Netgate Discussion Forum
    Shaping traffic for users with pfsense 2.0

antonavy

Hi to everybody! I hope to get some helpful advice and examples, because I'm exhausted trying to figure out how this traffic shaping works, reading different topics and the manual, and having my boss on my back.

I have a WAN line of 10 Mbits (up/down). As there is no limit, users started to download a lot, hanging the network, so the important staff like the director and managers wait 30 sec to check their mail, because someone is downloading a big file at full bandwidth.

What I want to have is 2 groups (small staff and bosses). To divide the traffic in some proportions like 30% and 70%, with the ability to use traffic from the other group if it is not required by that group. In addition, to shape traffic inside a group with priorities for different types of traffic (e.g. mail, web, VoIP, VNC/RDP - normal or higher; torrents, p2p - lower).

How can I do it with the shaper (HFSC queues..?) How should I configure the curves (examples?) How do I divide users by IPs (everyone has a static one) into a specific queue and balance the load?

I have about 60-70 computers (with servers included). I need to have about 10-15 VIP users. Some of the users should not have access to the internet at all. What's the best way to cut them off?

I tried the wizard, but didn't see any changes. And it makes queues only for WAN, not LAN. Should I clone those for LAN? When I tried to do it, the whole office lost internet and I lost control over my computer at work (over RDP).

I think I need two queues for groups, and more children.. but what will be the default group, and what will be the difference between groups for WAN and LAN?

I understand more now about queues and curves in theory, how they work. Less about interfaces. So I ask for real examples of rules and queues for WAN and LAN. Toy or more complicated, but examples would help!

I've read some more formal info like https://calomel.org/pf_hfsc.html - useful, but it didn't bring me to a result. Read http://forum.pfsense.org/index.php/topic,2718.msg48336.html#msg48336. The topic is old, helped a bit. http://forum.pfsense.org/index.php/topic,33870.msg175766.html#msg175766 - some description in Russian but more logic, less real examples, not clear with LAN and WAN, where-what.

Will appreciate your help =)

      2.0 RC1
      AMD Athlon XP 2000+
      80 Gb HDD
      SK0:
      SK1:

antonavy

So, experts? Any ideas? Help!

WAN - 10 Mbit
LAN - about 60 users (static IP)

Divide into two groups. And prioritize different traffic.

I would very much appreciate a basic scheme and examples of rules and queues!

And what rules/queues are for WAN and what are for LAN? Why did everything stop working after cloning?

Steps?


dusan

          Per-IP shaping/balancing is not a basic task in pfsense.

          And 2.0 traffic shaper does not work. (To be honest: it 'works' only for half of traffic. In case of LAN to WAN access, only LAN to WAN packets are shaped. In case of WAN to LAN access, only WAN to LAN packets are shaped.) So even a conventional (not per-IP) shaping/balancing is not a basic task in 2.0.

eri--

antonavy, just use the limiters and queues in a limiter with the right queues to get the right thing you need.

@dusan,
I have yet to do a test on what you mean, but it works.

dusan

              @ermal:

antonavy, just use the limiters and queues in a limiter with the right queues to get the right thing you need.

@dusan,
I have yet to do a test on what you mean, but it works.

              When? I'm on Apr 15 snapshot. It does not work, basically.

              I know it used to work until recently, six months ago maybe. But now, just a minor reconfiguration, or a minor event that triggers autoreconfig, for example, a "link down" or "high latency" event on one of many links, and it stops working.

The easiest way to see this is to monitor ICMP and UDP (such as NTP, IPSEC NAT-T tunnels etc.) with pftop. I have used 2.0 in production for over 2.5 years. Under really heavy load there is a big difference between shaped and non-shaped networks, so I know for sure what I'm saying.

antonavy

                @dusan:

                Per-IP shaping/balancing is not a basic task in pfsense.

                And 2.0 traffic shaper does not work. (To be honest: it 'works' only for half of traffic. In case of LAN to WAN access, only LAN to WAN packets are shaped. In case of WAN to LAN access, only WAN to LAN packets are shaped.) So even a conventional (not per-IP) shaping/balancing is not a basic task in 2.0.

What exactly do you mean? Because from your words it could be understood that WAN to LAN traffic is shaped and LAN to WAN traffic is shaped too. Or do you mean that in a session initiated from a user (LAN) to the internet (WAN) only outgoing traffic is shaped? Could you be more specific?

                @ermal:

antonavy, just use the limiters and queues in a limiter with the right queues to get the right thing you need.

@dusan,
I have yet to do a test on what you mean, but it works.

I'll try the limiters (I've only just got my hands on the server again). Do they have an option to borrow traffic from one queue to another? And what do source and destination address correspond to?
I've upgraded pfSense (now it's RC2), but the shaper still doesn't create LAN rules via the wizard.


dusan

                  @antonavy:

What exactly do you mean? Because from your words it could be understood that WAN to LAN traffic is shaped and LAN to WAN traffic is shaped too. Or do you mean that in a session initiated from a user (LAN) to the internet (WAN) only outgoing traffic is shaped? Could you be more specific?

Network traffic is two-directional. You browse a Web site on the Internet; this is LAN-to-WAN access. You send packets to the Web site; that is the only half of the traffic that is shaped by pfSense. The Web site must also send something to you; that's the second half, which is not shaped.

For WAN-to-LAN access, the situation is similar.

Note: what I call LAN-to-WAN is called outbound traffic, and WAN-to-LAN inbound traffic, in other contexts. However, 'outbound' and 'inbound' in pf terminology refer to something else.

dreamslacker

                    @antonavy:

What exactly do you mean? Because from your words it could be understood that WAN to LAN traffic is shaped and LAN to WAN traffic is shaped too. Or do you mean that in a session initiated from a user (LAN) to the internet (WAN) only outgoing traffic is shaped? Could you be more specific?

Previously, you needed only to catch the traffic in one direction and the returning traffic would be shaped automatically (put in the same queue on the other interface).

Somewhere in the past 2 months or so, there were changes made such that this doesn't happen anymore. i.e. If you put in a rule to catch, say, HTTP traffic going from LAN to the internet, the returning traffic does not hit the same queue anymore.

You can still work around it by having 2 similar rules (1 on LAN, 1 in floating) to match the traffic both ways. This is, however, quite a lot of extra work.

Cino

The wizard only creates the WAN queues. Follow the steps below that ermal posted a few months ago to create the LAN queues. This is working for me and all my rules are floating rules. I do have rules on my WAN interface, but they only match inbound traffic to my web server/OpenVPN and a few other services I'm running behind pfSense.

                      Go to firewall->traffic shaper

• Choose the By queue view
• Click on any of the WAN interfaces
• For the LAN listed there, click 'clone shaper/queue on this interface'
• Go to the By interface view
• Click the LAN interface
• Change the scheduler type to PRIQ
• Change the bandwidth to the interface speed (100Mbit/s, ...)
• Click save
• Apply settings

Note the LAN interface speed is the speed of the interface and not your download speed. If you only have a WAN and LAN, then you could input your download speed for the LAN speed. If you have a couple of interfaces for different LANs (DMZ, Guest LAN), then make sure you use the interface speed, or you will have speed issues when trying to access one of the interfaces via your LAN.

ermal explained it in a post before, but traffic shaping can only be applied one way on an interface, I believe. I think it's in the sticky under the traffic shaping section.

                      Some links for reading:
                      http://forum.pfsense.org/index.php/topic,11986.0.html
                      http://doc.pfsense.org/index.php/Traffic_Shaping_Guide

ay01
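To make the two-group layout asked for at the top of the thread concrete, here is a constructed pf.conf fragment in the ALTQ/HFSC syntax that pfSense 2.0 generates from the GUI (an added example, not a poster's configuration or pfSense's own output; interface names, addresses, queue names and percentages are assumptions). The WAN queues carry the 70/30 split with borrowing, the LAN side repeats the same queue names as the clone step above does, tables pick users by static IP, and a block rule cuts off the users who get no Internet at all.

```pf
# Constructed example (not from the thread): HFSC two-group shaper in the
# pf.conf/ALTQ syntax pfSense 2.0 writes out from the GUI. Interface names,
# addresses, queue names and percentages are assumptions.
wan_if = "em0"
lan_if = "em1"

# Group membership by static LAN address (constructed addresses)
table <bosses> { 192.168.1.10, 192.168.1.11, 192.168.1.12 }
table <noinet> { 192.168.1.200, 192.168.1.201 }

# WAN is the real 10 Mbit bottleneck. linkshare gives the 70/30 split; with
# no upperlimit set, a group whose share is idle lends it to the other group.
altq on $wan_if hfsc bandwidth 10Mb queue { qBoss, qStaff }
queue qBoss  on $wan_if bandwidth 70% hfsc(linkshare 70%) { qBossVoip, qBossInter, qBossBulk }
queue qBossVoip  on $wan_if bandwidth 20% hfsc(realtime 15%)   # guaranteed floor for VoIP
queue qBossInter on $wan_if bandwidth 60% hfsc(linkshare 60%)  # mail, web, RDP/VNC
queue qBossBulk  on $wan_if bandwidth 20% hfsc(linkshare 20%)  # downloads, p2p
queue qStaff on $wan_if bandwidth 30% hfsc(linkshare 30%) { qStaffInter, qStaffBulk }
queue qStaffInter on $wan_if bandwidth 70% hfsc(linkshare 70%)
queue qStaffBulk  on $wan_if bandwidth 30% hfsc(linkshare 30% default)  # unmatched traffic

# LAN side at interface speed with the same names, so a queue of that name
# exists on whichever interface a packet leaves by (the clone step does this).
altq on $lan_if hfsc bandwidth 100Mb queue { qBoss, qStaff }
queue qBoss  on $lan_if bandwidth 70% hfsc(linkshare 70%) { qBossVoip, qBossInter, qBossBulk }
queue qBossVoip  on $lan_if bandwidth 20% hfsc(realtime 15%)
queue qBossInter on $lan_if bandwidth 60% hfsc(linkshare 60%)
queue qBossBulk  on $lan_if bandwidth 20% hfsc(linkshare 20%)
queue qStaff on $lan_if bandwidth 30% hfsc(linkshare 30%) { qStaffInter, qStaffBulk }
queue qStaffInter on $lan_if bandwidth 70% hfsc(linkshare 70%)
queue qStaffBulk  on $lan_if bandwidth 30% hfsc(linkshare 30% default)

# Users who get no Internet at all: dropped before any pass rule can match
# (this also blocks them from the firewall's own services on this interface).
block in quick on $lan_if from <noinet> to any

# Queue assignment. pf is last-match-wins without "quick", so the broad
# rules come first and the more specific ones later override them.
pass in on $lan_if from $lan_if:network to any keep state queue qStaffBulk
pass in on $lan_if proto tcp from $lan_if:network to any port { 25, 80, 443, 993 } keep state queue qStaffInter
pass in on $lan_if from <bosses> to any keep state queue qBossBulk
pass in on $lan_if proto tcp from <bosses> to any port { 25, 80, 443, 993, 3389 } keep state queue qBossInter
pass in on $lan_if proto udp from <bosses> to any port 5060 keep state queue qBossVoip
```

As dreamslacker notes above, on the 2.0 snapshots discussed here the return direction needs its own matching rule (a floating rule in the GUI), so check with pftop that both directions actually land in the intended queues.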

Hi to everyone! I'm working on a project about pfSense and more specifically about the traffic shaper and the way L7 traffic is being shaped. I found out while trying to work with the traffic shaper that I must set a limiter, and only then I can limit a specific protocol in the "L7" section of traffic shaping. But I found out that there are some protocols that the traffic shaper uses that I don't understand at all, like "httpvideo" and "httpaudio".

I'm working on pfSense 2.0 RC1 on VMware and I'm trying to experiment with the L7 feature, like when I open a web page, videos take really much longer to be downloaded than other text-only web pages. And I need to understand what the meaning is, or the way that pfSense works with "httpvideo" or "httpaudio", because I found nothing on Google about this protocol or even on the pfSense site.

You may find me a little stupid, but I'm just new at the whole firewall stuff and I'm trying to understand how it works.

Also excuse my English. Hope for a quick answer. Thanks.

Cino

                          @ay01:

Hi to everyone! I'm working on a project about pfSense and more specifically about the traffic shaper and the way L7 traffic is being shaped. I found out while trying to work with the traffic shaper that I must set a limiter, and only then I can limit a specific protocol in the "L7" section of traffic shaping. But I found out that there are some protocols that the traffic shaper uses that I don't understand at all, like "httpvideo" and "httpaudio".

I'm working on pfSense 2.0 RC1 on VMware and I'm trying to experiment with the L7 feature, like when I open a web page, videos take really much longer to be downloaded than other text-only web pages. And I need to understand what the meaning is, or the way that pfSense works with "httpvideo" or "httpaudio", because I found nothing on Google about this protocol or even on the pfSense site.

You may find me a little stupid, but I'm just new at the whole firewall stuff and I'm trying to understand how it works.

Also excuse my English. Hope for a quick answer. Thanks.

Make sure you're using a snapshot that is pretty new (within the last couple of weeks)... There were changes made to Layer7 that are not included in the RC1 official release. As for the L7 protocols, go to the source: http://l7-filter.sourceforge.net/protocols

ay01

                            @Cino:

Make sure you're using a snapshot that is pretty new (within the last couple of weeks)... There were changes made to Layer7 that are not included in the RC1 official release. As for the L7 protocols, go to the source: http://l7-filter.sourceforge.net/protocols

Do you mean that I should download the RC4?

And thank you for the link, it was very useful.

Cino

There isn't an RC4 yet... RC2 is unofficially out. Go to http://snapshots.pfsense.org/ for snapshots and download the one for your platform, i386 or AMD64. If you wait a couple of days, could be a couple of weeks, IDK, the pfSense team should be updating their blog with the official RC2 announcement. From there you can download a copy instead of using a snapshot.

Also, the main dashboard will tell you if there is an update, and you can auto-download-install from there.

ay01

Maybe it's a little off topic, but I was asked to find out how to integrate pfSense with an Active Directory server. Does anyone have an idea about it?

Or in other words, how can pfSense features be useful for me when integrating it with an Active Directory server?

Cino

                                  @ay01:

Maybe it's a little off topic, but I was asked to find out how to integrate pfSense with an Active Directory server. Does anyone have an idea about it?

Or in other words, how can pfSense features be useful for me when integrating it with an Active Directory server?

Search the forum, search http://doc.pfsense.org, then post a new topic in the correct section...
