Need Help Configuring Limiters with Squid Proxy
-
Assuming limiters with Squid works, I would make a limiter that is fq_Codel and force all traffic into it.
Thanks Harvy66 - I actually already created a limiter and enabled fq_codel on it for the network interface that has Squid running on it. The problem is if I enable the limiter/queues on the LAN firewall rule for that interface that allows outbound traffic, I just end up limiting the speed from the client to the proxy, but not from the proxy to the internet. If I wanted to limit the speed of the Squid proxy to the internet, what kind of firewall rule would I have to set up, and where would I set it up? Am I on the right track with what I posted above yesterday, or do I need to approach it differently?
Thanks again for all your help, I really appreciate it.
-
Floating Rule:
1) Action: Match
2) Interface: WAN
3) Direction: Any
4) Protocol: Any
5) Source: LAN segment that has Squid running on it, let's call it LAN1 net
6) Destination: Any
7) Then under advanced set in/out pipe to the appropriate limiters/queues created under traffic shaping
This won't work for two reasons:
1. Connections to the internet come from squid itself and not anything on Source: LAN Net
2. Even if the connections were sourced from LAN Net that would not match because NAT has almost certainly already translated the source address of the connection in the outbound direction at the stage that rule is evaluated.
You might be able to mark specific squid traffic with a QoS marker then match that in the floating rule for putting in the correct pipe/queue:
https://wiki.squid-cache.org/Features/QualityOfService
A limiter should be configurable to work for uploads and downloads. Other than that, squid itself would have to limit the download speeds, if that is even possible. Looks like delay pools might do it if they're available.
-
Thanks for the response - I really appreciate it.
I did a bit more research on the issue - would setting up Delay Pools in Squid also accomplish what a limiter would do (i.e. limiting total bandwidth of the proxy):
https://wiki.squid-cache.org/Features/DelayPools
https://forum.pfsense.org/index.php?topic=74595.0
Thanks again.
-
Sorry. Don't know. You'll need to ask in the squid forum.
-
I'll go ahead and do that - thanks again for your help. I did try out delay pools with Squid, but unfortunately I was only able to limit download bandwidth. Back to the drawing board…
-
Yeah. Upload bandwidth should be able to be limited by marking and matching as explained above.
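To make the two approaches discussed in this thread concrete (delay pools for the download direction, and QoS marking so a floating rule can catch Squid's own upstream traffic), here is a squid.conf fragment. It is an added example, not configuration posted in this thread or shipped by the Squid or pfSense projects; the client subnet, the 10 Mbit/s figure, the TOS value 0x20 and the described floating-rule layout are assumptions for illustration.

```squid
# Added example (not from this thread): squid.conf fragment combining
#   1. a delay pool, which caps the rate at which Squid delivers responses
#      to its clients (download direction only, as observed in the thread);
#   2. tcp_outgoing_tos, which marks the packets Squid itself sends toward
#      origin servers so a floating rule on WAN can match the DSCP value and
#      put those packets into a limiter pipe (upload direction).
# The subnet, rate and TOS value below are constructed assumptions.

# --- 1. download cap via a class-1 delay pool (one aggregate bucket) ---
acl proxy_clients src 192.168.1.0/24      # assumed LAN1 subnet

delay_pools 1
delay_class 1 1
# restore rate / bucket size: bytes per second / bytes.
# 1250000 bytes/s is roughly 10 Mbit/s shared by every client in the pool.
delay_parameters 1 1250000/1250000
delay_access 1 allow proxy_clients
delay_access 1 deny all

# --- 2. mark proxy-originated traffic so the firewall can shape it ---
# 0x20 in the TOS byte is DSCP CS1 (001000 shifted left two bits).
# Assumed pfSense side: a floating rule on WAN, direction out, action
# Match, Diffserv Code Point set to cs1, In/Out pipe set to the limiter.
# Only Squid's upstream connections carry this mark, so the rule no longer
# needs to match a LAN source address (which NAT has already rewritten).
tcp_outgoing_tos 0x20 all
```

The delay pool only meters the response bytes Squid hands back to its clients, which is why it caps downloads and nothing else. The TOS mark is the handle for the other direction: it is set on the connections Squid opens itself, survives outbound NAT, and can be matched on WAN without reference to the original LAN source. After reloading Squid, `squidclient mgr:delay` (assumed available in your build) shows the pool's bucket levels, and a packet capture on WAN should show the DSCP value on proxy-originated connections.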
-
Until now, Traffic Shaper/Limiters don't work with Squid on the same box, right?
-
I think if you use limiters with floating rules matching on the WAN state creation (out direction) it will limit Squid. Someone can correct me if I'm totally wrong…
-
manual proxy redirect
maybe it might work
https://forum.pfsense.org/index.php?topic=147247.0
-
Need to test again… :)
-
Thanks guys for this additional info. I'd be curious to see if the manual redirect method might work.
Hi Matt - if I was to use a floating rule on the WAN interface, what would I use for the source of the traffic?
Thanks again.