Problem: when I activate the limiter on LAN, I have high latency to the gateway!!



  • Let me explain myself:
    WAN with 4 Mb synchronous HDSL. LAN with gateway IP 192.168.11.1.
    From the client I ping my gateway (of course, the pfSense LAN with IP 192.168.11.1) with ping 192.168.11.1 -t, and this is the result:

    Reply from 192.168.11.1 bytes=32 time<1ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time<1ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time<1ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time<1ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time<1ms  TTL=64
    

    But when I apply a simple bandwidth limit (800 kbit for example) and launch a ping to my gateway from my client with ping 192.168.11.1 -t, this is the result:

    Reply from 192.168.11.1 bytes=32 time=160ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time=203ms TTL=64
    Reply from 192.168.11.1 bytes=32 time=100ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time=43ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time=153ms  TTL=64
    Reply from 192.168.11.1 bytes=32 time=182ms  TTL=64
    

    This is making me crazy!! I haven't found a solution.


  • Rebel Alliance Developer Netgate

    It's being limited, just like you told it to do.

    If you don't want the pings to be limited, pass them in a rule that does not use the limiter.



  • Sorry jimp, but I think that this is not correct.
    If I ping my gateway, I'm in the same network, right? So why is the ping time increased?
    Maybe I have found a little logical solution, but I'm trying it.
    My situation:
    one pfSense with WAN and LAN in front of everything, and behind it other pfSenses with many LANs.
    I'll try to schematize this for you:

    wan - pfsense ahead - lan --+-- nat 1:1 public ip01 -- wan - pfsense guest01 - lan1
                                +-- nat 1:1 public ip02 -- wan - pfsense guest02 - lan2
                                +-- nat 1:1 public ip03 -- wan - pfsense guest03 - lan3 --+-- vlan1
                                                                                          +-- vlan2
                                                                                          +-- vlan3

    I have applied the limiter on the LAN of pfSense ahead with this syntax:

    ID  Proto   Source                 Port  Destination  Port  Gateway  Queue  Schedule  Description
        IPv4 *  ip wan pfsense behind  *     *            *     *        none

    The limiter is applied in this rule.

    How about it?


  • Rebel Alliance Developer Netgate

    Any traffic that matches the limiter is limited, same network or not.

    If pfSense is 11.1 and the LAN rule is set to limit traffic from LAN net to any, then it's using that rule to pass.

    You need rules like this:

    pass from LAN net to local networks – no limiters
    pass all from LAN net to any -- with limiters



  • Thanks jimp, I will try it!

    One question: why, if I select (in the traffic shaper) "destination" for "in" traffic and "source" for "out" traffic, do I not have the same problem?

    So, the correct rule is like this:

    pass from LAN net to local networks (192.168.11.0/24) – no limiters
    pass all from LAN net to any -- with limiters

    In my case, for the second rule, I use an IP source, because behind my pfSense LAN I have another router (the customer's router), so I apply the NAT 1:1 to it.
    I'll try to schematize this case:
    wan - pfsense ahead - lan 192.168.11.1 -- nat 1:1 public ip01 on 192.168.11.2 -- wan (192.168.11.2) - router guest01 - lan1

    Regards



  • Little update: I have rebooted my pfSense and now all is OK.

    OK ping, OK limiter.
    But I have another problem; I hope that it is a little problem.

    In my case I have:

    wan - pfsense guest03 - lan1
                          - lan2
                          - lan3

    If I try to ping from lan1 to lan2, it works. But this is not right, because each LAN is for one customer.

    I tried these steps:

    1. I created an alias with Type: network(s) and 192.168.0.0 CIDR 16; this way I have all local LANs in one alias.
    2. I created 3 rules for each LAN, like this:
       a) pass from LAN net to LAN net – no limiters
       b) block from alias to alias -- no limiters
       c) pass from LAN net to any --- with limiters

    Now I have a good ping, I have my limiters, and I cannot ping other LANs from my LAN.

    But I want to ask: can I do this with Interface Groups?
    I think that this is simpler and faster. One rule for all interfaces!

    Thanks for your reply
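Added example, not from this thread or from pfSense: a small first-match evaluator that models how pfSense walks LAN rules top to bottom (rules are quick by default), used to check jimp's two-rule order and the three-rule per-LAN set from the last post. The limiter name and the lan1/lan2 subnets (192.168.1.0/24, 192.168.2.0/24) are assumed; 192.168.11.0/24 and the 192.168.0.0/16 alias come from the thread.

```python
# Added example: first-match evaluation of pfSense-style LAN rules.
# Models rule order only; pf state tracking and NAT are out of scope.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # CIDR, or "any"
    dst: str                         # CIDR, or "any"
    limiter: Optional[str] = None    # limiter (dummynet pipe) name, or None

def evaluate(rules, src_ip, dst_ip):
    """Return (action, limiter) of the first matching rule; default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        src_ok = r.src == "any" or s in ip_network(r.src)
        dst_ok = r.dst == "any" or d in ip_network(r.dst)
        if src_ok and dst_ok:
            return r.action, r.limiter
    return "block", None             # pfSense implicit default deny

LAN = "192.168.11.0/24"              # LAN of "pfsense ahead", gateway 192.168.11.1
LOCAL_NETS = "192.168.0.0/16"        # the network(s) alias from the thread

# The original single rule: a ping to the gateway also matches it and is limited.
single_rule = [Rule("pass", LAN, "any", limiter="800kbit")]

# jimp's order: local traffic first without limiter, everything else limited.
fixed_rules = [
    Rule("pass", LAN, LAN),                        # LAN net -> local networks
    Rule("pass", LAN, "any", limiter="800kbit"),   # LAN net -> any, with limiter
]

# Per-customer LAN behind "pfsense guest03" (subnets assumed for the example).
LAN1 = "192.168.1.0/24"
lan1_rules = [
    Rule("pass", LAN1, LAN1),                      # a) LAN net -> LAN net
    Rule("block", LOCAL_NETS, LOCAL_NETS),         # b) alias -> alias
    Rule("pass", LAN1, "any", limiter="800kbit"),  # c) LAN net -> any, limited
]

if __name__ == "__main__":
    print("single, ping gateway :", evaluate(single_rule, "192.168.11.50", "192.168.11.1"))
    print("fixed,  ping gateway :", evaluate(fixed_rules, "192.168.11.50", "192.168.11.1"))
    print("lan1 -> lan2         :", evaluate(lan1_rules, "192.168.1.20", "192.168.2.20"))
```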