weixin_39750190
2020-11-27 17:25

Traffic Shaper TCP (ACK only) catches all TCP traffic

Issue is referenced in this thread on the forums: https://forum.opnsense.org/index.php?topic=6004.0

Describe the bug

The traffic shaper protocol option "TCP (ACK packets only)" captures all TCP traffic instead of only ACK packets. The inverse is also true for "TCP (Non-ACK packets)".

To Reproduce

Steps to reproduce the behavior:

1. In Traffic Shaper > Settings create an upload pipe less than ISP bandwidth on the WAN interface.
2. Create a rule pointed at the pipe with protocol "TCP (ACK packets only)" selected.
3. Apply the rule and reset states.
4. Run an upload or speedtest.

Expected behavior

Only TCP ACK packets are captured and forwarded.

Environment

OPNsense 20.1.1 (amd64, OpenSSL). Intel i5 igb and em NIC drivers

This question comes from the open-source project: opnsense/core


8 replies

  • weixin_39750190, 5 months ago

    Let me clarify a difference from my original post; I forgot to mention I'm using a weighted queue between the pipe and rule. I have the TCP ACK only rule targeting a queue which is then fed to the upload pipe I set for 5Mbps to ensure ACK packets always have bandwidth. These are now the only rule and queue for the pipe. Swapping the target for the high priority queue from the 5Mb priority upload pipe to the 40Mb LAN upload pipe makes the speedtest show the correct bandwidth. Disabling the ACK only rule also shows the correct 40Mbps on the speedtest. Only when I'm pointing the rule and queue at the 5Mb pipe am I seeing the speedtest drop to 5Mbps. I admit, I could be mistaken, but I don't think the speedtest only uses ACK packets. dslreports.com/speedtest

  • weixin_39954674, 5 months ago

    I'm also seeing the exact same issue. I have a weighted setup, one pipe down and one up, with 1, 50 and 100 weighted queues for each direction. Rules direct traffic to the appropriate queue as per their priority. ACK packets are directed to the high priority queue. I've got HTTP and HTTPS rules which aren't doing anything, because the TCP (ACK only) rule takes all the traffic. Using OPNsense version 20.1.6.

  • weixin_39731682, 5 months ago

    I'm also seeing this exact issue with OPNsense 20.1.7.

  • weixin_39750190, 5 months ago

    Quick update, after digging through the forum thread https://forum.opnsense.org/index.php?topic=17372.0

    To summarize:

    It matches all TCP traffic with ACK set, which is indeed most of the traffic. m0n0wall used the same technology (tcpflags in ipfw), but offered the option to select or deselect any of them.

    It was added a very long time ago (https://github.com/opnsense/core/issues/528), but doesn't look very useful indeed.

    There are a couple of options: open a feature request to add flags as an option, so you can select which ones need to be set, maybe accompanied by a switch to expect exactly these flags (negate the rest). Selecting both which must be set and which may not be set (like m0n0 did) could also be an option, but in our layout can be a bit confusing.

    The other option is to fix the flags on this option to something more logical (tcpflags ack,!psh ?).

    The current code: tcpflags ack

    Ad suggested: tcpflags ack,!psh which I think would be an improvement.

    My suggestion would be to try and narrow it down to packets doing nothing but ACK by excluding larger payloads. E.g.: tcpflags ack iplen 52

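The three ipfw rule variants quoted in the post above (`tcpflags ack`, `tcpflags ack,!psh`, `tcpflags ack iplen 52`, plus the inverse `not tcpflags ack`), as an added example that is not part of the original post and not OPNsense or ipfw code: a Python script that builds a handful of constructed IPv4+TCP packets resembling one direction of an upload (a SYN carrying 20 bytes of options, full-size data segments with and without PSH, pure ACKs and a FIN-ACK carrying the 12-byte timestamp option) and counts how many of them each rule would steer into the pipe. The header layout follows RFC 793 and the match semantics follow the ipfw man page (each listed flag must be set, a `!flag` must be clear, unlisted flags are ignored, `iplen` compares the IP total length); the shape of the sample flow, the addresses and ports are assumptions for illustration.

```python
"""Model how ipfw's `tcpflags` / `iplen` options select packets.

Constructed sample packets only; nothing here talks to a real firewall.
"""
import struct

# TCP flag bits (low byte of the data-offset/flags field, RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH, "ack": ACK, "urg": URG}

# Constructed option blobs; only their lengths matter for the match.
TS_OPTS = b"\x01\x01" + b"\x08\x0a" + bytes(8)          # NOP NOP Timestamps = 12 bytes
SYN_OPTS = (b"\x02\x04\x05\xb4"                           # MSS 1460
            + b"\x04\x02"                                  # SACK permitted
            + b"\x08\x0a" + bytes(8)                       # Timestamps
            + b"\x01" + b"\x03\x03\x07")                   # NOP, window scale  = 20 bytes


def build_packet(flags, payload=b"", options=b""):
    """Return a minimal IPv4+TCP packet (checksums left at zero; assumed addresses)."""
    assert len(options) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp_hlen = 20 + len(options)
    total_len = 20 + tcp_hlen + len(payload)
    # version/IHL, TOS, total length, id, DF, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    off_flags = ((tcp_hlen // 4) << 12) | flags
    # sport, dport, seq, ack, offset/flags, window, csum, urgent pointer
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 1, off_flags, 65535, 0, 0)
    return ip + tcp + options + payload


def parse_packet(pkt):
    """Return (IP total length, TCP flags) as a firewall would read them off the wire."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ihl = (pkt[0] & 0x0F) * 4
    off_flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0]
    return total_len, off_flags & 0x3F


def tcpflags_match(flags, spec):
    """ipfw `tcpflags` semantics: listed flags must be set, `!flag` must be clear,
    flags not mentioned in the spec are ignored."""
    for item in spec.split(","):
        bit = FLAG_NAMES[item.lstrip("!")]
        if item.startswith("!") == bool(flags & bit):
            return False
    return True


def rule_matches(rule, pkt):
    """rule = (flag spec, negate?, iplen or None), mirroring `[not] tcpflags <spec> [iplen <n>]`."""
    spec, negate, iplen = rule
    total_len, flags = parse_packet(pkt)
    ok = tcpflags_match(flags, spec)
    if negate:
        ok = not ok
    if iplen is not None and total_len != iplen:
        ok = False
    return ok


RULES = {
    "tcpflags ack":          ("ack", False, None),      # current "TCP (ACK packets only)"
    "not tcpflags ack":      ("ack", True, None),       # current "TCP (Non-ACK packets)"
    "tcpflags ack,!psh":     ("ack,!psh", False, None), # suggestion from the forum thread
    "tcpflags ack iplen 52": ("ack", False, 52),        # pure ACK with the timestamp option
}

# Constructed upload-direction flow: handshake, data burst, pure ACKs, teardown.
SAMPLE = [
    build_packet(SYN, options=SYN_OPTS),              # iplen 60
    build_packet(ACK, options=TS_OPTS),               # ACK completing the handshake, iplen 52
    build_packet(ACK, b"x" * 1448, TS_OPTS),          # full MSS segment, no PSH, iplen 1500
    build_packet(ACK, b"x" * 1448, TS_OPTS),
    build_packet(ACK | PSH, b"x" * 1448, TS_OPTS),    # last segment of the burst, PSH set
    build_packet(ACK, options=TS_OPTS),               # pure ACK for received data, iplen 52
    build_packet(FIN | ACK, options=TS_OPTS),         # teardown, iplen 52
]


def count_matches(packets=SAMPLE, rules=RULES):
    """Return {rule text: number of packets that rule would send to the pipe}."""
    return {text: sum(rule_matches(r, p) for p in packets) for text, r in rules.items()}


if __name__ == "__main__":
    for text, n in count_matches().items():
        print(f"{text:24s} matched {n}/{len(SAMPLE)} packets")
```

On this sample `tcpflags ack` matches every packet after the SYN (6 of 7), which is the behaviour the thread complains about: once the handshake is done the ACK bit is set on everything. `ack,!psh` only drops the single PSH segment (5 of 7), because bulk segments in the middle of a burst carry no PSH, so the 5 Mbps pipe would still swallow most of the upload. `ack iplen 52` isolates the three pure-ACK sized packets; note that the FIN-ACK also measures 52 bytes and lands in the pipe, and a peer that does not negotiate TCP timestamps sends 40-byte pure ACKs, which an exact `iplen 52` would miss.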
  • weixin_39750190, 5 months ago

    4132 addresses this issue, and there are workarounds posted in the comments until/if the change is merged.

  • weixin_39706561, 5 months ago

    Counters are running on my end (speedtest slows down as well).

    
    # ipfw show | grep tcpflags
    60003 34280 36812136 pipe 10000 tcp from any to any tcpflags ack via le1 // wan: 5 Mbps
    
    
    # ipfw show | grep tcpflags
    60003     98      5660 pipe 10000 tcp from any to any not tcpflags ack via le1 // wan: 5 Mbps
    
  • weixin_39750190, 5 months ago

    Forgive my ignorance, does this mean you've reproduced the issue?

  • weixin_39706561, 5 months ago

    No problem, I couldn't reproduce it at my end; matching the traffic seems to be working fine on my machine. You probably have to dig a bit deeper in ipfw to inspect whether traffic is matching or it's accidentally being affected by one of the other rules.
