Problem with queueing web server traffic
-
Hello. I'm hoping someone might be able to lend a hand regarding my traffic shaping set up.
The pfsense box has 3 interfaces - LAN, WAN and DMZ. Attached to the DMZ port is a web server, which the HTTP service is port-forwarded to. The rest is a fairly standard set up, with NAT in place between the LAN/DMZ and WAN ports.
I have used the 2 LAN, single WAN traffic shaping wizard to do the initial set up for QoS. This part seems to work OK - the floating rules in place catch the traffic correctly and I can see the queues in action using either pftop or Status > Queues.
The next part I wanted to add was a rule to give outgoing HTTP traffic from the web server it's own queue. I have created a new queue on the WAN interface (as it's outgoing traffic) and assigned bandwidths as appropriate. The queue I created is called qWWW. The queues on the WAN interface and their respective linkshare bandwidth's are shown below:
WAN 980 Kbit
qACK 100 Kbit
qDefault 50 Kbit
qWWW 500 Kbit
qP2P 10 Kbit
qGames 70 Kbit
qOthersHigh 200 Kbit
qOthersLow 50 KbitI then created a new floating rule to assign the outgoing traffic to the queue. The rule has the following properties:
Action: Match
Interface: WAN
Direction: Out
TCP/IP Version: IPv4
Protocol: TCP
Source: any
Source port range: http:http
Destination: any
Destination port range: any:any
Description: HTTP out qWWW
Ack/Queue: qACK/qWWWAfter applying all this, it doesn't direct outgoing HTTP into the new queue. I've tried flushing the state table, and even rebooting the firewall, however no traffic enters qWWW.
From what I've read, it would appear I've carried out all the required steps for this to happen, so I imagine there is some problem with my floating rule? My reason for choosing WAN as the interface is because that is the interface the traffic will be outbound from, and since traffic shaping takes place in outbound direction only, this seemed logical. The way I have identified outgoing HTTP is by matching the source port as port 80 (HTTP). Would there be some reason this wouldn't work?
Any help or advice is greatly appreciated, thanks for your time.
-
I'm new to shaping, but spotted the following.
1. Make sure you got the same queues on all interfaces, this makes sure traffic always finds the right queue
2. You can shape outgoing Traffic only, so you want to look at the DMS Firewall rule + Queue -
FWIW, It looks like you're doing things correctly to me. I'm also having a hard time getting things to go into the right queues (see my other post about it in this forum) though I'm trying to shape in the other direction (traffic entering from the WAN and exiting through the LAN).
-
The queues aren't my issue (I GUESS!) its about the queues are ignoring the shaping (kinda). At least that's how it feels to me.
I give it a whirl on the weekend and report back :)