4. Pfsense 2.1 HFSC shaping - Advice AND are LAN interface settings necessary?

Pfsense 2.1 HFSC shaping - Advice AND are LAN interface settings necessary?

  • M

    I've been effectively using HFSC traffic shaping on my home network (50 mbit down/5 mbit up) to prioritize voip, ack and DNS traffic over usenet, cloud backup, etc.  I've started w/ the default rules created by the wizard and tweak from there.  I was curious whether LAN settings are needed?  Also, any suggestions for tweaks would be much appreciated.

    My goal is to prioritize from top down:

    Ack
    DNS
    Voip
    Default
    SSH (is an FTP over SSH)
    Backup
    NNTP
    P2P

    For example, I have my rules as:

    WAN
    Bandwidth, 5 Mbit/s
    qAck
    Priority 6, Bw: 20%

    • Real: 20%
      qDefault
      Priority 4, Bw: 25%
    • Real: 35%
      qP2P
      Priority 1, Bw: 1%
    • Upper limit: 95%
      qBackup
      Priority 1, Bw: 7%
    • Upper limit: 80%
      qDNS
      Priority 5, Bw: 10%
    • Real: 5%
    • Link: 20%
      qNNTP
      Priority 2, Bw: 1%
      qSSH
      Priority 1, Bw: 5%
      qVoip
      Priority 7, Bw: 21%
      Real: 20%

    LAN
    Bandwidth, 1 Gbits/s
    qInternet
    bandwidth 50 Mbit/s

    • Upper limit: 50 Mb
    • Link share: 50 Mb
      qAck
      Priority 6, Bw: 5%
      qP2P
      Priority 1, Bw: 1%
    • Upper limit: 95%
      qDefault
      Priority 4, Bw: 70%
      qBackup
      Priority 1, Bw: 2%
      qDNS
      Priority 5, Bw: 5%
      qNNTP
      Priority 2, Bw: 2%
      Upper limit: 95%
      qSSH
      Priority 1, Bw: 5%
      qVoip
      Priority 7, Bw: 5%
    • Link share: 5%
    0
  • S

    are LAN interface settings necessary?
    Sure. Just make sure that you make the bandwidth of the LAN queue smaller than your actual downstream bandwidth, so that you are queueing the traffic and not your ISP. Now, when your downstream (=LAN out, =LAN queue) is saturated you can control which traffic gets priority/dropped.

    0
  • M

    @senser:

    are LAN interface settings necessary?
    Sure. Just make sure that you make the bandwidth of the LAN queue smaller than your actual downstream bandwidth, so that you are queueing the traffic and not your ISP. Now, when your downstream (=LAN out, =LAN queue) is saturated you can control which traffic gets priority/dropped.

    I followed the recommendation here to set qLink = 1 Gbps/s LAN speed - ISP downstream.
    http://forum.pfsense.org/index.php?topic=67347.0

    My LAN-qInternet bandwidth is currently set to 50 Mbit/s which is the max download limit of my ISP.
    My WAN is set to bandwidth of 5 Mbit/s which is the max upload limit of my ISP.

    0
  • S

    Tip to check if you are queuing and not your ISP:

    ssh into pfSense
    Launch pftop and go to the "Queue tab" (press 8)
    Set update interval to 1s (press s, 1, enter)
    Go to http://www.speedtest.net/ and launch a test
    Watch your downstream queues and make sure packets are being queued on your side (QLEN>0)

    If QLEN stays at zero the bandwidth of your downstream queue is too big and your ISP does the queuing, lower the bandwidth of your downstream queue.

    0
  • G

    Bear in mind that the "Priority" does not really play any role in HFSC. It is the defined service curves what will give you the shaping.

    As you were told before, it is really important that you cap the bandwidth at around 95% of the real bandwidth. Otherwise, shaping is pointless

    0
  • M

    @georgeman:

    As you were told before, it is really important that you cap the bandwidth at around 95% of the real bandwidth. Otherwise, shaping is pointless

    OK.  In that case, should I set both my ISP up/down speeds to 95% of their limits (from 50/5 to 47.5/4.75 Mbit)?  Or do I also need to do the same for my 1 Gbps LAN and qLink?  Thanks for your help.

    0
  • G

    Just the ISP queues is fine. The qLink queue will catch traffic between your local interfaces (as configured by the wizard), so I wouldn't even bother to put a cap on them

    0
  • M

    @senser:

    Tip to check if you are queuing and not your ISP:

    ssh into pfSense
    Launch pftop and go to the "Queue tab" (press 8)
    Set update interval to 1s (press s, 1, enter)
    Go to http://www.speedtest.net/ and launch a test
    Watch your downstream queues and make sure packets are being queued on your side (QLEN>0)

    If QLEN stays at zero the bandwidth of your downstream queue is too big and your ISP does the queuing, lower the bandwidth of your downstream queue.

    Could I most politely ask if what you mean is actually the qACK below root_pppoe0 that needs to have a QLEN > 0? Because that is the only one that has a value higher than 0 (12, 14, 9, in that range); all the others (qDefault, qOthersHigh, qOthersLow) will stay at zero, even if I reduce the bandwitch of WAN to as little as 10Mb/sec.

    Thank you  ;D

    0
  • S

    Could I most politely ask if what you mean is actually the qACK below root_pppoe0 that needs to have a QLEN > 0?

    Yes, I can hear you. The answer is no.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy