Netgate Discussion Forum

    Traffic Shaper + Simple bridge possible?

    Traffic Shaping
    13 Posts 4 Posters 11.1k Views
      mogie

      It is possible I will try to DMZ the modem/router to the pfSense and NAT it from there instead. However, the transparent bridge shaper would be much easier and more reliable, since I would not have to move all my settings from the modem/router over to pfSense. Unfortunately it would be a whole set of webservers to NAT properly, which will bring me a lot of dead time for my pretty critical internet services.

        dvserg

        @mogie:

        @dvserg:

        I have this configuration. But shaped only incoming traffic.

        Well, it's a first step. :) Any way to share how you've done it? Much manual configuration after (or without) the wizard?

        After all, is this feature possible at all? Traffic shaping on both in and out?

        I created basic rules with the wizard and adapted them to my needs (deleted one and added others).
        I can't shape outgoing traffic (tested different variants).

        SquidGuardDoc EN  RU Tutorial
        Localization ru_PFSense

          mogie

          So to shape both incoming and outgoing, I will need to NAT the network then? Alternatively use m0n0wall for a transparent bridge? The DMZ alternative seems to be it then? :)

          thanks for the reply btw!

            dvserg

            I have this rules.debug (ALTQ part):

            
            # System Aliases 
            loopback = "{ lo0 }"
            lan = "{ rl0  bridge0 }"
            wan = "{ xl0  bridge0 }"
            enc0 = "{ enc0 }"
            
             ...
            
            scrub all random-id  fragment reassemble
            altq on xl0 hfsc bandwidth 4Mb queue { qwanRoot }
            altq on rl0 hfsc bandwidth 256Kb queue { qlanRoot }
            
            queue qwanRoot bandwidth 4Mb priority 0 hfsc { qwandef, qwanacks, qwanHi, qRdpUp, qwebUp, qmailUp, smtp_up, qtestW }
            queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qlanHi, qRdpDown, qwebDown, qmailDown, smtp_down, qtestL }
            queue qwandef bandwidth 20% priority 3 hfsc (  default realtime 10% )
            queue qlandef bandwidth 20% priority 3 hfsc (  default realtime 10% )
            queue qwanacks bandwidth 24Kb priority 7 hfsc (  realtime 8Kb )
            queue qlanacks bandwidth 24Kb priority 7 hfsc (  realtime 8Kb )
            queue qwanHi bandwidth 32Kb priority 7 hfsc (  realtime 16Kb )
            queue qlanHi bandwidth 32Kb priority 7 hfsc (  realtime 16Kb )
            queue qRdpUp bandwidth 48Kb priority 6 hfsc (  realtime(64Kb 300 32Kb) )
            queue qRdpDown bandwidth 48Kb priority 6 hfsc (  realtime(32Kb 300 32Kb) )
            queue qwebUp bandwidth 24Kb priority 4 hfsc (  red ecn linkshare 24Kb realtime(48Kb 300 24Kb) )
            queue qwebDown bandwidth 24Kb priority 4 hfsc (  red ecn rio realtime(48Kb 300 24Kb) )
            queue qmailUp bandwidth 24Kb priority 2 hfsc (  red ecn rio realtime(48Kb 300 12Kb) )
            queue qmailDown bandwidth 24Kb priority 2 hfsc (  red ecn upperlimit 48Kb realtime(48Kb 300 24Kb) )
            queue smtp_down bandwidth 4Kb priority 2 hfsc (  red ecn rio upperlimit 4Kb realtime 4Kb )
            queue smtp_up bandwidth 4Kb priority 2 hfsc (  red ecn rio upperlimit 4Kb realtime 4Kb )
            queue qtestW bandwidth 10Kb priority 2 hfsc (  red ecn rio realtime 10Kb )
            queue qtestL bandwidth 10Kb priority 2 hfsc (  red ecn rio realtime 10Kb )
            
            ...
            
            # UPnPd rdr anchor
            rdr-anchor "miniupnpd"
            
            block in all tag unshaped label "SHAPER: first match rule"
            pass in on  $wan proto esp from any  to any  keep state tagged unshaped tag qwandef 
            pass out on $lan proto esp from any to any keep state tagged qwandef tag qlandef
            pass in on  $lan proto esp from any  to any  keep state tagged unshaped tag qlandef 
            pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
            pass in on  $wan proto ah from any  to any  keep state tagged unshaped tag qwandef 
            pass out on $lan proto ah from any to any keep state tagged qwandef tag qlandef
            pass in on  $lan proto ah from any  to any  keep state tagged unshaped tag qlandef 
            pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
            pass in on  $wan proto icmp from any  to any  keep state tagged unshaped tag qwanHi 
            pass out on $lan proto icmp from any to any keep state tagged qwanHi tag qlanHi
            pass in on  $lan proto icmp from any  to any  keep state tagged unshaped tag qlanHi 
            pass out on $wan proto icmp from any to any keep state tagged qlanHi tag qwanHi
            pass in on  $lan proto tcp from any  to any port 53  keep state tagged unshaped tag qlanHi 
            pass out on $wan proto tcp from any to any port 53 keep state tagged qlanHi tag qwanHi
            pass in on  $lan proto udp from any  to any port 53  keep state tagged unshaped tag qlanHi 
            pass out on $wan proto udp from any to any port 53 keep state tagged qlanHi tag qwanHi
            pass in on  $wan proto tcp from any port 3389  to any  keep state tagged unshaped tag qRdpUp 
            pass out on $lan proto tcp from any to any keep state tagged qRdpUp tag qRdpDown
            pass in on  $lan proto tcp from any  to any port 3389  keep state tagged unshaped tag qRdpDown 
            pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
            pass in on  $wan proto tcp from any  to any port 25  keep state tagged unshaped tag smtp_up 
            pass out on $lan proto tcp from any to any port 25 keep state tagged smtp_up tag smtp_down
            pass in on  $lan proto tcp from any  to any port 25  keep state tagged unshaped tag smtp_down 
            pass out on $wan proto tcp from any to any port 25 keep state tagged smtp_down tag smtp_up
            pass in on  $wan proto tcp from any port 110  to any  keep state tagged unshaped tag qmailUp 
            pass out on $lan proto tcp from any to any keep state tagged qmailUp tag qmailDown
            pass in on  $lan proto tcp from any  to any port 110  keep state tagged unshaped tag qmailDown 
            pass out on $wan proto tcp from any to any port 110 keep state tagged qmailDown tag qmailUp
            
            ...
            
            # pass traffic from firewall -> out
            anchor "firewallout"
            pass out quick on xl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
            pass out quick on xl0 all keep state tagged qwanHi queue (qwanHi, qwanacks) label "let out anything from firewall host itself"
            pass out quick on xl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
            pass out quick on xl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
            pass out quick on xl0 all keep state tagged qmailUp queue (qmailUp, qwanacks) label "let out anything from firewall host itself"
            pass out quick on xl0 all keep state tagged smtp_up queue (smtp_up, qwanacks) label "let out anything from firewall host itself"
            pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state tagged qlanHi queue (qlanHi, qlanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state tagged qmailDown queue (qmailDown, qlanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state tagged smtp_down queue (smtp_down, qlanacks) label "let out anything from firewall host itself"
            pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
            pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
            pass out quick on $enc0 keep state label "IPSEC internal host to host"
            # make sure the user cannot lock himself out of the webGUI or SSH
            anchor "anti-lockout"
            pass in quick from any to 10.62.0.3 keep state label "anti-lockout web rule"
            
            

              dvserg

              Looking at the last part, the pass rules name real interfaces only.
              In the previous rules part, the $wan and $lan aliases are used.
              In the last part, the bridge0 interface is not written (only the default).
              --
              I rewrote the last part as:

              # pass traffic from firewall -> out
              anchor "firewallout"
              pass out quick on $wan all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
              pass out quick on $wan all keep state tagged qwanHi queue (qwanHi, qwanacks) label "let out anything from firewall host itself"
              pass out quick on $wan all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
              pass out quick on $wan all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
              pass out quick on $wan all keep state tagged qmailUp queue (qmailUp, qwanacks) label "let out anything from firewall host itself"
              pass out quick on $wan all keep state tagged smtp_up queue (smtp_up, qwanacks) label "let out anything from firewall host itself"
              pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
              pass out quick on $lan all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
              pass out quick on $lan all keep state tagged qlanHi queue (qlanHi, qlanacks) label "let out anything from firewall host itself"
              pass out quick on $lan all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
              pass out quick on $lan all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
              pass out quick on $lan all keep state tagged qmailDown queue (qmailDown, qlanacks) label "let out anything from firewall host itself"
              pass out quick on $lan all keep state tagged smtp_down queue (smtp_down, qlanacks) label "let out anything from firewall host itself"
              pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
              pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
              pass out quick on $enc0 keep state label "IPSEC internal host to host"
              # make sure the user cannot lock himself out of the webGUI or SSH
              anchor "anti-lockout"
              pass in quick from any to 10.62.0.3 keep state label "anti-lockout web rule"
              
              

              Aliases $lan and $wan contain the bridge0 interface.
              After that, I have a working shaper IN and OUT (two queues work).
              I don't know how this influences system operation, but I need the shaper more than anything else.

              --
              Test to be continued.  ::)
              PS: I already changed my shaper sources to generate the "right" ruleset.

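The difference between the two rules.debug dumps above is only visible once the $wan/$lan aliases are expanded: in the stock "firewallout" block the queue-assigning pass-out rules name xl0 and rl0, and bridge0 gets a plain pass with no queue, so anything leaving through the bridge is never handed to ALTQ. The following Python lint, added here as an example (it is not code from the thread or from pfSense), parses a trimmed rules.debug-style text, expands the aliases, and reports which interfaces have at least one queue-assigning pass-out rule and which only pass traffic unqueued. The sample rulesets STOCK and FIXED are constructed from the shape of the two dumps (labels shortened, most queues omitted); the regexes and function names are this example's own.

```python
"""Lint a pfSense rules.debug-style ruleset for interfaces whose outbound
traffic never gets an ALTQ queue assignment (the bridge0 gap from the thread)."""
import re

# Constructed sample rulesets, trimmed from the shape of the thread's
# rules.debug dumps (labels shortened, most queues omitted).
HEADER = '''
lan = "{ rl0  bridge0 }"
wan = "{ xl0  bridge0 }"
altq on xl0 hfsc bandwidth 4Mb queue { qwanRoot }
altq on rl0 hfsc bandwidth 256Kb queue { qlanRoot }
queue qwanRoot bandwidth 4Mb priority 0 hfsc { qwandef, qwanacks }
queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks }
queue qwandef bandwidth 20% priority 3 hfsc ( default realtime 10% )
queue qlandef bandwidth 20% priority 3 hfsc ( default realtime 10% )
queue qwanacks bandwidth 24Kb priority 7 hfsc ( realtime 8Kb )
queue qlanacks bandwidth 24Kb priority 7 hfsc ( realtime 8Kb )
'''
# STOCK: queue assignments only on the physical interfaces; bridge0 passes unqueued.
STOCK = HEADER + '''
pass out quick on xl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "fw out"
pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "fw out"
pass out quick on rl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "fw out"
pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "fw out"
pass out quick on bridge0 all keep state label "fw out"
'''
# FIXED: the tagged rules use $wan/$lan, which expand to the physical interface plus bridge0.
FIXED = HEADER + '''
pass out quick on $wan all keep state tagged qwandef queue (qwandef, qwanacks) label "fw out"
pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "fw out"
pass out quick on $lan all keep state tagged qlandef queue (qlandef, qlanacks) label "fw out"
pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "fw out"
pass out quick on bridge0 all keep state label "fw out"
'''

ALIAS_RE = re.compile(r'^(\w+)\s*=\s*"\{([^}]*)\}"$')      # lan = "{ rl0  bridge0 }"
ALTQ_RE = re.compile(r'^altq on (\S+)')                    # altq on xl0 hfsc ...
QUEUE_DEF_RE = re.compile(r'^queue (\S+) bandwidth')       # queue qwandef bandwidth ...
PASS_OUT_RE = re.compile(r'^pass out\b.*?\bon (\S+)')      # pass out quick on $wan ...
QUEUE_USE_RE = re.compile(r'\bqueue \(([^)]*)\)')          # ... queue (qwandef, qwanacks)


def parse_ruleset(text):
    """Return (aliases, altq_ifaces, defined_queues, pass_out_rules).
    Each pass-out rule is (interfaces it applies to, queues it assigns)."""
    aliases, altq_ifaces, defined, rules = {}, set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if m := ALIAS_RE.match(line):
            aliases[m.group(1)] = m.group(2).split()
        elif m := ALTQ_RE.match(line):
            altq_ifaces.add(m.group(1))
        elif m := QUEUE_DEF_RE.match(line):
            defined.add(m.group(1))
        elif m := PASS_OUT_RE.match(line):
            target = m.group(1)
            # "$wan" expands through the alias table; a bare name is one interface
            ifaces = aliases.get(target[1:], []) if target.startswith('$') else [target]
            qm = QUEUE_USE_RE.search(line)
            queues = tuple(q.strip() for q in qm.group(1).split(',')) if qm else ()
            rules.append((tuple(ifaces), queues))
    return aliases, altq_ifaces, defined, rules


def audit_shaping(text):
    """Classify every interface named by a pass-out rule as 'queued' (at least one
    pass-out rule on it assigns a queue) or 'unshaped' (only queue-less pass-out
    rules, so packets leaving that way are never handed to ALTQ), and list queue
    names that rules reference but the ruleset never defines."""
    _aliases, altq_ifaces, defined, rules = parse_ruleset(text)
    seen, queued, undefined = set(), set(), set()
    for ifaces, queues in rules:
        seen.update(ifaces)
        if queues:
            queued.update(ifaces)
            undefined.update(q for q in queues if q not in defined)
    return {
        'interfaces': {i: ('queued' if i in queued else 'unshaped') for i in sorted(seen)},
        'altq_interfaces': sorted(altq_ifaces),
        'undefined_queues': sorted(undefined),
    }


def unshaped_interfaces(text):
    """Interfaces whose outbound traffic can never be queued under this ruleset."""
    return [i for i, s in audit_shaping(text)['interfaces'].items() if s == 'unshaped']


if __name__ == '__main__':
    for name, ruleset in (('stock', STOCK), ('fixed', FIXED)):
        print(name, audit_shaping(ruleset))
        print(name, 'unshaped:', unshaped_interfaces(ruleset))
```

Against STOCK the lint reports bridge0 as unshaped; against FIXED, where the aliases carry bridge0 into the tagged rules, nothing is unshaped. The check is deliberately static: it only asks whether some queue-assigning rule names an interface. It does not model pf's last-match and quick evaluation or when a tag becomes visible to later rules, so a "queued" verdict means coverage exists, not that every flow lands in the queue its tag intends.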
                dvserg

                /etc/inc/filter.inc[2972]:

                
    foreach ($config['shaper']['queue'] as $queue) {
        if (!filter_is_queue_being_used_on_interface($queue['name'], $ifname, 'out'))
            continue;
        if ($ackq == "" || $defq == "") {
            /* Shaper must not be enabled on this interface */
            $q = "";
        } else {
            $q = "queue ({$queue['name']}, {$ackq})";
        }
        /* original line: emits the rule on the real interface name in $int (e.g. xl0) */
        # $rule .= "pass out quick on {$int} all keep state tagged {$queue['name']} {$q} label \"let out anything from firewall host itself\"\n";
        # dvserg bridge fix: emit the rule on the friendly alias ($wan/$lan) instead,
        # so it also covers bridge0, which those aliases contain
        $zzz = convert_real_interface_to_friendly_descr($int);
        $rule .= "pass out quick on \${$zzz} all keep state tagged {$queue['name']} {$q} label \"let out anything from firewall host itself\"\n";
    }
                
                

                  xromain

                  Will this patch be applied in the next RC?

                    dvserg

                    @xromain:

                    This patch will be applied in next RC ?

                    No. This is my private modification for ALTQ on BRIDGE.
                    I use this to achieve the desired effect, and don't know how this affects the entire system in other regimes.
                    But now I use WAN-LAN bridged and OPT1 as the internet interface. At first glance, it works well.

                      xromain

                      I have tested your patch. But outgoing traffic (from LAN to bridged WAN) is queued in qlandef instead of the custom queue. Only incoming traffic is correctly queued.

                      Here are my rules:

                      
                      loopback = "{ lo0 }"
                      lan = "{ re0  bridge0 }"
                      wan = "{ vr0  bridge0 }"
                      enc0 = "{ enc0 }"
                      
                      ...
                      
                      pass out quick on $wan all keep state tagged qwanDNS queue (qwanDNS, qwanacks) label "let out anything from firewall host itself"
                      pass out quick on $wan all keep state tagged qwanTEST queue (qwanTEST, qwanacks) label "let out anything from firewall host itself"
                      pass out quick on vr0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
                      pass out quick on $lan all keep state tagged qlanDNS queue (qlanDNS, qlanacks) label "let out anything from firewall host itself"
                      pass out quick on $lan all keep state tagged qlanTEST queue (qlanTEST, qlanacks) label "let out anything from firewall host itself"
                      pass out quick on re0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
                      pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
                      pass out quick on $enc0 keep state label "IPSEC internal host to host"
                      
                      ...
                      
                      block in all tag unshaped label "SHAPER: first match rule"
                      pass in on  $wan proto udp from any  to X.X.X.X port 53  keep state tagged unshaped tag qwanDNS
                      pass out on $lan proto udp from any to X.X.X.X port 53 keep state tagged qwanDNS tag qlanDNS
                      pass in on  $wan proto udp from any  to Y.Y.Y.Y port 53  keep state tagged unshaped tag qwanDNS
                      pass out on $lan proto udp from any to Y.Y.Y.Y port 53 keep state tagged qwanDNS tag qlanDNS
                      pass in on  $wan proto udp from any  to X.X.X.X port 1024:65535  keep state tagged unshaped tag qwanTEST
                      pass out on $lan proto udp from any to X.X.X.X port 1024:65535 keep state tagged qwanTEST tag qlanTEST
                      pass in on  $lan proto udp from X.X.X.X port 53  to any  keep state tagged unshaped tag qlanDNS
                      pass out on $wan proto udp from any to any keep state tagged qlanDNS tag qwanDNS
                      pass in on  $lan proto udp from Y.Y.Y.Y port 53  to any  keep state tagged unshaped tag qlanDNS
                      pass out on $wan proto udp from any to any keep state tagged qlanDNS tag qwanDNS
                      pass in on  $lan proto udp from X.X.X.X port 1024:65535  to any  keep state tagged unshaped tag qlanTEST
                      pass out on $wan proto udp from any to any keep state tagged qlanTEST tag qwanTEST
                      
                      

                      What's wrong, doctor?

                        eri--

                        With the new shaper code you will be able to do bridge shaping and more.

                        This is just an update so that people don't mess with their systems.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.