    Simple limiter blocks traffic selectively (some sites blocked, others load)

    Traffic Shaping
gessel:

      This should not be hard.

I set up a standard limiter at 25% of our bandwidth: 512k, one for in, one for out.

      Enable limiter and its children: check!
Bandwidth 512 Kbit/s, schedule: none
      Mask: None

      Just the same for out.

      Firewall rules on the LAN interface:
      pass/LAN/any/source (alias called 'slow') advanced: in512/out512

      I also have CODELQ enabled on the WAN and LAN.  About the easiest traffic limiter configuration evar.  Yay.

Except… users in the "slow" group can get to most HTTPS sites (not all), and so far as I've tested, no port 80/HTTP sites. There is a selective availability within the HTTPS group - for example Amazon doesn't work, but google does. Very, very odd. I can see no reason why this should be so, but if I disable the rule, all access works.

      Enable the rule... jammed.

      Anyone else see anything like this or have any hints?  Running 2.2.1 i386.

gessel:

        Updates to my issue.  Pictures always help sell a problem:

        this shows the overall traffic shaper that applies to everyone

        shows the limiters created: one for DHCP address handouts and one for the random collection of windows servers that would otherwise crush the network with their incessant patching of critical security flaws that are discovered at a rate of about 10 an hour on windows servers.

        All four of the limiters are identical except direction.  They create four shared 512kbps (out of 2mbps total LAN), one in and one out for the server group and for dynamic DHCP pool supplicants.

        shows the whole of the LAN rules (WAN rules are only default).  The Lan rules are only to apply the limiters to each of the two groups.

        shows the very simple rule: basically just applying the limiter to an alias, which is either one C-class (Dynamic DHCP lessees) or a couple of C-classes (windows servers on the network).

        shows the limiter info - everything appears to dump into a single bucket - even if they are different IP blocks.  That's OK, but perhaps there can only be one catch-all limiter?  (If so, perhaps the interface should check)?

        But I still don't understand why limited traffic has weirdly, selectively limited web access.  It isn't zero - as noted in the OP, most SSL sites work.  Most non-SSL sites don't, but it isn't universal.  Putting a machine on a static address, which means these rules don't apply instantly fixes the problems.  Disabling the rule that puts them in the limiter pool instantly fixes the problem.

        But the limiter is really a good thing and it will be bad here if it doesn't work…

        Thanks for any insights or help.  In the mean time, I'll try to create a single limiter with C-class size pools.

gessel:

          Just re-verified with another person's computer.  This is very easy to replicate:

          They were in an IP block that was sent to the "slow" limiter and could reach, for example, google.com and gmail.com and download email to the client on their iPad, but could not get the DHL (dhl.com) site to load.

          Disabling the rule that applied the limiter to the alias for the Dynamic DHCP group restored access to dhl.com.

          Creating a static mapping into a non-limited IP block restored access to dhl.com.

          The limiter blocked dhl.com, but not google.com.

          That is certainly not a documented feature.

gessel:

A little more testing. I updated the limiter rules to no avail. Any computer subjected to the limiter cannot get to port 80 sites. 443 seems to work fine. Email (587 etc.) works fine. 80, not so much. Pinging the remote servers works fine from the limited client.

            There are NO other rules, not LAN, not WAN, not floating.  It is just a traffic limiter, that's all I'm trying to do and there seems to be a bug in it that is blocking 80.

            Updated limiter configuration.  Now just one for your limiting convenience.

The limiter. Very simple but now with /24 pipes to achieve almost the same intent as two limiters, but with just one.

This is the only non-as-shipped rule. Seriously - no floating or WAN rules at all.

Details of the only rule. Such basic!

And the diagnostic output. It is doing the right thing. No indication of problems.

Despite setting logging for the one limiter rule, I haven't found anything relevant in the logs.

epimeteo:

Simple question. Do you have transparent proxy with Squid3 enabled?

              PfSense 2.2 64bit - AtomD2550 4GB w/ 4 NIC IntelPRO1000

gessel:

                Yes, transparent proxy with squid-2.7.9_4-i386 (not 3) was enabled.

                And while I thought I had tested and ruled it out earlier, I tried again today and found out I hadn't, thank you for the suggestion:

| Limiter | Squid 2 | Limited clients | Unlimited clients |
| YES     | YES     | NO port 80      | NORMAL            |
| YES     | NO      | NORMAL          | NORMAL            |
| NO      | YES     | NORMAL          | NORMAL            |
| NO      | NO      | NORMAL          | NORMAL            |

                Note that even in the first case, with squid on, traffic that isn't subject to the limiter rule has no trouble reaching port 80, even going through squid.  Squid appeared to be working properly for traffic not subject to the limiter rule.
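
A small probe that reproduces the port-by-port test described in this thread from a client in the limited pool. This is an added example, not something posted in the thread or shipped with pfSense or Squid; the host list is the set of sites named above, and the verdict labels are my own. It records separately whether the TCP handshake on port 80 completes and whether an HTTP reply ever comes back, because with an interception proxy in the path those two can differ (the proxy may accept the connection even when nothing is ever served), and that distinction is what separates "the pipe drops everything" from "something on the port-80 path is swallowing requests".

```python
"""Probe port 80 and 443 per host and classify the failure pattern.

Added example for the limiter + transparent proxy discussion; run it from a
client behind the limiter and again from an unlimited client and compare.
"""
import socket
import ssl
from collections import Counter

# Hosts mentioned in the thread; any reachable set will do.
HOSTS = ["google.com", "dhl.com", "amazon.com"]
TIMEOUT = 5.0


def tcp_connect(host, port, timeout=TIMEOUT):
    """True if the TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _head_request(sock, host):
    """Send a minimal HTTP/1.1 HEAD and report whether a status line came back."""
    req = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
    sock.sendall(req.encode("ascii"))
    return sock.recv(512).startswith(b"HTTP/")


def http_head(host, timeout=TIMEOUT):
    """True if a plain-HTTP HEAD on port 80 gets any HTTP status line back."""
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            return _head_request(s, host)
    except OSError:
        return False


def https_head(host, timeout=TIMEOUT):
    """True if a TLS handshake plus HEAD on port 443 gets a status line back."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as s:
                return _head_request(s, host)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def probe(host):
    """Run all four checks against one host."""
    return {
        "tcp80": tcp_connect(host, 80),
        "http80": http_head(host),
        "tcp443": tcp_connect(host, 443),
        "https443": https_head(host),
    }


def diagnose_host(r):
    """Classify one host's probe dict (verdict names are this example's own).

    ok                        both 80 and 443 serve HTTP
    all-fail                  no handshake on either port: the rule/pipe drops everything
    port80-handshake-no-reply port 80 handshake completes but nothing answers, 443 fine:
                              something on the port-80 path accepts and never replies
    port80-no-handshake       port 80 SYN goes nowhere, 443 fine
    mixed                     anything else (e.g. 443 broken while 80 works)
    """
    if r["http80"] and r["https443"]:
        return "ok"
    if not r["tcp80"] and not r["tcp443"]:
        return "all-fail"
    if r["https443"] and not r["http80"]:
        return "port80-handshake-no-reply" if r["tcp80"] else "port80-no-handshake"
    return "mixed"


def summarize(results):
    """{host: probe dict} -> ({host: verdict}, Counter of verdicts)."""
    verdicts = {h: diagnose_host(r) for h, r in results.items()}
    return verdicts, Counter(verdicts.values())


if __name__ == "__main__":
    res = {h: probe(h) for h in HOSTS}
    verdicts, counts = summarize(res)
    for h in HOSTS:
        print("%-12s %s  %s" % (h, res[h], verdicts[h]))
    print(dict(counts))
```

If every limited host comes back `port80-handshake-no-reply` while the same script from an unlimited address reports `ok`, the pipe is passing packets and the problem is specific to what happens to port 80 after it is accepted, which is the pattern the test matrix above points at.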

KOM:

                  I think I remember reading that there is an issue with limiters in conjunction with Squid.

epimeteo:

                    @KOM:

                    I think I remember reading that there is an issue with limiters in conjunction with Squid.

                    Sarcastic? There are many posts about squid3+limiters problem…
Squid3 with limiters actually doesn't work... it seems to be a compatibility issue.

epimeteo:

                      @gessel:

                      Yes, transparent proxy with squid-2.7.9_4-i386 (not 3) was enabled.

I thought for months that I really needed squid. But after I changed my mind my life became really better.

KOM:

                        Sarcastic? There are many posts about squid3+limiters problem…

And I don't pay them much attention since a) I don't use limiters, and b) I don't use transparent proxy; it is a terrible idea. I don't try to be sarcastic when I'm genuinely trying to help people for free on my personal time.

SamTzu:

                          It's basically the same problem as in here…
                          https://forum.pfsense.org/index.php?topic=91299.0

                          Sam
