
Messages - Harvy66

Pages: [1] 2 3 4 5 ... 160
Latency is only affected because of bufferbloat. You could try to limit everyone's bandwidth, but fixing the bufferbloat can get you the 80/20 with little effort, fewer edge cases, and reduced complexity.

The simplest way currently is to enable FairQ as the shaper on the LAN and WAN interfaces, configure the default queue on the interfaces to have Codel enabled, and set the bandwidth to some value less than the real bandwidth you have.

In the near future, scheduled for 2.4.4, fq_Codel should be superior and easier to set up.

This is just an alternative that you may want to try.

Show us the rules, on the LAN interface, instead of saying what you think they're doing. Do you use a Layer 3 switch?

Traffic Shaping / Re: Optimizing for video stream
« on: May 16, 2018, 12:19:32 pm »
If you're still having issues, I recommend using FairQ+Codel or fq_codel (a bit more complex right now, and it should be much easier to set up in 2.4.4).

General Discussion / Re: Error: Listen queue overflow
« on: May 15, 2018, 11:31:43 am »
Probably some service that is not consuming data fast enough (i.e. overloaded) or is stuck.

General Discussion / Re: Remote rowhammer
« on: May 14, 2018, 07:14:32 am »
It currently requires RDMA where you can control the timing and target memory. Not to mention non-ECC memory and memory that is affected by rowhammer.

I don't use ECC, but my DDR3 is unaffected by rowhammer. Validated both by research and by using memtest's rowhammer mode.

Most high-end NICs that are not doing RDMA are going to do DMA with interrupt coalescing and not let you choose where to write to memory. I am not sure how applicable this attack actually is.

Hardware / Re: Chelsio T5 vs. T6 SFP+ Adapters
« on: May 11, 2018, 07:46:52 pm »
I'm not sure in this case, but in many cases the hardware offloading does not apply well or at all to a router/firewall because it doesn't terminate the connection. For example, TSO and GSO can cause issues with packet pacing and buffer bloat. Great for throughput where you're CPU bound. I'm not sure how the TCP offloading works to know if it matters at all for a stateful firewall.

General Questions / Re: PF sense Intro Squid+HTTPS+Exclude LAN IP's
« on: May 09, 2018, 10:17:51 am »
My eyes! All that's missing is a scrolling marquee.

Unless you have a sight issue (in which case I apologize), could you try to use a normal-sized font? Speaking of fonts, it's like a variation of Comic.

General Questions / Re: Samsung Tab A slow internet browsing
« on: May 08, 2018, 08:53:54 pm »
Potential DNS issue or IPv6 comes to mind. May want to do some packet captures.

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: May 06, 2018, 08:16:30 pm »
@matt, why is the interval so large? The interval should be roughly equal to your upper typical RTT. 100,000ms is a pretty big RTT.
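To make the interval's role concrete, here is a small simulation of the CoDel dequeue algorithm (RFC 8289) added as an editorial example; it is not code from this thread, from pfSense, or from FreeBSD's dummynet. It feeds a constructed 200 ms arrival burst at twice the service rate into a queue, then matches the arrival rate to the service rate, and runs CoDel once with the defaults (target 5 ms, interval 100 ms) and once with the 100,000 ms interval mentioned above. The packet rates, tick sizes and two simplifications (a one-packet test in place of the RFC's one-MTU test, and the drop count restarting at 1 on re-entry) are assumptions made for the example.

```python
"""Constructed CoDel (RFC 8289) simulation: editorial example, not pfSense or
dummynet code. Times are in milliseconds; a packet is represented by its
arrival timestamp."""
from collections import deque
from math import sqrt


class CoDel:
    """Dequeue-side CoDel controller. Simplified from RFC 8289: the
    'queue holds at most one MTU' test is a one-packet test, and the
    drop count restarts at 1 whenever dropping state is re-entered."""

    def __init__(self, target_ms=5.0, interval_ms=100.0):
        self.target = target_ms
        self.interval = interval_ms
        self.first_above_time = None  # when sojourn first stayed above target
        self.drop_next = None         # scheduled time of the next drop
        self.dropping = False
        self.count = 0                # drops since entering dropping state
        self.drops = 0                # total drops, for the report

    def _dodequeue(self, q, now):
        """Pop the head packet and decide whether CoDel may drop it."""
        if not q:
            self.first_above_time = None
            return None, False
        pkt = q.popleft()
        sojourn = now - pkt
        if sojourn < self.target or not q:
            # below target, or this was the only packet: no standing queue
            self.first_above_time = None
            return pkt, False
        if self.first_above_time is None:
            # sojourn just crossed target: give it one interval to clear
            self.first_above_time = now + self.interval
            return pkt, False
        return pkt, now >= self.first_above_time

    def dequeue(self, q, now):
        """Return the packet to transmit at `now`, or None if the queue is empty."""
        pkt, ok_to_drop = self._dodequeue(q, now)
        if self.dropping:
            if not ok_to_drop:
                self.dropping = False
            else:
                while self.dropping and now >= self.drop_next:
                    self.drops += 1          # pkt is dropped
                    self.count += 1
                    pkt, ok_to_drop = self._dodequeue(q, now)
                    if not ok_to_drop:
                        self.dropping = False
                    else:
                        # control law: drop spacing shrinks as 1/sqrt(count)
                        self.drop_next += self.interval / sqrt(self.count)
        elif ok_to_drop:
            self.drops += 1                  # pkt is dropped
            pkt, ok_to_drop = self._dodequeue(q, now)
            self.dropping = True
            self.count = 1
            self.drop_next = now + self.interval / sqrt(self.count)
        return pkt


def simulate(target_ms, interval_ms, duration_ms=4000):
    """Constructed traffic (assumption): one packet per ms for the first
    200 ms, i.e. a burst at twice the service rate, then one packet every
    2 ms, exactly the service rate. The link serves one packet every 2 ms."""
    codel = CoDel(target_ms, interval_ms)
    q = deque()
    first_drop = None
    sent = 0
    for now in range(duration_ms):
        if now < 200 or now % 2 == 1:
            q.append(now)                   # stamp arrival time
        if now % 2 == 0:
            before = codel.drops
            if codel.dequeue(q, now) is not None:
                sent += 1
            if first_drop is None and codel.drops > before:
                first_drop = now
    return {
        "sent": sent,
        "drops": codel.drops,
        "first_drop_ms": first_drop,
        "final_queue": len(q),  # standing queue left at the end, in packets
    }


if __name__ == "__main__":
    for interval in (100, 100_000):
        print(f"target=5ms interval={interval}ms ->", simulate(5, interval))
```

With the defaults, the sojourn time crosses the 5 ms target at 10 ms and the first drop lands one interval later, at 110 ms; the control law then spaces drops closer together until the standing queue is back under target, leaving two packets queued at the end of the run. With the interval set to 100,000 ms, CoDel never reaches its first drop inside the 4 s run and the 100-packet standing queue from the burst is still there at the end. That is the point of tying the interval to the path RTT: it is how long CoDel waits for the sender to react before it starts signalling.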

Firewalling / Re: Concatenate Rulesets
« on: May 03, 2018, 12:38:43 pm »
Such a large set of rules in a single location seems like a recipe for disaster. Complexity is the enemy of security. There's got to be a better way. I have a feeling there is a better point of responsibility.

In general, a firewall rule should be a general rule (applies to entire subnets) or an exception rule (one-offs). Exception rules are exceptions to the general rules. Human error increases relative to the number of rules, even more so with the exceptions. The cost of micromanagement is more mistakes.

Hope someone can help you.

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: May 03, 2018, 12:29:00 pm »
I think I might be the exception here - I actually get (seemingly) slightly better performance when I have fq_codel applied to both upload and download on my fiber connection. That being said, the only way I have tested this to date has been through speed tests, and in particular the DSL Reports speed test to get an idea of bufferbloat. With fq_codel applied to the download side as well, my download during the test is a bit more stable, comes in slightly higher (bandwidth) and has lower average latency during the test. In fact, I have found the best performance so far for me has been by using a 940/940 limit on a gigabit FTTH connection, with a little bit more aggressive target of 3ms and interval of 60ms -- the fq_codel defaults are 5ms and 100ms. This does limit the download and upload speed to about 915-920Mbit on my connection, but I'm willing to take a 3 - 3.5% hit on bandwidth to have lower average latency and connection stability. One could argue that on a gigabit fiber connection all this really doesn't matter anyway since there are very few cases where the bandwidth is maxed out anyway, and that's probably true. But nonetheless I do like having these settings to ensure stability.

I see gigabit maxed out all of the time. YouTube, Netflix, and Hulu microburst their ~250KiB chunks at 1Gb/s. Packet sniff these TCP connections and I see back-to-back 1500 byte frames for about 2ms at a time. That's for steady state. I technically only have a 150Mb connection, but it's a 1Gb link that is policed to 150Mb. If I keep jumping around the video timelines, I can keep the video stream in a perma-buffering state, which attempts to send at the full 1Gb/s. I can see 1Gb/s for about the first 100ms or so before the policer starts ramping up. That could represent a 100ms burst in latency if it were not for my ISP's AQM plus my HFSC shaping.

General Questions / Re: auto log off
« on: May 03, 2018, 12:22:33 pm »
First thought is asymmetric routing. Are the TCP states getting established?

Necro an unrelated thread?

Firewalling / Re: Google QUIC protocol issues
« on: May 03, 2018, 12:17:56 pm »
Define "filter". pfSense itself does not care about above Layer 4. Some of the custom packages might.
