Custom Bandwidths Are Greater Than 30 Please Lower Them for the Wizard to Continue

I've noticed that more and more users are creating pfSense VMs like me, or are buying dedicated boxes.  After using pfSense for a month I can wholeheartedly recommend running it in a VM, as the outlay is very low, £60 in my case for a dual Intel NIC, and the improvement in security, performance and network control is immense over an ISP-provided modem/router.

I've spent a long time trying to get the traffic shaper working, and once I figured it out it was very easy to do.  I'm sharing this with the community to help others who are new to pfSense and to encourage others to do so.

Background

I recommend reading this guide https://calomel.org/pf_hfsc.html for a very clear explanation of how Hierarchical Fair Service Curve (HFSC) traffic management works.

In summary, without traffic shaping on your internet connection your packets are processed on a first in/first out basis, which means it is easy for one type of service to hog bandwidth and hard for other services, e.g. VoIP, to get enough.  pfSense offers 3 ways of shaping traffic - PRIQ, CBQ and HFSC.

PRIQ is the most basic: it assigns each queue a priority of 0-7, with 7 the highest.  Traffic with priority 7 gets bandwidth first, priority 6 gets none until 7 has taken all it wants, then priority 5 and so on.  The problem here is that certain services can hog all the bandwidth rather than everyone being guaranteed a 'little', e.g. setting POP3 at priority 3 might mean that it NEVER gets any bandwidth, i.e. emails would never get sent if priorities 4-7 are using it all.

The most advanced method, HFSC, fixes this problem by creating queues and letting you set, queue by queue, what happens when your LAN or WAN is maxed out:

  • how much bandwidth should be guaranteed to each queue e.g. a min of 1Mbps for VoIP when the line is maxed out
  • the maximum bandwidth a queue should get out of the total available if the line is maxed out (m2)
  • You can even set how much bandwidth a queue gets initially (m1) and for how long (d) before reverting to its final max limit (m2).  An application of this could be if you want to give a lot of bandwidth initially to http traffic so short interactive page loads are fast (m1 high), but if someone is doing a big download then the lower m2 speed kicks in to stop bandwidth being hogged

The pfSense wizard takes care of setting up the majority of the HFSC rules needed, and only a few tweaks are required to personalise them, e.g.:

  • I've created a rule that makes sure any traffic from my wife's smartphone or laptop goes into the high priority queue so I don't get any 'why is the internet so slow?' complaints
  • the default rules only created a rule for port 119 NNTP traffic, so I added one for port 563 so my Sabnzbd traffic was shaped

The key to shaping is to make sure you add limits that match your line speeds as pfSense only shapes once the max is hit.  E.g. I'm on a 24/1 connection and get around 19/1 on a good day, so I put 18/0.95 into the shaper wizard to make sure that the pfSense shaper always kicks in.

Running the wizard:

1. Go to Firewall/Traffic and choose Wizards.  I have 1 LAN (AirVPN_LAN in the screenshots) and 1 WAN (AirVPN_WAN) so I choose Dedicated Links:

(screenshot)

2. Then choose HFSC, set your speeds and interfaces.  Remember, at a minimum, to reduce the line speed for your WAN to make sure pfSense actually shapes:

(screenshot 2)

3. Choose whether you want to prioritise VoIP and how much bandwidth you want to guarantee it as a minimum - this has to be less than 30% of the max line speed:

(screenshot 3)

4. Penalty Box: this is where all traffic from a given IP or alias can be capped.  I don't use this.

5. Next up, decide if you want to shape P2P traffic and tick which protocols.  I only use BitTorrent so I only ticked that one:

(screenshot 4)

6. Then Gaming - lots of choices here:

(screenshot 5)

7. Other protocols can be raised or lowered.  Any that aren't listed can be added through custom floating rules later, e.g. NNTP over SSL on port 563 isn't included:

(screenshot 6)

Then click finish and wait for pfSense to automatically create all the rules.  Once pfSense has finished go to Firewall/Traffic Shaper and you'll see the queues that have been created:

(screenshot 7)

  • What you can see is that AirVPN_WAN and AirVPN_LAN have both been set up as Parent queues, and the LAN parent has two Children, qLink and qInternet
  • qInternet has further Children which were created because of the choices I made in the wizard, e.g. qP2P to shape P2P traffic, qOthersHigh for the protocols I chose as high, and so on.
  • qLink is the default queue, so if pfSense can't match any internet traffic it goes in this queue along with any internal LAN traffic.  Unfortunately my P2P traffic went in here, so I had to create an additional rule to match this traffic to a queue below qInternet


If you click on any of the queues you can control its behaviour.  AirVPN_LAN is the top-level queue so it has fewer options - just make sure it's showing the right speed for your downstream speed - in my case 18Mbps

Here's qLink with default settings:

(screenshot 8)

Key:

  • Priority: this only applies if you chose PRIQ, i.e. on a scale of 0-7.  It doesn't apply to HFSC
  • Queue Limit: how many packets to queue, on a FIFO basis, once the bandwidth has been exceeded before packets are dropped.  Do not be tempted to set this too high or you'll suffer from "buffer bloat" - more here https://calomel.org/pf_hfsc.html.  I left this alone
  • Scheduler options: I left these alone, but there's some caution against using ECN here https://calomel.org/pf_hfsc.html
  • Bandwidth: how much this queue should use, as a percentage of the amount available to its Parent or as an absolute amount.  If anything is entered in Link Share m2 this number is overridden.  I've found that putting numbers in both Link Share m2 and Bandwidth (really just a shortcut for m2) can cause problems, so I'd recommend just using Bandwidth and leaving Link Share m2 blank unless you want to use m1 (see below)
  • Max Bandwidth for Queue / Upper Limit: sets an upper limit on how much bandwidth a queue can have, e.g. even if you've set Bandwidth at 100% above, putting 50% here will limit the queue to 50% (daft, I know).  m1 sets the initial max bandwidth, d the duration in milliseconds that the m1 limit applies, and m2 the limit after d has expired, e.g. you can set an m1 of 10Mbps for HTTP for 10000 (d) milliseconds and then drop to 1Mbps (m2), so that large transfers don't hog bandwidth but small ones, e.g. HTTP pages, get through quickly
  • Min Bandwidth / Real Time: guarantees bandwidth regardless of what other queues are doing.  The sum of all child Real Time allocations cannot exceed 80%
  • B/W Share / Link Share: sets how much bandwidth a queue gets when the Parent queue has hit its max capacity, e.g. for qP2P the default is a 5% allocation of qInternet's capacity if the line is maxed out:

(screenshot 11)
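The m1/d/m2 service curve and the Real Time / Link Share / Upper Limit interplay described above, as an added worked example (not code from the post or from pfSense).  It evaluates a curve over time and walks the three questions pfSense asks per packet, using the post's 18Mbps qInternet and the 10Mbps-for-10s-then-1Mbps HTTP example; `Curve`, `flat` and `effective_rate` are names chosen here, and the model is the post's simplified one, not the full HFSC algorithm.

```python
from dataclasses import dataclass
from typing import Optional

MBPS = 1_000_000  # bits per second


@dataclass
class Curve:
    """An HFSC service curve: m1 bit/s for the first d milliseconds, then m2 bit/s."""
    m1: float
    d: int      # milliseconds that m1 applies after the queue becomes active
    m2: float

    def rate_at(self, t_ms: int) -> float:
        """Rate the curve allows at time t (ms since the queue became active)."""
        return self.m1 if t_ms < self.d else self.m2

    def service_by(self, t_ms: int) -> float:
        """Cumulative bits the curve allows to have been sent by time t."""
        if t_ms <= self.d:
            return self.m1 * t_ms / 1000
        return (self.m1 * self.d + self.m2 * (t_ms - self.d)) / 1000


def flat(rate_bps: float) -> Curve:
    """Single-slope curve (m2 only), which is what the Bandwidth field sets."""
    return Curve(rate_bps, 0, rate_bps)


def effective_rate(t_ms: int, parent_bps: float, real_time: Optional[Curve],
                   link_share_pct: float, upper_limit: Optional[Curve] = None) -> float:
    """The post's three questions for a saturated parent:
    1. Real Time guarantee, 2. Link Share of the parent, 3. Upper Limit cap."""
    guaranteed = real_time.rate_at(t_ms) if real_time else 0.0
    share = parent_bps * link_share_pct / 100        # share of a maxed-out parent
    rate = max(guaranteed, share)                    # guarantee always honoured
    if upper_limit is not None:
        rate = min(rate, upper_limit.rate_at(t_ms))  # cap overrides the share
    return rate


# HTTP example from the post: 10Mbps for 10000 ms, then 1Mbps (Upper Limit curve)
HTTP_UPPER = Curve(10 * MBPS, 10_000, 1 * MBPS)

if __name__ == "__main__":
    q_internet = 18 * MBPS
    # qP2P: 5% link share, capped at 5% of the line by the wizard's default Upper Limit
    print("qP2P", effective_rate(0, q_internet, None, 5, flat(0.05 * q_internet)))
    # HTTP with a 20% link share: fast at first, throttled to m2 after d expires
    for t in (5_000, 15_000):
        print("http", t, effective_rate(t, q_internet, None, 20, HTTP_UPPER))
```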

pfSense runs through the following questions when it shapes each packet:

  1. For the given queue, does it have a Real Time allocation and is this enough or does it need queuing?
  2. If Real Time allocation isn't enough, does the packet have enough Link Share to be sent or does it need queuing?
  3. If using Link Share, is there an Upper Limit set that needs to be obeyed, potentially overriding the Link Share?

Once I got my head around the three points above, and that child queues share the bandwidth allocated to their parent, editing the rules became quite easy.

As you can see, the default wizard also caps qP2P to a max of 5% of the total line capacity at all times in the Upper Limit row.

I changed the default rules to get the result I wanted by:

  1. Changing the speed for my LAN to match the speed of my network - 1Gbps
  2. Changing the speed of qInternet to match my internet speed - 18Mbps.  I also set Upper Limit and Link Share to 18Mbps
  3. Using percentages for all my Child rules under LAN qInternet rather than Mbps so they automatically adjust if I change the top number
  4. Not using any Upper Limits.  If I use Link Share m2 entries, they always match the Bandwidth number
  5. Children: these share whatever is available to their parent.  For each of these, enter in Bandwidth what % of the parent you want to allocate via Link Share if the line were maxed out, e.g. for P2P I set 5% Bandwidth, i.e. if the line is maxed out P2P gets only 5% of 18Mb (from the qInternet allocation): it's not starved of traffic, but doesn't get a lot.  Other qInternet Children got different Bandwidths - qOthersHigh (20%), qOthersLow (10%), qGames (20%) - tweak to your personal preferences
  6. Ensuring that all my Real Time allocations add up to no more than 80%, e.g. I currently have qACK 20%, qVOIP 1% (i.e. disabled, but the rule is left in for the future), qGames 1% (disabled again), qOthersHigh 55%, qOthersLow 3% = grand total 80%.
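A checker for the constraints this guide sets out (shaper limits below measured line speed, VoIP guarantee under 30%, child Real Time total no more than 80%, child Bandwidth shares not exceeding the parent), as an added example that is not part of the post or of pfSense.  `Shaper`, `Child` and `check_shaper` are names chosen here; the qACK and qVOIP Bandwidth percentages are assumed, since the post does not state them.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Child:
    name: str
    bandwidth_pct: float       # Bandwidth field: Link Share m2 as % of the parent
    real_time_pct: float = 0   # Real Time m2 as % of the parent, 0 = no guarantee


@dataclass
class Shaper:
    measured_down_mbps: float  # what a speed test actually gives you
    measured_up_mbps: float
    shaper_down_mbps: float    # what you typed into the wizard
    shaper_up_mbps: float
    voip_guarantee_pct: float  # VoIP minimum from the wizard's VoIP page
    children: List[Child] = field(default_factory=list)


def check_shaper(cfg: Shaper) -> List[str]:
    """Returns the rules from the post that cfg breaks; an empty list means it passes."""
    problems = []
    # pfSense only shapes once its own limit is hit, so it must sit below real line speed
    if cfg.shaper_down_mbps >= cfg.measured_down_mbps:
        problems.append("download limit must be below the measured line speed")
    if cfg.shaper_up_mbps >= cfg.measured_up_mbps:
        problems.append("upload limit must be below the measured line speed")
    # the wizard's "Custom Bandwidths Are Greater Than 30" error from the page title
    if cfg.voip_guarantee_pct >= 30:
        problems.append("VoIP guarantee must be less than 30% of the line speed")
    rt = sum(c.real_time_pct for c in cfg.children)
    if rt > 80:
        problems.append(f"Real Time allocations sum to {rt:g}%, must not exceed 80%")
    ls = sum(c.bandwidth_pct for c in cfg.children)
    if ls > 100:
        problems.append(f"Bandwidth shares sum to {ls:g}%, must not exceed 100%")
    return problems


# The post's numbers: qInternet children on an 18/0.95 shaper over a ~19/1 line.
# qACK and qVOIP Bandwidth values are not stated in the post; 10% and 5% are assumed.
POST_CONFIG = Shaper(19, 1, 18, 0.95, 1, [
    Child("qACK", 10, 20),
    Child("qVOIP", 5, 1),
    Child("qGames", 20, 1),
    Child("qOthersHigh", 20, 55),
    Child("qOthersLow", 10, 3),
    Child("qP2P", 5, 0),
])

if __name__ == "__main__":
    print(check_shaper(POST_CONFIG) or "config follows the post's rules")
```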

Hopefully that all made sense.  I now have a happier household as no one service hogs the internet, with foreground traffic getting priority and background traffic only allowed to grab bandwidth when foreground services don't need it.

I'll do another couple of posts to show how I created a custom queue for Sabnzbd and to explain how qACK works in WAN.

Edited by DZMM


Source: https://forums.unraid.net/topic/56426-guide-how-to-traffic-shape-with-pfsense/
