What am I doing wrong?

  • I have a pfSense 2.2.4 set up behind my firewall that I use as a VPN connection to a client's site. This setup is fairly irrelevant to my problem except to point out that I have two points where I can throttle and measure bandwidth.

    I have a symmetrical 5M connection which somehow sees speeds over 10M, and sometimes as high as 15. Whenever someone starts downloading (most obvious during Windows updates) that one computer grabs all the bandwidth and everything else is slow as hell.

    I have been trying to do some traffic shaping and not having much luck. I think I'm missing something in my understanding. I first tried on the main firewall (also pfSense 2.2.4) using the wizard and selecting things to raise and lower priority on; VoIP of course was highest on the list so my boss could have nice clear calls. Here's where I get confused. I saw floating rules created for high and low priority queues, but nothing for VoIP, nor for all the rest of the traffic. I didn't mess around much with that setup, just assumed I didn't know what I was looking at.

    On my VPN server, I have a small subnet behind it that ends up being part of my client's network so I can join domains and do installs and such. As such, all of the traffic for that subnet passes through both pfsense installs giving me the chance to observe bandwidth usage in two places.

    I again used the wizard to set up shaping. This time I just kept things simple, told the wizard I had a 2M symmetrical connection and used HFSC queues to keep things below 80% usage (or so I thought). There were no floating rules created at all. I created my own catch-all rules: match everything on the WAN interface and put it through the appropriate queues (for good measure I also made a matching rule for the LAN interface).

    I then started Windows updates from behind that pfSense. The bandwidth soared to over 10M and completely ignored the shaping I had in place.

    So, I know I'm doing something wrong, I just don't know what. I would have hoped that using the wizard would have gotten me to a working config and I could have learned how to adjust it from there, but I have yet to have a working config at all.

    I'm happy to provide config info or logs, just let me know what you'd like to see.

    Thanks everyone.


  • Can you show us some screenshots of your two interfaces?

  • Sure. I'm attaching screenshots.

  • If you're running a 5Mb line, why did you set your queue's bandwidth to 2Mb? You're supposed to set it to 90-95% of the lowest measured bandwidth for the link. If you indicated you need VoIP priority in the wizard, then it should have created qVOIP. I would suggest that you blow it away and try it again. Perhaps you should look into PRIQ instead of HFSC, as it's easier to understand and get working.

  • This is a secondary shaper; there is no VoIP to worry about, and I want to limit all traffic to no more than 2Mb as that is less than half of the total available.

    It looks like this:

    [test pc] ---- [PFsense2] ---- [LAN] ---- [PFsense1] ---- [Internet]

    The shaper that I posted screenshots for is on PFsense2. The shaper on PFsense1 is the one with the VoIP rules and all that.

  • Ah, sorry.

    A point about HFSC: it doesn't "limit" you, it tries to give you as much as it can based on the service guarantees you define. So even if you say your main queues are 2Mb, if you don't have any other contention on the line then you're going to get full bandwidth. If you want to limit the amount of bandwidth used up to a maximum, you need a limiter, not a shaper.

  • "Whenever someone starts downloading (most obvious during Windows updates) that one computer grabs all the bandwidth and everything else is slow as hell."

    Your upload looks correct, but your LAN isn't, and your download is the issue, so you need to fix your LAN. Rate limit your LAN interface as well. Of course you may want to communicate with pfSense without consuming your Internet bandwidth, so create a default queue, place it under qInternet, and create a rule that drops all LAN traffic into qLink. Make sure you have an upper limit set on qInternet.

    You do not want qLink to be your default; err on the side of caution. Not to mention it's crazy simple to identify LAN traffic, but a bit more difficult to identify Internet traffic.

  • I hear what you're saying Harvy66, but at this point, I could use some pointers on just exactly how to do what you're suggesting.

  • The simplest way is just to rate limit your LAN interface. Otherwise, like I said, just set the upper limit on qInternet: there is a field called "upperlimit", set that, and create a default queue under qInternet.

    Of course the picture is just for reference, it's not 100% correct.

  • It was already set that way.

  • But your default queue is qLink, which is not being shaped to anything meaningful.

  • The most helpful tutorial on QoS/traffic shaping can be found at http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/

    The author explains how to control both egress and ingress. He also has real-world experience and "practices what he preaches."

    Please read his post multiple times. I have, and I honestly think it is the best tutorial available, assuming you mostly understand the many factors involved.

  • What I do, which may not be what you do, and remains (to my testing) incompatible with transparent squid on the same box…

    Avoid the wizard. Back up the configuration before starting. Traffic shaper screw-ups can be epic, and being able to back out and do over is a good plan. I've personally never had a good outcome from the wizard, YMMV.

    Traffic Shaper, first tab "By Interface": WAN (CODELQ, set nothing; it's CODELQ, nothing should need to be set), LAN (same). Enable.

    Third tab, Limiters: create LanIn (this is what you think of as "out" to the world) and LanOut (this is what you think of as "in" from the world) and set values for the traffic limits you want in each direction. You may tune these later on. These should be (or possibly become at the next step) yellow folder icons.

    Leave "mask" set to none here.

    With those created and enabled, select LanIn and add a queue, which should be a white page icon. Under the LanIn queue (I named it LanInQ), select source addresses. Same with LanOut: create LanOutQ, destination addresses.

    Change firewall rules, LAN, "advanced" "In/Out" to run traffic in LanInQ/LanOutQ.

    LanIn (traffic into LAN, out to the world) is pretty closely controlled (you actually have direct control here); LanOut is a bit less under your direct control, but the setting does have an influence.

    This specific setup is to divide the bandwidth among hosts "evenly" (only even if they all want more than they can have). You can also use other variations to provide pipes of a specific limited BW; I came down on the side of BW being wasted if not used, so if one hog gets it all when nobody else is using it, fine, but I needed to make sure that if 9 or 90 other folks showed up they would get a "fair" share as near as possible, and this mostly does that (far better than just capping everyone's BW, which means the hogs are on there longer hogging and nobody's speed is EVER good).

    The limiter numbers do need to be less than the actual BW, but not by quite as much as you are proposing (90-95% is generally fine). I look at what my "quality" figures (ping times) are running to adjust my tuning; if the limiter size is too large, the ping times go to heck in a handbasket.

    I played around with HFSC for quite a while before arriving here, and here does what I want much better, IME.
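As an added illustration (a toy model written for this thread, not pfSense, ALTQ or dummynet code), the Python below contrasts the three behaviours the replies describe: an HFSC queue whose bandwidth is only a guarantee (so a lone downloader still gets the whole 5 Mbit/s link), the same queue with the upperlimit Harvy66 mentions, and a limiter pipe with a per-source-address child queue as in the last post. The 5 Mbit/s link, the 2 Mbit/s figure and the queue names come from the thread; the scheduler is a simplified water-filling model, not the real HFSC algorithm.

```python
"""Toy model (added here, not pfSense code) of how the allocations described
in this thread differ. Units are Mbit/s over one second; flows are just names."""

EPS = 1e-9
LINK = 5.0  # the symmetric 5 Mbit/s line from the original post


def allocate(demands, total, caps=None):
    """Max-min fair (water-filling) split of `total` among flows.

    Each flow gets min(demand, cap, equal share); capacity a flow cannot
    use is redistributed among the flows that still want more.
    """
    caps = caps or {}
    limit = {f: min(d, caps.get(f, d)) for f, d in demands.items()}
    alloc = {f: 0.0 for f in demands}
    remaining = float(total)
    active = {f for f, c in limit.items() if c > EPS}
    while active and remaining > EPS:
        share = remaining / len(active)
        for f in sorted(active):
            give = min(share, limit[f] - alloc[f])
            alloc[f] += give
            remaining -= give
        active = {f for f in active if limit[f] - alloc[f] > EPS}
    return alloc


def hfsc_allocate(demands, queues, link=LINK):
    """Simplified HFSC link-sharing. `queues` maps name -> (bandwidth,
    upperlimit). The bandwidth is a guarantee handed out first; spare link
    capacity is then water-filled among queues still wanting more, so a
    queue whose upperlimit is None can absorb the whole idle link."""
    guaranteed = {q: min(d, queues[q][0]) for q, d in demands.items()}
    spare = link - sum(guaranteed.values())
    still_want = {q: min(d, queues[q][1] or link) - guaranteed[q]
                  for q, d in demands.items()}
    extra = allocate(still_want, spare)
    return {q: guaranteed[q] + extra[q] for q in demands}


def limiter_allocate(demands, pipe_bw):
    """Dummynet-style limiter: the pipe bandwidth is a hard aggregate cap,
    and a child queue masked on source address shares it fairly per host."""
    return allocate(demands, pipe_bw)
```

Running `hfsc_allocate({"qInternet": 10.0}, {"qInternet": (2.0, None)})` returns the full 5.0, which is the "shaping was ignored" symptom; passing `(2.0, 2.0)` or using `limiter_allocate` caps it at 2.0.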
