Shaper doesn't work on 1.2final



  • Please guys, I need some help here:

    In a fresh 1.2 install, with the WAN and LAN configured correctly, I used the traffic shaper wizard to define shaper rules; I enabled the qPenalty queue with one IP address, but this is not working; even flushing the states table doesn't make a difference: that IP (workstation) keeps using more bandwidth than is defined for the Penalty queue.

    Shaper was set with my 1536Kb up/down link; a simple configuration that has worked on older pfsense versions, but now with this fresh 1.2 it doesn't work.

    Does anyone have any idea? Is there any known bug related to the shaper on 1.2final?

    thanks a lot



  • Any logs?
    Did you upgrade and restore some configuration files?



  • I have not seen the log files; I'll see them later.

    No, I have not restored any file, configured everything manually.

    Thanks



  • I was looking at the logs and saw this entry, related to the day when I first configured Shaper and qPenalty; since then, even if I re-run the shaper wizard, qPenalty doesn't shape traffic to its related IP. Does someone know what that means?

    In this case, what should I do? Reinstall pfsense? Why does this happen?

    Mar 14 10:16:54 nat php: : There were error(s) loading the rules: /tmp/rules.debug:16: queue qPenaltyUp has no parent /tmp/rules.debug:16: errors in queue definition /tmp/rules.debug:17: queue qPenaltyDown has no parent /tmp/rules.debug:17:
    errors in queue definition pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [16]: queue qPenaltyUp bandwidth 1% priority 2hfsc (  red ecn upperlimit 10Kb )

    This is today's message, when I re-ran the shaper wizard (qPenalty still doesn't shape traffic bandwidth):
    Mar 17 08:23:15 nat check_reload_status: reloading filter
    Mar 17 08:29:23 nat last message repeated 3 times
    Mar 17 08:33:26 nat php: /wizard.php: Create RRD database /var/db/rrd/wan-queues.rrd
    Mar 17 08:33:26 nat php: /wizard.php: Creating rrd update script
    Mar 17 08:33:29 nat check_reload_status: reloading filter
    Mar 17 08:41:56 nat check_reload_status: reloading filter
    Mar 17 08:42:07 nat check_reload_status: reloading filter

    thanks
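
Added example (not part of the thread and not pfSense code): a small check for the condition behind the "has no parent" error in the log above. pfctl reports it when a `queue` is defined but never listed in the `{ ... }` child list of an `altq` or parent `queue` line. The sample ruleset is constructed; the interface `em0` and the layout are assumptions, only the queue names come from the thread.

```python
import re

# Constructed sample in pf ALTQ syntax (not the poster's /tmp/rules.debug).
# qPenaltyUp is defined on line 5 but appears in no parent's { ... } list.
SAMPLE_RULES = """\
altq on em0 hfsc bandwidth 1536Kb queue { qwanRoot }
queue qwanRoot bandwidth 1536Kb priority 0 hfsc { qwandef, qwanacks }
queue qwandef bandwidth 1% priority 1 hfsc ( default )
queue qwanacks bandwidth 25% priority 7 hfsc
queue qPenaltyUp bandwidth 1% priority 2 hfsc ( red ecn upperlimit 10Kb )
"""

CHILD_LIST = re.compile(r"\{([^}]*)\}")


def find_orphan_queues(rules_text):
    """Return [(line_no, name)] for queues that no altq/queue line lists as a child."""
    defined = []      # (line number, name) of every `queue <name> ...` definition
    children = set()  # every name found inside a { ... } list on altq/queue lines
    for line_no, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        words = line.split()
        # Filter rules (pass/block ... queue X) assign traffic; they define nothing.
        if not words or words[0] not in ("altq", "queue"):
            continue
        if words[0] == "queue" and len(words) > 1:
            defined.append((line_no, words[1]))
        for group in CHILD_LIST.findall(line):
            children.update(n for n in re.split(r"[,\s]+", group) if n)
    return [(n, name) for n, name in defined if name not in children]


if __name__ == "__main__":
    for line_no, name in find_orphan_queues(SAMPLE_RULES):
        print(f"line {line_no}: queue {name} has no parent")
```

When pfctl rejects the file this way, none of the rules are loaded ("pf rules not loaded" in the log), so the check is worth running on the generated file before looking at rule order.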



  • Remove the shaper config and rerun the wizard.



  • OK, let's go: the desktop whose IP is in the penalty rule queue is turned off, so no states;

    I turned off the traffic shaper and saved; then I re-ran the wizard, placing that desktop IP again in the penalty rule queue;

    Finished the shaper wizard; turned on the desktop; began to download a knoppix.iso from the internet, and the download speed is almost my full WAN (1536kbits/s) when it should be the one configured in the penalty queue (10kb).

    Still the same :(

    Mar 18 09:36:11 nat check_reload_status: reloading filter
    Mar 18 09:38:17 nat check_reload_status: reloading filter
    Mar 18 09:38:17 nat php: /wizard.php: Create RRD database /var/db/rrd/wan-queues.rrd
    Mar 18 09:38:17 nat php: /wizard.php: Creating rrd update script

    Another question: do you know when (which month) we can have pfsense 1.3 final or any RC?



  • Maybe this is a rule ordering issue? Have you set http to high, and is it above the penalty rules?

    It's far too early to say anything about 1.3 final or release candidates atm.



  • First, thank you Hoba for your attention.

    This is my pfsense queue list and order; this is the default one, I have not changed it after the wizard ended.

    Flags    Priority  Default  Bandwidth  Name
             0         No       1536 Kb    qwanRoot
             0         No       1536 Kb    qlanRoot
             1         Yes      1 %        qwandef
             1         Yes      1 %        qlandef
    ACK      7         No       25 %       qwanacks
    ACK      7         No       25 %       qlanacks
             7         No       25 %       qVOIPUp
             7         No       25 %       qVOIPDown
    RED ECN  2         No       1 %        qPenaltyUp
    RED ECN  2         No       1 %        qPenaltyDown
    RED ECN  1         No       1 %        qP2PUp
    RED ECN  1         No       1 %        qP2PDown
    RED ECN  4         No       25 %       qOthersUpH
    RED ECN  4         No       25 %       qOthersDownH
    RED ECN  2         No       1 %        qOthersUpL
    RED ECN  2         No       1 %        qOthersDownL

    Again, thanks for your time!



  • Hi Sirs,

    I had the same problem, but first, my configuration was "transparent firewall", and traffic shaping doesn't work :'(; second, I think the order of the rules is important (like firewall rules), because if you download from the internet using the http protocol and your http rule is on top, "first match wins".
    Try to move up the penalty rules.

    I hope this helps you.



  • hey dav1d, thanks a lot for your help; I will test the rule order; but one more question: what do you mean by 'transparent firewall'? I use transparent proxy, but in older pfsense versions it always worked, shaper with transparent proxy… can you help with this? thanks one more time!



  • I am not sure, but a transparent firewall is a packet filter, and normally you put it between your GW and LAN. In your case, the transparent proxy intercepts a particular service like HTTP and redirects it to squid for simple content filtering, cache, etc.

    My configuration was this: http://pfsense.trendchiller.com/transparent_firewall.pdf.



  • hey dav1d, thanks again for your time and help!

    I think the setup described in that document is for a bridge setup. The strangest thing about the queue order is that they are in the default position; I have not changed them after running the traffic shaper wizard… In other situations, with other pfsense versions, it worked; before installing 1.2 final I used 1.2rc3, or 4, I don't remember, but the last versions; and it was all working; I had created other queues, and they were all working nicely; this is the reason I simply don't understand why this shaper is not working now; I have set up pfsense manually, did not restore any backup file, and the shaper is running from the default wizard setup; the only thing I've done is choose the IP for penalty and the bandwidth for penalty (10k) and for the entire shaper (1536kbits/s up and down), the same values that I have used at other times and that have worked.

    Have you tried 1.3 already?

    thanks a lot for your help!



  • hey folks, I think I've found the problem:

    When I turn off transparent proxy in squid, the shaper seems to work fine; but when transparent proxy is enabled, the shaper doesn't work; the strange thing is that I always used squid, as transparent proxy, and shaper, in previous pfsense versions, and I know it worked…

    Well, what can be done to use these two must-have features??

    thanks



  • Contribute to the traffic shaping bounty and ask Ermal if he can fix.



  • can you tell me whether this was always this way or this is a 1.2 family issue? I just want to confirm that I have used shaper plus squid in pfsense before.

    thanks



  • I think it has always been that way. When enabling squid in transparent mode, it creates invisible redirects to the squid daemon that match before other rules do. Also, it has been a known limitation for quite some time that traffic from services (like squid) running directly on the pfSense can't be shaped properly due to the way the traffic shaper works in releases up to 1.2.



  • well, this is really strange, because I always used squid and I'm sure that 6 to 8 months ago I used the shaper successfully to shape the bandwidth of computer laboratories and penalize some IPs… and it always worked, and I'm sure I always used squid with some blacklists/whitelists, always in transparent mode because I never needed to configure anything on desktops...

    But so this is ok, I must vote for what is the most important to me: shaper or access control lists (squidguard).

    Please, can you tell me if this is planned to work (together) on upcoming 1.3?

    thanks a lot for all your patience and always congrats for your really nice work!



  • This has always been an issue. If you want to guarantee it will be in 1.3 then contribute to the bounty. Otherwise no promises.



  • ok sullrich, thanks a lot! As I'm in Brazil, I don't know how I can contribute, but I'll check this, ok! I have always used pfsense since 0.9x and intend to keep using it!!!

    Thanks a lot!

