Netgate Discussion Forum

    Per User Bandwidth through Radius.

    Captive Portal
    61 Posts 14 Posters 48.2k Views
    JorgeAldoBR

      If memory serves me right, ChilliSpot is able to do its own packet switching, in userland.

      Can we (myself included, if I can develop in the Pascal language) develop a traffic-shaping TCP/UDP proxy?

      I don't need help with the daemon part; I have lots of experience developing TCP/IP apps with FreePascal/Synapse, but I will need help to package this thing and get it working with pfSense…

      sullrich

        @JorgeAldoBR:

        If memory serves me right, ChilliSpot is able to do its own packet switching, in userland.

        Can we (myself included, if I can develop in the Pascal language) develop a traffic-shaping TCP/UDP proxy?

        I don't need help with the daemon part; I have lots of experience developing TCP/IP apps with FreePascal/Synapse, but I will need help to package this thing and get it working with pfSense…

        Absolutely. We can use it until someone creates a kernel version of it. Or could you create a kernel facility?

        Either way, sounds great. How would we invoke the userland portion? ipfw divert?

        JorgeAldoBR

          There are two ways I can think of:

          A tun/tap device, or a TCP and a UDP proxy.

          A TCP and UDP proxy requires that all packets be diverted to the proxy (just like Squid), but it's somewhat more tricky because it needs to divert ALL ports (so the daemon will have to either install itself on all ports - not realistic - or use raw sockets…).

          The tun/tap device looks more promising, but I need to understand how to set it up using the BSD calls...

          Imagine the following:

          [real LAN device] -> pf rule to forward everything to TAP0 -> [TAP0 device … per-IP bandwidth management ... TAP1 device] -> pf rule to forward everything to the real WAN device

          Using two pairs of tap devices (one for downstream, the other for upstream) we can make a bandwidth manager in userland.

          Easier yet: use two pairs of tap devices for EACH IP, so the CPU-intensive task of IP checking goes to the kernel device, where the code is more tightly written…

          But I don't know what the performance penalties of having so many TAP devices are...

          • A tap device is a software-only Ethernet device, so we can even shape by packets/sec instead of bytes/sec (packets/sec seems to be the thing that makes eMule and similar programs kill my network...)

          http://en.wikipedia.org/wiki/TUN/TAP

          Hmmmm, it seems most of the work is already done... vtund is able to shape speed...

          http://vtun.sourceforge.net/

          There's an option "Speed" where the speed can be limited; I bet it doesn't use dummynet because vtund is portable across multiple operating systems...

          Attached diagram: idea.png

          buraglio

            I wonder if one could use netgraph to create virtual interfaces and pass it through them for similar purposes, as opposed to using the vtun stuff. I've been reading a lot about ng, and it seems to be created for purposes such as this, and should be pretty fast since it is all done in-kernel.

            https://www.forwardingplane.net/

            JorgeAldoBR

              The problem is that developing for the kernel has a range of consequences; a bug can kill the system in a myriad of ways… In userland, at least, most of the critical work is already done for us...

              buraglio

                @JorgeAldoBR:

                The problem is that developing for the kernel has a range of consequences; a bug can kill the system in a myriad of ways… In userland, at least, most of the critical work is already done for us...

                I totally agree, that's why netgraph is so cool: it allows for hooks into it with minimal impact. Granted, I'm not a netgraph expert, but everything I've read and done with it has worked really well. It's certainly worth investigating as a "hook" into the existing system that was meant to do similar tasks.
                I'm a poor developer but I can volunteer any insight I have into using NG.

                nb

                JorgeAldoBR

                  Even using ng, the fact that the program runs in kernel space makes it possible for a bad subscript in an array (for example) to overwrite other parts of the kernel… I don't like kernel programming, it's too damn critical (and the fact that it must be done in C guarantees that I WILL make a mistake with pointers/arrays...). Java & Pascal have a lot of ways to avoid those classes of mistakes (unfortunately they are slower than plain C, Java being the slowest).

                  PS: I'm a bad C programmer; most of what I did using C was at university... But a good kernel programmer could very well write this for us; and if someone is willing to program this, the same person could just help debug the kernel PFIL ordering issues and solve the original problem...

                  buraglio

                    @JorgeAldoBR:

                    Even using ng, the fact that the program runs in kernel space makes it possible for a bad subscript in an array (for example) to overwrite other parts of the kernel… I don't like kernel programming, it's too damn critical (and the fact that it must be done in C guarantees that I WILL make a mistake with pointers/arrays...). Java & Pascal have a lot of ways to avoid those classes of mistakes (unfortunately they are slower than plain C, Java being the slowest).

                    I'll defer to your expertise, I'm a poor programmer at best.  =)

                    JorgeAldoBR

                      I have a basic idea of how to solve this:

                      A binary captive portal app that, upon login, builds a TAP device for this specific user and transfers packets one by one to a (time-based) bucket on the secondary TAP device (which needs to be just one…) and vice versa. Unlogged users can't get routed through the "virtual wires" inside the app, so it is left up to the rest of the system rules whether this guy will navigate the internet...

                      I developed a small HTTP(S) server using FreePascal/Synapse; now I'm translating the tun/tap lib headers to allow me to write a "virtual wire" using it...

                      LAN -----> TAP1 ----virtual wire with speed control/captive portal functionality----> TAP0 -----> WAN or whatever.

                      In at most 1 month I will come back with news...

                      ncrossley

                        Amazing, I started this a while back, but had to abandon pfSense for m0n0. Good to see it taking off!!!

                        JorgeAldoBR

                          Nice, now I have a virtual switch/hub :D

                          My little program creates two virtual Ethernet devices, tap0 and tap1, and swaps packets from one to the other…

                          It doesn't do any traffic shaping yet, but... it's the basis for some tests...

                          It is running on Linux, but FreeBSD does have tun/tap drivers; only their setup is somewhat different (not much).

                          Who can help me test this concept on a Linux box?

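As an added example (not the program from the thread, which was never posted), the following Python simulation shows the two ideas from JorgeAldoBR's last two posts together: a "virtual wire" that swaps frames between a LAN-facing tap (tap1) and a WAN-facing tap (tap0), and a time-based token bucket created per user at captive-portal login, with unauthenticated IPs refused by the wire. The tap devices are modelled as plain queues, the frames are constructed dicts rather than real Ethernet, and the IPs, rates and timestamps are assumptions for illustration; nothing here opens a real tun/tap device.

```python
# Added example: simulated tap1 <-> tap0 "virtual wire" with a time-based
# token bucket per logged-in user. No real tun/tap device is opened; tap0 and
# tap1 are plain queues, and all addresses, rates and times are constructed.
from collections import deque


class TokenBucket:
    """Time-based bucket: refills at `rate` bytes/s, capped at `burst` bytes."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # start full so a fresh login may burst
        self.last = now

    def consume(self, size, now):
        """Refill for the elapsed time, then take `size` tokens if available."""
        elapsed = max(0.0, now - self.last)   # tolerate a clock that steps back
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class VirtualWire:
    """Swaps frames between the LAN-facing tap1 and the WAN-facing tap0.

    Frames are dicts {"src": ip, "dst": ip, "len": bytes}. Only IPs that
    completed login() are forwarded; everything else is dropped here and left
    to the rest of the firewall ruleset, as the post describes.
    """

    def __init__(self):
        self.users = {}          # ip -> {"up": TokenBucket, "down": TokenBucket}
        self.tap0_tx = deque()   # frames handed to the upstream (WAN) side
        self.tap1_tx = deque()   # frames handed to the downstream (LAN) side
        self.drops = []          # (reason, frame) for inspection

    def login(self, ip, up_rate, down_rate, now, burst_seconds=1.0):
        """Captive-portal login: give this IP an upload and a download bucket."""
        self.users[ip] = {
            "up": TokenBucket(up_rate, up_rate * burst_seconds, now),
            "down": TokenBucket(down_rate, down_rate * burst_seconds, now),
        }

    def logout(self, ip):
        self.users.pop(ip, None)

    def _forward(self, ip, direction, frame, now, out_queue):
        user = self.users.get(ip)
        if user is None:
            self.drops.append(("unauthenticated", frame))
            return False
        if user[direction].consume(frame["len"], now):
            out_queue.append(frame)
            return True
        self.drops.append(("rate-limited", frame))
        return False

    def rx_tap1(self, frame, now):
        """Frame from the LAN side: shape by *source* IP (upload)."""
        return self._forward(frame["src"], "up", frame, now, self.tap0_tx)

    def rx_tap0(self, frame, now):
        """Frame from the WAN side: shape by *destination* IP (download)."""
        return self._forward(frame["dst"], "down", frame, now, self.tap1_tx)


def run_demo():
    """Constructed traffic: one logged-in user at 10 kB/s up, one stranger."""
    wire = VirtualWire()
    wire.login("192.168.1.10", up_rate=10_000, down_rate=20_000, now=0.0)

    def up(src, t):
        return wire.rx_tap1({"src": src, "dst": "203.0.113.7", "len": 1500}, t)

    burst_ok = sum(up("192.168.1.10", 0.0) for _ in range(10))   # 6 fit in 10 000 B
    later_ok = sum(up("192.168.1.10", 0.5) for _ in range(5))    # 0.5 s refills 5 000 B
    stranger = up("192.168.1.99", 0.5)                           # never logged in
    return {
        "burst_forwarded": burst_ok,
        "later_forwarded": later_ok,
        "stranger_forwarded": stranger,
        "queued_for_wan": len(wire.tap0_tx),
        "dropped": len(wire.drops),
        "drop_reasons": sorted({reason for reason, _ in wire.drops}),
    }


if __name__ == "__main__":
    print(run_demo())
```

The bucket is keyed on the source IP for frames entering from the LAN and on the destination IP for frames entering from the WAN, which is what "one bucket per user, one wire" amounts to; a real implementation would read frames from the tap file descriptors and parse the IP header, and should refill from a monotonic clock rather than wall time.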
                            sullrich

                              When you are ready to test on FreeBSD, let me know. I cannot assist with Linux, however.

                              craibo

                                This is great, guys, can't wait for it to be ready. Just what I'm looking for.

                              Thanks

                                craibo

                                  Hi guys,

                                  I would just like to know how the development is coming along.
                                  Can't wait to use it.

                                Thanks

                                  Xsempre

                                  Any updates? I'm also very interested!

                                    I am currently experimenting with Esomo (also a FreeBSD mod: esomoline.com), which basically gives me the features that I'm looking for (user-based upload/download limit), but I don't like the way you have to authenticate (users have to set up a VPN connection to get through to the internet, and the web-based login application doesn't seem to work all the time).

                                    Guest

                                      It will be a very nice function; I'm also interested. Is somebody still working on this, or does a bounty exist?

                                    regards
                                    Alfredo

                                      eri--

                                      It is on my list for 1.3 though support wouldn't hurt  ::)

                                        siwireless

                                          OK, I'm a Wireless Internet Service Provider in my area serving over 250 people with internet, but I have no control of my bandwidth. m0n0wall has the feature, but because we offer VoIP through T-Mobile it won't work, so I have to have two servers: one m0n0wall for normal login and pfSense for VoIP, otherwise I'm SOL. This is a pain. All I've got to say is I've a lot of great ideas which have not been started, or people are holding the feature to themselves, which makes me mad. So, people, get together like a team to come up with a solution to this matter. It is very simple. I'm new to FreeBSD/Linux/Unix and I have a degree in computer information systems and tech., so let's come up with a common ground where this will work in the web GUI. Some people do not know how to program; I'm still learning this new style, but I'm taking the time to read books and the internet to see if a feature or PHP add-on can be made to index.php to make another link to do per-user bandwidth settings. If we get together with what we know how to do, then each person can work on a part of it, and then a set of people can work on the kernel to come up with a feature package to add on to it.

                                          siwireless

                                            OK, I've started a bounty, so let's all get involved.
                                          http://forum.pfsense.org/index.php/topic,9068.0.html

                                            JorgeAldoBR

                                              Well, I abandoned this project because someone else demotivated me, saying he was working on a kernel-land patch to make pf work with dummynet (this is the REAL solution to this problem, but it's damn complex).

                                              I have some work to do (actually a lot) this month and most of my projects are stopped. After this critical month I can come back to this.

                                              But IIRC the major obstacle for this userland traffic shaper was getting a good shaping algorithm…

                                              Another solution I thought of was to use pf pipes.

                                              Take my virtual "switch/hub" and place queues relative to the up/down sides, something like this:

                                              tap0 is the virtual Ethernet device that faces upstream
                                              tap1 is the virtual Ethernet device that faces downstream

                                              altq on tap0 bandwidth <sum of all clients' upstream bandwidth> queue ( <one queue per user IP> )
                                              queue bla bla bla // set up each user queue's upload speed

                                              altq on tap1 bandwidth <sum of all clients' downstream bandwidth> queue ( <one queue per user IP> )
                                              queue bla bla bla // set up each user queue's download speed

                                              I.e.: use pf's own ALTQ to shape traffic by using the virtual devices as "hooks".

                                              Then forward all incoming traffic on LAN to the downstream face:

                                              pass in on lan forward-to (tap1, tap1ip) bla bla bla (make this work with a table that lists users logged on the captive portal)
                                              pass in on lan bla bla bla (redirect non-logged users to the captive portal, based on a table that lists non-logged users)

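As an added example (not the thread's own config, which is only sketched with "bla bla bla" above), here is what the ALTQ sketch in that post looks like as an actual pf.conf fragment for the upload side: one queue per logged-in user on tap1, a table that the captive portal maintains, and a redirect for everyone else. Interface names, the next-hop address on tap1, the user IPs, the rates and the portal port are all assumed. The syntax is the FreeBSD 6/7-era pf that pfSense 1.2 used (route-to directly after "on", rdr as a separate translation rule), not the later OpenBSD rule grammar.

```pf
# Added example, not from the thread: per-user ALTQ queues hung off the
# virtual tap1 device, plus the captive-portal table. All names, addresses
# and rates below are assumptions for illustration.
lan_if = "em1"
wan_if = "em0"

# Users that completed the captive-portal login. The portal process adds and
# removes entries at login/logout, e.g.
#   pfctl -t portal_users -T add 192.168.1.10
table <portal_users> persist { 192.168.1.10, 192.168.1.11 }

# ALTQ shapes only what the kernel transmits on an interface, so upload is
# shaped where LAN traffic is pushed into the wire (tap1). The root bandwidth
# is the sum of the per-user upload rates plus a small default queue.
altq on tap1 cbq bandwidth 1536Kb queue { up_default, up_u10, up_u11 }
queue up_default bandwidth 128Kb cbq(default)
queue up_u10     bandwidth 1Mb
queue up_u11     bandwidth 384Kb

# Not logged in: web traffic goes to the portal (assumed on 127.0.0.1:8000).
rdr on $lan_if proto tcp from ! <portal_users> to any port 80 -> 127.0.0.1 port 8000

# Logged-in users: hand their LAN traffic to the wire through tap1 and tag
# the state with the user's upload queue. 10.99.0.2 is an assumed address on
# the tap1 link that the userland wire answers ARP for.
pass in quick on $lan_if route-to (tap1 10.99.0.2) from 192.168.1.10 to any keep state queue up_u10
pass in quick on $lan_if route-to (tap1 10.99.0.2) from 192.168.1.11 to any keep state queue up_u11

# Let the redirected portal connections through; drop everything else from
# addresses that are not logged in.
pass in quick on $lan_if proto tcp from ! <portal_users> to 127.0.0.1 port 8000 keep state
block in on $lan_if from ! <portal_users> to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` and watch the per-user counters with `pfctl -vs queue`; if the packet counters on up_u10 never move, the queue exists but the tap driver on that kernel is not handing packets to ALTQ, and the whole approach fails silently. Two practical caveats follow from pf's state handling. First, when the portal adds a user to the table, states created by the rdr rule for that user's earlier connections survive and keep going to the portal, so the portal should also run `pfctl -k 192.168.1.10` at login. Second, replies from the WAN belong to the state created by the LAN rule and are not re-evaluated against a rule on $wan_if, so the download side (the mirror of this on tap0) cannot simply be a second set of `pass in on $wan_if` rules; it needs its own state handling, which the post leaves open and this fragment does not attempt.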
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.