    HOWTO: pfSense 1.2.x Traffic Shaping with Squid Transparent Proxy

    Traffic Shaping
iBeej:

I have not set up or tested this in a Multi-WAN configuration. I'm sure there would be more configuration with your routing/rules, which again would be custom modifications to the base system. I would be interested in hearing more of your stories, for those who have attempted this. I will be setting up a multi-WAN for testing purposes in a couple of months to test some redundancy features of our WAN, and I will post an update with my results.

alejandrolor:

Hello
Could this work with two LAN interfaces (LAN and Opt1)? Sorry, my English is not good.

Could this work on 2 LAN interfaces (LAN and OPT1)? I ask because I have a wireless network on OPT1.
Thanks

Still:

          Tested and worked pretty well on 1.2 and 1.2.2, many thanks!!
          Sticky!

wonslung:

I wanted to let you know this works great in 1.2.3, but it didn't work at all until a reboot... very impressed.

ldillon:

I'm having a similar problem (transparent Squid proxy with traffic shaping enabled; not traffic shaping within Squid, but under Firewall -> Traffic Shaper), except that the Traffic Shaper is throttling Squid cache hits.

              We have the cache tuned to cache large files and most of the hits are things like Windows updates and Ubuntu updates.

              Please don't tell me to set up a WUS and Ubuntu mirror ;-)

jigpe:

I have installed squid and it works with traffic shaping. How do I limit the download/upload if the user uses ftp, or ssh and then ftp from the cli?

                jigp
                Davao City

hdavy2002:

                  Works beautifully. Thanks

jigpe:

Thanks for the tutorials. Still fighting with ftp/ssh/http dl/up... :(

                    jigp
                    Davao City

Meulator:

                      Hey there,

Something I didn't get: in squid.inc, do I have to change every "127.0.0.1" to "my.pfsense.lan.ip"? Or only 3 of them?

Because I tried changing all of them, changing the default https port & firewall rule, rebooted the pfSense box... and then I could not get the captive portal page...

javerleo:

                        Thanks iBeej.
This hack is what I've been looking for for a long time. It worked fine on pfSense 1.2, but now the squidguard filter rules seem not to be working.
                        Some clues?

-----------
                        God is my best friend

i_robot73:

                          This seemed to work for me:

Add:

function squid_resync_general() {
	global $g, $config, $valid_acls;

	/* Take the address of the last listed interface that has one.
	   $ifaces is assumed to be the comma-separated list of active
	   interfaces already available in this function. */
	$WAN_IP = "0.0.0.0";
	foreach (explode(",", $ifaces) as $i => $iface) {
		$real_ifaces[] = squid_get_real_interface_address($iface);
		if ($real_ifaces[$i][0]) {
			$WAN_IP = "{$real_ifaces[$i][0]}";
		}
	}

                          Change things like:

                          if (($settings['transparent_proxy'] == 'on')) {
                          		$conf .= "http_port 127.0.0.1:80 transparent\n";
                          	}
                          

                          to

                          if (($settings['transparent_proxy'] == 'on')) $conf .= "http_port {$WAN_IP}:80 transparent\n";
                          
lifeboy:

                            You said this worked for you, but:

                            @i_robot73:

function squid_resync_general() {
	global $g, $config, $valid_acls;

	/* Take the address of the last listed interface that has one.
	   $ifaces is assumed to be the comma-separated list of active
	   interfaces already available in this function. */
	$WAN_IP = "0.0.0.0";
	foreach (explode(",", $ifaces) as $i => $iface) {
		$real_ifaces[] = squid_get_real_interface_address($iface);
		if ($real_ifaces[$i][0]) {
			$WAN_IP = "{$real_ifaces[$i][0]}";
		}
	}
                            

                            Why do you use $WAN_IP here?  I thought we are looking to let squid send traffic to LAN_IP?

                            I have rules on the LAN (to provide loadbalancing/failover), which are also not triggered when running a transparent proxy.  So changing to WAN_IP above will not be the same as the hack that was described at the top of this post.

Then you say:

                            @i_robot73:

                            Change things like:

                            if (($settings['transparent_proxy'] == 'on')) {
                            		$conf .= "http_port 127.0.0.1:80 transparent\n";
                            	}
                            

                            to

                            if (($settings['transparent_proxy'] == 'on')) $conf .= "http_port {$WAN_IP}:80 transparent\n";
                            

                            Does this mean that the references below need to be changed as well?

acl localhost src 127.0.0.1/255.255.255.255

and

foreach ($ifaces as $iface) {
	$rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
}
/* Handle PPPOE case */
if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
	$rules .= "rdr on $PPPOE_ALIAS proto tcp from any to 127.0.0.1 port 80 -> 127.0.0.1 port 80\n";
}
/* Handle PPTP case */
if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
	$rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 172.0.0.1 port 80\n";
}

                            Please comment, since this seems a little mixed up to me.

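As an added sanity check for the question above (this is not code from the thread or from the pfSense squid package): a small Python script that reads the transparent http_port line squid.inc generates and the pf rdr rules it emits, and flags every redirect whose target is not the address:port squid actually binds to. The sample config and rules are constructed to look like the lines quoted in this thread; interface names and addresses are assumptions.

```python
import re

# Constructed sample of the generated squid.conf listener line and of the
# pf rdr rules squid.inc emits for a transparent proxy (not taken from a
# real box). The PPTP rule is deliberately left on 127.0.0.1 so the check
# has something to flag, as happens when only some of the 127.0.0.1
# references in squid.inc are edited.
SQUID_CONF = "http_port 192.168.10.1:80 transparent\n"
PF_RULES = """\
rdr on em1 proto tcp from any to !(em1) port 80 -> 192.168.10.1 port 80
rdr on pppoe proto tcp from any to !192.168.10.1 port 80 -> 192.168.10.1 port 80
rdr on pptp proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80
"""

HTTP_PORT_RE = re.compile(r"^http_port\s+(\S+):(\d+)\s+transparent", re.M)
RDR_RE = re.compile(r"^rdr on (\S+) .*?-> (\S+) port (\d+)$", re.M)


def squid_listener(conf):
    """Return (address, port) squid listens on in transparent mode, or None."""
    m = HTTP_PORT_RE.search(conf)
    return (m.group(1), int(m.group(2))) if m else None


def rdr_targets(rules):
    """Return [(interface, target_address, target_port)] for every rdr rule."""
    return [(iface, addr, int(port)) for iface, addr, port in RDR_RE.findall(rules)]


def check_consistency(conf, rules):
    """List rdr rules that redirect port 80 somewhere squid is not listening.

    Clients behind such an interface lose HTTP entirely, so every target
    must equal the http_port address and port.
    """
    listener = squid_listener(conf)
    if listener is None:
        return ["no transparent http_port line found in squid.conf"]
    problems = []
    for iface, addr, port in rdr_targets(rules):
        if (addr, port) != listener:
            problems.append(
                f"rdr on {iface} -> {addr}:{port} but squid listens on "
                f"{listener[0]}:{listener[1]}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_consistency(SQUID_CONF, PF_RULES):
        print(problem)
```

Run it against the real squid.conf and the output of `pfctl -sn` after editing squid.inc; an empty result means every redirect and the listener agree.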
dondos:

I also tried this hack. I changed every instance of 127.0.0.1 to 192.168.10.1 (my LAN IP address):

                              
                              Search "192.168.10.1" (9 hits in 1 files)
                              	Line 603: 		$conf .= "http_port 192.168.10.1:80 transparent\n";
                              	Line 766: acl localhost src 192.168.10.1/255.255.255.255
                              	Line 1285: 				$rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 192.168.10.1 port 80\n";
                              	Line 1289: 				$rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !192.168.10.1 port 80 -> 192.168.10.1 port 80\n";
                              	Line 1289: 				$rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !192.168.10.1 port 80 -> 192.168.10.1 port 80\n";
                              	Line 1293: 				$rules .= "rdr on $PPTP_ALIAS proto tcp from any to !192.168.10.1 port 80 -> 192.168.10.1 port 80\n";
                              	Line 1293: 				$rules .= "rdr on $PPTP_ALIAS proto tcp from any to !192.168.10.1 port 80 -> 192.168.10.1 port 80\n";
                              	Line 1306: 				$rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !192.168.10.1 port $port flags S/SA keep state\n";			
                              	Line 1309: 				$rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !192.168.10.1 port $port flags S/SA keep state\n";
                              
                              

but I ended up with a state table full with almost 60,000 connections.

I think I've done something wrong...


cylent:

I have 1.2.3-release and this REALLY slowed my net and webGUI management to a crawl!!!

Either it doesn't work with 1.2.3 or I did something wrong.

Please advise.

rdlugosz:

So I'm using 1.2.3 with the transparent proxy enabled (and verified on, because it's showing hits in the lightsquid logs). I am NOT seeing the behavior described in the first post. On my system, I see P2P traffic in the P2P queues and web traffic seems to go into the qOthersDownH queue.

                                  Also curious is that I do not see any packets in my queues related to my VoIP adapter now that I've re-run the wizard and gave it the IP Address of the adapter.  One of the first rules is that anything on that IP routes to the qVOIP queues… I saw some traffic being registered there when it was just set up to route the SIP port packets to those queues, but for whatever reason it doesn't show up when the whole IP is sent there.

                                  Anyway, my main point in posting is to say that I'm NOT seeing the behavior of web traffic going to the default queues due to the proxy.  It's possible that I've got something configured incorrectly, but it appears that the shaper is doing its job.  Any thoughts?

moonspud:

Does this work with penalty IP shaping?

udhaya:

                                      Hello iBeej,

I tried as you said. I am able to penalize the download but not the upload. Is there anything else I need to follow? Please suggest more ideas. I am new to this.

                                      Ver: 1.2.3-Release

bailer:

I installed 1.2.3 and followed this guide. I noticed that there are 9 entries of 127.0.0.1 in the conf file instead of 3, but after reviewing the code a bit I only changed the first 3 entries of 127.0.0.1 to the gateway IP, and everything seems to be working fine for me!

splippity:

                                          Is this still relevant with 2.0RC1? I assume it is so after every update I make the changes that it tells you to. Thanks

kirlox_kitoy:

So what should the order be? Install the squid package first and then the traffic shaper, or the other way around: mess with the traffic shaper first and install squid last?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.