Bug #8072

open

Limiter / Queue mask issues?

Added by Damien Montanile over 6 years ago. Updated over 6 years ago.

Status: New
Priority: Normal
Assignee: Ivor Kreso
Category: Traffic Shaper (Limiters)
Target version: -
Start date: 11/08/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.1
Affected Architecture: amd64

Description

After upgrading to 2.4 and then again to 2.4.1, I noticed there is what appears to be a new issue as it applies to using Queues within Limiters as was outlined in Comment #44 in the famous Limiters bug that's currently being worked on (https://redmine.pfsense.org/issues/4310).

Essentially, when applying Limiter Queues to In/Out Pipe in a rule's "Advanced Options", the limiters work just fine if it applies to just 1 IP address. However, if you're trying to apply the limiter by host to an entire Subnet or Subnets, the throttling seems to not take into account the MASK value when specifying Source/Destination on a per host basis, and instead applies the Value of the Limiter across the entire Subnet. In other words, if I specify my personal IP to be limited and the limiters are set to 5Mb/s up and 5Mb/s down, the limiters work as intended and I get throttled as expected. However, if I specify the entire LAN subnet, speed tests show me getting .01Mb/s throughput and the entire network slows to a crawl.

This happens regardless of pfsync being enabled or not.

To Reproduce:

Create Limiters and associated queues with the following values.

Firewall > Traffic Shaper > Limiters

Limiter: 5MegIn
Bandwidth: 5 Mbit/s
Mask: Destination Addresses
IPV4Mask: 32
IPV6Mask: 128

Queue 5MegIn-LAN
Mask: Destination Addresses
IPV4Mask: 32
IPV6Mask: 128
Weight: 100

Limiter: 5MegOut
Bandwidth: 5 Mbit/s
Mask: Source Addresses
IPV4Mask: 32
IPV6Mask: 128

Queue 5MegOut-LAN
Mask: Source Addresses
IPV4Mask: 32
IPV6Mask: 128
Weight: 100

Once the Limiters and Queues are created, create a Rule with the following:

RULE
Action: Match
Interface: LAN
Direction: In
Address Family: IPv4
Protocol: Any
Source: LAN Subnet (Change to Single Workstation IP to see the Limiters/Queues work as expected)
Destination: ANY
Advanced Options: In/Out Pipe
First Dropdown: 5MegIn-LAN Second Dropdown: 5MegOut-LAN (I've also reversed them as a test. No real difference).

With these settings there's definitely throttling but it chokes it WAY back. Download speeds seem to gradually drop (dropped packets) and sometimes will only show as literally .01 Mb/s. Again, leaving it in place for a bit brings everything to a screeching halt and browsers get choked up. There's plenty of bandwidth to fulfill this. If I remove the Limiters or disable the rule, our full bandwidth is shown when doing speedtests.

Our LAN is on a /23 so mileage may vary a bit depending on how large and how many IPs are in your LAN subnet. Again, the only thing I can logically deduce is that it's a mask related issue that's not being applied for Queues. Other than that, I'm stumped. Thanks in advance for taking the time to look into this.
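A simplified model of the behaviour the report suspects, added here as an illustration; it is not pfSense or dummynet code. The 10.0.0.0/23 LAN, the helper names, and the even split between equal-weight hosts in one bucket are assumptions: with a /32 mask every host gets its own 5 Mbit/s bucket, while an ignored mask puts the whole subnet into a single one.

```python
import ipaddress
from collections import defaultdict

LIMIT_MBIT = 5.0  # bandwidth of the 5MegIn / 5MegOut limiters in the report


def flow_key(addr, prefix_len):
    """Mask an IPv4 address; hosts with the same key share one bucket."""
    ip = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip & mask))


def per_host_rate(active_hosts, prefix_len, limit=LIMIT_MBIT):
    """Return {host: Mbit/s}.

    Assumption of this model: every bucket is capped at `limit`, and
    equal-weight hosts that land in the same bucket split it evenly.
    """
    buckets = defaultdict(list)
    for host in active_hosts:
        buckets[flow_key(host, prefix_len)].append(host)
    return {
        host: limit / len(members)
        for members in buckets.values()
        for host in members
    }


def bucket_count(active_hosts, prefix_len):
    """Number of distinct buckets the given mask creates."""
    return len({flow_key(h, prefix_len) for h in active_hosts})


# Constructed sample: every usable address of a /23 LAN is active at once.
LAN = ipaddress.ip_network("10.0.0.0/23")
HOSTS = [str(h) for h in LAN.hosts()]

if __name__ == "__main__":
    for label, plen in (("mask /32 honoured", 32), ("mask ignored (0)", 0)):
        rate = per_host_rate(HOSTS, plen)[HOSTS[0]]
        print(f"{label}: {bucket_count(HOSTS, plen)} bucket(s), "
              f"{rate:.4f} Mbit/s per host")
```

Comparing the number of dynamic buckets the firewall actually creates against the number of active hosts is the direct way to tell which of the two cases a running system is in.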
