Shaping traffic for users with pfsense 2.0
-
antonavy just use the limiters a queues in a limiter with the right queues to get the right thing you need.
@dusan,
i have yet to do a test on what you mean but it works.
-
@ermal:
antonavy just use the limiters a queues in a limiter with the right queues to get the right thing you need.
@dusan,
i have yet to do a test on what you mean but it works.
When? I'm on Apr 15 snapshot. It does not work, basically.
I know it used to work until recently, six months ago maybe. But now, just a minor reconfiguration, or a minor event that triggers autoreconfig, for example, a "link down" or "high latency" event on one of many links, and it stops working.
The easiest way to see this is to monitor ICMP and UDP (such as NTP, IPSEC NAT-T tunnels etc) with pftop. I have used 2.0 in production for over 2.5 years. Under really heavy load there is a big difference between shaped and non-shaped networks, so I know for sure what I'm saying.
-
Per-IP shaping/balancing is not a basic task in pfsense.
And 2.0 traffic shaper does not work. (To be honest: it 'works' only for half of traffic. In case of LAN to WAN access, only LAN to WAN packets are shaped. In case of WAN to LAN access, only WAN to LAN packets are shaped.) So even a conventional (not per-IP) shaping/balancing is not a basic task in 2.0.
You mean exactly what? Because considering your words it can be suggested that wan to lan traffic is shaped and lan to wan traffic is shaped too. Or do you mean that in current session initiated from user (LAN) to internet (WAN) only outgoing traffic is shaped? Could you be more specific?
@ermal:
antonavy just use the limiters a queues in a limiter with the right queues to get the right thing you need.
@dusan,
i have yet to do a test on what you mean but it works.
I'll try the limiters (I've only got my hands on the server again). Do they have an option to borrow traffic - from one queue to another? And what does source and destination address correspond to?
I've upgraded pfsense (now it's RC2), but the shaper still doesn't create LAN rules via wizard.
-
You mean exactly what? Because considering your words it can be suggested that wan to lan traffic is shaped and lan to wan traffic is shaped too. Or do you mean that in current session initiated from user (LAN) to internet (WAN) only outgoing traffic is shaped? Could you be more specific?
Network traffic is two-directional. You browse a Web site on the Internet, this is LAN-to-WAN access. You send packets to the Web site, that's only half of the traffic that is shaped by pfSense. The Web site must also send something to you, that's the second half that is not shaped.
For WAN-to-LAN access, the situation is similar.
Note. What I call LAN-to-WAN is called outbound, and WAN-to-LAN inbound, traffic in other contexts. However, 'outbound' and 'inbound' in pf terminology refer to something else.
-
You mean exactly what? Because considering your words it can be suggested that wan to lan traffic is shaped and lan to wan traffic is shaped too. Or do you mean that in current session initiated from user (LAN) to internet (WAN) only outgoing traffic is shaped? Could you be more specific?
Previously, you needed only to catch the traffic in one direction and the returning traffic would be shaped automatically (put in the same queue on the other interface).
Somewhere in the past 2 months or so, there were changes made as such that this doesn't happen anymore. i.e. If you put in a rule to catch say HTTP traffic going from LAN to the internet, the returning traffic does not hit the same queue anymore.
You can still work around it by having 2 similar rules (1 on LAN, 1 in floating) to match the traffic both ways. This is, however, quite a lot of extra work.
-
The wizard only creates the WAN queues. Follow the below steps that ermal posted a few months ago to create the LAN queues. This is working for me and all my rules are floating rules. I do have rules on my WAN interface but they only match inbound traffic to my web server/openvpn and few other services i'm running behind pfsense.
Go to firewall->traffic shaper
- Choose by queue view
- Click on any of the WAN interfaces
- For the LAN listed there click 'clone shaper/queue on this interface'
- Go to the By interface view
- Click LAN interface
- Change the scheduler type to PRIQ
- Change the bandwidth to the interface speed (100Mbit/s ….)
- Click save
- Apply settings
Note the LAN interface speed is the speed of the interface and not your download speed. If you only have a WAN and LAN, then you could input your download speed for the LAN speed. If you have a couple of interfaces for different LANs (DMZ, Guest LAN) then make sure you use the interface speed or you will have speed issues when trying to access one of the interfaces via your LAN.
ermal explained it in a post before but traffic shaping can only be applied 1-way on an interface I believe. I think it's in the sticky under the traffic shaping section.
Some links for reading:
http://forum.pfsense.org/index.php/topic,11986.0.html
http://doc.pfsense.org/index.php/Traffic_Shaping_Guide
-
hi to everyone ! i'm working on a project about pfsense and more specifically about the traffic shaper and the way l7 is being shaped. i found out while trying to work with the traffic shaper that i must set a limiter and only then i can limit a specific protocol in the section " l7 " of traffic shaping. but i found out that there are some protocols that the traffic shaper uses that i don't understand at all like "httpvideo" "httpaudio".
i'm working on pfsense 2.0 rc1 on vmware and i'm trying to experiment with the l7 feature like when i open a web page, videos take really longer to be downloaded like other text only web pages. and i need to understand what is the meaning or the way that pfsense works with "httpvideo" or "httpaudio" because i found nothing on google about this protocol or even on the pfsense site.
you may find me a little stupid but i'm just new at the whole firewall stuff and i'm trying to understand how it works.
also excuse my english. hope for a quick answer. thanks.
-
hi to everyone ! i'm working on a project about pfsense and more specifically about the traffic shaper and the way l7 is being shaped. i found out while trying to work with the traffic shaper that i must set a limiter and only then i can limit a specific protocol in the section " l7 " of traffic shaping. but i found out that there are some protocols that the traffic shaper uses that i don't understand at all like "httpvideo" "httpaudio".
i'm working on pfsense 2.0 rc1 on vmware and i'm trying to experiment with the l7 feature like when i open a web page, videos take really longer to be downloaded like other text only web pages. and i need to understand what is the meaning or the way that pfsense works with "httpvideo" or "httpaudio" because i found nothing on google about this protocol or even on the pfsense site.
you may find me a little stupid but i'm just new at the whole firewall stuff and i'm trying to understand how it works.
also excuse my english. hope for a quick answer. thanks.
make sure you're using a snapshot that is pretty new (within the last couple of weeks)… There were changes made to Layer7 that are not included in the RC1 official release. As for the L7 protocols, go to the source: http://l7-filter.sourceforge.net/protocols
-
make sure you're using a snapshot that is pretty new (within the last couple of weeks)… There were changes made to Layer7 that are not included in the RC1 official release. As for the L7 protocols, go to the source: http://l7-filter.sourceforge.net/protocols
do you mean that i should download the RC4 ?
and thank you for the link, it was very useful
-
there isn't RC4 yet… RC2 is unofficially out. Go to http://snapshots.pfsense.org/ for snapshots, download the one for your platform, i386 or AMD64. If you wait a couple of days, could be a couple of weeks, IDK; the pfSense team should be updating their blog with RC2 official announcement. From there you can download a copy instead of using a snapshot.
Also the main dashboard will tell you if there is an update and you can auto-download-install from there.
-
maybe it's a little off topic but i was asked to find out how to implement pfsense into an active directory server. does anyone have an idea about it ?
or in other words, how can pfsense features be useful for me when implementing it into an active directory server.
-
maybe it's a little off topic but i was asked to find out how to implement pfsense into an active directory server. does anyone have an idea about it ?
or in other words, how can pfsense features be useful for me when implementing it into an active directory server.
search the forum, search http://doc.pfsense.org then post a new topic in the correct section…