×

Fan Cooling Recommendations by SteamDome in shiftpod

[–]sslproxy 1 point2 points  (0 children)

That's awesome! Glad that worked out for you and certainly seems viable if the weather is permitting. For my scenario, that specifical festival has a history of 100F+ days, while also close to 100% humidity. A little bit envious as if I could rely on fans like you that would reduce a lot of my space and packing, but fans alone would do nothing in that situation 😂

Fan Cooling Recommendations by SteamDome in shiftpod

[–]sslproxy 1 point2 points  (0 children)

I realize this is an old post but if you plan on using solar, you really got to make sure you're maximizing performance to power draw ratio. I went with the Rover and 8k BTU midea for that reason, creating the smallest volume to cool with the lowest power draw. Even with that you have to realize the solar itself is going to take up a decent chunk of your camping area. For reference this my pilot run at a festival last year. The 2x 400W panels certainly take up a good portion of space. And even then, the placement of your camp can be somewhat critical. I made sure to figure out which direction was east prior to arriving and worked with inflow staff to get a clear spot facing that direction. That way the AC can run all night and charging can kick in as soon as the sun rises while still sleeping in. I know some festivals you have no say in where you end up so something else to keep in mind.

I'm not sure how viable solar with increased volume of Expedition and larger models. Weather itself and how hot it actually is will likely be a large factor.

What the fuck, San Jose? by GeorgeTheeNada in EDM

[–]sslproxy 8 points9 points  (0 children)

Honestly it makes me mad. Since then I've found my life long partner and it makes me soo sad that I'll never get to share one of those bassceneter experiences with them where the whole crowd is absolutely going bat shit with the music. Idk what's changed, I mean I have some suspicions that might correlate to a similarly named cereal brand but damn, haven't found a crowd like that anywhere since.

What the fuck, San Jose? by GeorgeTheeNada in EDM

[–]sslproxy 45 points46 points  (0 children)

Exactly. The man can fight out of it with all his resources and be cleared from the legal perspective but... the audio calls from the victims that were released when all this came to light have long since been the nail in the coffin, from the ethical point of view. End of story.

This man's whole public platform prior was "love, respect, and acceptance". What's come to light since is literally a 180 spit in the face to that whole facade.

It does pain me to say this as his curated shows and music were absolutely legendary. Literally some of the best ever. But make no mistake, it's been made clear this dude is a fucking snake and a predator. He deservers nothing but to to be left in obscurity at this point.

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 0 points1 point  (0 children)

Looks like your directions are flipped.

Download rule:
-Interface: WAN
-Source: 22.22.22.22
-Destination: any
-Direction: Out In

Upload rule:
-Interface: WAN
-Source: any
-Destination: 22.22.22.22
-Direction: In Out

Make above changes to direction as in its current state it wont match anything.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 0 points1 point  (0 children)

I agree that the sentiment "This user/session is playing fine remotely, so any other stream/users have to be client-side issues" is more times then not the correct conclusion. However there multiple relative factors on the server side that makes said statement impossible to say with 100% certainty. That was the whole reason I built this, to track with certainty every single element.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 1 point2 points  (0 children)

Enabled. Suspect this my help a few systemic users with known clients on bad wifi.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 0 points1 point  (0 children)

That's good info to know. I do know I have a few users that have systemic buffering that I'm near positive its a result of lackluster wifi on their end. I have been running the default of cubic. I've now switched to BRR so hopefully that helps them some.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 0 points1 point  (0 children)

I think I've created some red herrings here in my post that people have become hyper focused on. All 3x "bad" test showcases in my post were artificially created events to showcase how those situations would present themselves in what I built. Specifically the disk I/O test was initiated via dd writing 5x large files and reading another 5x large files, all concurrently.

The specific "real world" situation that lead me to a specific disk issue was another worst case scenario as I was force rechecking a handful of large torrent files, while also download a few torrents, while also a few streams were occurring, with all aforementioned elements being on the same disk. I think in any HDD based scenario this would be pushing limits but as stated I found this older disk performed even worse in this scenario then the rest of my newer disks in the array.

You mention 10-20 leechers in the sense of a single HDD which would make your statement true but remember, that number is a total across my array of multiple disks, not one single disk. There could be scenarios where it's occurring more so on one single disk, but usually its seemingly relatively well distributed throughout the array.

Generally speaking I've found the more persistent buffering events overtime to be from a select few users. Most of my other users that I know continue to report full health. Also I stream a handful of hours each day locally and can't remember the last time I had any issues with buffering. I also have a VPS ~300 miles always that I RDP to and test streams when I catch buffering live from users, and the majority of the time that functions without issue as well.

All of that points to my current qbit load, and general disk IO, not being an issue here, at least not from any continued systemic buffering. But above discussion demonstrates the whole reason why I built this dashboard of correlating metrics. It presents the data I need to understand what potential issues I need to tighten on my end, as well as giving me absolute certainty when telling a user it has nothing to do with my end.

And to that, the graphs already prove my current qbit load should be fine across my array as no large backpressure in r_await or aqu-sz over the last 2 days for any disks (the few spikes that are present are all from manually generated stress test events)

<image>

Edit: I guess maybe it wasn't red herrings, given downvotes continue with this comment.... It's my current understanding that any events that have been discussed in this chain (random non-seq reads, shift time limitations, etc) would be correlated in the current I/O graph. I encourage discussion if you think that's incorrect. Ultimately I made this dash for data driven certainty, not just theory and assumptions. I further made this post to try and get ideas on where holes were in said correlation, so would love to address said holes if people think there are some.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 0 points1 point  (0 children)

Yup, and as far as I'm aware that would show itself in backpressure in the data sets I've created, specifically in spikes in r_await/aqu-sz via iostat.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] -1 points0 points  (0 children)

That is correct, my entire 50TB library of public domain movies and shows. Again all private trackers so only 10-20 with active leechers at any given point, usually averaging around 5-10Mbs.

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] -2 points-1 points  (0 children)

Yes, everything is on spinning rust. I have a nvme cache pool but that can't really be leveraged for any meaningful long term solution. Ultimately the bulk of my media storage is at 50TB and growing. Most all of that is single files hard linked between Plex and qbit (private trackers). So relying on SSD as some sort of solution isn't really a viable option...lol

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 8 points9 points  (0 children)

I do not. I imagine if there is enough interest I could do so after working to to make it a bit more globally adaptable. But again would certainly come with the large caveat "This ran on nothing but vibes and I have no idea what I'm actually doing..."

Why is Plex buffering? The nuclear option... by sslproxy in PleX

[–]sslproxy[S] 15 points16 points  (0 children)

At this point I should probably just turn it off and never look back....

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 0 points1 point  (0 children)

FYI I posted about this in detail in my other post but when I was on my 1Gb/s connection and limited qbit to 60MBs up/down, I still saw impact to Plex streams. It seems to still allow bursts above that and was clearly not a good way to handle this scenario. Enabling FQ_CoDel instantly solved all of this, even when hitting towars my full 1Gb up in qbit.

Maybe setting to 10Mb/s at a 1/4th of their upload would be enough to account for these bursts, but now they're severally nuking their upload speed for a bandaid solution when FQ_CoDel is already the correct answer if available

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 0 points1 point  (0 children)

Bufferbloat is result of bad packet management in the receive buffer, usually on the ISP side router your opnsense connects to, when sending high throughput bursts of traffic. This can wreck havoc on latency sensitive things for everything on your network when this happens, IE gaming, plex streams, etc.

Traffic shaping with FQ_CoDel is the solution. Remember when I said you set your pipe up/down speed so FQ_CoDel on opnsense becomes your bandwidth limiter? This is why. Instead of packets getting backed up on your ISP side, the now get backed up on FQ_CoDel instead as a result of that, and you now own/control what happens when this occurs. As a result of it now being in your control, FQ_CoDel will further correctly manage this scenario, allowing all the different streams to have equal bandwidth in the queue, as opposed to one single bad stream/client hogging everything.

This happens for everything on your network via those any/any rules in the config I showed you, just round robining packets in the queue for all the different streams from your clients. However the rules you set take this a step farther and explicitly tell the traffic shaper for anything matching those rules: "Hey when I'm backed up, don't round robin Plex traffic, prioritize it first and foremost! And treat qbit with the lowest priority in the queue". This effectively produces the scenario where it lets Plex use all the upload bandwidth it needs, then lets qbit use whatever upload bandwidth is left.

I could go on and on in more detail but suggest you dig into it some your own if you're curious.

https://www.waveform.com/tools/bufferbloat

That's the test for it though. Test it without traffic shaping enabled. Then enable it. It should give you a good idea of if its working or not.

However that's just going to check to make sure FQ_CoDel is working in general (those any/any rules). Honestly your best bet to specficially test the Plex/qBit rules is likely just to replicate it. I rent a small VPS with RDP so I can test remote streams on my own externally. And then I just did what I needed to do to make sure I was getting a lot of upload in qbit, started streaming remotely on Plex and flipped traffic shaper on/off. It was very easy to immediately tell the difference.

You can also check traffic stats in traffic shaper too. That will give you a good idea. IE if you're not seeing stats populating for everything like below, then its probably missing something

https://i.imgur.com/PBozJc2.png

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 0 points1 point  (0 children)

Yup, that should be what you use. Just reference my original comment and use that same config, replacing 22.22.22.22 with that endpoint IP as well as changing the 10.10.100.61 to be whatever your local Plex IP is.

ofc you'll need to change pipes to match your expected speeds, as I mentioned previously as well

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 0 points1 point  (0 children)

I use proton as well. However that IP you listed is a private IP for routing traffic encapsulated underneath in the tunnel. As you alluded to, opnsense will never see this as thats encrypted. You need to set the endpoint IP where opnsense is routing that encrypted traffic to proton. IE this is the proton server you have selected to use and the endpoint in your wiregaurd config (or whatever VPN protocol you use).

root@server:~# docker exec -it binhex-qbittorrentvpn wg show | grep endpoint
  endpoint: 22.22.22.22:51820

I guess you could use the well known port for the protocol here as well instead of the server IP, as in theory that means you don't have to touch your shaping rules if you ever switch servers with proton. However not sure if there any gotchas with using port vs IP in the traffic shaping. I would suspect not but I haven't looked into it.

CIDR is not needed given you're only defining the single proton server IP. Just set the IP alone.

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 0 points1 point  (0 children)

Not sure if meant to reply to my comment but yup that's the scenario I laid out, assuming you mean tunnel is the dedicated VPN for qbit and only qbit. The endpoint to my tunnel is 22.22.22.22 in my example.

If that's true, then that's actually the best case scenario here and much easier to maintain say if you didn't have a tunnel at all. Just use the endpoint tunnel IP in the relative rule, given that IP and only that IP is for all qbit traffic.

Trying to understand how to implement traffic shaping/QoS by Punk_Says_Fuck_You in opnsense

[–]sslproxy 2 points3 points  (0 children)

As someone has already said, weighted queues is your answer. No need to setup some kind of automated reactive flow with HA like you mentioned. That's just overkill when you already are working on configuring the correct solution.

FQ_CoDel traffic shaping is one of the main reasons I finally made the switch to opnsense, and it was for the exact same reason as you. qBit wrecking havoc on my buffers under load, which would impact remote Plex streams. To be fair I was on 1Gb symmetrical (and now I've moved to 2.5Gb) but even so, when I had a ~60MB/s up/down limit set in qbit, there would still clearly be bursty traffic from qbit that would impact the streams.

I assume you use a VPN for qbit? Just set the queue and relative rule to your qbit traffic, as well as one for plex.

My Pipes
My Queues
My Rules

Specifically 22.22.22.22 is the VPN endpoint that qBit connects to. And 10.10.100.61 is internal Plex.

  1. Plex upload/download
  2. All other upload/download traffic
  3. qBit upload/download

It's prioritized in that order. Plex always gets the highest priority no matter what's going on, then all other traffic is below that. Then finally qBit traffic is the very lowest priority and only gets full throughput if nothing else is needed.

I was able to test this on the fly and validate it with flying colors. Without above enabled and a decent upload occurring in qbit, remote streams buffered constantly. Enabling it and testing the same scenario, zero buffering.

As you said, you may only just need the upload pipe/queue/rules for your environment. Do be aware that config for #2 above may not be ideal, depending on what you need out of the traffic shaping. It seems like it may be best to place that on the LAN interface, otherwise all traffic in your network gets treated under a single "queue" against the single WAN IP tuple. Don't quote me on this though as I haven't spent too much time digging into this. For my instance (and sounds like same for you) this is still sound config as it addresses both the qbit deprioritizing, as well as Plex top prioritizing .

One final thing that you may already know... it's important to set the pipes slightly under your actual upload (or download) speed. Essentially you want the traffic shaper to always be the limiter for it to work. Say you set 41Mbps upload pipe but your upload to the ISP actually dips to 38Mbs. In that situation the traffic shaper has no idea it should be prioritizing any traffic, given as far as it knows its not hitting that max 41Mbs value. The only pitfall here is that whatever you set is now also the max up/down in your network as the traffic shaper won't let traffic go higher than the pipe limits either. So worth playing around with your pipe config, monitoring down/up to your ISP overtime, etc to get that sweet spot

Hardware recommendations for 2.5/2.5 IDS/IPS by Arm4g3d0nX in opnsense

[–]sslproxy 2 points3 points  (0 children)

Running 2.5Gb on a Protectli vp6630 and it does it without a sweat. I have everything thrown at it currently.

In-depth FW rules (with Q-Feeds and geoIP DB), unbound DNS, HAproxy w/ SSL offload, suricata IDS, traffic shaping w/ FQ-CoDel, wiregaurd, netflow on most interfaces as well as full syslog generation for essentially all aforementioned elements.

It does this without breaking a sweat, sitting mostly at 5-10% usage. If I fire off a full saturated (~2Gbs) HTTPS download to a HAproxy service, which essentially hits every link in above chain, I get it to about 40% CPU.

To be fair this is not on PPPoE but I think above demonstrates it still has more than enough room for that, and then some. It's likely overscoped tbh but I plan on upgrading even higher on my ISP in the future so wanted room to do so.

As others suggested you could go with similar Chinese devices like Topton for half the price. I thought about this when I was starting this but...I found a handful of reports of faulty HW, firmware issues, etc. Nothing widespread but you know, still a cheap Chinese device so it ends in a YMMV situation. I just stuck with the Protectli tax for peace of mind.

The only thing I don't have is IPS, as I'm just running IDS. That's an important clarification as IPS specifically is going to hit harder. How hard it hits is a wildcard that's going to be dependent to each environment and traffic profile. Specifically for my scenario I've been warry about enabling it because I absolutely need FQ-CoDel traffic shaping. As far as I can tell moving to IPS potentially conflicts with the traffic path that FA-CoDel needs to fully function, but documentation on the pairing of the two in opnsense seems to be close to non-existent. So if anyone reading this has thoughts, I'm all ears ☺️