Messages - Seimus

#1
Small BUG report,

- When you expand the Advanced Options menu, you can't shrink it anymore
- In table view mode, the HASH can not be shown (eye icon doesn't work)

And a small Q,
Quote: Additional assets (other emails, passwords, hashes, IPs, domains, etc.) can be added here and require administrator approval before they can be used in searches

By admin, is this meant to be Q-feeds?

Regards,
S.
#2
Quote from: robert.haugen@gmail.com on November 15, 2025, 11:08:06 PM
Thanks.

Using IPv6, I think the client is communicating with the default gateway using its link-local address. The link-local subnet is the same on both GUEST and LAN:

fe80::/64

Could that be the culprit?

The configuration example in the docs is using protocol IP, which should match for both IPv6 and IPv4. As you want to shape/divide BW based on VLANs/Networks, you need to properly configure the network (source for OUT and destination for IN) per the WAN rule to be matched to the Queue.

Regards.
S.
#3
Quote from: meyergru on November 16, 2025, 04:33:00 PM
OMG, I need "Weighted Fair Queue" scheduler type in the pipe... then it works. I copied from another pipe with FQ-Codel...

Happens :) ... the reason why there is no mention of the scheduler in the docs is because it uses the default, which is WF2Q+.

Quote from: meyergru on November 16, 2025, 04:33:00 PM
And it works with netmasks as destinations instead of src ports as well.

Or with a combination. As mentioned, you can do 5-tuple.

FQ_C is not a weighted scheduler; it's a Fair Queue, by default it will share the BW equally amongst all flows.


P.S. Pro TIP: if you are testing or playing with the Shaper, check the CLI using these commands. This is how I double check if I didn't make a mistake.
ipfw show
ipfw pipe show
ipfw sched show

Regards,
S.
#4
I tested the config in the docs and it's working, but as mentioned the config example is a bit clunky to my taste.


ratio 9:1

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.06  sec  11.6 MBytes  9.69 Mbits/sec   38            sender
[  5]   0.00-10.00  sec  10.4 MBytes  8.70 Mbits/sec                  receiver

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.07  sec  1.61 MBytes  1.34 Mbits/sec    0            sender
[  5]   0.00-10.00  sec  1.12 MBytes   944 Kbits/sec                  receiver

ratio 7:3

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.04  sec  9.36 MBytes  7.82 Mbits/sec   58            sender
[  5]   0.00-10.00  sec  8.12 MBytes  6.82 Mbits/sec                  receiver

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.05  sec  4.23 MBytes  3.53 Mbits/sec    0            sender
[  5]   0.00-10.00  sec  3.50 MBytes  2.94 Mbits/sec                  receiver

Regards,
S.
#5
From the perspective of the rules, you should be able to match based on the 5-tuple (source IP/port, destination IP/port, protocol). This, as I remember, was never a problem to match the packet.

What I meant with "Priority" or "Priority Queue" is the way the packets leave the device. A Priority Queue will be emptied first; it has precedence over all other Queues. This is not only about BW but it's really about which Queue will be processed first.

Quote from: meyergru on November 16, 2025, 10:52:12 AM
The latter is what the documentation describes. But I just tested with two VMs with iperf3 against different ports (9203 and 9207) on paris.bbr.iperf.bytel.fr. I used those as src-ports in two rules to select two pipes to queues with weights of 1 and 9.

Then, I let both tests run at the same time. They showed the same speeds at both VMs.

In the docs the Pipe and Queue configuration looks correct to me but those Rules....

Two very important things:
1. The direction is not set, default direction is BOTH; this means the same Pipe and Queue should be used for UP and DOWN (this is never a good idea). But here is the problem: it will only be used if the packet matches the rule. This needs to match IN and OUT. So in reality only 1 direction is matched.
2. The "interface 2" provides just another selector possibility. But it's an addition: if you use it, it needs to match the configured 5-tuple of the rule as well.


The rule here is a bit clunky:
src-port : https
Direction: both (default)

This is applied for both directions, OUT and IN, on the WAN interface. What is happening here is the following:

For OUT direction:

From client to server >
This is basically UPLOAD; a packet from the FW leaves towards a destination with a destination port of 443. This of course will not match the rule, as we expect to match the port on the source instead.


For IN direction:

From server to client >
This is basically DOWNLOAD; a packet enters the FW towards a destination with a source port of 443. This should match and be put into the Queue.



But in ipfw I didn't find any BOTH option, thus this implies that instead of a BOTH statement two separate rules are created, one with an IN and one with an OUT statement, using source port 443.

Overall this config in the docs should work, but... it's not configured the best way.

Quote from: meyergru on November 16, 2025, 10:52:12 AM
But I just tested with two VMs with iperf3 against different ports (9203 and 9207) on paris.bbr.iperf.bytel.fr. I used those as src-ports in two rules to select two pipes to queues with weights of 1 and 9.

So you created two separate Pipes and each of them has one Queue? Like:
Pipe1 > Queue1 weight 1
Pipe2 > Queue2 weight 9

The way the weighted scheduler works is that it does not provide a BW CAP; the BW CAP is done on the PIPE. This means if I have a PIPE of 10Mbit with several Queues of different weights like 1 and 9, where each Queue is used for a specific application, only in case the PIPE is utilized by both of those applications at the same time will it split the ratio depending on the Weight. If only one application saturates the PIPE it will get the whole BW.

So to do the BW allocation properly it needs to follow, per direction:
1. One PIPE
2. Queues per application attached to the same PIPE (scheduler)
3. Rules in proper direction and proper 5-tuple matching attached to the Queues

Regards,
S.
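The weighted-scheduler behaviour described above (the ratio only applies while both queues compete; a queue alone on the pipe gets the whole capacity), as an added Python simulation that is not part of the post or of ipfw itself; the 10 Mbit pipe, the LAN/GUEST names, the weights and the queued byte counts are a constructed scenario.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Queue:
    name: str
    weight: int
    backlog_bytes: float                  # bytes still waiting in this queue
    sent_bytes: float = 0.0
    finished_at: Optional[float] = None   # seconds; None while a backlog remains

def simulate_pipe(queues, pipe_bps, step=0.01, max_time=60.0):
    """Weighted fair sharing of one pipe, simulated in `step`-second slots.

    Each slot the pipe's capacity is split among the queues that still have a
    backlog, in proportion to their weights.  A queue that is alone on the pipe
    therefore gets all of it, whatever its weight; the weight ratio only shows
    up while several queues compete.  Returns one (time, {queue: Mbit/s})
    sample per slot and fills in each queue's finished_at.
    """
    slot_bytes = pipe_bps / 8 * step          # bytes the pipe moves per slot
    samples, t = [], 0.0
    while t < max_time and any(q.backlog_bytes > 0 for q in queues):
        active = [q for q in queues if q.backlog_bytes > 0]
        weight_sum = sum(q.weight for q in active)
        rates = {}
        for q in active:
            # share of this slot granted by weight, capped by what is queued
            grant = min(slot_bytes * q.weight / weight_sum, q.backlog_bytes)
            q.backlog_bytes -= grant
            q.sent_bytes += grant
            rates[q.name] = grant * 8 / step / 1e6
            if q.backlog_bytes <= 0:
                q.finished_at = round(t + step, 3)
        t += step
        samples.append((round(t, 3), rates))
    return samples

if __name__ == "__main__":
    # Constructed scenario: a 10 Mbit/s pipe, LAN weight 9 with 10 MB queued,
    # GUEST weight 1 with 1 MB queued, both starting at the same moment.
    qs = [Queue("LAN", 9, 10_000_000), Queue("GUEST", 1, 1_000_000)]
    samples = simulate_pipe(qs, 10_000_000)
    print("first slot:", samples[0][1])    # LAN 9.0 / GUEST 1.0 Mbit/s while both compete
    print("last slot: ", samples[-1][1])   # LAN 10.0 Mbit/s once GUEST has drained
    for q in qs:
        print(f"{q.name} finished at {q.finished_at}s")
```

Swap the weights or give GUEST the larger backlog to see that the cap stays on the pipe and only the split between competing queues changes.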
#6
Quote from: robert.haugen@gmail.com on November 15, 2025, 06:25:32 PM
want the LAN network to have priority for download traffic.
When the network is not congested, the GUEST network should still have full speed.
However, when both LAN and GUEST are heavily used, LAN should receive significantly higher priority.

Priority in QoS is a feature where a packet of a certain application will leave the router sooner than the packet from any other application.

This by nature is not possible.

IPFW, which is the underlying feature used for Shaping, doesn't have a scheduler that allows setting traffic priority or a priority queue. What you can do is set weights using a weight based scheduler to allocate a ratio of the BW to a specific application.

Regards,
S.
#7
What about you show us your Rule & DHCP config for those VLANs?

Regards,
S.
#8
It's written on the Event page: "Collected events from the firewall log for QFeed aliases"

In regards to the performance of the Event page: the community already provided feedback and suggestions to improve it. Thus it will take Q-feeds some time to do the necessary improvements.

Regards,
S.

#9
Q-Feeds (Threat intelligence) / Re: Bigcommerce problem
November 15, 2025, 02:45:24 AM
Quote from: vk2him on November 15, 2025, 02:42:42 AM
Quote from: passeri on November 14, 2025, 12:57:25 AM
If I install a VPN on her machine she will probably wind up leaving it on, bypassing Qfeeds

I thought Qfeeds would filter the VPN if you added it to the interface list that currently has WAN?

This is most likely a possibility but only in 2 cases:
1. If that VPN IP is on the IoC
2. Depending how you implemented the rules

Regards,
S.
#10
Quote from: FireStorm on November 11, 2025, 09:52:29 PM
Quote from: Seimus on November 10, 2025, 10:30:47 PM
Can you configure the shaper as described in docs and test again?
Can you show your whole configuration of the shaper (pipe,queue,rules with advanced mode)?
As well via CLI run these commands and show the output.

ipfw pipe show
ipfw sched show
ipfw queue show
ipfw show
 
Regards,
S.


hi, as requested (without adding queues):

root@OPNsense:~ # ipfw pipe show
10000: 550.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
 sched 75536 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip          0.0.0.0/0            0.0.0.0/0      11    4857  0    0  0
10001:  55.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
 sched 75537 type FIFO flags 0x0 0 buckets 1 active
  0 ip          0.0.0.0/0            0.0.0.0/0        4      406  0    0  0
root@OPNsense:~ # ipfw sched show
10000: 550.000 Mbit/s    0 ms burst 0
q75536  50 sl. 0 flows (1 buckets) sched 10000 weight 0 lmax 0 pri 0 droptail
 sched 10000 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN
10001:  55.000 Mbit/s    0 ms burst 0
q75537  50 sl. 0 flows (1 buckets) sched 10001 weight 0 lmax 0 pri 0 droptail
 sched 10001 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN
root@OPNsense:~ # ipfw queue show
root@OPNsense:~ # ipfw show
00100        0          0 allow pfsync from any to any
00110        0          0 allow carp from any to any
00120        0          0 allow layer2 mac-type 0x0806,0x8035
00130        0          0 allow layer2 mac-type 0x888e,0x88c7
00140        0          0 allow layer2 mac-type 0x8863,0x8864
00150        0          0 deny layer2 not mac-type 0x0800,0x86dd
00200    11616    2982200 skipto 60000 ip6 from ::1 to any
00201    4252      468624 skipto 60000 ip4 from 127.0.0.0/8 to any
00202        0          0 skipto 60000 ip6 from any to ::1
00203        0          0 skipto 60000 ip4 from any to 127.0.0.0/8
60000        0          0 return proto ip
60001 53382272 67067358644 pipe 10000 ip from any to any out via igc1 // lan: DownloadPipe
60002 24291311  7102329318 pipe 10001 ip from any to any out via igc0 // wan: UploadPipe
65533 78607935 74368736814 allow ip from any to any
65534        0          0 deny ip from any to any
65535        0          0 allow ip from any to any
root@OPNsense:~ #


Looking at the config, there is a lot of misconfiguration compared to the official docs.

If we exclude the fact you didn't use manual queues, the other main misconfiguration is your rules.

60001 53382272 67067358644 pipe 10000 ip from any to any out via igc1 // lan: DownloadPipe
60002 24291311  7102329318 pipe 10001 ip from any to any out via igc0 // wan: UploadPipe

You don't use this shaper on the LAN. It needs to be configured on the WAN for both directions.

Please use the official docs and adjust your config step by step to match them. Then retest and show the commands again once you have the correct configuration.
https://docs.opnsense.org/manual/how-tos/shaper_bufferbloat.html

Regards,
S.
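An added Python check (not from the post and not an OPNsense tool) that reads `ipfw show` output and flags shaper rules that are not attached to the WAN, plus any WAN direction that has no rule at all; the sample lines are copied from the output quoted above, and `igc0` being the WAN is an assumption taken from the rule comment.

```python
import re

# Constructed sample: the relevant lines of the `ipfw show` output posted above
# (rule 60001 hangs the download pipe on the LAN side, 60002 the upload pipe on the WAN).
SAMPLE_IPFW_SHOW = """\
60000        0          0 return proto ip
60001 53382272 67067358644 pipe 10000 ip from any to any out via igc1 // lan: DownloadPipe
60002 24291311  7102329318 pipe 10001 ip from any to any out via igc0 // wan: UploadPipe
65533 78607935 74368736814 allow ip from any to any
"""

# rule number, packet and byte counters, then a pipe/queue action, its target and the match body
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>pipe|queue)\s+(?P<target>\d+)\s+"
    r"(?P<body>.*?)(?:\s+//\s*(?P<comment>.*))?$"
)

def parse_shaper_rules(text):
    """Extract the pipe/queue rules from `ipfw show` output as dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                        # not a shaper rule (allow, deny, skipto, ...)
        body = m["body"]
        if re.search(r"\bin\b", body):
            direction = "in"
        elif re.search(r"\bout\b", body):
            direction = "out"
        else:
            direction = "both"              # no in/out keyword: ipfw applies it in both directions
        via = re.search(r"\bvia\s+(\S+)", body)
        rules.append({
            "num": int(m["num"]), "action": m["action"], "target": int(m["target"]),
            "direction": direction, "via": via.group(1) if via else None,
            "comment": m["comment"] or "",
        })
    return rules

def check_shaper_rules(rules, wan_if):
    """Report rules that are not on the WAN, and any WAN direction left unshaped."""
    findings, wan_dirs = [], set()
    for r in rules:
        label = f"rule {r['num']} ({r['action']} {r['target']}, {r['comment'] or 'no comment'})"
        if r["via"] != wan_if:
            findings.append(f"{label}: attached via {r['via']}, not the WAN ({wan_if})")
            continue
        if r["direction"] == "both":
            findings.append(f"{label}: no in/out keyword, one pipe shapes both directions")
        wan_dirs.add(r["direction"])
    for d in ("in", "out"):
        if d not in wan_dirs and "both" not in wan_dirs:
            findings.append(f"no {d} rule on the WAN ({wan_if}): that direction is unshaped")
    return findings

if __name__ == "__main__":
    for finding in check_shaper_rules(parse_shaper_rules(SAMPLE_IPFW_SHOW), "igc0"):
        print(finding)
```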
#11
Hardware and Performance / Re: Single home... device?
November 12, 2025, 10:29:22 AM
Patrick & passeri many thanks for the tips. I will look them up.

Currently I run the GS1900-24E, so 24 ports, copper based. I could do as well with 16P or 8P on a new switch while keeping the old one, but 24P is more suitable in case I would do a drop-in replacement for the old switch. This is still something I am considering (oh, and I have a small rack ;))

Regards,
S.
#12
Hardware and Performance / Re: Single home... device?
November 12, 2025, 09:38:52 AM
Will chime in for a bit,

I use Chinese knockoffs mostly, but I like to punish myself. As well, the DIY aspect is kind of a learning curve. Anyway, I would choose the official DEC if I would not feel confident that I can make the knockoff box run.

My advice is as well, go for the DECs. They have trustworthy rated parameters from the vendor and look sexy.

Quote from: Patrick M. Hausen on November 11, 2025, 09:29:32 PM
to my Mikrotik switch
Can you tell me which one you have? I am thinking about upgrading my old Zyxel.

Regards,
S.
#13
Interest would be in place,

Personally I use haveibeenpwned or the native checkup implemented within the Bitwarden client; having it as part of the EASM would be great (this would be a good addition to the toolkit as such).

Quote: What would be your desired features regarding this?
Honestly if possible as well to show:
1. When it was leaked
2. Who did leak it
3. The reach, where it was spread, possible sites, forums etc. (I think this goes hand in hand with darknet?)
4. What was the reason for the leak, like the type of attack
5. If you want to show the partial password, this needs to be done in a careful, non-static manner (for example you decide to show the first 4 letters, but what if the password has only 4 letters? I know it's stupid but it's something to consider)
6. Possibility to obtain the data that was leaked, for example if it's publicly accessible to scrub it and show (could go well with 5.)

In regards to the matter of a paid tool, would this be an extra addition to the subscriptions? Because I think it should be within the sub itself, depending how good it will be, plus and premium. Because there is haveibeenpwned, which is free, so the price needs to reflect the value ;)

Regards,
S.

#14
Quote from: defaultuserfoo on November 11, 2025, 04:43:18 PM
By saying that you need 'proper BW sizing' you're implying that you may need more bandwidth because traffic shaping doesn't help when you don't have enough bandwidth.  So we don't disagree other than that I have never actually seen any effects of traffic shaping that would make it worthwhile to use it.

No. I am not implying such thing. You are just cherry picking without understanding the context.

Shaping and QoS as such are here to manage and handle states of congestion. Of course if you are constantly saturated, then an increase of BW is needed. Yet Shaping/QoS still helps a lot even in such a case to keep the congestion under check, e.g. not to have the latency go haywire and to prevent a particular stream/application from eating into others.

Quote from: defaultuserfoo on November 11, 2025, 04:43:18 PM
I don't doubt that some implementation of traffic shaping does what the implementation is supposed to do.  That can be tested in a lab environment.

What I'm not seeing is a benefit in practise, outside some lab environment, with internet connections you can get from some ISP.  I'm also not saying that there can't be benefits in cases in which there are benefits, only I've never come across such a case.

And as long as I don't see any benefit from traffic shaping I don't see why I should bother to use it.


This is funny, because CoDel, FQ_C and CAKE in particular were not only tested in a LAB environment but also on asymmetrical Internet circuits. The whole point of these algorithms is to deal with bufferbloat (latency) on such a use case. Furthermore, LibreQoS is a deployment for ISPs to handle bufferbloat (latency) in their networks on a grand scale.

If you don't see any benefit when using it, well, I guess nice! Most likely your ISP has enough capacity or is properly handling bufferbloat in the background. Yet this is your experience and use case; this doesn't cover everyone else who has problems with bufferbloat and latency.


If you don't see any benefit you are free not to use it, as already mentioned.

But stating Shaper/QoS is useless is just nonsense.

Regards,
S.
#15
Quote from: FireStorm on November 09, 2025, 11:02:00 PM
I explained that I intentionally left the Queues tab empty based on advice that FlowQueue-CoDel (in the Pipe) manages itself, and that this setup (empty Queues) actually gave me a better Grade A result in earlier tests (before the 300/30 bug became the main problem).

There always needs to be a queue; when you leave the queue option under Pipe empty it defaults to 1 per Pipe, so 1 for UP and 1 for DOWN. When you attach rules to a Pipe, it automatically attaches them in the background to the Pipe's dynamic queues, which attach to the scheduler. The reason this is not used in the docs is that when creating manual Queues you have scalability and more granular control.

There always needs to be a queue!


Quote from: FireStorm on November 09, 2025, 11:02:00 PM
Is the volatile, "bursty" nature of a 5G connection fundamentally incompatible with the ipfw shaper? The shaper relies on a stable baseline, which 5G by nature cannot provide. The shaper's math might be collapsing due to the extreme, millisecond-level speed variations.

It's not about the shaper, it's about the algorithms. By default the desired state is to have a stable BW/Throughput, because the BW you set is fixed. Various schedulers behave differently when the BW is variable. For example, using FQ_C with variable BW can still yield good latency results as it's an AQM.

Anyway, based on your description you are always capped at 300/30, which is odd. If you had a variable BW between 300/30 and 600/60, you should see the Throughput hover between these limits and not be hard capped.

Can you configure the shaper as described in docs and test again?
Can you show your whole configuration of the shaper (pipe,queue,rules with advanced mode)?
As well via CLI run these commands and show the output.

ipfw pipe show
ipfw sched show
ipfw queue show
ipfw show
 
Regards,
S.