Topic: The confusion of Limiters and associated bugs

Offline ProgressCity

The confusion of Limiters and associated bugs
« on: October 31, 2017, 05:26:52 pm »
Hi Everyone,

I've been having an issue for what seems like forever, in conjunction with the famous #4310 bug:

https://redmine.pfsense.org/issues/4310

There seems to be so much confusion concerning limiters and the like that I'm going cross-eyed trying to make sense out of it all. Just when I think I've got it all digested and figured out, I feel like another bug, or at least claim, comes along to disrupt my understanding. Perhaps it's just me. I've spent a lot of time researching the whole Limiter / HA issue. I had this working in 2.3, at least at some point.

I've recently updated to the latest stable release, 2.4.1, and have implemented HA with Limiters through queues, trying to limit to 5 Mb down and 5 Mb up per host. The thing is, when running bandwidth tests, the tests show an absolutely terrible download speed, basically .01 Mb, while upload speeds tip near 3.5 to 4. Leaving it alone for a while, it gets worse to the point where browsing the web seems non-existent.


My Limiters are configured as follows:

Limiter:  5MegIn
Bandwidth:  5 Mbit/s
Mask:  Destination Addresses
IPV4Mask: 32
IPV6Mask: 128

Queue 5MegIn-LAN
Mask:  Destination Addresses
IPV4Mask: 32
IPV6Mask: 128
Weight: 100


Limiter:  5MegOut
Bandwidth:  5 Mbit/s
Mask:  Source Addresses
IPV4Mask: 32
IPV6Mask: 128

Queue 5MegOut-LAN
Mask:  Source Addresses
IPV4Mask: 32
IPV6Mask: 128
Weight: 100


RULE
Action: Match
Interface: LAN
Direction: In
Address Family: IPv4
Protocol: Any
Source: LAN Subnet
Destination:  ANY

Advanced Options:  In/Out  Pipe
First Dropdown:  5MegOut-LAN   Second Dropdown 5MegIn-LAN   (I've also reversed them as a test.  No real difference).


With these settings there's definitely throttling, but it chokes it WAY back. Download speeds seem to gradually drop (dropped packets) and sometimes will only show as literally .01 Mb/s. Again, leaving it in place for a bit brings everything to a screeching halt and browsers get choked up. There's plenty of bandwidth to fulfill this. If I remove the Limiters or disable the rule, our full bandwidth is shown when doing speedtests.



I came across another issue that was mentioned to be fixed. 

https://redmine.pfsense.org/issues/4326

Then I came across this thread where qubit mentions downloads randomly being halved:

https://forum.pfsense.org/index.php?topic=126637.0


I'm not running squid / squidguard at the moment. I even purged the entire config for these from the XML file and reuploaded it.



I feel like I'm missing something, but for the life of me I can't figure out what's going on. I had limiters running just fine for some time until a 2.3.x upgrade (I don't know which one broke it), and it continues with 2.4.1.


Help or guidance would be appreciated.


EDIT/UPDATE: For the rule, testing it out with JUST my workstation IP as the SOURCE instead of the entire subnet seems to work just fine. Speedtests show what I would expect.

EDIT2/UPDATE: I tried it with several other random IPs on the LAN subnet as well as the WIFI subnet. As long as individual IPs are put in, everything works as planned / expected. Once I use subnets, everything falls apart and downloads (mainly, but not always) start gradually grinding to a halt.
« Last Edit: October 31, 2017, 05:52:36 pm by ProgressCity »

Offline 1smallsausage

Re: The confusion of Limiters and associated bugs
« Reply #1 on: November 01, 2017, 03:39:15 am »
I followed this guide for mine, but I only limit certain devices, not whole subnets. https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

Offline ProgressCity

Re: The confusion of Limiters and associated bugs
« Reply #2 on: November 01, 2017, 12:15:36 pm »
Thanks, I do appreciate the attempt at helping. I've been using Limiters for a long time, and something broke with 2.2 and HA as mentioned in the bugs above. So a way around this is using queues. I have everything set up properly, but now I'm noticing it all works well if I put in a single IP, but not if I use a subnet of some sort, which is a new development as of 2.3.x (don't know which version exactly broke this).

The fact that it works with just a single IP vs. a subnet or an alias with multiple networks leads me to believe that the masks aren't being applied properly somewhere or there is a bug of some sort at play.