I recently posted the some updated config files for the pfSense QoS box. For those of you who want to read the old post, here is the permalink.
Here are the updated config files:
Last time we had a LAN party, we had a small problem. The problem was that folks who legitimately needed HTTP for things like signing into Steam and the TF2 Item Server, were fighting over an HTTP queue that was way full and dropping thousands of packets per second, mostly because a few people had very large download streams going. So I am going to try to solve contention in the subprime queue with a TCP traffic limiter on each IP address that gets a DHCP address. I made 2 rules on the LAN interface for every IP in the range 10.0.0.50-10.0.0.254. If you don’t like that IP range, well then it should be easy enough for you to do a find and replace on the firewall rule config download.
Rule #1 (Disabled by Default): Sad Panda Penalty Box: Limits all traffic from that particular IP address to 200Kbps/100Kbps
Rule #2 TCP Download Ceiling: Limits all TCP traffic from that particular IP address to 500Kbps/250Kbps
With these 410 different rules in place, you ensure that anyone who gets a DHCP address is at individually limited to .5Mbps TCP download speed, which can be controlled with the limiter config. Also, you now have a method of identifying who is sucking up all the bandwidth, and putting them in the bandwidth naughty corner. Check out the embedded Vimeo demonstration for a better look at what’s up.
26 thoughts on “pfSense LAN Party QoS 1.3 – Individually Limited TCP Streams”
Hello, I think you need to delete the 2 default rules on LAN, check this out:
http://forum.pfsense.org/index.php/topic,11986.0.html emphasis in the last part.
“With these 410 different rules in place” wow! i think you went a little bit overdoard… i believe you only needed 1 floating rule for the limiter part… (like http://blog.allanglesit.com/2011/08/traffic-limiting-with-pfsense-2-0-rc3/)
Thanks you very much … this was really usefull…
Hey Alvaro, thanks for the comment. I just checked this out, I’m not sure that the dynamic queue creation (the mask config) really helps me out.
“pfSense currently only allows setting the source address or the destination address as the mask, meaning that you can give each host behind your firewall its own set of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would give your In pipe a Source Address mask, so that each host sending packets gets it’s own dynamic pipe for uploading. You would give your Out pipe a destination address mask, so that each host receiving packets gets it’s own dynamic pipe for downloading.”
Also on the mask config in the pfSense GUI it reads:
If ‘source’ or ‘destination’ is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size given above will be created for each source/destination IP address encountered, respectively. This makes it possible to easily specify bandwidth limits per host.
My understanding of these documented statements is that the limiter can limit upload for each LAN –> WAN session (source), or download can be limited for each WAN –> LAN session (destination).
When I tried using the mask source configuration, I saw my steam client download from multiple remote sites which, broke the whole concept of limiting download bandwidth for a single LAN IP, as I need to limit the sum of all download connection sessions. It worked for single streams of traffic to single IP addresses, such as with speedtest, but not for downloads from multiple remote sites. Either that or I configured it wrong. I tested with the new limiter config using the mask for source, made new rules, and one machine still topped out the qHTTPandSteam queue. Let me know if you find testing to be different in your environment.
Oh snap, I could have just applied these limiters to my existing floating rules? I was concerned that they would limit all of that traffic type rather than limiting the bandwidth per unique source. I’ll test a 1.4 version of the config that still has the disabled sad panda penalty box rules, but changes the floating rules to use the limits. Thanks for posting!
Hello, do you think you can post the new config?
I’m also setting things up for a lan party.
Thanks for these amazing tutorials and configs, they’re exactly what I’ve been looking for for the past, I don’t know how many months.
Was also wondering if there’s any news on 1.4? I hope this project is still alive 🙂
Hey Matt, the project is still alive, I just ran a LAN party with the 1.4 config and it definitely needs some tuning, apparently based on the way the limiters are throttling. Also on deck is a blog post about my “LAN in a CAN” box, which is a single PC and switch that runs the whole environment. Just finding time is the rough part. It’s not like someone is paying me to blog about it, lol, whereas working for work actually gets money. 😉
I am currently working on servers for a LAN (200 people) in 4 weeks.
Are going to update the configs till then? Any Tips for me? It is a LAN for students from students, so I would feel better if I could just use your config instead of my basic one.
I am gonna send you a TF2 Gift anyway. 😀
I would use a steam caching server for your LAN. That helps a lot. Also make sure you use an IP range off the beaten path , I like to use 172.22.0.x/22 . This makes it easier to identify rogue DHCP servers and stuff. You will need to use another server for this and a DNS / DHCP server so you can spoof the DNS for *.cs.steampowered.com
Be prepared to troubleshoot when people complain about slow or laggy games. Use the packet capture in PFSense and look at it in wireshark , find the ports , add them to the config and reset the state on the user end.
Additionally be prepared to tweak your config for the LAN and adjust bandwidth requirements as needed.
Steam caching has helped a lot for our 150 person lan’s. Even with 100/100 fiber service we were still having slow downs. Our steam cache box can now put out 600mbit/s of steam files. We are only limited by the performance of the raid controller. I am tempted to put in a 120gb ssd for zfs cache and see if that gets us closer to needing a second nic (bonded).
1Gige Intel Server Nic
3x 500 GB 1tb western digital black drives
4 Port acrea raid 5 controller 1gb cache
Ubuntu 13.04 and nginx.
We used this guide as it seems to cache the most content:
mhohman2013, How did you confirm that the caching was functioning? I stood up a caching server for Forge LAN but had no idea how to monitor whether the downloads were actually being cached. I looked at disk space on the cache disk by running df -l on the ubuntu box, but didn’t see it changing at all, pretty sure it was just proxying without caching.
The biggest thing is making sure your dns is setup properly. If you use the article I posted and not the other common steam caching article the following config in pfsenses dns forwarder is all thats needed.
Only replace the 184.108.40.206 with your steam cache box’s ip. The other host overrides are needed to allow access to the store/login.
content1 steampowered.com 220.127.116.11 steampipe
content2 steampowered.com 18.104.22.168 steampipe
content3 steampowered.com 22.214.171.124 steampipe
content4 steampowered.com 126.96.36.199 steampipe
content5 steampowered.com 188.8.131.52 steampipe
content6 steampowered.com 184.108.40.206 steampipe
content7 steampowered.com 220.127.116.11 steampipe
content8 steampowered.com 18.104.22.168 steampipe
gds1 steampowered.com 22.214.171.124 STEAMPIPE
gds2 steampowered.com 126.96.36.199 STEAMPIPE
gds3 steampowered.com 188.8.131.52 STEAMPIPE
gds4 steampowered.com 184.108.40.206 STEAMPIPE
store steampowered.com 220.127.116.11 STEAMPIPE
support steampowered.com 18.104.22.168 STEAMPIPE
I monitor usage on the steam box cache by using this command to display traffic in and out as well as using df -h
nload -U G – u M -i 102400 -o 102400
I’d be happy to share my nginx config as well if that helps.
Going back over the dns forwarder config you could actually omit the content1-8 host overrides as they are caught by the advanced overrides.
Here is a link to our nginx.conf file:
Thanks mhohman2013, posting the .conf is CLUTCH!!! I think that sideout you and myself should write up a blog post on reverse proxy caching!!! Would LOVE to be able to cache Origin and other huge downloader sites. It’s just doing the homework on the content URLs. I can draft it up and mail it to you guys if you’re interested.
I’ve got a blog post going over at http://churchnerd.net . I’ve gotten the following networks cached now.
I’ll update that blog post this morning with the new config file and I’ll take a look into origin this morning.
Thanks elgwhoppo, this is a verry helpful tutorial!
Have you ever use the rules in combination with the squid caching pfsense package?
When I activate squid, the rules aren’t working optimal anymore…
Someone any idea what the problem / solution could be, to use the firewall rules in combination with the pfsense squid?
thanks elgwhoppo!!! I can send you cupcake after I test this in my pfsense box. give me a link of your Paypal
is it possible to create a new shaper or etc… that’s specifically there to slow down youtube and facebook videos…. I want these to get the lowest priority
we have a lan in a few days, is there anything special to know if we are yousing 7 WANs and loadbalancing?
Hi, elgwhoppo do you have traffic shaping rules limit download for a certain bandwith, less priority streaming audio/video. High priority in Http. Apply to all lan users.
Kinda gutted that the Config files arnt’ available anymore through your website, really just started experimenting with pfsense and was looking forward to trying those configs out, especially when I have had the exact same sort of issues hosting LAN events, any other links? moved onto something better?
Hey man, my config is kind of dated. Thinking about posting my latest one with the caching post. Google search sideout’s gold standard on the pfsense forum for the latest great config.
Do you have and updated version for the latest PFSENSE ?