Can't Limit WAN - Googled, searched, tried everything



  • Hi guys,

    This could be another newb thread, but as with all IT problems it could be that "ONE" catch that gives you gray hair.
    I did my homework before posting:

    https://doc.pfsense.org/index.php/Traffic_Shaping_Guide

    Googled …

    Youtubed...

    Read stickies here ...

    In general I know I need to limit my WAN in order for PFSense to catch traffic before my DSL modem (10/4 Mbit BTW).
    I went Traffic shaper -> Wizard -> lan/multiwan -> .... selected 9.5 Mbit DOWN / 0.3 UP  finished wizard with default values.

    Tried 6 Mbit down, 2 Mbit down, no luck... speed test is always full 10 Mbit (speedtest).
    Tried CBQ, PRIQ, nothing.

    Only thing that does some result is "p2pCatchAll: When enabled, all uncategorized traffic is fed to the p2p queue." under Peer to Peer Networking.
    With this enabled my WAN comes to a crawl, I'm guessing it's because the "qOthers High or Low queue" is set to 10,5 % and it categorizes HTTP traffic as such.

    In my head I remember this worked on prior versions when I fiddled with it, have 2.2.1 now.

    Any suggestions from you PRO's? :)

    Tnx



  • I'm not a pro here but have you tried the limiter?



  • Are you aware that you need to use firewall rules to assign traffic to a particular queue?

    That was something that initially confused me…  :-\



  • @Nullity:

    Are you aware that you need to use firewall rules to assign traffic to a particular queue?

    That was something that initially confused me…  :-\

    Forgive me for hijacking this thread but I'm also in search of some answers. I've tried the limiter and it's working for me (I assigned a firewall rule). I've also tried to use the wizard to do traffic shaping using PRIQ, main aim to prioritize some services, however this doesn't seem to work for me. Is there anything else I need to do after completing the wizard? Do I need to assign any firewall rules for PRIQ to function?



  • @cmutwiwa:

    @Nullity:

    Are you aware that you need to use firewall rules to assign traffic to a particular queue?

    That was something that initially confused me…  :-\

    Forgive me for hijacking this thread but I'm also in search of some answers. I've tried the limiter and it's working for me (I assigned a firewall rule). I've also tried to use the wizard to do traffic shaping using PRIQ, main aim to prioritize some services, however this doesn't seem to work for me. Is there anything else I need to do after completing the wizard? Do I need to assign any firewall rules for PRIQ to function?

    The queue set as the "default" is supposed to take all unassigned traffic, but aside from that, all traffic that you want shaped/limited needs to be manually assigned by a firewall rule into a particular queue or limiter/pipe.

    Personally, I prefer to assign all traffic manually, just to make things more clear.

    I have also had bad luck with floating rules (sometimes they just will not work), so I assign all traffic on the actual interface, whenever possible.

    Did I answer your question?


  • LAYER 8 Netgate

    I have also had bad luck with floating rules (sometimes they just will not work), so I assign all traffic on the actual interface, whenever possible.

    They work fine.  There are just certain cases where the rule does not have the information necessary to match traffic that looks like it should be matched.  This is usually because NAT has already happened.  For instance, you cannot use a floating rule on WAN out to match based on the source IP address if you're natting because at that point in the traffic flow the inside local address has already been mapped to the inside global address.

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order


  • LAYER 8 Netgate

    @dcrnac:

    Tried 6 Mbit down, 2 Mbit down, no luck… speed test is always full 10 Mbit (speedtest).
    Tried CBQ, PRIQ, nothing.

    PRIQ has no concept of bandwidth.

    You might want to decide exactly what you want to do then implement it instead of just trying settings at random.

    Exactly what traffic do you want to shape?

    Exactly how do you want to shape it?

    Exactly how can that traffic be matched with firewall rules?



  • @Derelict:

    I have also had bad luck with floating rules (sometimes they just will not work), so I assign all traffic on the actual interface, whenever possible.

    They work fine.  There are just certain cases where the rule does not have the information necessary to match traffic that looks like it should be matched.  This is usually because NAT has already happened.  For instance, you cannot use a floating rule on WAN out to match based on the source IP address if you're natting because at that point in the traffic flow the inside local address has already been mapped to the inside global address.

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    Yeah, I assume it was just my ignorance or some neglected setting causing my "bad luck", even though I was aware of floating rules' peculiarities, like reverse processing order, NAT source IP switcheroo, and non-functioning "quick" on match.

    No problems with interface rules though. :)



  • @Nullity:

    @cmutwiwa:

    @Nullity:

    Are you aware that you need to use firewall rules to assign traffic to a particular queue?

    That was something that initially confused me…  :-\

    Forgive me for hijacking this thread but I'm also in search of some answers. I've tried the limiter and it's working for me (I assigned a firewall rule). I've also tried to use the wizard to do traffic shaping using PRIQ, main aim to prioritize some services, however this doesn't seem to work for me. Is there anything else I need to do after completing the wizard? Do I need to assign any firewall rules for PRIQ to function?

    The queue set as the "default" is supposed to take all unassigned traffic, but aside from that, all traffic that you want shaped/limited needs to be manually assigned by a firewall rule into a particular queue or limiter/pipe.

    Personally, I prefer to assign all traffic manually, just to make things more clear.

    I have also had bad luck with floating rules (sometimes they just will not work), so I assign all traffic on the actual interface, whenever possible.

    Did I answer your question?

    This has answered a lot, I was leaving things halfway, I just assumed that the wizard will do everything for me, I've also read in another post that the wizard will sometimes not assign the bandwidth you gave it and so it might need to be assigned manually…will check on all these.



  • @Derelict:

    @dcrnac:

    Tried 6 Mbit down, 2 Mbit down, no luck… speed test is always full 10 Mbit (speedtest).
    Tried CBQ, PRIQ, nothing.

    PRIQ has no concept of bandwidth.

    You might want to decide exactly what you want to do then implement it instead of just trying settings at random.

    Exactly what traffic do you want to shape?

    Exactly how do you want to shape it?

    Exactly how can that traffic be matched with firewall rules?

    Tnx for the info on PRIQ, didn't know that.

    1. I tried random stuff in hope of getting some change or response (the desperate method :) )
    As I wanted to shape P2P and Game traffic, first I need to limit my WAN to cca 95% for shaping to occur before my ISP, is this correct?

    2. I want to shape it by prioritizing for example Game traffic before P2P or HTTP

    3. Customizing Floating rules

    @cmutwiwa:

    @Nullity:

    @cmutwiwa:

    @Nullity:

    Are you aware that you need to use firewall rules to assign traffic to a particular queue?

    That was something that initially confused me…  :-\

    Forgive me for hijacking this thread but I'm also in search of some answers. I've tried the limiter and it's working for me (I assigned a firewall rule). I've also tried to use the wizard to do traffic shaping using PRIQ, main aim to prioritize some services, however this doesn't seem to work for me. Is there anything else I need to do after completing the wizard? Do I need to assign any firewall rules for PRIQ to function?

    The queue set as the "default" is supposed to take all unassigned traffic, but aside from that, all traffic that you want shaped/limited needs to be manually assigned by a firewall rule into a particular queue or limiter/pipe.

    Personally, I prefer to assign all traffic manually, just to make things more clear.

    I have also had bad luck with floating rules (sometimes they just will not work), so I assign all traffic on the actual interface, whenever possible.

    Did I answer your question?

    This has answered a lot, I was leaving things halfway, I just assumed that the wizard will do everything for me, I've also read in another post that the wizard will sometimes not assign the bandwidth you gave it and so it might need to be assigned manually…will check on all these.

    Just to be clear, this means when I create queues the better way is to assign them through my LAN firewall rules instead of Floating?



  • @dcrnac:

    Just to be clear, this means when I create queues the better way is to assign them through my LAN firewall rules instead of Floating?

    Kinda. If you do it manually (no wizard) my advice is to stay away from floating rules, at least during your newbie stage. As Derelict points out, they work fine, but they are quite a bit more complicated. So, if you do not need the extra capabilities of floating rules, I say avoid them.

    Honestly, I never really got much out of the traffic-shaping wizard. Just do it manually.

    Create 2 queues, one for generic traffic (check-mark the "Default Queue" box), the other for gaming traffic. On the LAN interface, assign your gaming traffic to the proper queue then, below your gaming rule, assign all other traffic into your generic queue. Interface rules are "first matched rule applies", so order rules from precise to broad. Floating rules are "last matched rule applies" (unless the rule has "Quick" checked), so order them from broad to precise.

    You may be able to forego assigning the non-gaming traffic to the generic queue, because it should have all unassigned traffic assigned to itself automatically since it is the "Default Queue".

    Choose whichever queueing algorithm you want. PRIQ may work well if you are not constantly saturating your upload.
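The rule-ordering point in the post above (interface rules: first match wins, so precise before broad; floating rules: last match wins unless "Quick" is set, so broad before precise) is easy to get backwards. The following is an added illustration, not code from the thread or from pfSense: a small model of both evaluation orders run over a constructed UDP "gaming" packet. The queue names (qGames, qDefault) and the port 3074 are made up for the example.

```python
"""Added example (not from the pfSense thread): how rule order decides the
queue under interface-tab and floating-tab semantics.

Interface rules: first matching rule wins -> order precise -> broad.
Floating rules: last matching rule wins unless a matching rule has "quick"
set -> order broad -> precise. All names and ports below are constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    queue: str                      # queue assigned to matching traffic
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port
    quick: bool = False             # floating rules only: stop on match

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def interface_queue(rules, pkt):
    """Interface tab: the first matching rule decides the queue."""
    for r in rules:
        if r.matches(pkt):
            return r.queue
    return None


def floating_queue(rules, pkt):
    """Floating tab: a matching 'quick' rule wins immediately;
    otherwise the last matching rule decides."""
    chosen = None
    for r in rules:
        if r.matches(pkt):
            chosen = r.queue
            if r.quick:
                break
    return chosen


GAME = Rule("qGames", proto="udp", dst_port=3074)   # constructed game port
GAME_QUICK = Rule("qGames", "udp", 3074, quick=True)
CATCH_ALL = Rule("qDefault")                         # matches everything

GAME_PKT = Packet("udp", 3074)
WEB_PKT = Packet("tcp", 443)


def demo():
    """Same two rules, different tabs and orders, different outcomes."""
    return {
        # interface tab, precise -> broad: gaming is caught
        "iface_good": interface_queue([GAME, CATCH_ALL], GAME_PKT),
        # interface tab, broad -> precise: catch-all shadows the game rule
        "iface_bad": interface_queue([CATCH_ALL, GAME], GAME_PKT),
        # floating, broad -> precise: last match wins, gaming is caught
        "float_good": floating_queue([CATCH_ALL, GAME], GAME_PKT),
        # floating, precise -> broad, no quick: catch-all overrides
        "float_bad": floating_queue([GAME, CATCH_ALL], GAME_PKT),
        # floating, precise -> broad, quick on the game rule: stops there
        "float_quick": floating_queue([GAME_QUICK, CATCH_ALL], GAME_PKT),
        # non-gaming traffic falls through to the default queue either way
        "web": interface_queue([GAME, CATCH_ALL], WEB_PKT),
    }


if __name__ == "__main__":
    for name, queue in demo().items():
        print(f"{name:12s} -> {queue}")
```

The "iface_bad" and "float_bad" cases are the two ways the gaming rule silently never applies while everything still "works" and lands in the default queue, which is what the shaper status page would show as no traffic in qGames.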



  • @Nullity:

    @dcrnac:

    Just to be clear, this means when I create queues the better way is to assign them through my LAN firewall rules instead of Floating?

    Kinda. If you do it manually (no wizard) my advice is to stay away from floating rules, at least during your newbie stage. As Derelict points out, they work fine, but they are quite a bit more complicated. So, if you do not need the extra capabilities of floating rules, I say avoid them.

    Honestly, I never really got much out of the traffic-shaping wizard. Just do it manually.

    That's very useful info Nullity, I've always believed that the wizard is the best way to go for newbies like me, in my case I just want to give high priority to http(s) & DNS, ACK traffic then lower priority for p2p traffic (I know p2p can be a hard nut to crack so I'm not expecting much & will appreciate the little the shaper will be able to do for me). I will try your approach then post results. Thanks.



  • So I did the shaper, gave qP2P least priority (1), HTTP(s) highest priority followed by DNS, watched the queues and everything seemed to work; I could see drops on the qP2P queue, meaning that the shaper is actually working. However, I'm still getting hammered by P2P traffic; even the share bandwidth method using limiter as explained by foxale08 on a different post doesn't seem to work, the computer with bittorrent on is getting all the bandwidth! I tried using L7 but then got the same results, L7 even kills squid proxy?



  • @cmutwiwa:

    So I did the shaper, gave qP2P least priority (1), HTTP(s) highest priority followed by DNS, watched the queues and everything seemed to work; I could see drops on the qP2P queue, meaning that the shaper is actually working. However, I'm still getting hammered by P2P traffic; even the share bandwidth method using limiter as explained by foxale08 on a different post doesn't seem to work, the computer with bittorrent on is getting all the bandwidth! I tried using L7 but then got the same results, L7 even kills squid proxy?

    Are you referring to uploads or downloads?

    Upload traffic is the only traffic you have full control over.

    Controlling downloads can be tricky, especially p2p. I have attempted a few methods but none of them worked as well as I wanted, so I have suspended any more attempts until I have a better understanding.

    FYI, layer-7 firewalling is useless if the application uses encryption.

    My favorite QoS tutorial is http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/



  • That would be downloads…so I guess my shaper is working, will have to forget about shaping P2P traffic for now.
    I just wish pfSense had the "Share Bandwidth Evenly on LAN" check box like m0n0wall, I find it useful in taking care of P2P traffic.



  • @Nullity:

    My favorite QoS tutorial is http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

    BTW thanks for the tutorial link, something tho'…it says that prioritizing ACK & Small Pct traffic actually also kind of prioritizes P2P traffic? Does this only affect Tomato or is it general? Do you think it's true?

    Here is a quote from the tutorial:

    I used to set all small packets to get priority. That included ACKs - many people would recommend that this box is unchecked. If you do that, my thought was that you will delay traffic unnecessarily. However, there is a problem here which is not mentioned anywhere in Tomato FAQs or Wikis. The "small packets" in the check boxes use the "Highest" class to prioritize them. So, if you check the ACK box, any ACK packets for e.g. P2P will move out of the P2P class into the "Highest" class. The data stream however will still be identified and correctly classed as P2P, and will still respond to limits. The problem may not be noticed if you have set up QOS for best latency by limiting outgoing P2P severely. But for most people, checking the box will slow down their QOS rules by giving an unfair advantage to P2P by effectively giving P2P downloads a high priority. This is because most outgoing traffic for P2P is actually ACKs.

    The moral of this is - if you run P2P on your network, and wish to limit it, uncheck the ACK box. If you want the best P2P speeds, check it.



  • @cmutwiwa:

    @Nullity:

    My favorite QoS tutorial is http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

    BTW thanks for the tutorial link, something tho'…it says that prioritizing ACK & Small Pct traffic actually also kind of prioritizes P2P traffic? Does this only affect Tomato or is it general? Do you think it's true?

    Here is a quote from the tutorial:

    I used to set all small packets to get priority. That included ACKs - many people would recommend that this box is unchecked. If you do that, my thought was that you will delay traffic unnecessarily. However, there is a problem here which is not mentioned anywhere in Tomato FAQs or Wikis. The "small packets" in the check boxes use the "Highest" class to prioritize them. So, if you check the ACK box, any ACK packets for e.g. P2P will move out of the P2P class into the "Highest" class. The data stream however will still be identified and correctly classed as P2P, and will still respond to limits. The problem may not be noticed if you have set up QOS for best latency by limiting outgoing P2P severely. But for most people, checking the box will slow down their QOS rules by giving an unfair advantage to P2P by effectively giving P2P downloads a high priority. This is because most outgoing traffic for P2P is actually ACKs.

    The moral of this is - if you run P2P on your network, and wish to limit it, uncheck the ACK box. If you want the best P2P speeds, check it.

    He is right.

    If you prioritize all ACK packets, then P2P ACK packets will be included. I believe Tomato has a generic "prioritize all small/ACK packets" check-box.

    Instead of prioritizing all ACK packets, you could prioritize only non-P2P ACKs. You can even rate-limit the P2P-ACKs (egress) to keep the download speed somewhat controlled, but this method lacks precise predictability.



  • @Nullity:

    @cmutwiwa:

    @Nullity:

    My favorite QoS tutorial is http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

    BTW thanks for the tutorial link, something tho'…it says that prioritizing ACK & Small Pct traffic actually also kind of prioritizes P2P traffic? Does this only affect Tomato or is it general? Do you think it's true?

    Here is a quote from the tutorial:

    I used to set all small packets to get priority. That included ACKs - many people would recommend that this box is unchecked. If you do that, my thought was that you will delay traffic unnecessarily. However, there is a problem here which is not mentioned anywhere in Tomato FAQs or Wikis. The "small packets" in the check boxes use the "Highest" class to prioritize them. So, if you check the ACK box, any ACK packets for e.g. P2P will move out of the P2P class into the "Highest" class. The data stream however will still be identified and correctly classed as P2P, and will still respond to limits. The problem may not be noticed if you have set up QOS for best latency by limiting outgoing P2P severely. But for most people, checking the box will slow down their QOS rules by giving an unfair advantage to P2P by effectively giving P2P downloads a high priority. This is because most outgoing traffic for P2P is actually ACKs.

    The moral of this is - if you run P2P on your network, and wish to limit it, uncheck the ACK box. If you want the best P2P speeds, check it.

    He is right.

    If you prioritize all ACK packets, then P2P ACK packets will be included. I believe Tomato has a generic "prioritize all small/ACK packets" check-box.

    Instead of prioritizing all ACK packets, you could prioritize only non-P2P ACKs. You can even rate-limit the P2P-ACKs (egress) to keep the download speed somewhat controlled, but this method lacks precise predictability.

    Now this gets tricky & confusing for me…how do I even tell non-P2P ACKs?



  • @cmutwiwa:

    @Nullity:

    @cmutwiwa:

    @Nullity:

    My favorite QoS tutorial is http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

    BTW thanks for the tutorial link, something tho'…it says that prioritizing ACK & Small Pct traffic actually also kind of prioritizes P2P traffic? Does this only affect Tomato or is it general? Do you think it's true?

    Here is a quote from the tutorial:

    I used to set all small packets to get priority. That included ACKs - many people would recommend that this box is unchecked. If you do that, my thought was that you will delay traffic unnecessarily. However, there is a problem here which is not mentioned anywhere in Tomato FAQs or Wikis. The "small packets" in the check boxes use the "Highest" class to prioritize them. So, if you check the ACK box, any ACK packets for e.g. P2P will move out of the P2P class into the "Highest" class. The data stream however will still be identified and correctly classed as P2P, and will still respond to limits. The problem may not be noticed if you have set up QOS for best latency by limiting outgoing P2P severely. But for most people, checking the box will slow down their QOS rules by giving an unfair advantage to P2P by effectively giving P2P downloads a high priority. This is because most outgoing traffic for P2P is actually ACKs.

    The moral of this is - if you run P2P on your network, and wish to limit it, uncheck the ACK box. If you want the best P2P speeds, check it.

    He is right.

    If you prioritize all ACK packets, then P2P ACK packets will be included. I believe Tomato has a generic "prioritize all small/ACK packets" check-box.

    Instead of prioritizing all ACK packets, you could prioritize only non-P2P ACKs. You can even rate-limit the P2P-ACKs (egress) to keep the download speed somewhat controlled, but this method lacks precise predictability.

    Now this gets tricky & confusing for me…how do I even tell non-P2P ACKs?

    Depends what your environment is.

    Maybe all ports except 80, 443, 21, etc, will be classified as P2P.
    Or maybe all your P2P clients use the default 6881 port, so you classify only that port as P2P.

    Lots of options.
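The exchange above boils down to classification order: if "every pure ACK goes to the priority queue" is decided before "is this flow P2P", the ACKs of a torrent download ride in the high-priority queue, which is exactly the Tomato tutorial's complaint. Below is an added illustration, not code from the thread, pfSense or Tomato, that runs both orders over a constructed egress sample using the two "what is P2P" heuristics Nullity suggests (everything outside a known-service port set, or only the default port 6881). The port sets, queue names and packet mix are constructed for the example.

```python
"""Added example (not from the pfSense thread or the Tomato tutorial):
why prioritising all ACKs favours P2P downloads, and how classifying P2P
*before* the ACK check avoids it. Port sets, queue names and the sample
traffic are constructed for illustration."""

from collections import Counter
from dataclasses import dataclass

# Two constructed ways to decide what counts as P2P, per the post above:
# (a) anything that is not a known service port, (b) only the default
# BitTorrent port.
KNOWN_SERVICE_PORTS = {21, 53, 80, 443}
DEFAULT_P2P_PORTS = {6881}


@dataclass(frozen=True)
class Packet:
    dst_port: int    # remote port of the egress TCP segment
    ack_only: bool   # True for a pure ACK carrying no payload


def p2p_by_exclusion(pkt: Packet) -> bool:
    return pkt.dst_port not in KNOWN_SERVICE_PORTS


def p2p_by_port(pkt: Packet) -> bool:
    return pkt.dst_port in DEFAULT_P2P_PORTS


def naive_queue(pkt: Packet, is_p2p=p2p_by_exclusion) -> str:
    """Tomato-style 'prioritise all ACKs': the ACK test runs first, so the
    ACKs of P2P flows escape into the high-priority queue."""
    if pkt.ack_only:
        return "qACK"
    return "qP2P" if is_p2p(pkt) else "qDefault"


def guarded_queue(pkt: Packet, is_p2p=p2p_by_exclusion) -> str:
    """Classify P2P first; only ACKs belonging to non-P2P flows are
    prioritised, as suggested in the post above."""
    if is_p2p(pkt):
        return "qP2P"
    if pkt.ack_only:
        return "qACK"
    return "qDefault"


# Constructed egress sample: a little browsing plus a torrent download.
# A download's outbound traffic is mostly ACKs, which is the tutorial's point.
SAMPLE = (
    [Packet(443, True)] * 4 + [Packet(443, False)] * 2 + [Packet(53, False)]
    + [Packet(6881, True)] * 8 + [Packet(51413, True)] * 8 + [Packet(6881, False)]
)


def queue_counts(classifier, is_p2p=p2p_by_exclusion) -> dict:
    """Packets per queue for one classifier/heuristic combination."""
    return dict(Counter(classifier(p, is_p2p) for p in SAMPLE))


def p2p_acks_in_qack(classifier, is_p2p=p2p_by_exclusion) -> int:
    """How many ACKs of P2P flows the classifier lets into qACK."""
    return sum(1 for p in SAMPLE
               if p.ack_only and is_p2p(p) and classifier(p, is_p2p) == "qACK")


if __name__ == "__main__":
    for name, clf in (("naive", naive_queue), ("guarded", guarded_queue)):
        print(name, queue_counts(clf), "leaked P2P ACKs:", p2p_acks_in_qack(clf))
    print("guarded, port-based heuristic:", queue_counts(guarded_queue, p2p_by_port))
```

With the exclusion heuristic the naive order puts 16 of the 20 prioritised ACKs into qACK on behalf of the torrent; the guarded order leaves all 17 torrent packets in qP2P. The port-based heuristic shows the trade-off Nullity mentions: a client on a non-default port (51413 in the sample) is simply not seen as P2P, so its ACKs are prioritised again.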



  • Ok…I get it now.



  • Just posted new question about this same thing here.
    https://forum.pfsense.org/index.php?topic=91299.0

    WAN side traffic shaping died after upgrade.



  • Shaping downloads has worked decently well for me, but not nearly as well as upload. Upload is a 1Gb link going into a 100Mb link, so going over 100Mb is not an issue because the shaper will buffer the data and not affect the other queues. The problem with download is it's a 100Mb link going into a 1Gb link, so I need to make sure my download never goes above 100Mb because it will buffer upstream instead of in my traffic shaper.

    For the most part this just means I can't use a tight 98% of my link speed for download, it needs to be a bit looser, like 95%, which wastes more bandwidth. One issue that I have found out is because PFSense is stateful, when the WAN interface sees duplicate TCP packets, it just drops the packet and sends a dup-ack. Since this dup packet never makes it to the LAN interface, the LAN thinks there is less than 100Mb coming in, so it doesn't cause the other traffic to back off. This is not an "issue" with PFSense, but an issue with bad actors.

