Traffic Shaper: Limiter



  • Firewall: Traffic Shaper: Limiter
    I rebuilt our firewall because the new pfSense broke our traffic shaping rules.
    After export/import ruleset I still can't get traffic shaping to work on firewall WAN rules.
    It seems to work fine on outgoing LAN rules though.

    Any ideas why it stopped working on WAN side?

    This setup used to work before on incoming traffic, now it breaks the rule if I do this.


  • Banned



  • Looks like the same problem.
    Only we don't run Squid (with or without transparent mode.)



  • I could not wait any longer.
    I ended up downloading older version with working bandwidth limiter and installed that.
    So far 16 hours of wasted time.



  • Recent upgrade broke my traffic shaping too  :(
    What older version did you roll back to?



  • I'm still running 2.1.5 on all our FW's.
    Just testing the new 2.2.2 to see if the problem has been fixed in it. So much work over this. It's truly annoying.

    Sam



  • Not fixed yet. https://redmine.pfsense.org/issues/4326

    Updated by Chris Buechler about 1 month ago
    Target version changed from 2.2.1 to 2.2.2



  • Not fixed yet. https://redmine.pfsense.org/issues/4326

    Updated by Chris Buechler about 1 month ago
    Target version changed from 2.2.2 to 2.2.3



  • Not fixed yet.
    Seems like someone does not want this fixed.
    Target version changed from 2.2.3 to 2.3



  • I too am having an issue with Limiters and LAGG groups. In 2.2.2 it didn't work at all for WAN. In 2.2.3, if you don't set an out limiter, it seems to work.
    I had to change over from Shaper to Limiter as I moved to LAGG. I had to move to LAGG because CARP state sync changed from pseudo interface (WAN/LAN) to actual interface name (igp0/igp1).
    How is 2.2.4 looking in regards to LAGG with Limiters? I will take LAGG and ALTq as well. Or hang it all and go back to allowing different interfaces for clustering (using WAN/LAN).

    Thanks for the great product. We have loved using it and love to see how it goes from here.



  • This is a great product. Wish they fixed this issue, since these features are mostly used together in production environments.



  • Yes, agreed. Does not look like it's fixed in 2.2.4.  :(



  • There is not even a target version posted on Redmine anymore.
    I wonder if we have to stay with 2.1.5 forever?



  • It's only a 6-month-old bug, what's the rush… it needed > 2 years to fix the Schedule States bug and this new one appeared in exchange.  :'(


  • Netgate

    This Limiter thing on 2.2 is a real downer.  It's beginning to feel like they don't know how to fix it.





  • It's currently listed under 2.3

    https://redmine.pfsense.org/issues/4326



  • Wanted to inquire to see if anyone had additional info on this.

    https://redmine.pfsense.org/issues/4326


  • Banned

    No, it's still broken obviously as you can see from the bug status.



  • Yeah - I had that, which is why I asked if anyone had ADDITIONAL info, and not "is it fixed yet?" But thanks for playing.



  • @Derelict:

    This Limiter thing on 2.2 is a real downer.  It's beginning to feel like they don't know how to fix it.

    After almost 12 months, I am starting to get that vibe too, brother. Not sure how long I can hold back on security updates for this bug :/



  • @SamTzu:

    Firewall: Traffic Shaper: Limiter
    I rebuilt our firewall because the new pfSense broke our traffic shaping rules.
    After export/import ruleset I still can't get traffic shaping to work on firewall WAN rules.
    It seems to work fine on outgoing LAN rules though.

    Any ideas why it stopped working on WAN side?

    This setup used to work before on incoming traffic, now it breaks the rule if I do this.


  • Netgate

    I think if you have port forwards on an interface it makes limiters appear like they're completely bypassed. In other situations, interfaces with limiters simply stop passing traffic.

    Not sure if that's what you're seeing since "breaks the rule" is not very descriptive.



  • @Derelict:

    I think if you have port forwards on an interface it makes limiters appear like they're completely bypassed. In other situations, interfaces with limiters simply stop passing traffic.

    Not sure if that's what you're seeing since "breaks the rule" is not very descriptive.

    Yeah - not sure about OP, but for me, "stops passing traffic" is a deal breaker.  :(



  • I assigned the IN/OUT limiter to the LAN interface instead of WAN. It works; whoever is in my PenaltyBox is served the speed that I set.

    But I have one doubt on the limit. What is the minimum speed to allow for web access? I set 1024kbps/512kbps and am still not able to, but I managed to access the YouTube and Facebook websites.

    2.2.6-RELEASE (amd64)



  • @interkrome:

    I assigned the IN/OUT limiter to the LAN interface instead of WAN. It works; whoever is in my PenaltyBox is served the speed that I set.

    But I have one doubt on the limit. What is the minimum speed to allow for web access? I set 1024kbps/512kbps and am still not able to, but I managed to access the YouTube and Facebook websites.

    2.2.6-RELEASE (amd64)

    I do not understand precisely what you are asking. Can you rephrase/clarify?



  • @doktornotor:

    https://redmine.pfsense.org/issues/4326

    Nice to see that there is a ticket, but this ticket is nearly 1 year old. Is that a bug as well? I hope to see a fix as soon as possible. :-[



  • @Nullity:

    I do not understand precisely what you are asking. Can you rephrase/clarify?

    What is the minimum speed to set for website access like ESPN, BBC, NBC, etc.? I found out that only when I remove the limiter does it allow these pages to load. If I set 1024/512 they don't load. The weird thing is it loads YouTube (can play the video) and Facebook (can comment, post pics, etc.). Google search also loaded, but whenever I click a link, the page fails to load with the limiter enabled. Tested the speed via speedtest.net and it shows what I set.

    I set the IN/OUT limiter on the LAN interface. Tried on the WAN interface, limiter not working.



  • @interkrome:

    @Nullity:

    I do not understand precisely what you are asking. Can you rephrase/clarify?

    What is the minimum speed to set for website access like ESPN, BBC, NBC, etc.? I found out that only when I remove the limiter does it allow these pages to load. If I set 1024/512 they don't load. The weird thing is it loads YouTube and Facebook. Google search also loaded, but whenever I click a link, the page fails to load with the limiter enabled.

    Rate-limiting should only affect how quickly a page loads, not whether the page will load or not load.

    It seems like you are encountering a limiter's bug or an unrelated bug.



  • @Nullity:

    Rate-limiting should only affect how quickly a page loads, not whether the page will load or not load.

    It seems like you are encountering a limiter's bug or an unrelated bug.

    OK. Let's say a page should be fully loaded in 10 seconds with a total size of 100 mb of data. So it takes around 10 seconds if I set 10mbps. So if I set it less than that, it will take more time to load. Let's say I set 1mbps, it should take 100 seconds, or if I set 512kbps then it should take around 200 seconds to get fully loaded. What makes me wonder is why pages like Facebook and YouTube can be loaded (play video, read comments, etc.) when my limit is 1mbps but not other pages. I don't even land on the address, except for YouTube and Facebook. Only these so far are accessible with the limiter. Weird.

    Anyway. Thank you for your response!



  • It breaks at ipv6 address. That explained my situation

    2.2.6-RELEASE (amd64)



  • High priority bug that has broken a key function in pfSense firewall has been unsolved for over a year now.

    No proposals how to fix it. No descriptions on what actually broke, why it broke and what could be the best paths to solving the problem.

    What is going on here? My faith in you is fading. Is this how you usually deal with High priority bugs? Who dares to take responsibility for this?

    Sam

    https://redmine.pfsense.org/issues/4326



  • There's a workaround for squid with limiter. But it breaks NAT reflection :(



  • @SamTzu:

    High priority bug that has broken a key function in pfSense firewall has been unsolved for over a year now.

    No proposals how to fix it. No descriptions on what actually broke, why it broke and what could be the best paths to solving the problem.

    What is going on here? My faith in you is fading. Is this how you usually deal with High priority bugs? Who dares to take responsibility for this?

    Sam

    https://redmine.pfsense.org/issues/4326

    I hear you. I'm eagerly waiting for this and https://redmine.pfsense.org/issues/4405 to be finally addressed so I can start using the traffic shaper again. Hopefully 2.3.2 is going to be it.



  • Not fixed yet. https://redmine.pfsense.org/issues/4326

    Target version changed from to 2.2.4.
    Done: 0%



  • Is there another way to limit the bandwidth on each computer separately, similar to the Limiter of <Traffic Shaper>?
    PfSense 2.3



  • Depends on how many computers/devices. HFSC allows up to 15 or 16 queues.



  • @JDvD:

    Is there another way to limit the bandwidth on each computer separately, similar to the Limiter of <Traffic Shaper>?
    PfSense 2.3

    If you created an HFSC queue for each IP and assigned each queue the same (anything, it just needs to be the same; "1Kbit" for example) link-share bandwidth, it would work almost exactly like your previous setup with limiters/ipfw.

    @Harvy66:

    Depends on how many computers/devices. HFSC allows up to 15 or 16 queues.

    lol, actually it's 2048 at the moment. Close though…  ::)
    https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_3_1/sys/contrib/altq/altq/altq_hfsc.h#L53



  • @Nullity:

    @JDvD:

    Is there another way to limit the bandwidth on each computer separately, similar to the Limiter of <Traffic Shaper>?
    PfSense 2.3

    If you created an HFSC queue for each IP and assigned each queue the same (anything, it just needs to be the same; "1Kbit" for example) link-share bandwidth, it would work almost exactly like your previous setup with limiters/ipfw.

    @Harvy66:

    Depends on how many computers/devices. HFSC allows up to 15 or 16 queues.

    lol, actually it's 2048 at the moment. Close though…  ::)
    https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_3_1/sys/contrib/altq/altq/altq_hfsc.h#L53

    Holy crap! Nice to know. I read something somewhere that said 16 was used because of computational costs, but maybe that was old or didn't apply to the FreeBSD implementation.



  • @Harvy66:

    @Nullity:

    @JDvD:

    Is there another way to limit the bandwidth on each computer separately, similar to the Limiter of <Traffic Shaper>?
    PfSense 2.3

    If you created an HFSC queue for each IP and assigned each queue the same (anything, it just needs to be the same; "1Kbit" for example) link-share bandwidth, it would work almost exactly like your previous setup with limiters/ipfw.

    @Harvy66:

    Depends on how many computers/devices. HFSC allows up to 15 or 16 queues.

    lol, actually it's 2048 at the moment. Close though…  ::)
    https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_3_1/sys/contrib/altq/altq/altq_hfsc.h#L53

    Holy crap! Nice to know. I read something somewhere that said 16 was used because of computational costs, but maybe that was old or didn't apply to the FreeBSD implementation.

    I know! FreeBSD defaults to 64. 2048 though… I like how pfSense plays.  ;D

    I kinda thought it was limited to ~16 because that is the highest priority in ALTQ. Of course, that means nothing in itself.