Correction #15467

closed

Feedback on pfSense® software Configuration Recipes — Configuring CoDel Limiters for Bufferbloat

Added by mrpops2ko about 2 months ago. Updated about 2 months ago.

Status: Rejected
Priority: Very Low
Assignee: -
Category: DNS
Target version: -
Start date: -
Due date: -
% Done: 0%
Estimated time: -
Description

Page: https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html

Feedback:

Hi, I would like to suggest two changes.

The first one is simple: switching out the floating rule ANY match and instead opting for protocol: TCP/UDP.

The logic being that ICMP traffic is so small and useful that it does not make much sense that we would throttle it with FQ_CODEL, or that any meaningful benefit would be gained in doing so. In fact the inverse is very much true: you end up thinking that there are issues when there aren't, when thrashing upstream / downstream.

The second one I need some help in crafting / soundboarding, but I think it would be useful. I've followed the documentation on setting up Unbound, and saw the redirect trick using an inversion rule, which I thought was very clever logic.

I'm wondering if we could also apply this here. The rationale being that any upstream DNS queries should NOT be throttled / pushed into the FQ_CODEL dummynet because, well, DNS queries are so small and because they are very important.

I'm noticing in my Unbound debug logs 'outnettcp got tcp error -1', and I very much suspect that this is due to FQ_CODEL being applied when really it shouldn't be.

My first thought in this regard was to do Destination: ANY, Invert match: tick, but then I got an error that it wasn't allowed, and through some googling realised that if you invert ANY it becomes NONE, lol.

But I think we can still play around with this by inverting something that is basically never used, can't we? Like, take for example PPTP clients; almost nobody is using that. So if we do Destination: PPTP clients, Invert match: tick, and create an alias for DNS_PORTS (53 and 853),

then effectively what we are saying is that FQ_CODEL outbound rules will apply to pretty much any traffic which isn't going to a DNS port.

And then we also have the redirect rule which redirects all DNS queries by the clients to the DNS server.

It would require some better explanation of why we do this, but I think overall it would be a net gain.
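The two rule changes discussed in this ticket (limit only TCP/UDP so ICMP stays out of the queues, and keep DNS out of the limiter), written out as an added illustration in pf.conf syntax rather than as pfSense GUI steps. This is not the docs page's own configuration and not a ruleset generated by pfSense; it is added here for clarity. The DNS exemption is expressed with a `pass ... quick` rule placed above the limiter `match` rule, which is plain pf ordering semantics, rather than with an inverted destination match. The interface name, the `dns_ports` macro standing in for a DNS_PORTS alias, and the dummynet pipe numbers are assumptions.

```pf
# Added illustration (not from the docs page or from pfSense's generated rules).
# Assumptions: WAN is em0; dummynet pipes 1 and 2 were already created as
# limiters (in pfSense: Firewall > Traffic Shaper > Limiters); dns_ports stands
# in for a DNS_PORTS port alias containing 53 and 853.
wan       = "em0"
dns_ports = "{ 53, 853 }"

# DNS exemption, placed BEFORE the limiter rule. 'quick' ends rule evaluation
# for a matching packet, so the match rule below never assigns it to a pipe.
# The rule is stateful, so replies to the firewall's own upstream queries
# (e.g. Unbound's) are handled by the same state and stay out of the pipes too.
pass out quick on $wan inet proto { tcp, udp } from any to any port $dns_ports keep state

# Limiter rule: proto { tcp, udp } instead of 'any', so ICMP is never queued.
# dnpipe(in, out) is the FreeBSD/pfSense pf keyword behind the GUI's
# "In / Out pipe" selectors; which pipe is upload and which is download follows
# the limiter setup from the recipe, so the numbers here are placeholders.
match out on $wan inet proto { tcp, udp } from any to any dnpipe(1, 2)
```

Two things to check when translating this to the GUI: the exempting pass rule must be a floating rule with "Quick" set and must sit above the floating match rule, because a match rule that is evaluated before the quick pass would still have tagged the packet; and a pass rule also authorizes the traffic it matches, so it only belongs where outbound DNS from the firewall is meant to be allowed anyway (which is the normal case for the resolver's upstream queries).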
