Limiters not working correctly at higher speeds

    I've set up limiters for up and down for a client.

    Down being 30mb and up being 15mb.

    I've added a firewall rule for the LAN interface for this client so that their specific IP address gets the advanced settings of in/out (up/down).

    This works well for 2mb/1mb and other speeds, however, when I increase the limits in size, I can't hit the speeds specified.

    I do a speed test without the limiter on the client, I get 55 down and 26 up. I turn on the 30mb down/15mb up limiter, and I hit 21mb down and 10mb up.

    I've played with the speed settings and can overcompensate for whatever it be (overhead, CPU, memory) by adjusting the speeds to grossly overcompensate for it (30mb down being set up as 114mb down to hit 30mb down).

    I also read I can increase the queue size to help with higher speeds (I set it to 40000) and that seemed to help the 30mb up and 15mb down, however, when pfSense went through its nightly reboot, it came back up and no one could load anything until I disabled the rules for limiters. I later found someone had posted you can set this to anything you want, but a value higher than 100 would cause it to error out silently and not work.

    My problem as I see it is that the limiters aren't working correctly, and I'm not sure if it's a misconfiguration issue, or it's a problem with pfSense itself. I'm on 2.2.4, running on a Proxmox host. If I turn the rule off, the client sees the full extent of their possible bandwidth using their connection method, but once I put the limiters in place, that's when everything rolls south.

    Any help you could offer would be appreciated.

  • Are you resetting the firewall states for each test?

  • Maybe try another version of pfSense.

    With our pfSense version 2.0 I capped our 200/200 fiber to 50/50 and I can reach 49/49 (with limiter on) with a speedtest. We are running pfSense on a VM.

    And I didn't change queue size.

  • Maybe it's a scheduling issue? What hardware are you using? Older hardware has horrible time resolution for scheduling.

  • pfSense is running on an i7.

    It's kinda odd, but once we hit 38mb or higher, the traffic shaping no longer works.

    I'm kinda wondering now if it couldn't be because of the virtualization, or the NIC drivers. You guys seem to not have any problems.

    Anything else anyone can think of?


  • If you're using limiters, maybe you used the wrong mask and you're limited to 40Mb per connection or similar.

  • Limiters don't really seem to work on pfSense versions above 2.15.

  • @a_null:

    Limiters don't really seem to work on pfSense versions above 2.15.

    Only where NAT applies on the interface where the rules reside. The circumstances being discussed here work fine.

    Generally where they don't work at higher speeds it's because the queue length isn't long enough (though the default is fine to >100 Mb generally). Though in VM environments, timing or scheduling issues with the VM in general can be problematic, that's usually not an issue.

