Bug #7050

Limiter with PFsense 2.4 transparent proxy

Added by Nelson Augusto Junior 11 months ago. Updated 10 months ago.

Status: Resolved
Priority: High
Assignee:
Category: Limiters
Target version:
Start date: 12/29/2016
Due date:
% Done: 100%
Affected Version: 2.4
Affected Architecture:

Description

Good morning Luiz, it is as follows: transparent proxy use with the limiter by IP. What happens is that when the bandwidth control is set for a given IP of the network, navigation to, which I did test, formatted from scratch with the last beta of pfSense 2.4, just installed squid, I activated it as transparent, created in the limiter tab a download rule and another for upload, with their configured speeds, I went in rules and created a rule setting a certain IP so that the control is made in / out, leaving the download first and the upload second. If the limiter is deactivated, it returns to normal navigation, if it applies again to, thanks

BKP_2.1.5_FuncionandoPerfeitamente.xml (45.5 KB) Nelson Augusto Junior, 12/30/2016 10:59 AM

BKP_2.4_Beta.xml (31.1 KB) Nelson Augusto Junior, 12/30/2016 10:59 AM

01 - Configuração do limiter.jpg - Limiter configuration (108 KB) Nelson Augusto Junior, 01/09/2017 10:24 AM

03 - Teste de download de arquivo.jpg - File download test (52.9 KB) Nelson Augusto Junior, 01/09/2017 10:24 AM

02 - Aplicação na Rule.jpg - Applied in the rule (145 KB) Nelson Augusto Junior, 01/09/2017 10:24 AM

04 - Teste no velocimetro.jpg - Speed meter test (58.1 KB) Nelson Augusto Junior, 01/09/2017 10:24 AM

History

#1 Updated by Kill Bill 11 months ago

Not sure what's special about 2.4 here; this has never worked since the hidden rules created by the package when set to transparent just do not apply any limiters. IOW, read this to get this working: https://forum.pfsense.org/index.php?topic=84725.msg464691#msg464691

(Hopefully should work on 2.4, on 2.3.x it'd just kill the traffic due to a well known bug with limiters and NAT.)

Is there something wrong with using Traffic Mgmt - Overall/Per-Host Throttling natively via Squid?

If someone wants to shuffle this under Packages - Squid category as a feature request, someone eventually might get to it. Certainly has nothing to do with "Developer tools", and it's not 2.4 specific either.

#2 Updated by Luiz Souza 11 months ago

Nelson, can you submit (even privately if you prefer) a copy of your working settings for the 2.1.x version and also a copy of the 2.4 settings?

#3 Updated by Nelson Augusto Junior 11 months ago

Luiz, good afternoon. I have two files as you requested, one working perfectly, which is called BKP_2.1.5_FuncionandoPerfeitamente, this is on the network 192.168.0.0/24, with an alias picking up the IPs that I want them to do called ControlPandaPorIP, the other is the beta 2.4 called BKP_2.4_Beta that is in a network 172.16.0.0/16, this with problems that apply to the rule for IP 172.16.0.2 it for a navigation, this is an alias only apply direct not Rules in / Out, but I already tested in all forms, with aliases etc.

#4 Updated by Luiz Souza 11 months ago

  • Category changed from Developer tools to Limiters

#5 Updated by Luiz Souza 11 months ago

  • Subject changed from Limiter Per IP Problem, with PFsense 2.4 transparent proxy to Limiter with PFsense 2.4 transparent proxy
  • Status changed from New to Confirmed

The issue here is limiter (dummynet) and pf redir on the same interface.

The transparent proxy adds a rdr rule to redirect the HTTP traffic to squid and that causes issues with dummynet on the same interface.

It works with squid only or limiters only, but both will cause intermittent failures.
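
A configuration check for the condition described in comment #5, added here as an example and not code from pfSense or from this ticket: it scans a pf ruleset for interfaces that carry both an rdr rule and a rule with a limiter attached. The sample ruleset is constructed, and the `dnpipe`/`dnqueue` rule keywords and the macro style are assumptions about how the firewall writes its rules.

```python
import re

# Constructed sample in pf.conf style (not taken from the attached backups).
# Assumption: limiter rules carry a "dnpipe" or "dnqueue" keyword.
SAMPLE_RULES = '''
LAN = "{ em1 }"
WAN = "{ em0 }"
rdr pass on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on $LAN inet from 172.16.0.2 to any keep state dnpipe ( 1,2) label "limit host"
pass out on $WAN inet from any to any keep state
'''

MACRO = re.compile(r'^(\w+)\s*=\s*"\{?\s*([^"}]*?)\s*\}?"\s*$')
ON_IF = re.compile(r'\bon\s+(\{[^}]*\}|\S+)')
LIMITER = re.compile(r'\bdn(?:pipe|queue)\b')

def interfaces(rule, macros):
    """Return the interface names a rule is bound to, expanding $MACROS."""
    m = ON_IF.search(rule)
    if not m:
        return []
    names = []
    for tok in m.group(1).strip('{} ').replace(',', ' ').split():
        names += macros.get(tok[1:], [tok]) if tok.startswith('$') else [tok]
    return names

def rdr_limiter_conflicts(ruleset):
    """Map each interface that has both rdr and limiter rules to those rules."""
    macros, seen = {}, {}
    for raw in ruleset.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2).split()
            continue
        if line.split()[0] == 'rdr':
            kind = 'rdr'
        elif LIMITER.search(line):
            kind = 'limiter'
        else:
            continue
        for ifname in interfaces(line, macros):
            seen.setdefault(ifname, {'rdr': [], 'limiter': []})[kind].append(line)
    return {i: r for i, r in seen.items() if r['rdr'] and r['limiter']}
```

An empty result means no interface combines the two rule types; any interface returned is one where the intermittent failures described above can be expected.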

#6 Updated by Kill Bill 11 months ago

Luiz Otavio O Souza wrote:

The issue here is limiter (dummynet) and pf redir on the same interface.
The transparent proxy adds a rdr rule to redirect the HTTP traffic to squid and that causes issues with dummynet on the same interface.
It works with squid only or limiters only, but both will cause intermittent failures.

Dunno, but this still sounds exactly the same as Bug #4326.

#7 Updated by Luiz Souza 11 months ago

Yeah, sort of. This is a fallout of 4326 not being properly tested under all conditions (nat, binat and rdr) - they have subtle implementation differences.

#10 Updated by Renato Botelho 10 months ago

  • Status changed from Feedback to Resolved
