Messages - klaberte

#1
Anyone willing to critique?
#2
I think my understanding mirrors your own.  I wish to make the following clarifications:

  • Both pipes and queues can have masks
  • If the pipe or queue has Mask=[None], it creates a single pipe or queue
  • If the pipe or queue has any other Mask, it creates multiple pipes or queues, where each Mask value creates its own pipe or queue
  • Generally a pipe is used to limit a specific resource, such as a maximum amount of bandwidth.
  • For example, if you have a pipe limited to 1MB, and it has Mask=None, then only a single 1MB pipe is created by that definition.
  • However, if you have a pipe limited to 1MB, and it has any other Mask value, multiple 1MB pipes, one for each Mask value, can be created.
  • Generally, queues must be assigned to a specific pipe.
  • Generally, if you wish to give a flow a specific weight, you use queues.  These weights are used to indicate how the pipe is to be shared across its queues.


Quote from: rdr on December 03, 2021, 08:57:33 AM
Quote from: gpb on December 01, 2021, 06:26:07 PM
Good questions...I have no idea what the answers are.  Apparently the incredible flexibility of the shaper makes it equally complex.  If you haven't already, you might check this link for some additional information.

https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=&n=1

Scroll down to the section "PIPE, QUEUE AND SCHEDULER CONFIGURATION", about half-way...just do a page search.  At least you'll have some definitions, not sure if it will ultimately be helpful or not.

Hopefully someone that has experience provides some insight into your questions.  Cheers.

Thanks for the link, I read this and also read the pfSense docs about dummynet. I could only get an answer to my first question :)

* Using a mask causes dynamic copies of the parent queue with the "same" weight. So let's say I create a queue with an IP mask and weight 1 and a second queue with an IP mask and weight 100. Then the first queue has 2000 flows and the second queue has 10 flows. As I understand it, the PIPE's bandwidth will then be shared as 2000x1=2000 for the first queue and 10x100=1000 for the second queue. As you see, I want to have 100x more priority for the second queue, but instead it will have half the priority of the first queue in the end.

* Without using a mask, all traffic from different IPs will end up in the same flow, so they are not guaranteed to get even bandwidth. It is up to the scheduler.

* I could not learn whether WFQ+ with codel enabled on the pipe or queue will respect the queue weights or not.

* As I do not use a mask, bucket size is not important for me. But I could not learn about bucket size either.
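The mask/weight interaction rdr describes above, worked through as an added example (this is not code from the thread, from OPNsense, or from FreeBSD's dummynet): a small weighted-fair-queuing model in Python. It applies the mask rule, one instance per queue for Mask=none and one dynamic instance per source IP for a source-IP mask, with every instance inheriting the parent queue's weight, and then serves packets in finish-tag order so that each backlogged instance gets bandwidth in proportion to its weight. The queue names, the 2000 and 10 source addresses, and the fixed 1500-byte packets are constructed for the example; the scheduler is textbook WFQ rather than a copy of dummynet's WF2Q+ code, but with every flow permanently backlogged both hand out the same proportional shares.

```python
import heapq
from collections import defaultdict
from itertools import count

PKT = 1500  # bytes; constructed: every flow sends only full-size packets


def queue_defs(mask):
    """Two queues on the same pipe, modelled on the post: weight 1 vs
    weight 100, either with no mask or with a source-IP mask."""
    return {
        "q_bulk": {"weight": 1, "mask": mask},    # fed by 2000 source IPs
        "q_prio": {"weight": 100, "mask": mask},  # fed by 10 source IPs
    }


# Constructed traffic: (queue name, source IP); every flow stays backlogged.
FLOWS = ([("q_bulk", f"10.0.{i // 256}.{i % 256}") for i in range(2000)]
         + [("q_prio", f"10.1.0.{i}") for i in range(10)])


def expand_instances(queues, flows):
    """Apply the mask rule: mask 'none' gives one instance per queue;
    mask 'src-ip' gives one dynamic instance per distinct source IP, and
    every instance inherits the parent queue's weight."""
    instances = {}
    for qname, src in flows:
        q = queues[qname]
        key = src if q["mask"] == "src-ip" else None
        instances[(qname, key)] = q["weight"]
    return instances


def simulate_wfq(instances, packets):
    """Serve `packets` packets in weighted-fair order. Each instance keeps a
    finish tag that advances by PKT/weight per packet it sends; the
    scheduler always picks the smallest tag, so a backlogged instance of
    weight w gets w times the bandwidth of a weight-1 instance."""
    seq = count()  # tie-breaker so equal tags never compare the instance keys
    heap = [(PKT / w, next(seq), inst) for inst, w in instances.items()]
    heapq.heapify(heap)
    served = defaultdict(int)  # instance -> bytes sent
    for _ in range(packets):
        tag, _, inst = heapq.heappop(heap)
        served[inst] += PKT
        heapq.heappush(heap, (tag + PKT / instances[inst], next(seq), inst))
    return served


def queue_shares(mask, rounds=3):
    """Return (per-queue share, per-instance share) of pipe bandwidth after
    `rounds` complete WFQ rounds; one round serves `weight` packets per
    instance, so the shares come out as exact weight/total-weight ratios."""
    instances = expand_instances(queue_defs(mask), FLOWS)
    served = simulate_wfq(instances, sum(instances.values()) * rounds)
    total = sum(served.values())
    per_queue = defaultdict(float)
    for (qname, _key), sent in served.items():
        per_queue[qname] += sent / total
    per_instance = {inst: sent / total for inst, sent in served.items()}
    return dict(per_queue), per_instance


if __name__ == "__main__":
    for mask in ("none", "src-ip"):
        q, inst = queue_shares(mask)
        bulk_key = "10.0.0.0" if mask == "src-ip" else None
        prio_key = "10.1.0.0" if mask == "src-ip" else None
        print(f"mask={mask}: q_bulk={q['q_bulk']:.4f} q_prio={q['q_prio']:.4f}; "
              f"one bulk flow={inst[('q_bulk', bulk_key)]:.5f} "
              f"one prio flow={inst[('q_prio', prio_key)]:.5f}")
```

Run as a script it prints both cases. With the source-IP mask, q_bulk ends up with 2/3 of the pipe and q_prio with 1/3, which is exactly rdr's 2000:1000 arithmetic, yet each single q_prio flow still gets 100 times the bandwidth of a single q_bulk flow. Without the mask the two queues split the pipe 1:100 as whole aggregates. In other words the weight is a per-instance priority: with a mask it expresses priority per flow, without one it expresses priority of the queue as a whole, so the choice of mask decides which of the two you actually get.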
#3
[My goal here is to explain my thinking, welcoming critique and commentary.  I have not made these configurations yet.]

I have a NIC with four Ethernet ports (based on i340), but I think this discussion is equally valid if you have your (more than 2) ports spread across multiple NICs.

I have assigned one of those four ports as LAN, a second as WAN, and everything is working properly.  However, what to do about those other free ports?

Let's start with utilizing one additional port, which I will call OPT2.

Choice 1: SAME or SEPARATE subnets?

For most newbies setting up a home or SOHO, the choice here will likely be SAME, meaning we want everything on the LAN side of the firewall to be able to talk with each other.  (And each can reach the Internet via a common NAT/firewall.) The easiest way to do this is to have a single subnet, e.g. 192.168.34.X.  The standard way to do this is to have a single switch, or a combination of connected switches, which makes a single Ethernet connection to the LAN port of our OPNsense router.  But if you really want to use that OPT2 port, and have just one SAME subnet, you can create a LAN bridge, following this guide: https://docs.opnsense.org/manual/how-tos/lan_bridge.html

The other option is SEPARATE.  You choose this if you can, or should, segregate your LAN devices into different subnets.  While it is possible to allow devices from one subnet to talk to devices of the other subnet, for the newbie, it is easier to simply place devices that need to interact (e.g. a computer and printer, or a computer and large display screen) on the same subnet.  Devices on the second, separate subnet can talk to other devices on that subnet.  Alternatively, a second subnet can serve devices that each need access to the Internet, but not to each other.  For example, a VOIP device simply needing a connection to a VOIP service provider, or guest computers, or wireless APs for guests.  If this is the situation, you can configure OPT2 to be a gateway for the second subnet.  It can be configured with an IP address in a distinct subnet, e.g. 192.168.50.1, and provides IPs to its distinct subnet, e.g. 192.168.50.X.  If you have only one device on the second subnet, you can directly connect it to OPT2.  If you have multiple devices, you can connect a switch between each of these devices and OPT2.  If you want to strictly prevent devices on the second subnet from interacting, this requires additional configuration.  [Any suggested documentation for this to add here?]

Also, make sure to enable rules in the firewall for this new interface and subnet.

Choice 2: EQUAL or NONEQUAL treatment of the subnets

Assuming you have chosen SEPARATE subnets, the next question is whether traffic from the separate subnets is treated equally or nonequally.  A case for NONEQUAL treatment might be a VOIP device on the second subnet, if you wish the VOIP traffic to be given higher priority than any traffic going to/from the first subnet.  If instead you want both subnets to get EQUAL treatment, then you need to make no additional configuration.  In this EQUAL case, traffic from e.g. device 192.168.34.119 and device 192.168.50.88 is treated equally by the NAT/firewall.
In such a case, traffic from 192.168.34.119 gets roughly the same treatment whether the competition is with device 192.168.50.88 or with a device on its own subnet, e.g. 192.168.34.67.  (However, 192.168.34.119 can communicate with 192.168.34.67, but not with 192.168.50.88, unless specifically set up, see above.)

If instead, you want NONEQUAL treatment of the subnets, you now need to configure those priorities.  The documentation on "Traffic Shaping" is a good place to start: https://docs.opnsense.org/manual/shaping.html

Now, having configured OPT2, perhaps you still have another NIC interface open, e.g. OPT3.  Choices for OPT3 are the same as they were for OPT2.  You can either bridge OPT3 with other interface(s), or use it to create a third distinct subnet.  Other interfaces, e.g. OPT4, OPT5, etc., are treated in a similar way.