Netgate SG-1000 microFirewall

Author Topic: playing with fq_codel in 2.4  (Read 14456 times)

0 Members and 2 Guests are viewing this topic.

Offline belt9

  • Full Member
  • ***
  • Posts: 233
  • Karma: +24/-6
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #135 on: October 17, 2017, 07:20:23 am »
Yeah, I just tried adding and deleting firewall rules then checking ipfw and it still has my fq_codel flows.

If there's some other action you're worried might remove fq_codel then just try doing that action then check ipfw after to see if fq_codel is still in place.


Code: [Select]
ipfw sched show

Offline w0w

  • Sr. Member
  • ****
  • Posts: 538
  • Karma: +31/-6
  • kernel panic attack
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #136 on: October 17, 2017, 10:52:30 am »
OK so may be quick start quide?

1. RTFM for FQ_CODEL http://caia.swin.edu.au/freebsd/aqm/patches/README-0.2.1.txt
2. Config limiters (pipes) via GUI.
3. View /tmp/rules.limiter

for example it will be

Code: [Select]

pipe 1 config  bw 280576Kb
queue 1 config pipe 1 mask src-ip6 /128 src-ip 0xffffffff
 

pipe 2 config  bw 280576Kb
queue 2 config pipe 2 mask dst-ip6 /128 dst-ip 0xffffffff

4. USE shellcmd package to recreate pipes with commands like

Code: [Select]
ipfw pipe flush

ipfw pipe 1 config  bw 280576Kb
ipfw sched 1 config pipe 1 type fq_codel target 7ms quantum 2000 flows 2048
ipfw queue 1 config pipe 1 mask src-ip6 /128 src-ip 0xffffffff
 
ipfw pipe 2 config  bw 280576Kb
ipfw sched 2 config pipe 2 type fq_codel target 7ms quantum 2000 flows 2048
ipfw queue 2 config pipe 2 mask dst-ip6 /128 dst-ip 0xffffffff


5. Add your limiters to firewall rules (IN/OUT pipes), this step can be any after step 2 actually.

Is it correct?
Maybe it's better to run script at startup? Just placing it into /usr/local/etc/rc.d? I found that using shellcmd is a little bit uncomfortable with multiple command lines at once, have I missed something?
« Last Edit: October 17, 2017, 10:59:37 am by w0w »

Offline JTravers

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #137 on: October 17, 2017, 11:49:30 am »
Excuse my ignorance on this. I've just learned about and started using pfSense a couple weeks ago.

I have my limiters attached to my "Default allow LAN to any rule" in order to evenly split bandwidth to my LAN clients. And then fq_codel applied to those limiters. Seems to be working great for reducing bufferbloat, ensuring low latency for all clients, etc. Thanks for all the guidance in this thread!

Is there any benefit or harm to doing it that way vs. attaching the limiters to a floating rule as @johnpoz did?

Also, how does all this apply to OpenVPN clients (with pfSense as the server)? Would either setup also work with the OpenVPN clients, or is one setup better than the other?

Thanks for all your help!

« Last Edit: October 17, 2017, 12:12:31 pm by JTravers »

Offline belt9

  • Full Member
  • ***
  • Posts: 233
  • Karma: +24/-6
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #138 on: October 17, 2017, 12:19:46 pm »
Floating rules vs interface rules won't make a difference. It will also work well on VPN clients. VPN traffic will always have higher latency relative to the same traffic not routed through a VPN. fq_codel can't fix that, but it will still work with fairly queuing the traffic and reducing bufferbloat.

Offline gsmornot

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +1/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #139 on: October 17, 2017, 12:33:29 pm »
I came back here to say thanks because it works well. I completed my setup differently than some of what has just been posted.

I setup limiters just as seen in the screenshots. (post 121)(upload, download, wan, lan)
I ran the single command for IPFW pipes. (ipfw sched 1 config pipe 1 type fq_codel && ipfw sched 2 config pipe 2)
I installed shellcmd and added the single IPFW statement.
Modified the two stock LAN firewall rules (IPV4 and IPV6 advanced configuration) so that wan and lan would be used just as seen in the screenshots.
I restarted the firewall.

That is all I have done. Prior my buffer bloat was a D to F. Post I get an A each time. I may/may not be setup correctly but whatever it is works. I originally used the wizard for setup of traffic shaping which used HFSC and which gave @425 upload on my gigabit connection. This new setup gives @750. So, good for me.
« Last Edit: October 17, 2017, 08:33:01 pm by gsmornot »

Offline w0w

  • Sr. Member
  • ****
  • Posts: 538
  • Karma: +31/-6
  • kernel panic attack
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #140 on: October 17, 2017, 01:51:28 pm »
Definitely I am blind what screenshots are you all talking about? :D

Offline gsmornot

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +1/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #141 on: October 17, 2017, 02:04:58 pm »
Definitely I am blind what screenshots are you all talking about? :D
Reply 121 of this thread.

Offline w0w

  • Sr. Member
  • ****
  • Posts: 538
  • Karma: +31/-6
  • kernel panic attack
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #142 on: October 17, 2017, 10:25:20 pm »
Thanks.  :)

Offline JTravers

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #143 on: October 18, 2017, 12:27:37 am »
Floating rules vs interface rules won't make a difference. It will also work well on VPN clients. VPN traffic will always have higher latency relative to the same traffic not routed through a VPN. fq_codel can't fix that, but it will still work with fairly queuing the traffic and reducing bufferbloat.
I tested floating rules vs. lan rules and they both give excellent results. Latency results in bufferbloat tests seemed to be just slightly lower with the lan rules, but that's just splitting hairs.

I had very poor bufferbloat results when testing through my OpenVPN connection as a client connected to the OpenVPN server in pfSense. Is there any way to fix this? Should I be creating limiters to apply to the OpenVPN interface rules in the firewall and then selecting fq_codel on those limiters, as well?
« Last Edit: October 18, 2017, 02:02:38 pm by JTravers »

Offline belt9

  • Full Member
  • ***
  • Posts: 233
  • Karma: +24/-6
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #144 on: October 18, 2017, 12:57:32 am »
Yes you would need to apply limiters to your openvpn interface in order to queue your clients traffic. However, you can only fix your end, if the client is connecting to you via a poor connection then you can't get any better than the worst link.

Offline JTravers

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #145 on: October 18, 2017, 02:04:32 pm »
Yes you would need to apply limiters to your openvpn interface in order to queue your clients traffic. However, you can only fix your end, if the client is connecting to you via a poor connection then you can't get any better than the worst link.
Thanks, that makes sense.
Iíll try it out and see how much it helps.

Offline tman222

  • Jr. Member
  • **
  • Posts: 63
  • Karma: +6/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #146 on: October 20, 2017, 07:47:31 pm »
Finally got around to trying this again, and everything worked great!  John's screenshots in reply 121 are spot on and there is no need to edit any files if one uses shellcmd.

I actually recently changed to a 100/100 Fiber connection - here are results (using the DSL Reports speed test which has a nice Bufferbloat check):

Before (no shaping):


Using ALTQ FAIRQ + Codel Active Queue Management; 100Mbit Limit on Both WAN and LAN:


Using fq_codel and 100Mbit Limit on Both Upload and Download:


What's interesting to me here is that fq_codel appears to perform a bit better than the ALTQ emulation of fq_codel (using FAIRQ + Codel) - I find this very interesting.  Anyone have any thoughts as to why?

I also ran a more intense FLENT test on another system with fq_codel enabled and the results looked great as well (stable ping and stable download/upload over the course of the test).

Given the relatively little effort required to get this to work on pfSense, it's a fantastic way to improve the stability of a connection.



Offline Nullity

  • Hero Member
  • *****
  • Posts: 973
  • Karma: +96/-9
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #147 on: October 21, 2017, 07:13:26 am »
Finally got around to trying this again, and everything worked great!  John's screenshots in reply 121 are spot on and there is no need to edit any files if one uses shellcmd.

I actually recently changed to a 100/100 Fiber connection - here are results (using the DSL Reports speed test which has a nice Bufferbloat check):

Before (no shaping):


Using ALTQ FAIRQ + Codel Active Queue Management; 100Mbit Limit on Both WAN and LAN:


Using fq_codel and 100Mbit Limit on Both Upload and Download:


What's interesting to me here is that fq_codel appears to perform a bit better than the ALTQ emulation of fq_codel (using FAIRQ + Codel) - I find this very interesting.  Anyone have any thoughts as to why?

I also ran a more intense FLENT test on another system with fq_codel enabled and the results looked great as well (stable ping and stable download/upload over the course of the test).

Given the relatively little effort required to get this to work on pfSense, it's a fantastic way to improve the stability of a connection.

As I understand it, the biggest difference between FAIRQ + CoDel and fq_codel is that fq_codel individually applies codel to each per-flow pseudo-queue while FAIRQ + CoDel applies codel to the entire queue. There are also other subtle differences between codel and fq_codel, like the "fq" in fq_codel being a bit smarter than standard "fair queueing".

Either way, the 4ms difference you observed in best-case latency could just be a fluke.


Thanks for sharing the comparisons, btw.
Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramous.

Offline Animosity022

  • Jr. Member
  • **
  • Posts: 53
  • Karma: +4/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #148 on: October 21, 2017, 07:28:17 am »
I really don't get much difference. I was using OPNSense and fq_codel prior as it seemed to just work better for me.

With the new release, I changed back and just use HFSC queues with codel checked and some very basic rules to make sure my gaming traffic is first and my non important (downloads for media and other odd plex related download stuff) is limited. Works like a champ.



Only thing for me always comes back to making sure my upload and download limits match close to reality what I expect out of my link so I use 940 down and 880 on Verizon's Gigabit FIOS with 1000 queue. No drops and no bufferbloat that I've been able to make happen.

Offline tman222

  • Jr. Member
  • **
  • Posts: 63
  • Karma: +6/-0
    • View Profile
Re: playing with fq_codel in 2.4
« Reply #149 on: October 21, 2017, 02:24:10 pm »
Thanks all for the feedback.  i do have a quick follow up question as I think that I may have misconfigured something:

I actually ended up creating two limiters, one at 100Mbit up/down, the other at 25Mbit up/down to use on a guest network.   Went through the same process and enabled fq_codel on the second set of limiters.  Applied the limiters inside the firewall rules on the guest network, but for some reason when I try to test out the configuration with a machine on the guest network I'm able to go faster than the limited speed of 25Mbit.  However, the interesting thing is that does not seem to be consistent - for instance:

1) When running a speedtest on speedtest.net I'm limited to just 25Mbit (as expected)
2) When running a speedtest on DSLReports I'm able to go well beyond 25Mbit (almost to full speed).

I haven't been able to try an iperf3 test yet unfortunately.  Could it be that something is misconfigured and that the 25Mbit limit is applied per flow vs. the queue as a whole?

Thanks in advance for any insight you might have.

P.S. Some thoughts regarding fq_codel vs. FAIRQ + Codel:  At least in my case, using fq_codel consistently results in a bufferbloat average (for both upload/download) under 10ms.  Using FAIRQ + Codel it often goes beyond that, but never higher than 15-20ms.  Ultimately, I suppose it's not really a big deal, but I found it interesting nonetheless.
« Last Edit: October 21, 2017, 02:29:07 pm by tman222 »