Hi,
First time posting so bear with me. I apologize ahead of time as I may go on a ramble. I'll try and keep it as clean as I can.
A bit of background.
I work for a company in the finance industry and we have 2 Check Point clusters facing each other at work. For testing purposes, and to basically get more hands-on with the product, I decided to build a setup at home as well.
This process has, at the time of writing, been completed. I have a management server and a gateway running happily in my household premises. But it is not version R81.10, which is the latest. Instead it is version R81. And the reason for it is that the QoS implementation simply didn't launch on R81.10 on my equipment at home. I don't know exactly why. All I can do is provide a couple of pictures to show you the error messages.
It would be awesome if I could get a few questions answered.
I'll also provide some background on what I did to try and get the QoS blade operating on my equipment on version R81.10.
Equipment that serves as the Security Gateway at home has the following components:
Motherboard: MSI z77a-g45
CPU: i5-3570k (stock settings)
RAM: Corsair CMZ8GX3M2A1600C9 x2 running at 1600 MHz, total capacity 8GB, slots 2 and 4 populated.
Storage: Samsung SSD 850 EVO 250GB
PSU: Seasonic PX-450
NICs: Intel Gigabit CT Desktop Adapters x2 running the e1000e driver
[Expert@gw1:0]# ethtool -i eth0
driver: e1000e
version: 3.2.6-k
firmware-version: 1.8-0
The Security Management server runs as a VM in ESXi-7.0U3-18644231-standard and follows the best practices as per this article: sk104848
QoS blade problems on R81.10. Specifically, off the top of my head, here is everything I tried to make it work:
- After enabling the QoS blade, regular installs of the policy with nothing other than the active inbound and active outbound limits set for the class "BestEffort" worked and operated successfully. Limiting the outbound rate to whatever I desired, including 250kbps, worked, effectively nulling my internet experience. This wasn't the first thing I tested though. First, I actually added a rule to the QoS rulebase; that rule included a Service Group that I named "WWW", with 2 services in it: the default http & https, matched by: 80 & 443. The result of installing this QoS Rulebase Policy was the following error: "Service out of range".
- So, this prompted a bit of research. Naturally, the next thing was to google the error message. Lo and behold, there is an actual ongoing Jumbo that specifies a fix for this exact problem: sk175467. I downloaded this and installed it on the gateway first, but forgot to update the Security Management server. Between updating the Management Server and the Gateway I took some extra troubleshooting steps that I've already forgotten at this point, including reinstalling the gateway from scratch. None of those worked. Neither did updating the management when I finally got to it. The result was more or less the same. In other words, the ongoing Take 14 (sk175186) was not a fix for me.
- I had initially installed the gateway using VLAN interfaces for better manageability. When attempting to change the rule in the QoS rulebase to use, instead of a group, only 1 single service, the error message changed to something related to ioctl. So, I reconfigured the gateway and the switch interfaces to use untagged frames, and the result was the same. Nothing changed. Here's a picture of what the rulebase looked like when getting that error message.
- Here, I ran out of ideas to try other than some small things. I tried creating a new Policy entirely just for QoS, installed that, and the result was the same. The error message seemed to depend on the contents of the QoS rulebase in SmartDashboard, i.e. whether it had a group in it under the Service field or a single service. The error was either "Out of range" or "ioctl".
- Reinstalled the gateway and the management both from scratch + Take 14. Same result.
- Enabled the motherboard's onboard Realtek network adapter and configured eth0 on it, to try and rule out a potential interface/driver problem. Same result.
And so on...
To note, it seemed that only the Service column causes the issue. If I recall correctly, building a QoS rulebase with only the Source and Destination columns in use installed the Policy successfully. But I tried to verify that they were working and I couldn't come up with an easy way, so I left it at that and tried a downgrade. On R81, no issues; it worked as expected from the get-go.
This is an Open Server implementation.
Is R81.10 QoS broken for other people as well on Open hardware? Even with the latest Take 14?
Questions related to QoS:
Reading the QoS administration guide, it doesn't seem to mention a best practice for LLQ classes, such as whether we shouldn't use multiple rules under an LLQ class. It explicitly says not to utilize sub-rules. But is having multiple top-level rules under an LLQ class okay?
To me the guide left the weight calculation a bit ambiguous when it comes to using more than 1 class in a QoS rulebase. Is the weight of a rule in the rulebase calculated over the entire rulebase's rules even when there is more than 1 QoS class in use? Or is the relative bandwidth percentage calculation done over the rules in its own class instead of the entire rulebase?
Trying to find anything related to bufferbloat, all I could locate was that CoDel is assumedly used by Checkpoint. This is according to this post: https://community.checkpoint.com/t5/General-Topics/Firewall-priority-queues-setting/m-p/21699/highli.... Is this true? Is any AQM implementation present at the lower layers?
Thanks for reading,
Any answers are appreciated.
SO
0xCD7D601B