Hi. I am new to pfSense and dummynet.  I have spent the past two days trying to get a limiter working and I am at a point where I need to ask for help.

      I am trying to simulate a "bad" WAN, to diagnose problems with a socket application.

      I am running pfSense 2.0.1 in a vanilla router/firewall configuration.  Basic routing is working fine.  The LAN side is 192.168.2/24, the WAN side is 192.168.0/24.

      I created a pair of limiters like this:
          Name: WANin (and WANout, otherwise identical)
          Enabled
          Delay: 2ms
          Packet loss rate: .1 (just for testing)
          Queue size: I have tried blank and 10

      I then created a single Rule  for the WAN interface:
          Action: Pass
          Interface: WAN
          Protocol: any (I have also tried TCP/UDP)
          Source, Destination: defaults - "not", type any, no address
          In/Out: in=WANin, out=WANout

      The rule is enabled, and not floating.

      I have not created any queues or schedules (do I need to?).

      From a PC on the LAN side, I ping a system on the WAN side -
      all responses < 1ms
      my delay of 2ms and my 10% packet loss are not having any effect.

      Again from a PC on the LAN side, I scp a 1MB file to a system on the WAN side:
      ifconfig after the transfer shows no dropped packets

      Obviously I am doing something wrong.  Can anyone tell me what?

      Following is the output of "ipfw" commands.

      ipfw pipe show

      00001: unlimited        0 ms burst 0
      q131073  50 sl.plr 0.100000 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
      sched 65537 type FIFO flags 0x0 0 buckets 1 active
        0 ip          0.0.0.0/0            0.0.0.0/0        1      68  0    0  0
      00002: unlimited        0 ms burst 0
      q131074  50 sl.plr 0.100000 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
      sched 65538 type FIFO flags 0x0 0 buckets 0 active

      ipfw queue show

      (empty)

      ipfw sched show

      00001: unlimited        0 ms burst 0
      sched 1 type WF2Q+ flags 0x0 0 buckets 0 active
      00002: unlimited        0 ms burst 0
      sched 2 type WF2Q+ flags 0x0 0 buckets 0 active

      I have tried to force the ipfw rules to reflect what I want:

      ipfw pipe 1 config delay 20 plr 0.1
      ipfw pipe 2 config delay 20 plr 0.1
      ipfw pipe show:

      00001: unlimited        2 ms burst 0
      q131073  50 sl.plr 0.100000 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
      sched 65537 type FIFO flags 0x0 0 buckets 0 active
        0 ip          0.0.0.0/0            0.0.0.0/0        1      68  0    0  0
      00002: unlimited        2 ms burst 0
      q131074  50 sl.plr 0.100000 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
      sched 65538 type FIFO flags 0x0 0 buckets 0 active

      But the test results are the same: no delay, no dropped packets.

      I am thoroughly stuck, I would be very grateful for any help.

      • L
        leecallen last edited by

        I don't know whether my post was too long, or the problem was too difficult… or too easy.  But so far no responses.

        Guys, girls, I am VERY stuck and I could really use some help.

        I have tried a completely different approach but I am still equally stuck.  Here is what I did.

        I re-installed pfSense so this is a clean installation.  Then I created my firewall rules from the command line:

        kldload dummynet
        kldload ipfw
        ipfw add pipe 1 ip from any to any
        ipfw pipe 1 config bw 1k plr 0.10
        ipfw add pipe 2 icmp from any to any
        ipfw pipe 2 config bw 1k plr 0.10

        ipfw pipe show
        00001:  1.000 Kbit/s    0 ms burst 0
        q131073  50 sl.plr 0.100000 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
        sched 65537 type FIFO flags 0x0 0 buckets 0 active
        00002:  1.000 Kbit/s    0 ms burst 0
        q131074  50 sl.plr 0.100000 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
        sched 65538 type FIFO flags 0x0 0 buckets 0 active

        If I understand things correctly (and I have read the ipfw man page several times), all of the traffic through the pfSense router should be limited to 1K and it should drop 10% of the packets (probably on the way in AND on the way out).

        I pinged 100 times through the router, from LAN to WAN.  NO ERRORS.
        I scp'd an 800K file through the router, LAN to WAN.
        Then:

        ipfw show
        00100 0 0 pipe 1 ip from any to any
        00200 0 0 pipe 2 icmp from any to any
        65535 0 0 allow ip from any to any

        Don't those counters indicate the traffic is not hitting my rules?
        How can that be?
        What simple thing am I missing?

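The counter check described in the post above, as an added example that is not part of the original thread: `ipfw show` prints each rule as rule number, packet count, byte count and rule body, so a pipe rule whose packet count is zero has not matched any packet. The function names are hypothetical; the first sample is the output quoted in the post, the second is constructed for contrast.

```shell
#!/bin/sh
# Added example: list dummynet rules that no packet has matched.
# `ipfw show` line layout: <rule number> <packets> <bytes> <rule body>

# Reads `ipfw show` output on stdin; prints the rule number of each
# pipe/queue rule whose packet counter is zero, one per line.
zero_hit_pipe_rules() {
    awk '
        # Skip lines that do not start with three numeric fields.
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
        ($4 == "pipe" || $4 == "queue") && $2 == 0 { print $1 }
    '
}

# Reads `ipfw show` output on stdin; prints the total number of packets
# counted by all pipe/queue rules.
shaped_packets() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && ($4 == "pipe" || $4 == "queue") { n += $2 }
        END { print n + 0 }
    '
}

# Output quoted in the post above.
sample_from_post='00100 0 0 pipe 1 ip from any to any
00200 0 0 pipe 2 icmp from any to any
65535 0 0 allow ip from any to any'

# Constructed sample: counters as they would look once traffic reaches rule 100.
sample_constructed='00100 412 53104 pipe 1 ip from any to any
00200 0 0 pipe 2 icmp from any to any
65535 9 756 allow ip from any to any'

# Prints a one-line summary for a block of `ipfw show` output.
report() {
    unmatched=$(printf '%s\n' "$1" | zero_hit_pipe_rules | tr '\n' ' ')
    total=$(printf '%s\n' "$1" | shaped_packets)
    echo "shaped packets: $total; pipe rules never matched: ${unmatched:-none}"
}

report "$sample_from_post"
report "$sample_constructed"
# On a live system: ipfw show | zero_hit_pipe_rules
```

Run the check after generating test traffic; if every pipe rule still reports zero packets, the traffic is not passing through those ipfw rules, so the pipe settings (bandwidth, delay, plr) cannot affect it.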
        • S
          stephenminta last edited by

          Hi Lee

          I too have had similar issues with getting the traffic shaping to behave the way I would expect and have not been able to get anywhere using the available TIDs. Did you make any progress with this?

          Thanks

          Steve

          • D
            dreamslacker last edited by

            @leecallen:

            I then created a single Rule  for the WAN interface:
                Action: Pass
                Interface: WAN
                Protocol: any (I have also tried TCP/UDP)
                Source, Destination: defaults - "not", type any, no address
                In/Out: in=WANin, out=WANout

            "Not" "Any" means the rule does not match any traffic.  It will not direct traffic through the queues defined.

            What you need is a rule that catches everything, meaning you uncheck "Not".

            Secondly, check the direction of the rule.  It matches traffic based on whether it is leaving the WAN or entering the WAN port.
