next »

[cmonroe]

I've been trying to figure out a good way to shape the backup service I use (CrashPlan) with no luck. Here is my current floating rule set from /tmp/rules.debug:

match  proto tcp  from any to any  queue (q3_Default,q6_ACK)  label "USER_RULE: Default"
match  proto udp  from   $VOIP to any  queue (q7_VoIP)  label "USER_RULE: VoIP Equipment"
match  proto tcp  from any to any port 53   queue (q5_Net,q6_ACK)  label "USER_RULE: DNS (TCP)"
match  proto udp  from any to any port 53   queue (q5_Net)  label "USER_RULE: DNS (UDP)"
match  inet proto icmp  from any to any  queue (q5_Net)  label "USER_RULE: ICMP"
match  proto tcp  from any to any port 80   queue (q4_High,q6_ACK)  label "USER_RULE: HTTP"
match  proto tcp  from any to any port 443   queue (q4_High,q6_ACK)  label "USER_RULE: HTTPS"

CrashPlan traffic is HTTPS, so it's currently getting put in q4_High as I'd expect but I'd like it to be in q2_Low instead. Really the only HTTPS traffic originating from the host running CP in my network is CrashPlan so I figured I'd just add a floating rule with SRC == <host> && DST_PORT == 443 but this has no effect. Rule set after adding this new rule:

match  proto tcp  from any to any  queue (q3_Default,q6_ACK)  label "USER_RULE: Default"
match  proto udp  from   $VOIP to any  queue (q7_VoIP)  label "USER_RULE: VoIP Equipment"
match  proto tcp  from any to any port 53   queue (q5_Net,q6_ACK)  label "USER_RULE: DNS (TCP)"
match  proto udp  from any to any port 53   queue (q5_Net)  label "USER_RULE: DNS (UDP)"
match  inet proto icmp  from any to any  queue (q5_Net)  label "USER_RULE: ICMP"
match  proto tcp  from any to any port 80   queue (q4_High,q6_ACK)  label "USER_RULE: HTTP"
match  proto tcp  from any to any port 443   queue (q4_High,q6_ACK)  label "USER_RULE: HTTPS"
match  proto tcp  from   <LAN IP of Server> to any port 443   queue (q2_Low,q6_ACK)  label "USER_RULE: HTTPS for Server"

I recall reading that the last rule to match is the one that's applied, in this case I believe that should be the rule at the bottom. I tried clearing states, rebooting, etc. and it makes no difference. I know the rule is matching traffic properly because:

* if I remove the HTTPS any/any -> q4 rule, the HTTPS traffic from this host ends up in q3/default based on rule 1
* if I remove the TCP any/any ->q3 rule, the HTTPS traffic from this host ends up in q2 as I'd expect
* if I remove the HTTPS any/any, TCP any/any, and HTTPS from server rule the traffic ends up in the default queue (q3), also as I'd expect

I'm guessing this is an ordering issue, but I've tried putting the HTTPS for server rule at the top, checking the "quick" box, etc. and nothing seems to work. Do I have the rule built correctly to catch traffic going from LAN (ip of server)->WAN with a destination port of 443? Thanks.

[dreamslacker]

You might want to configure traffic shaping using the 'LAN' tab (or whichever interface Crashplan device is running on) rather than floating rules for outbound connections.  The interface specific rules would take precedence over the floating rules in most instances.

i.e.  Your server is located on LAN with IP 10.0.0.200

You would then add a rule in LAN tab and place it at the top as:

pass in quick on $LAN proto (tcp udp) from 10.0.0.200 to any port 443 keep state queue (q2_Low,q6_ACK)  label "USER_RULE: HTTPS for Server"

This should be placed before the Default allow LAN to Any rule.

[itsjr]

I just shape traffic to the Crashplan IP address C block.

So, all traffic to 209.208.241.0/24 gets put in the qOthersLow queue. I found that IP address by seeing what connections were being made from my computer, and looked up the owner of the IP at this address:
http://www.ip-address.org/tracer/ip-whois.php

Your computers might be backing up to a different Crashplan data centre, and the place it backs up to might change. I asked @Crashplan on Twitter and they said I should be OK for a year if I match on a C-block address.

[miles267]

I too was interested in doing this, but for the life of me, I cannot get my Crashplan cloud backup to go to my qLowOthers queue.  I have a Floating, LAN and WAN tab under Firewall > Rules.  When using PRIQ QoS method, if I understand correctly the WAN rules need to go into the Floating tab, correct?  Is this a replacement to the WAN tab?

In other words, hypothetically, if I wanted to access my PC remotely over RDP (port 3389), would I add the firewall rule to the WAN tab or the floating tab in order to open this port on my firewall?  Additionally, on which tab would the ack/queue parameters be defined?

I believe this may be where I'm still off a bit.  Thanks for clarifying.

[knnniggett]

I know this thread is old, but the following info may be helpful.

Turns out you can shape Crashplan traffic based on DSCP criteria.

From the Crashplan gui, select Settings -> Network -> WAN TCP Packet TOS -> DSCP...
Now enter a custom decimal DSCP value of 56.
Restart Crashplan.

From pfSense, create/edit your Crashplan rule:
Advanced features -> Diffserv Code Point -> af13

As long as you don't have anything else on your network marking packets this way, this should be the only matching criteria you need. I just enabled this last night and will update this post as I continue to monitor my queues for any unexpected behaviour.

In case you were wondering, af13 = a decimal DSCP value of 56.  For further reading:
https://crashplan.zendesk.com/entries/139167-outgoing-ports-what-range-need-for-qos-setup

[britcowboy]

Sorry to drag this topic up, but thanks for the last post very helpful.

However, watching the queues, I see packets entering the qCrashplan queue under qInternet, but I don't see packets entering the qCrashplanUp queue on the WAN side (set as the ackqueue). I have also previously just had two crashplan queues on each interface instead, but the outbound queue doesn't seem to fill up.

Am I being stupid?

I'd really appreciate any help! Thanks

[britcowboy]

This is what I mean - I've currently got this setup so that anything to and from 38.0.0.0/8 gets put into the qCrashplan queue (i've now renamed my crashplanout queue to qCrashplan)

I've attached what I see, why is only the incoming Crashplan queue dealing with packets and not the outgoing?

Does anyone have any ideas? Could anyone share what they see in their queues?

Thanks