Bug #9643

Limiters do not function properly on 2.5 snapshots

Added by Greg M over 1 year ago. Updated 10 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: Limiters
Target version:
Start date: 07/22/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

Hi all!

Discussion here: https://forum.netgate.com/topic/145091/quick-question-about-limiters

I think there is a bug in limiters...

Problem #1:
When I create limiters and set floating firewall rules for the WAN interface, all traffic from all LANs stops working. If I create floating rules with the same limiters for LAN interfaces, everything works.
I was following forum discussion samples and tutorials, YouTube videos etc... Limiters were set up properly and floating rules as well.

Problem #2:
With limiter on LAN ifaces all traffic on LAN iface is limited to 80 Mbit/s which is OK.
But when I start to download torrent for example, LAN stays at 80 Mbit/s but WAN goes above 80 and eventually reaches 90 Mbit/s.
There are no other sources of traffic, just torrents. One WAN and 2 LAN.
See image: https://forum.netgate.com/assets/uploads/files/1563691216842-capture.png

Because of problem #2, I was trying to limit WAN iface instead of LAN to avoid this issue but when I did that, it blocked all traffic completely.

pfSense is on Hyper-V.

Using latest snapshot as of today.

We can continue on forums to avoid spamming here, but I think something is not quite right with limiters on 2.5.0 snaps.

Thanks!

History

#1 Updated by Greg M over 1 year ago

Hi again.

I restored config on 2.4.4-p3 and this is working just fine there.

I believe this one is related to https://redmine.pfsense.org/issues/8954#change-41002.

Thanks!

#2 Updated by Jim Pingle over 1 year ago

  • Category set to Limiters
  • Target version set to 2.5.0

The two cannot be related. ALTQ is not used for limiters.

I have also seen a similar situation on 2.5 where limiters were not functional and had to be removed to pass traffic.

#3 Updated by Greg M over 1 year ago

Hmmm OK, I have Hyper-V, 2.5.0 and pppoe.

But the weird thing is that when applied on the IN direction on LAN, it works OK.

#4 Updated by Jim Pingle about 1 year ago

  • Subject changed from Limiters in 2.5 to Limiters do not function properly on 2.5 snapshots

#5 Updated by Grant Peier about 1 year ago

I experienced the same behavior as Greg M when updating from 2.4.4-p3 to 2.5.0. This was on a bare-metal install.

#6 Updated by Greg M 12 months ago

Hi.

Any update on this one?

Thanks!

#7 Updated by Jim Pingle 12 months ago

Nothing yet, but since we are rebasing on FreeBSD 12.1 soon, it will need to wait until after that happens.

#8 Updated by Ryl Thelandria 8 months ago

Experiencing same behavior as reported by Greg M on my physical install of pfSense 2.5 dev. Traffic just stops.

Followed the instructions from 2.4.4 here (from a pfsense Short Topic vid, first topic): https://www.youtube.com/watch?v=o8nL81DzTlU&t=380 No dice.

Meantime, I disabled the floating rule for now, and I try again every few weeks...no change in behavior since I first tried back at the start of Jan 2020.

Any news? Thanks, in advance. Love your software otherwise! Gorgeous, powerful, versatile!

#9 Updated by Gyula Kelemen 5 months ago

Hi.

Same behavior on Proxmox/KVM - pfSense 2.5.0.a.20200518.1031 with vtnet driver.
Any update on this?

Thanks!

#10 Updated by Manuel Piovan 5 months ago

Not working for me either.
2.5.0.a.20200522.0732
I need to disable the floating rule to make internet work again.

#11 Updated by Tom Fuke 5 months ago

I'm having the same issue, running on a VK-T40E:

2.5.0.a.20200603.1253

If I enable the floating rule, I lose all internet/WAN traffic.

Out of interest, for those running on 2.4.x, can you see the queue in any of the pfSense monitoring/status/log tools?

#12 Updated by Chris Collins 2 months ago

Hi guys, just to confirm it looks like I have the same problem.

pfSense running in a Proxmox VM, I did a GUI update from 2.4.x to 2.5 devel.

After an hour I was informed servers behind the firewall are dead, and noticed dummynet was making all traffic just time out as if there was a block rule in place. The limiter was configured as in the pfSense video guide.

I am using vtnet driver.

#13 Updated by Chris Collins 2 months ago

I can also confirm it works fine on LAN, and since the setup uses NAT, it means I can use this as a workaround. I put myself forward as a volunteer if any patches get made and need testing; I can test on this server.

#14 Updated by Luiz Souza about 2 months ago

  • Status changed from New to Feedback

Can someone confirm this is still broken with a current snapshot?

I was able to set up a floating rule and the limits were properly applied.

#15 Updated by Abhinav Tella about 2 months ago

Still broken for me on the latest build, I tested just now.

#16 Updated by Luiz Souza about 2 months ago

Can you give me more details? Show me your rules and results?

#17 Updated by Abhinav Tella about 2 months ago

Here are the limiters and firewall floating rule I used. When the firewall rule is enabled, no traffic gets through the WAN; the same setup worked fine in 2.4.5-P1. I have no other user generated rulesets other than default from install time. No pfBlockerNG or any other packages. I am testing bare metal on an AMD Epyc 3251 SuperMicro build w/Intel X710-T2L ethernet adapter.

UPDATE: The upload limiter seems to work, I went back to the firewall rule and selected none for the "Out Pipe". So basically it's the downlink limiter that's not functional in 2.5.0.

Limiters:

Download Limiter:
Bandwidth: 1000 Mbps (I get 1150-1200 Mbps from ISP) (later tried 900 Mbps)
Queue Management Algorithm: CoDel
Scheduler: FQ_Codel
Queue Length: 1000 also tried leaving blank
ECN: Enabled
—Download Queue:
Queue Management Algorithm: CoDel
ECN: Enabled

Upload Limiter:
Bandwidth: 36 Mbps
Queue Management Algorithm: CoDel
Scheduler: FQ_Codel
Queue Length: 1000 also tried leaving blank
ECN: Enabled
—Upload Queue:
Queue Management Algorithm: CoDel
ECN: Enabled

Firewall Floating Rule:
Action: Pass
Interface: WAN
Direction: Out
Address Family: IPv4
Protocol: Any
Advanced:
Gateway: WAN_DHCP - 192.168.x.x
In/Out Pipe: Upload Queue (In) / Download Queue (Out)

#18 Updated by Renato Botelho about 1 month ago

  • Status changed from Feedback to New
  • Assignee set to Luiz Souza

#19 Updated by Jesse Beauclaire about 1 month ago

Abhinav Tella wrote:

Here are the limiters and firewall floating rule I used. When the firewall rule is enabled, no traffic gets through the WAN; the same setup worked fine in 2.4.5-P1. I have no other user generated rulesets other than default from install time. No pfBlockerNG or any other packages. I am testing bare metal on an AMD Epyc 3251 SuperMicro build w/Intel X710-T2L ethernet adapter.

UPDATE: The upload limiter seems to work, I went back to the firewall rule and selected none for the "Out Pipe". So basically it's the downlink limiter that's not functional in 2.5.0.

Limiters:

Download Limiter:
Bandwidth: 1000 Mbps (I get 1150-1200 Mbps from ISP) (later tried 900 Mbps)
Queue Management Algorithm: CoDel
Scheduler: FQ_Codel
Queue Length: 1000 also tried leaving blank
ECN: Enabled
—Download Queue:
Queue Management Algorithm: CoDel
ECN: Enabled

Upload Limiter:
Bandwidth: 36 Mbps
Queue Management Algorithm: CoDel
Scheduler: FQ_Codel
Queue Length: 1000 also tried leaving blank
ECN: Enabled
—Upload Queue:
Queue Management Algorithm: CoDel
ECN: Enabled

Firewall Floating Rule:
Action: Pass
Interface: WAN
Direction: Out
Address Family: IPv4
Protocol: Any
Advanced:
Gateway: WAN_DHCP - 192.168.x.x
In/Out Pipe: Upload Queue (In) / Download Queue (Out)

I am also having the same issue running the identical configuration as Abhinav Tella on 2.5.0-DEVELOPMENT (amd64) (built on Thu Sep 10 01:03:22 EDT 2020). The only difference is that I have it split between two floating rules; one for IPv4 and the other for IPv6.

#20 Updated by Luiz Souza 10 days ago

  • Status changed from New to In Progress
