Netgate Discussion Forum
    Egress acls for traffic bandwidth limiting / qos

    obadiah:

      Hi All,

      We have a transparent squid proxy server. I would like to prioritize and bandwidth limit connections from squid to certain non business websites. i.e.

      users -> pfsense ingress ACL -> Squid -> pfsense egress ACL
                  ^Transparent TCP 3128              ^Limit certain websites (tumblr, youtube etc) during business hours to 4mb, and traffic shape (Hfsc)

      I already have enabled Squid ACLs and per-host throttling, but this is not really what I am after. I would like something more granular, so that business websites have full priority and non-business websites do not, especially during working hours. Ironically, I am able to achieve that WITHOUT the squid proxy.

      SRC      DEST                     PRTL      TrafficShape                    TIME              Action
      <lan>    <business websites>      <80,443>  High Priority, B/w guaranteed   <business hours>  Allowed
      <lan>    <non business websites>  <80,443>  Low Priority, B/w limited       <business hours>  Allowed

      With the proxy between SRC and DEST, I am unsure of how to apply egress ACLs so that traffic initiated from Squid will be forced to obey bandwidth limiting rules.

      Has anyone had experience with bandwidth limiting connections made from squid?

      obadiah (reply):

        From my understanding of pf, it does appear that it is possible to have egress filtering. It's just not possible through the UI, e.g.

        pass out inet proto tcp from $localnet to port $client_out_tcp
        pass out inet proto udp from $localnet to port $client_out_udp   # udp, to match the $client_out_udp port list

        Is there a way to do this through the WebUI (that I do not know of), or should I create a feature request?

        My logic is …

        SRC         DEST                                   Direction  PRTL      TrafficShape                    TIME              Action
        <loopback>  <business websites (fqdns group)>      Outbound   <80,443>  High Priority, B/w guaranteed   <business hours>  Allowed
        <loopback>  <non business websites (fqdns group)>  Outbound   <80,443>  Low Priority, B/w LIMITED       <business hours>  Allowed
        <loopback>  ANY                                    Outbound   <80,443>  B/w LIMITED                     <business hours>  Allowed

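The three outbound rows above, written out as a pf.conf fragment with HFSC queues; this is an added example, not the poster's ruleset or pfSense's generated config. The interface name, the 20Mb link figure and the hostnames in the tables are placeholders, and it assumes Squid's upstream connections leave the WAN interface with the firewall's own address as source.

```pf
# Added example (not from the post): ALTQ/HFSC shaping for Squid's own
# upstream connections on FreeBSD pf / pfSense. Interface, link speed and
# table members are placeholders.
wan_if    = "em0"              # assumption: the WAN interface
web_ports = "{ 80, 443 }"

# Hostnames in a raw pf table are resolved once, when the ruleset is
# loaded; pfSense FQDN aliases are re-resolved periodically, plain
# pfctl-loaded tables are not.
table <business>    { crm.example.com, erp.example.com }
table <nonbusiness> { video.example.net, social.example.org }

# Root HFSC scheduler on WAN. qHigh gets a guaranteed real-time share,
# qLow is hard-capped at 4Mb even when the link is otherwise idle,
# everything unmatched falls into qDefault.
altq on $wan_if hfsc bandwidth 20Mb queue { qHigh, qLow, qDefault }
queue qHigh    bandwidth 50% hfsc(realtime 30%)
queue qLow     bandwidth 20% hfsc(upperlimit 4Mb)
queue qDefault bandwidth 30% hfsc(default)

# Squid's connections originate on the firewall itself, so they leave
# $wan_if sourced from its address; ($wan_if) in "from" tracks that
# address even if it changes (DHCP/PPPoE). First match wins via "quick".
pass out quick on $wan_if inet proto tcp from ($wan_if) to <business>    port $web_ports queue qHigh
pass out quick on $wan_if inet proto tcp from ($wan_if) to <nonbusiness> port $web_ports queue qLow
pass out quick on $wan_if inet proto tcp from ($wan_if) to any           port $web_ports queue qDefault

# pf has no time-of-day match: the <business hours> column has to be
# applied from outside the ruleset (pfSense schedules do this).
```

In the pfSense WebUI, rules with direction "out" and a queue assignment are available as Floating rules, which is where these three rows would be entered rather than in a hand-edited pf.conf.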
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.