Very simple (I hope) Traffic Shaping Scenario
-
There's only one service on our network that I would like to implement traffic shaping for: the nightly backup via rsync/ssh to a remote server on the WAN. Since the traffic is encrypted, deep packet inspection is impossible, but I can use any port I want to isolate that particular backup.
Let's say if I do the backup on port 12345. Since I don't want the backup to affect network performance, I would like traffic on port 12345 from LAN to WAN to be lower priority than anything else going out to the WAN.
I really don't understand traffic shaping. Is such a setup possible?
-
Yes. You simply add a rule for the traffic destined for port 12345 to be set to the lower priority queue. To further isolate, you might want to restrict the source to the server(s) initiating the outbound SSH/ RSYNC connection.
-
Thank you for your advice. Unfortunately, my knowledge of traffic shaping is not comprehensive enough to know how to do that.
I tried using http://doc.pfsense.org/index.php/Traffic_Shaping_Guide, but the document seems incomplete, so many questions are unanswered.
(1) This is for traffic going from LAN to WAN, so would I establish a traffic shaper for the LAN interface or for the WAN interface?
(2) The options the wizard gives me are: Single LAN/Multi WAN, Single WAN/Multi LAN, Multiple LAN/WAN, and Dedicated Links. I have Single LAN/Single WAN, which isn't listed. Which choice is appropriate?
(3) I have the choice to "Enable/disable discipline and its children." I can't find in the documentation what that means.
(4) I can choose HFSC, PRIQ, CBQ, or FAIRQ. PRIQ is described in the documentation, and seems to be what I want. No other choices are described. Other choices seem to be set up so that I can assign a bandwidth limit to each queue. I don't want to limit the bandwidth. I just want traffic on port 12345 to be lower priority than anything else.
Is there anywhere that this process is described in more detail?
-
You didn't mention if you were using pfSense version 2.0 or 1.2.x but the traffic shaper has been improved a lot in the newer version.
For question #2, use (single lan/multi wan) and enter 1 for the number of wan interfaces.
Walk through with screenshots on traffic shaping using pfSense 2.0
http://hubpages.com/_pfsense/hub/How-to-Configure-Deep-Packet-Inspection-Using-pfSense
For some of your more technical questions this guide is highly informative and goes pretty deep.
-
Thank you for the links. The hubpages link seems have the kind of step-by-step tutorial I need to get started.
BTW I'm using pfSense 2.0, which may be part of the problem. I suspect it's so new that many of the options haven't been documented yet.
Now it's time to educate myself from those links you provided.
-
Also, I would read through this excellent post below by ermal. I think this will further assist you in setting things up.
http://forum.pfsense.org/index.php/topic,2718.msg48336.html#msg48336
-
1) On older pfSense 2.0 builds, you set a floating rule without selecting interface OR a rule on the LAN tab. On the newer RC1 builds (you can select Queue as the action), you will want 2 rules, one for the LAN tab and one floating. There are certain issues with matching the traffic both ways and I've found that setting 2 rules, one in floating, one in LAN, will help match the traffic both ways.
2) Choose Single LAN, Multi-WAN. Enter 1 for number of WAN connections when prompted.
3) Use the traffic shaper wizard and ignore that for now.
4) You want PRIQ, this can be set in the traffic shaper wizard. Follow the wizard through, don't select VOIP prioritising unless you have such traffic. For the applications page, select a random application (say HTTP) and set to lower priority.
After you're done with the wizard, head to Firewall -> Rules -> Floating. You will see a rule for HTTP, go ahead and delete the rule. We just needed it so that the shaper will create the lower priority queue for you. Now, head to LAN tab. Add a rule by clicking the '+' sign at the top right corner.
For protocol, set the appropriate protocol (TCP or UDP) for the RSYNC or SSH service.
For source, you can select 'Single Host', enter the LAN IP of the server making the outbound connection.
For destination, select Any and the port as the port on your destination server (12345 in the example you gave).
Scroll down to Queues then select qAck/ qOtherLow for the queues.
Click save. You will be brought to the Rules page again. This time, head to the LAN tab and find the rule you just created. Click the '+' sign beside the rule to duplicate it. Follow the above but set the protocol and destination port as per the 2nd rule you need (SSH if the first rule was Rsync, vice versa). Click save.
Now head to Floating rules, add a new rule. For Action, select 'Queue'. Protocol as per above. Do not select direction and do not select the interface. Just select the destination port and set the queues below and save. Again, duplicate as with the LAN rules.
You should be good to go from there.
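For readers who want to see what the GUI procedure above boils down to, here is a hand-written pf.conf fragment that expresses the same thing. It is an added example, not pfSense's generated ruleset and not dreamslacker's own config; the interface names (em0 for WAN, em1 for LAN), the LAN subnet, the backup server address and the 60Mb link rate are assumed placeholders, while the queue names are the ones the pfSense wizard creates.

```pf
# Added example: pf.conf equivalent of "PRIQ shaper + one low-priority rule".
# Interface names, addresses and the link rate below are assumptions.
wan_if      = "em0"              # assumed WAN interface
lan_if      = "em1"              # assumed LAN interface
lan_net     = "192.168.1.0/24"   # assumed LAN subnet
backup_srv  = "192.168.1.10"     # assumed host running rsync over ssh
backup_port = "12345"            # port from the thread

# The queues are attached to the interface the traffic LEAVES, i.e. WAN for
# LAN->WAN backups.  PRIQ has no per-queue bandwidth: only a priority
# (15 = highest, 0 = lowest); a higher-priority queue is always served first.
altq on $wan_if priq bandwidth 60Mb queue { qACK, qOthersHigh, qDefault, qOthersLow }
queue qACK        priority 7
queue qOthersHigh priority 5
queue qDefault    priority 3 priq(default)
queue qOthersLow  priority 1

# Match the backup session where it enters (LAN side).  pf remembers the
# queue assignment in the state entry and applies it when the packets are
# sent out on $wan_if.  The second queue name is used for pure ACKs, so the
# backup's acknowledgements still travel in qACK and the transfer is not
# starved of ACKs even when qOthersLow is waiting.
pass in quick on $lan_if inet proto tcp from $backup_srv to any port $backup_port \
    flags S/SA keep state queue (qOthersLow, qACK)

# Everything else from the LAN goes to the default queue, with ACKs in qACK.
pass in on $lan_if inet proto tcp from $lan_net to any \
    flags S/SA keep state queue (qDefault, qACK)
```

Matching on the LAN side rather than on WAN is the same trick as the LAN-tab rule in the procedure above: pf performs NAT before filtering on the outbound path, so a rule on the WAN interface would see the translated source address and could not match on the backup server's LAN IP. After loading the rules, `pfctl -vsq` prints per-queue packet and byte counters; during a backup the qOthersLow counters should climb while qDefault stays idle, which is the quickest way to confirm the rule is actually catching the port 12345 session.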
-
Thank you dreamslacker!
Your step-by-step procedure worked like a charm. The only thing I modified is that I only set it up for one port, since my understanding is that the command ' rsync -e "ssh -p 12345" ' only uses port 12345. No other ports are used, to the best of my knowledge.
-
Oh.. I was under the impression that you had 2 separate methods (RSYNC via other ports AND SSH FTP). In your case, you only need to prioritise the SSH tunnel (so to speak).
-
Just a quick followup:
Following dreamslacker's procedure, I allocated port 12345 traffic to a lower priority queue. Nothing else is prioritized. My firewall is an ancient Pentium III 1GHz computer with 512MB of memory (I chose it because it was a lot faster than my Commodore 64 :-)).
Now, when I do a bandwidth test with no other network activity, it maxes out at about 30Mbits. Before I implemented the traffic shaping, it maxed out at 60-70 Mbits. During the test, CPU load on the firewall remains low (0.2-0.3).
Is my Pentium III/1Ghz too slow, or is it possible that traffic that isn't assigned to a queue only gets 1/2 the available WAN bandwidth?
-
What NICs are you using and what QoS technique (PRIQ, HFSC etc)?
-
Here is my pciconf -lvc:
re0@pci0:1:8:0: class=0x020000 card=0x816910ec chip=0x816910ec rev=0x10 hdr=0x00
    class      = network
    subclass   = ethernet
    cap 01[dc] = powerspec 2  supports D0 D1 D2 D3  current D0
skc0@pci0:1:10:0: class=0x020000 card=0x4b011186 chip=0x4b011186 rev=0x11 hdr=0x00
    class      = network
    subclass   = ethernet
    cap 01[48] = powerspec 2  supports D0 D1 D2 D3  current D0
    cap 03[50] = VPD
re0 is a Trendnet TEG-PCITXR Gigabit PCI card (Realtek RTL8169 chipset).
I'm not positive about the hardware for sk0; I believe it is a D-Link DGE-530T (also a gigabit card).
sk0 is the WAN interface. re0 is the LAN interface. I'm not 100% sure this is hardware related. It seems suspicious to me that the maximum bandwidth drops by precisely 50% when I implement traffic shaping. Could it be that something is dividing the bandwidth in 2 and allocating half to most of my traffic?
I'm using the PRIQ QoS technique, as suggested in your how-to.
-
How many queues do you have?
Also, have you tweaked the Queue limits? You probably want to raise the Queue limits and play with the TBR size a little.
-
I just recreated the queues based on your instructions again, and ran the test, and it works fine now. The WAN interface can get full speed. It is possible I was dealing with a temporary problem with the ISP or I had somehow misconfigured the queues. In any case, when I ran through the wizard again, it created the following 4 queues. Traffic not assigned to the qACK/qOthersLow queue can get full bandwidth utilization.
- qACK
- qDefault
- qOthersHigh
- qOthersLow
Thanks again!
-
Hi everyone. I'm trying to understand what the "httpvideo" or "httpaudio" protocols mean, or how pfSense works with them so that the traffic shaper can lower the priority of video downloads on web pages, audio downloads, etc.
I'm working on a project about L7 filtering and I chose pfSense to demonstrate and explain L7 filtering. I work on pfSense 2.0 RC1 on virtual machines in VMware, and I need to shape traffic between the LAN interface and the WAN interface.
Anyway, that's why I want to understand how httpvideo in the 'L7' section of the traffic shaper works.
Thank you, and I hope for a quick answer.