Configuring CoDel Limiters for Bufferbloat

The FQ_CODEL limiter scheduler can help alleviate the effects of Bufferbloat. The CoDel algorithm and bufferbloat are discussed in the ALTQ chapter at CoDel Active Queue Management and the same concepts apply to FQ_CODEL with limiters as well.

Before starting, use a Bufferbloat Test Site to determine if changes are necessary. If the firewall already receives a high score the circuit may not be prone to bufferbloat and thus may not require these limiters.

This configuration requires a limiter and queue for both download and upload, plus a floating rule to apply the limiters to outgoing traffic.

Create Download Limiter and Queue

The first task is to create a download limiter and queue:

  • Navigate to Firewall > Traffic Shaper, Limiters tab

  • Click New Limiter

    • Configure the limiter with the following settings:

      Enable: Checked

      Name: WANDown

      Bandwidth: Set equal to WAN download bandwidth (confirm via speed test first)

      Mask: None

      Description: WAN Download

      Queue Management Algorithm: Tail Drop

      Scheduler: FQ_CODEL

      The page will display FQ_CODEL options and their default values after saving this limiter, but leave them at defaults.

      Queue Length: Can vary depending on the speed of the link, but 1000 should be a safe default for most high speed WANs (100Mbit/s). For very high speed WANs (e.g. 1Gbit/s+), consider increasing further to 3000-5000.

      ECN: Checked

    • Click Save

  • Click Add New Queue under WANDown

    • Configure the queue with the following settings:

      Enable: Checked

      Name: WANDownQ

      Mask: None

      Description: WAN Download Queue

      Queue Management Algorithm: Tail Drop

    • Leave the other fields at their default values

    • Click Save

Create Upload Limiter and Queue

  • Navigate to Firewall > Traffic Shaper, Limiters tab

  • Click New Limiter

    • Configure the limiter with the following settings:

      Enable: Checked

      Name: WANUp

      Bandwidth: Set equal to WAN upload bandwidth (confirm via speed test first)

      Mask: None

      Description: WAN Upload

      Queue Management Algorithm: Tail Drop

      Scheduler: FQ_CODEL

      The page will display FQ_CODEL options and their default values after saving this limiter, but leave them at defaults.

      Queue Length: Can vary depending on the speed of the link, but 1000 should be a safe default for most high speed WANs (100Mbit/s). For very high speed WANs (e.g. 1Gbit/s+), consider increasing further to 3000-5000.

      ECN: Checked

    • Click Save

  • Click Add New Queue under WANUp

    • Configure the queue with the following settings:

      Enable: Checked

      Name: WANUpQ

      Mask: None

      Description: WAN Upload Queue

      Queue Management Algorithm: Tail Drop

    • Leave the other fields at their default values

    • Click Save

  • Click Apply Changes

Create Floating Rule

  • Navigate to Firewall > Rules, Floating tab

  • Click Add to create a new rule at the bottom of the list

    • Configure the rule as follows:

      Action: Pass

      Quick: Checked

      Interface: WAN

      Direction: Out

      Address Family: IPv4

      Note: If the WAN can carry both IPv4 and IPv6, make a separate rule for each address family.

      Protocol: Any

      Source: WAN Address

      Warning: It is important not to match too loosely on the source, especially when a firewall has multiple WANs. In certain cases with multiple WANs, if traffic meant to exit an alternate non-default WAN matches this kind of floating rule, the traffic will end up dropped as pf may still process that traffic outbound on the default WAN before redirecting out the correct interface.

      Destination: Any

      Description: CoDel Limiters

      Gateway: Must be set to the gateway for this WAN interface

      In / Out Pipe: WANUpQ / WANDownQ

      Note: On WAN floating rules in the outbound direction, “in” traffic is upload, and “out” traffic is download, from the perspective of LAN clients.

    • Save

  • Apply Changes

  • Reset states to force all traffic to use new limiters

Test Again

Use a Bufferbloat Test Site again and compare the new score to the score from the first test. In most cases, the new score should be an A or higher.

If the score does not improve, or gets worse, there is likely a problem with the configuration. First, go back and compare all of the settings with the suggested values in this document.

If the configuration matches, the settings may need further adjustment. For example, the bandwidth values may be higher than the circuit is capable of delivering, the queue sizes may need to be increased, or the CoDel parameters may need to be changed. Post on the Netgate Forum for assistance with diagnosing the problem.

Notes

Certain configurations may require alterations to the suggested procedure above.

Multiple WANs

For multiple WANs make a complete set of queues for each WAN and make a separate floating rule for each WAN. Ensure the rules do not match the source IP address(es) of the other WANs.

For example:

  • Pass quick out WAN1 from WAN1 Address to any, gateway WAN1GW, In/Out Pipe WAN1UpQ/WAN1DownQ

  • Pass quick out WAN2 from WAN2 Address to any, gateway WAN2GW, In/Out Pipe WAN2UpQ/WAN2DownQ

Multiple Addresses/VIPs

If there are multiple IP addresses on a WAN (e.g. VIPs, routed subnets), create an alias with all of the necessary addresses and use it as the source of the floating rule.
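
The source, gateway and pipe requirements above can be checked mechanically before applying changes. The following is an added example, not part of the original document or of pfSense itself: the dict layout for WANs and rules is hypothetical (it is not the firewall's configuration format), and all addresses are constructed sample values.

```python
import ipaddress

# Constructed inventory: each WAN's own addresses (interface address plus any
# VIPs or routed subnets), its gateway, and its upload/download queues.
WANS = {
    "WAN1": {"addrs": ["198.51.100.2/32", "198.51.100.8/29"],
             "gateway": "WAN1GW", "up": "WAN1UpQ", "down": "WAN1DownQ"},
    "WAN2": {"addrs": ["203.0.113.2/32"],
             "gateway": "WAN2GW", "up": "WAN2UpQ", "down": "WAN2DownQ"},
}

# Constructed floating rules in a hypothetical dict form.
RULES = [
    {"iface": "WAN1", "direction": "out", "quick": True,
     "source": ["198.51.100.2/32", "198.51.100.8/29"],
     "gateway": "WAN1GW", "in_pipe": "WAN1UpQ", "out_pipe": "WAN1DownQ"},
    # Deliberately wrong: source matches everything, no gateway, pipes swapped.
    {"iface": "WAN2", "direction": "out", "quick": True,
     "source": ["0.0.0.0/0"],
     "gateway": None, "in_pipe": "WAN2DownQ", "out_pipe": "WAN2UpQ"},
]

def nets(values):
    return [ipaddress.ip_network(v) for v in values]

def lint_rule(rule, wans):
    """Return findings for one limiter floating rule (empty list = clean)."""
    wan, findings = wans[rule["iface"]], []
    if rule["direction"] != "out" or not rule["quick"]:
        findings.append("rule must be quick and match direction out")
    if rule["gateway"] != wan["gateway"]:
        findings.append("gateway is not this WAN's gateway")
    # On an outbound WAN rule the In pipe is upload and the Out pipe is download.
    if (rule["in_pipe"], rule["out_pipe"]) != (wan["up"], wan["down"]):
        findings.append("In/Out pipes must be this WAN's upload/download queues")
    own = nets(wan["addrs"])
    for s in nets(rule["source"]):
        if not any(s.version == o.version and s.subnet_of(o) for o in own):
            findings.append(f"source {s} is outside this WAN's addresses")
        for name, other in wans.items():
            if name != rule["iface"] and any(s.overlaps(o) for o in nets(other["addrs"])):
                findings.append(f"source {s} also matches {name} addresses")
    return findings

def lint_all(rules, wans):
    return {r["iface"]: lint_rule(r, wans) for r in rules}

if __name__ == "__main__":
    for iface, findings in lint_all(RULES, WANS).items():
        print(iface, "OK" if not findings else findings)
```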