Easy traffic shaping problem?
-
Hello,
Let me begin by saying I am a beginner with pfSense tweaking, but already I find it to be an excellent product! I used the search extensively but did not find a straight answer for my perhaps too simple problem. Below is my test environment:
1/1 Mbits WAN ADSL connection <- PFsense box -> (WLAN as transparent bridge) -> LAN with ~20 DHCP clients
I have gone through the pfSense Traffic Shaper wizard and at the very beginning it asks my WAN/LAN speeds, on both I have inserted 1024 kbit/s as I understand this specifically asks for my WAN line's up/down capacity. I go through the rest of the wizard and everything works quite fine until the LAN -> WAN traffic overloads the whole ADSL line's bandwidth and the pfSense WebGUI slows to a crawl. Example:
Let's say I have a couple of LAN machines downloading at full speed, this bogs down my HTTP 80 WebGUI connection to the pfSense. The question goes, what is the neatest way to ensure that my WebGUI connection gets the necessary bandwidth during heavy bandwidth usage times? From reading the forum I got the feeling I should make a new queue, prioritizing, an additional queue rule or something?
edit:
Or would this need some feature (individual IP address bandwidth?) that is not currently implemented in pfSense 1.2? In addition I find it quite weird that the WebGUI slows down under heavy WAN activity, WebGUI should not use that much bandwidth? Don't suppose a reinstall of pfSense would help here?
edit2:
Could be that I found the problem, it seems that our company's WLAN is to blame for the slowdowns. I have set up a WLAN box as a transparent bridge which allows the LAN clients to connect to the Internet. The WLAN box has caused some headaches even before we added a dedicated pfSense computer. I have to observe the situation further.
-
Let's try another traffic shaper question.
If I use the traffic shaper, do I need to create basic firewall rules in addition to traffic shaper rules and vice versa? Mainly I am curious how these two interact. Currently I am living with the assumption that you create absolute (pass/block) rules with the rules section and with the traffic shaper I can adjust the traffic getting through O_o
-
Your assumption is spot on.
The traffic shaper will not allow/deny traffic. The firewall rules do.
Traffic shaper just manages bandwidth allocated to specific traffic.
-
Thanks for the confirmation and saving me from a shameful monologue ;D
Slowly but surely I am getting the hang of pfSense. About the original problem, I have tried to create a high priority (6) queue on my traffic shaper and a rule which would give a single IP/host a minimum of 32kbits bandwidth to my pfSense LAN address. So far without great success.
I suppose this is impossible as all the rules seem to be LAN->WAN or WAN->LAN in characteristic, and as far as I understand, I happen to need a LAN subnet -> LAN rule. ???
edit:
Or could a shaping rule like this work/be possible? I saw this in somebody's traffic shaping screen caps.
int:       source:   destination:
LAN->WAN   LAN       LAN
-
WAN->LAN and LAN->WAN you refer to is just the INTERFACE the traffic has to pass through to be tagged by this rule.
In your case you only have two interfaces, so this will always be one of these two combinations (depending on traffic direction might be one or the other).
Source and Destination is another thing.
In your WAN->LAN rules you can specify a destination of LAN Subnet (which would be the same as 'any' though).
What I understand from your last post is you want something like this:
WAN->LAN * xx.xx.xx.xx LAN net q32kDown/q32kUp
LAN->WAN * LAN net xx.xx.xx.xx q32kUp/q32kDown
Your realtime m2 value in the queue definition should be 32Kb.
-
Thanks for the tip, I shall try it out.
Seems to be working, at least there are packages hitting my new queue and the pfSense webgui seems smoother during bandwidth overload. Gotta test a bit more, not sure yet :)
edit:
Ok it seems that all the normal traffic just moved to the newly created high priority queue. This is due to the fact I put rules like (any > LAN net / LAN net > any), my bad there. So I changed the rule as below:
WAN->LAN * 192.168.1.200 LAN net q32kDown/q32kUp
LAN->WAN * LAN net 192.168.1.200 q32kUp/q32kDown
192.168.1.200 being the computer I use to connect to the pfSense webgui from the LAN net. Now there is absolutely no traffic at all on the new queue. The rule does not seem to apply :(
Just a thought, could this work in reverse somehow. I could cap the maximum bandwidth allowed for the outgoing traffic? Then again, how can I distinguish the pfSense webgui connection from the other traffic. Maybe change the default HTTP 80 to something else and create its own traffic shaper rule ???
-
I thought your source IP you wanted was an external IP. The reason it does not work is that traffic from 192.168.x.x to LAN subnet never goes through the WAN interface, which means a WAN->LAN rule will not catch it.
I'm not sure what the easiest way to shape this traffic would be, but I'm sure I've seen at least a dozen other posts in this forum about it.
Search is your friend.
-
Thanks for the tips again.
Could not find anything with search, guess I did not use the right search words. Looks like I have to do it the good old way, aka manually and painfully :)
-
Why are you trying to shape traffic from LAN to pfSense anyway?
Your LAN should be running on 100mbit CAT5 cable, no? And how often do you need to access the webGUI from LAN anyways?
-
This is the problem, somehow my pfSense webgui access gets really slow when the 1/1 mbit WAN bandwidth gets overloaded. I dunno why this is, it started happening after I enabled traffic shaping. And like you said, it is not reasonable as I have a 54mbit WLAN (transparent bridge) connection to the pfSense LAN interface.
I am a noobie, all I do is mess around with the webgui all day long. At least until I get the hang of it ;D
edit:
I have searched around the forum extensively and I am pretty sure this LAN subnet > LAN traffic shaping cannot be done, as the traffic does not go through both WAN and LAN interfaces. Pretty clueless overall why the webgui slows down when WAN gets overloaded. Bug in pfSense or some hardware error ???
-
If your connection is 1mbit/1mbit, try lowering the queue bandwidth for qwanRoot and qlanRoot to 800kbit and see if that fixes it. If it does you can slowly go back up towards 1mbit and find the perfect balance.
What hardware are you running pf on? Maybe it gets overloaded when there's too much shaping to do, though I wouldn't think pfctl would cause such a spike in CPU usage…
-
Thanks for the tip, I shall try limiting the bandwidth a bit.
We had some issues with the WLAN box even before pfSense, so I am pretty sure it is the one to blame for my problems. The WLAN box is a Linksys WRT54GR v.1.1 with the latest firmware available.
The pfSense machine should be up for the task, I have not observed any alarming resource spikes. The System Overview page has all the resource usages below 10%.
edit:
Found a very similar post to my question here: http://forum.pfsense.org/index.php/topic,8034.msg46031.html#msg46031
Hoba's message pretty much explains why my webgui slows down, it is shaped just the same as other HTTP traffic, as I am using the webgui from the LAN section.
edit2:
Ok it seems this problem was partly solved by enabling the "Disable webGUI anti-lockout rule" setting in the System: Advanced functions menu. After I enabled this setting my traffic shaping rules affect the webgui traffic somewhat from LAN as well. I have the following rules on my traffic shaper:
LAN->WAN
TCP 192.168.1.200 LAN address qHpriority_UP/qHpriority_DW
WAN->LAN
TCP LAN address 192.168.1.200 qHpriority_DW/qHpriority_UP
^ The problem is that only the downloading rule seems to work as I can see traffic in the qHpriority_DW queue when using the webgui, but nothing in the qHpriority_UP queue. I am monitoring the traffic from the pfSense shell's pftop application.
One more stupid question, what does "Default queue" setting actually mean on a queue? .. Is it like p2p queue, all unknown traffic is transferred to default queue ?
-
Yes all untagged traffic will be sent to the default queue. This is its purpose.
-
After a long time I decided to test pfSense some more.
It seems that all the traffic from LAN -> pfSense box goes automatically to the Default queue. This includes shell and webgui traffic. Why my webgui has been slowing down is that I had put the Default queue rule on a low priority queue. Have not managed to find out any way to shape this traffic and apparently it is not even possible.
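
The classification behaviour the thread converges on, as a simplified Python model added here (not pfSense code and not written by any poster): a shaper rule tags a flow only when the flow crosses the rule's interface pair, and anything left untagged falls into the default queue. The firewall LAN address 192.168.1.1, the external host 203.0.113.7 and the queue name qDefault are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN subnet
FIREWALL_LAN = ipaddress.ip_address("192.168.1.1")  # assumed pfSense LAN address
DEFAULT_QUEUE = "qDefault"                          # hypothetical queue name


@dataclass(frozen=True)
class ShaperRule:
    in_if: str    # interface the flow enters on
    out_if: str   # interface the flow leaves on
    src: str      # "any", "LAN net" or a single IP
    dst: str
    queue: str


# Constructed rule set: the external-IP form suggested in the thread,
# then the poster's attempt with the LAN workstation 192.168.1.200.
RULES = [
    ShaperRule("WAN", "LAN", "203.0.113.7", "LAN net", "q32kDown"),
    ShaperRule("LAN", "WAN", "LAN net", "203.0.113.7", "q32kUp"),
    ShaperRule("WAN", "LAN", "192.168.1.200", "LAN net", "q32kDown"),
    ShaperRule("LAN", "WAN", "LAN net", "192.168.1.200", "q32kUp"),
]


def side(ip):
    return "LAN" if ip in LAN_NET else "WAN"


def path(src, dst):
    """Interfaces a flow crosses; out_if is None when it ends on the firewall."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (side(s), None if d == FIREWALL_LAN else side(d))


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "LAN net":
        return ipaddress.ip_address(addr) in LAN_NET
    return ipaddress.ip_address(spec) == ipaddress.ip_address(addr)


def classify(rules, src, dst):
    """First matching rule names the queue; untagged flows get the default."""
    crossed = path(src, dst)
    for r in rules:
        if ((r.in_if, r.out_if) == crossed
                and addr_matches(r.src, src) and addr_matches(r.dst, dst)):
            return r.queue
    return DEFAULT_QUEUE
```

In this model the webGUI session from 192.168.1.200 to the firewall never leaves through a second interface, so none of the WAN->LAN or LAN->WAN rules can tag it and its priority is whatever the default queue was given.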