Bug #15519

open

Limiter dynamic child queue applied twice when traffic passes out of bound OpenVPN interface with NAT

Added by Ivan Konash 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Traffic Shaper (Limiters)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.7.2
Affected Architecture: amd64

Description

Setup:

  • Limiter is set up with child queues that have a /32 source mask applied; the parent limiter is set to 100 Mbps
  • An OpenVPN client is set up and assigned as an interface
  • A firewall rule on a LAN interface specifies the OpenVPN interface as the gateway and specifies the child queue
  • An outbound NAT rule for traffic from the LAN leaving the OpenVPN interface translates the address to the OpenVPN interface address

Expected behavior:

Traffic should be limited to 100 Mbps with a single dynamic child queue

Observed behavior:

  • Traffic is limited to 50 Mbps
  • A child queue is created for the IP of the device on the LAN and another for the IP of the OpenVPN interface
  • The traffic has to pass through each child queue, sharing 100 Mbps equally, which results in 50 Mbps real throughput

Workaround:

  • Create a 1000 Mbps limiter (higher than the interface's actual capacity)
  • Create a floating rule of type 'match' for packets leaving the OpenVPN interface
  • Select the 1000 Mbps limiter on this rule

I can see the logic of why the above occurs, but this does not happen when using a 'standard' WAN interface without outbound NAT e.g. DHCP/PPPoE internet connection. I assume there's some logic that applies in the background to 'detag' the packets for being passed into the limiter when they pass out of these interfaces that is being missed when an OpenVPN client is being assigned as an interface.

Also described here: https://forum.netgate.com/topic/188302/bug-limiters-apply-twice-when-using-openvpn-c-as-an-interface-with-nat
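The following is an added illustration written for this page; it is not code from the report, from pfSense, or from FreeBSD's dummynet. It models the mechanism the report infers: a limiter with a /32 source mask creates one dynamic child queue per (masked) source address, the limiter's rate is shared equally among active child queues, and in the OpenVPN-with-NAT case the same packet re-enters the same limiter after outbound NAT under the OpenVPN interface address. The addresses 192.168.1.10, 10.8.0.2 and 203.0.113.7, the 240 Mbps offered load, the 1 ms tick and the plain round-robin sharing (an approximation of dummynet's scheduler) are all assumptions chosen for the model, not values from the report. It runs the three situations described above (plain WAN, OpenVPN with NAT, and the workaround with a second 1000 Mbps limiter on the outbound side) and reports the delivered rate and the child queues each limiter created.

```python
"""Model of a dummynet-style limiter with per-source dynamic child queues.
Illustrative code added to this page, not pfSense/FreeBSD code; addresses,
offered load, tick size and the round-robin sharing are assumptions."""
from collections import deque
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    length: int      # bytes
    stage: int = 0   # index of the limiter stage this copy is currently in


class Limiter:
    """A pipe of rate_bps shared equally by dynamic child queues that are
    created on demand and keyed by the masked source address
    (src_mask=32 gives one child queue per source host, as in the report)."""

    def __init__(self, name, rate_bps, src_mask=32, mtu=1500):
        self.name, self.rate_bps, self.src_mask, self.mtu = name, rate_bps, src_mask, mtu
        self.queues = {}          # queue key -> deque of Packet
        self._order = deque()     # round-robin order of queue keys
        self._credit = 0.0        # bytes the pipe may still emit in this tick

    def queue_key(self, pkt):
        net = ip_network(f"{pkt.src}/{self.src_mask}", strict=False)
        return str(net.network_address)

    def enqueue(self, pkt):
        key = self.queue_key(pkt)
        if key not in self.queues:            # first packet from this source: new child queue
            self.queues[key] = deque()
            self._order.append(key)
        self.queues[key].append(pkt)

    def drain(self, dt):
        """Emit up to rate*dt bytes, taking one packet per active child queue in
        turn, so every active queue gets an equal share of the pipe."""
        per_tick = self.rate_bps / 8 * dt
        self._credit = min(self._credit + per_tick, per_tick + self.mtu)
        out, idle = [], 0
        while self._order and idle < len(self._order):
            key = self._order[0]
            self._order.rotate(-1)
            q = self.queues[key]
            if not q or q[0].length > self._credit:
                idle += 1
                continue
            idle = 0
            pkt = q.popleft()
            self._credit -= pkt.length
            out.append(pkt)
        return out


def outbound_nat(pkt, iface_addr):
    """Outbound NAT: the source becomes the egress interface address, so a /32
    source mask now keys the same traffic into a different child queue."""
    return replace(pkt, src=iface_addr)


def run(path, seconds=1.0, dt=0.001):
    """path: list of (limiter, rewrite) stages a packet passes through in order;
    rewrite (or None) maps the packet leaving one stage into the next one.
    A LAN host offers 240 Mbps (20 x 1500-byte packets per 1 ms tick), more
    than a 100 Mbps limiter can carry. Returns the delivered rate in Mbps."""
    lan_pkt = Packet("192.168.1.10", "203.0.113.7", 1500)   # constructed addresses
    delivered = 0
    for _ in range(int(seconds / dt)):
        for _ in range(20):
            path[0][0].enqueue(lan_pkt)
        for lim in {id(l): l for l, _ in path}.values():     # drain each limiter once per tick
            for pkt in lim.drain(dt):
                nxt = pkt.stage + 1
                if nxt < len(path):
                    lim2, rewrite = path[nxt]
                    lim2.enqueue(replace(rewrite(pkt) if rewrite else pkt, stage=nxt))
                else:
                    delivered += pkt.length
    return delivered * 8 / seconds / 1e6


def scenarios():
    """The three cases from the report: plain WAN, OpenVPN with NAT, workaround."""
    def result(mbps, *lims):
        return {"mbps": round(mbps, 1), "queues": {l.name: sorted(l.queues) for l in lims}}
    nat = lambda p: outbound_nat(p, "10.8.0.2")               # constructed OpenVPN address
    wan = Limiter("lan100", 100_000_000)
    ovpn = Limiter("lan100", 100_000_000)                     # same limiter hit twice
    wa_a, wa_b = Limiter("lan100", 100_000_000), Limiter("ovpn1000", 1_000_000_000)
    return {
        "wan": result(run([(wan, None)]), wan),
        "openvpn": result(run([(ovpn, None), (ovpn, nat)]), ovpn),
        "workaround": result(run([(wa_a, None), (wa_b, nat)]), wa_a, wa_b),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:11s} {r['mbps']:6.1f} Mbps  child queues: {r['queues']}")
```

In the model the OpenVPN case ends up with two child queues on the 100 Mbps limiter (one keyed by the LAN host, one by the OpenVPN address) and roughly half the rate delivered, while the workaround keeps the second pass on a separate, larger limiter so the 100 Mbps limiter sees each packet once. The model only reproduces the report's reasoning; it does not show where in pfSense's generated ruleset the second pass occurs.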

