Bug #8072

open

Limiter / Queue mask issues?

Added by Damien Montanile almost 4 years ago. Updated almost 4 years ago.

Status: New
Priority: Normal
Assignee: Ivor Kreso
Category: Traffic Shaper (Limiters)
Target version: -
Start date: 11/08/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.1
Affected Architecture: amd64

Description

After upgrading to 2.4 and then again to 2.4.1, I noticed there is what appears to be a new issue as it applies to using Queues within Limiters as was outlined in Comment #44 in the famous Limiters bug that's currently being worked on (https://redmine.pfsense.org/issues/4310).

Essentially, when applying Limiter Queues to In/Out Pipe in a rule's "Advanced Options", the limiters work just fine if it applies to just 1 IP address. However, if you're trying to apply the limiter by host to an entire Subnet or Subnets, the throttling seems to not take into account the MASK value when specifying Source/Destination on a per host basis, and instead applies the Value of the Limiter across the entire Subnet. In other words, if I specify my personal IP to be limited and the limiters are set to 5Mb/s up and 5Mb/s down, the limiters work as intended and I get throttled as expected. However, if I specify the entire LAN subnet, speed tests show me getting .01Mb/s throughput and the entire network slows to a crawl.

This happens regardless of pfsync being enabled or not.

To Reproduce:

Create Limiters and associated queues with the following values.

Firewall > Traffic Shaper > Limiters

Limiter: 5MegIn
Bandwidth: 5 Mbit/s
Mask: Destination Addresses
IPV4Mask: 32
IPV6Mask: 128

Queue 5MegIn-LAN
Mask: Destination Addresses
IPV4Mask: 32
IPV6Mask: 128
Weight: 100

Limiter: 5MegOut
Bandwidth: 5 Mbit/s
Mask: Source Addresses
IPV4Mask: 32
IPV6Mask: 128

Queue 5MegOut-LAN
Mask: Source Addresses
IPV4Mask: 32
IPV6Mask: 128
Weight: 100

Once the Limiters and Queues are created, create a Rule with the following:

RULE
Action: Match
Interface: LAN
Direction: In
Address Family: IPv4
Protocol: Any
Source: LAN Subnet (Change to Single Workstation IP to see the Limiters/Queues work as expected)
Destination: ANY
Advanced Options: In/Out Pipe
First Dropdown: 5MegIn-LAN Second Dropdown 5MegOut-LAN (I've also reversed them as a test. No real difference).

With these settings there's definitely throttling but it chokes it WAY back. Download speeds seem to gradually drop (dropped packets) and sometimes will only show as literally .01 Mb/s. Again, leaving it in place for a bit brings everything to a screeching halt and browsers get choked up. There's plenty of bandwidth to fulfill this. If I remove the Limiters or disable the rule, our full bandwidth is shown when doing speedtests.

Our LAN is on a /23 so mileage may vary a bit depending on how large and how many IPs are in your LAN subnet. Again, the only thing I can logically deduce is that it's a mask related issue that's not being applied for Queues. Other than that, I'm stumped. Thanks in advance for taking the time to look into this.

Actions #1

Updated by Chris Linstruth almost 4 years ago

It looks like you have your in/out directions mixed up.

When you place Limiters on the LAN interface, the IN direction should be masked by the Source Addresses. The OUT direction should be masked by Destination addresses.

The limiters are from the perspective of that interface so input is user "upload" and output is user "download."

Please verify and test again.

Actions #2

Updated by Chris Linstruth almost 4 years ago

And, further, if you want a separate pipe for each IP address you mask on the parent queue and do not set a child queue.

Please move discussion of this issue to forum.pfsense.org in the traffic shaping area until consensus is reached there that it is a bug. This is not a support forum.
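The masking behaviour described in the two comments above, as an added illustration that is not part of the ticket or of pfSense's code: a simplified model of how a dummynet-style mask groups packets into buckets, where each bucket stands for one dynamic pipe or queue. The sample addresses and the function names are constructed for this example.

```python
import ipaddress
from collections import Counter


def flow_key(packet, mask_field, prefix_len):
    """Return the bucket key a limiter mask derives from one packet.

    mask_field is "src" or "dst"; prefix_len is the IPv4 mask
    (32 = one bucket per host address).
    """
    addr = ipaddress.ip_address(packet[mask_field])
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return str(net.network_address)


def buckets(packets, mask_field, prefix_len):
    """Count packets per bucket for the given mask settings."""
    return Counter(flow_key(p, mask_field, prefix_len) for p in packets)


# Constructed sample: packets entering the LAN interface (direction "in"),
# i.e. uploads from three hosts of a /23 LAN to two remote servers.
LAN_IN = [
    {"src": "10.0.0.10", "dst": "203.0.113.5"},
    {"src": "10.0.0.11", "dst": "203.0.113.5"},
    {"src": "10.0.1.20", "dst": "203.0.113.5"},
    {"src": "10.0.0.10", "dst": "198.51.100.7"},
]

by_source = buckets(LAN_IN, "src", 32)  # one bucket per LAN host
by_dest = buckets(LAN_IN, "dst", 32)    # keyed by remote server instead
by_subnet = buckets(LAN_IN, "src", 23)  # the whole LAN shares one bucket

if __name__ == "__main__":
    for label, result in (("src/32", by_source),
                          ("dst/32", by_dest),
                          ("src/23", by_subnet)):
        print(label, dict(result))
```

With a source mask of 32 on inbound LAN traffic every LAN host lands in its own bucket, while a destination mask on the same traffic groups hosts by the server they talk to.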

Actions #3

Updated by Damien Montanile almost 4 years ago

Chris Linstruth wrote:

> It looks like you have your in/out directions mixed up.
>
> When you place Limiters on the LAN interface, the IN direction should be masked by the Source Addresses. The OUT direction should be masked by Destination addresses.
>
> The limiters are from the perspective of that interface so input is user "upload" and output is user "download."
>
> Please verify and test again.

I reversed the Mask Source and Destinations and still get the same behavior. I also removed the Mask from the Child Queues.

With 5Mb/s pipe I'm getting
DOWNLOAD 1.22 Mbps
UPLOAD 0.28 Mbps

Each subsequent attempt gets worse, until I've pretty much choked off all bandwidth and get .01 Up and Down.

There are already discussions for this issue in the forums, AND on Reddit. I was requested to submit this by Netgate // Pfsense staff given the testing I've been doing on this.

Actions #4

Updated by Damien Montanile almost 4 years ago

EDIT: To clarify. The old method of turning off pfsync and using just the limiters works as expected, however HA is of course disabled. It's with the introduction of child queues that things start becoming an issue. With or without pfsync.
