Configuring CoDel Limiters for Bufferbloat

The FQ_CODEL limiter scheduler can help alleviate the effects of Bufferbloat. The CoDel algorithm and bufferbloat are discussed in the ALTQ chapter at CoDel Active Queue Management and the same concepts apply to FQ_CODEL with limiters as well.

Before starting, use a Bufferbloat Test Site to determine if changes are necessary. If the firewall already receives a high score the circuit may not be prone to bufferbloat and thus may not require these limiters.

This configuration requires a limiter and queue for both download and upload, plus a floating rule to apply the limiters to outgoing traffic.

Create Download Limiter and Queue

The first task is to create a download limiter and queue:

  • Navigate to Firewall > Traffic Shaper, Limiters tab

  • Click New Limiter

    • Configure the limiter with the following settings:

      Enable: Checked

      Name: WANDown

      Bandwidth: Set equal to WAN download bandwidth (confirm via speed test first)

      Mask: None

      Description: WAN Download

      Queue Management Algorithm: Tail Drop

      Scheduler: FQ_CODEL

      The page will display FQ_CODEL options and their default values after saving this limiter, but leave them at defaults.

      Queue Length: Can vary depending on the speed of the link, but 1000 should be a safe default for most high speed WANs (100Mbit/s). For very high speed WANs (e.g. 1Gbit/s+), consider increasing further to 3000-5000.

      ECN: Checked

    • Click Save

  • Click Add New Queue under WANDown

    • Configure the queue with the following settings:

      Enable: Checked

      Name: WANDownQ

      Mask: None

      Description: WAN Download Queue

      Queue Management Algorithm: Tail Drop

    • Leave the other fields at their default values

    • Click Save

Create Upload Limiter and Queue

  • Navigate to Firewall > Traffic Shaper, Limiters tab

  • Click New Limiter

    • Configure the limiter with the following settings:

      Enable: Checked

      Name: WANUp

      Bandwidth: Set equal to WAN upload bandwidth (confirm via speed test first)

      Mask: None

      Description: WAN Upload

      Queue Management Algorithm: Tail Drop

      Scheduler: FQ_CODEL

      The page will display FQ_CODEL options and their default values after saving this limiter, but leave them at defaults.

      Queue Length: Can vary depending on the speed of the link, but 1000 should be a safe default for most high speed WANs (100Mbit/s). For very high speed WANs (e.g. 1Gbit/s+), consider increasing further to 3000-5000.

      ECN: Checked

    • Click Save

  • Click Add New Queue under WANUp

    • Configure the queue with the following settings:

      Enable: Checked

      Name: WANUpQ

      Mask: None

      Description: WAN Upload Queue

      Queue Management Algorithm: Tail Drop

    • Leave the other fields at their default values

    • Click Save

  • Click Apply Changes

Create Floating Rule

  • Navigate to Firewall > Rules, Floating tab

  • Click Add to create a new rule at the bottom of the list

    • Configure the rule as follows:

      Action: Pass

      Quick: Checked

      Interface: WAN

      Direction: Out

      Address Family: IPv4

      Note: If the WAN can carry both IPv4 and IPv6, make a separate rule for each address family.

      Protocol: Any

      Source: WAN Address

      Warning: It is important not to match too loosely on the source, especially when a firewall has multiple WANs. In certain cases with multiple WANs, if traffic meant to exit an alternate non-default WAN matches this kind of floating rule, the traffic will end up dropped as pf may still process that traffic outbound on the default WAN before redirecting out the correct interface.

      Destination: Any

      Description: CoDel Limiters

      Gateway: Must be set to the gateway for this WAN interface

      In / Out Pipe: WANUpQ / WANDownQ

      Note: On WAN floating rules in the outbound direction, “in” traffic is upload, and “out” traffic is download, from the perspective of LAN clients.

    • Click Save

  • Click Apply Changes

  • Reset states to force all traffic to use new limiters

Test Again

Use a Bufferbloat Test Site again and compare the new score to the earlier score. In most cases, the new score should be an A or higher.

If the score does not improve, or gets worse, there is likely a problem with the configuration. First, go back and compare all of the settings with the suggested values in this document.

If the configuration matches, the settings may need further adjustment. For example, the bandwidth values may be higher than the circuit is capable of delivering, the queue sizes may need to be increased, or the CoDel parameters may need to be changed. Post on the Netgate Forum for assistance with diagnosing the problem.

Notes

Certain configurations may require alterations to the suggested procedure above.

Multiple WANs

For multiple WANs make a complete set of queues for each WAN and make a separate floating rule for each WAN. Ensure the rules do not match the source IP address(es) of the other WANs.

For example:

  • Pass quick out WAN1 from WAN1 Address to any, gateway WAN1GW, In/Out Pipe WAN1UpQ/WAN1DownQ

  • Pass quick out WAN2 from WAN2 Address to any, gateway WAN2GW, In/Out Pipe WAN2UpQ/WAN2DownQ

Multiple Addresses/VIPs

If there are multiple IP addresses on a WAN (e.g. VIPs, routed subnets), create an alias with all of the necessary addresses and use it as the source of the floating rule.
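
The source-matching warning and the multiple WAN and VIP notes above can be checked mechanically before applying a rule set. The following is an added example, not pfSense code: the rule dictionaries are a hypothetical model rather than the firewall's configuration format, and the addresses are constructed from documentation ranges.

```python
import ipaddress

def lint_codel_rules(rules, wan_addrs, queues):
    """Return (rule description, problem) pairs for CoDel floating rules."""
    findings = []
    for r in rules:
        name, wan = r["descr"], r["interface"]
        if r["direction"] != "out":
            findings.append((name, "direction is not Out"))
        if not r["gateway"]:
            findings.append((name, "gateway not set"))
        # On an outbound WAN rule, "in" is upload and "out" is download.
        if queues.get(r["in_pipe"]) != (wan, "up"):
            findings.append((name, "In pipe is not this WAN's upload queue"))
        if queues.get(r["out_pipe"]) != (wan, "down"):
            findings.append((name, "Out pipe is not this WAN's download queue"))
        if r["source"] == "any":
            findings.append((name, "source is any"))
            continue
        # The source is a list of addresses or subnets (an alias, for VIPs).
        nets = [ipaddress.ip_network(s, strict=False) for s in r["source"]]
        for other_wan, addrs in wan_addrs.items():
            if other_wan == wan:
                continue
            for a in addrs:
                o = ipaddress.ip_network(a, strict=False)
                if any(n.version == o.version and n.overlaps(o) for n in nets):
                    findings.append((name, f"source covers {other_wan} address {a}"))
    return findings

# Constructed sample data (hypothetical model, documentation address ranges).
WAN_ADDRS = {"WAN1": ["198.51.100.10"], "WAN2": ["203.0.113.20", "203.0.113.21"]}
QUEUES = {"WAN1UpQ": ("WAN1", "up"), "WAN1DownQ": ("WAN1", "down"),
          "WAN2UpQ": ("WAN2", "up"), "WAN2DownQ": ("WAN2", "down")}
RULES = [
    {"descr": "CoDel WAN1", "interface": "WAN1", "direction": "out",
     "source": ["198.51.100.10"], "gateway": "WAN1GW",
     "in_pipe": "WAN1UpQ", "out_pipe": "WAN1DownQ"},
    # Alias too broad (covers WAN1), no gateway, pipes swapped.
    {"descr": "CoDel WAN2", "interface": "WAN2", "direction": "out",
     "source": ["203.0.113.20", "198.51.100.0/24"], "gateway": None,
     "in_pipe": "WAN2DownQ", "out_pipe": "WAN2UpQ"},
]

if __name__ == "__main__":
    for rule, problem in lint_codel_rules(RULES, WAN_ADDRS, QUEUES):
        print(f"{rule}: {problem}")
```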