pfSense LAN Party QoS 1.3 – Individually Limited TCP Streams

I recently posted the some updated config files for the pfSense QoS box.  For those of you who want to read the old post, here is the permalink.

https://elgwhoppo.com/2012/11/17/using-pfsense-for-qos-at-a-lan-party-nerfing-the-steam-downloads-and-http-traffic/

Here are the updated config files:
TrafficShaperBackup-LANPartyConfig-v1.3.xml
FirewallRulesBackup-LANPartyConfig-v1.3.xml

Last time we had a LAN party, we had a small problem. The problem was that folks who legitimately needed HTTP for things like signing into Steam and the TF2 Item Server, were fighting over an HTTP queue that was way full and dropping thousands of packets per second, mostly because a few people had very large download streams going. So I am going to try to solve contention in the subprime queue with a TCP traffic limiter on each IP address that gets a DHCP address. I made 2 rules on the LAN interface for every IP in the range 10.0.0.50-10.0.0.254. If you don’t like that IP range, well then it should be easy enough for you to do a find and replace on the firewall rule config download.

Rule #1 (Disabled by Default): Sad Panda Penalty Box: Limits all traffic from that particular IP address to 200Kbps/100Kbps

Rule #2 TCP Download Ceiling: Limits all TCP traffic from that particular IP address to 500Kbps/250Kbps

Capture

With these 410 different rules in place, you ensure that anyone who gets a DHCP address is at individually limited to .5Mbps TCP download speed, which can be controlled with the limiter config. Also, you now have a method of identifying who is sucking up all the bandwidth, and putting them in the bandwidth naughty corner. Check out the embedded Vimeo demonstration for a better look at what’s up.

Advertisements
Posted in pfSense, QoS
26 comments on “pfSense LAN Party QoS 1.3 – Individually Limited TCP Streams
  1. orientalsniper says:

    Hello, I think you need to delete the 2 default rules on LAN, check this out:
    http://forum.pfsense.org/index.php/topic,11986.0.html emphasis in the last part.

  2. Alvaro Rivero says:

    “With these 410 different rules in place” wow! i think you went a little bit overdoard… i believe you only needed 1 floating rule for the limiter part… (like http://blog.allanglesit.com/2011/08/traffic-limiting-with-pfsense-2-0-rc3/)

    Thanks you very much … this was really usefull…

    • elgwhoppo says:

      Hey Alvaro, thanks for the comment. I just checked this out, I’m not sure that the dynamic queue creation (the mask config) really helps me out.

      https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Setup_Limiters

      “pfSense currently only allows setting the source address or the destination address as the mask, meaning that you can give each host behind your firewall its own set of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would give your In pipe a Source Address mask, so that each host sending packets gets it’s own dynamic pipe for uploading. You would give your Out pipe a destination address mask, so that each host receiving packets gets it’s own dynamic pipe for downloading.”

      Also on the mask config in the pfSense GUI it reads:
      If ‘source’ or ‘destination’ is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size given above will be created for each source/destination IP address encountered, respectively. This makes it possible to easily specify bandwidth limits per host.

      My understanding of these documented statements is that the limiter can limit upload for each LAN –> WAN session (source), or download can be limited for each WAN –> LAN session (destination).
      When I tried using the mask source configuration, I saw my steam client download from multiple remote sites which, broke the whole concept of limiting download bandwidth for a single LAN IP, as I need to limit the sum of all download connection sessions. It worked for single streams of traffic to single IP addresses, such as with speedtest, but not for downloads from multiple remote sites. Either that or I configured it wrong. I tested with the new limiter config using the mask for source, made new rules, and one machine still topped out the qHTTPandSteam queue. Let me know if you find testing to be different in your environment.

  3. elgwhoppo says:

    Oh snap, I could have just applied these limiters to my existing floating rules? I was concerned that they would limit all of that traffic type rather than limiting the bandwidth per unique source. I’ll test a 1.4 version of the config that still has the disabled sad panda penalty box rules, but changes the floating rules to use the limits. Thanks for posting!

    • 11th says:

      Hello, do you think you can post the new config?
      I’m also setting things up for a lan party.

    • Matt says:

      Hey mate,

      Thanks for these amazing tutorials and configs, they’re exactly what I’ve been looking for for the past, I don’t know how many months.

      Was also wondering if there’s any news on 1.4? I hope this project is still alive 🙂

      Thanks again,
      Matt

      • elgwhoppo says:

        Hey Matt, the project is still alive, I just ran a LAN party with the 1.4 config and it definitely needs some tuning, apparently based on the way the limiters are throttling. Also on deck is a blog post about my “LAN in a CAN” box, which is a single PC and switch that runs the whole environment. Just finding time is the rough part. It’s not like someone is paying me to blog about it, lol, whereas working for work actually gets money. 😉

  4. Michael says:

    I am currently working on servers for a LAN (200 people) in 4 weeks.
    Are going to update the configs till then? Any Tips for me? It is a LAN for students from students, so I would feel better if I could just use your config instead of my basic one.
    I am gonna send you a TF2 Gift anyway. 😀

    • sideout says:

      I would use a steam caching server for your LAN. That helps a lot. Also make sure you use an IP range off the beaten path , I like to use 172.22.0.x/22 . This makes it easier to identify rogue DHCP servers and stuff. You will need to use another server for this and a DNS / DHCP server so you can spoof the DNS for *.cs.steampowered.com

      Be prepared to troubleshoot when people complain about slow or laggy games. Use the packet capture in PFSense and look at it in wireshark , find the ports , add them to the config and reset the state on the user end.

      Additionally be prepared to tweak your config for the LAN and adjust bandwidth requirements as needed.

      • mhohman2013 says:

        Steam caching has helped a lot for our 150 person lan’s. Even with 100/100 fiber service we were still having slow downs. Our steam cache box can now put out 600mbit/s of steam files. We are only limited by the performance of the raid controller. I am tempted to put in a 120gb ssd for zfs cache and see if that gets us closer to needing a second nic (bonded).

        3.0 Core2Quad
        8GB DDR3
        1Gige Intel Server Nic
        3x 500 GB 1tb western digital black drives
        4 Port acrea raid 5 controller 1gb cache

        Ubuntu 13.04 and nginx.
        We used this guide as it seems to cache the most content:
        http://www.astrolox.com/2013/05/31/valve-steampipe-reverse-proxy/

      • elgwhoppo says:

        mhohman2013, How did you confirm that the caching was functioning? I stood up a caching server for Forge LAN but had no idea how to monitor whether the downloads were actually being cached. I looked at disk space on the cache disk by running df -l on the ubuntu box, but didn’t see it changing at all, pretty sure it was just proxying without caching.

      • mhohman2013 says:

        The biggest thing is making sure your dns is setup properly. If you use the article I posted and not the other common steam caching article the following config in pfsenses dns forwarder is all thats needed.

        Only replace the 107.0.67.49 with your steam cache box’s ip. The other host overrides are needed to allow access to the store/login.

        Advanced:
        address=/.cs.steampowered.com/107.0.67.49
        address=/.steampowered.com/107.0.67.49

        Host Overides:
        content1 steampowered.com 107.0.67.49 steampipe
        content2 steampowered.com 107.0.67.49 steampipe
        content3 steampowered.com 107.0.67.49 steampipe
        content4 steampowered.com 107.0.67.49 steampipe
        content5 steampowered.com 107.0.67.49 steampipe
        content6 steampowered.com 107.0.67.49 steampipe
        content7 steampowered.com 107.0.67.49 steampipe
        content8 steampowered.com 107.0.67.49 steampipe

        gds1 steampowered.com 208.64.200.189 STEAMPIPE
        gds2 steampowered.com 208.64.200.190 STEAMPIPE
        gds3 steampowered.com 208.64.200.191 STEAMPIPE
        gds4 steampowered.com 208.78.164.7 STEAMPIPE

        store steampowered.com 208.64.202.69 STEAMPIPE
        support steampowered.com 63.235.4.133 STEAMPIPE

        I monitor usage on the steam box cache by using this command to display traffic in and out as well as using df -h
        nload -U G – u M -i 102400 -o 102400

        I’d be happy to share my nginx config as well if that helps.

      • mhohman2013 says:

        Going back over the dns forwarder config you could actually omit the content1-8 host overrides as they are caught by the advanced overrides.

      • mhohman2013 says:

        Here is a link to our nginx.conf file:
        https://www.dropbox.com/s/5kxaaaqnyc3c8jh/nginx.conf

      • elgwhoppo says:

        Thanks mhohman2013, posting the .conf is CLUTCH!!! I think that sideout you and myself should write up a blog post on reverse proxy caching!!! Would LOVE to be able to cache Origin and other huge downloader sites. It’s just doing the homework on the content URLs. I can draft it up and mail it to you guys if you’re interested.

      • mhohman2013 says:

        I’ve got a blog post going over at http://churchnerd.net . I’ve gotten the following networks cached now.

        Steam
        Blizzard
        Riot Games
        Hi-Rez Studios

        I’ll update that blog post this morning with the new config file and I’ll take a look into origin this morning.

  5. Querex says:

    Thanks elgwhoppo, this is a verry helpful tutorial!

    Have you ever use the rules in combination with the squid caching pfsense package?
    When I activate squid, the rules aren’t working optimal anymore…
    Someone any idea what the problem / solution could be, to use the firewall rules in combination with the pfsense squid?
    Thanks!

  6. thanks elgwhoppo!!! I can send you cupcake after I test this in my pfsense box. give me a link of your Paypal

  7. Louvy Choi says:

    is it possible to create a new shaper or etc… that’s specifically there to slow down youtube and facebook videos…. I want these to get the lowest priority

  8. KeLcO says:

    Hi elgwhoppo,

    we have a lan in a few days, is there anything special to know if we are yousing 7 WANs and loadbalancing?

  9. […] per IP limits to ensure that all endpoints are limited to 2Mbps or another reasonable number per your total […]

  10. Dave says:

    Hi, elgwhoppo do you have traffic shaping rules limit download for a certain bandwith, less priority streaming audio/video. High priority in Http. Apply to all lan users.

  11. Riga Tron says:

    Kinda gutted that the Config files arnt’ available anymore through your website, really just started experimenting with pfsense and was looking forward to trying those configs out, especially when I have had the exact same sort of issues hosting LAN events, any other links? moved onto something better?

    • elgwhoppo says:

      Hey man, my config is kind of dated. Thinking about posting my latest one with the caching post. Google search sideout’s gold standard on the pfsense forum for the latest great config.

  12. MosquitoCR says:

    Hello,

    Do you have and updated version for the latest PFSENSE ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Papers
People
Map

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 32 other followers

%d bloggers like this: