Disable limiters when TOS marked packets received as response

  • Hey fellow pfSensers!

    We have 2 pfSense servers running in production environment with over 2000 hosts.

    First server is  used for routing / bandwidth sharing, pointing at second as default gateway.
    No NAT, only stateful firewall (used with Limiters download/upload pipe), + some minor packages not important for this discussion.

    Second is running Transparent Squid proxy, NAT/Pfblocker/Snort and connected directly to the Internet.

    Currently: all traffic is passing through first server, where limiters are applied
    then it goes to second server, where HTTP is intercepted by Squid, rest of traffic is NATed, checked by PfBlocker/Snort and going out.

    This setup ( two servers instead of one) had to be made because of incompatibilities issues of limiters  + transparent proxy and limiters + NAT on pfSense 2.3

    Just to reiterate: limiters are applied to All traffic on first server, i.e. each IP on LAN is dynamically allocated bandwidth based on its availability, fair bandwidth sharing (works very well).

    I am trying to achieve the following:
    All local hits (cached content that is passed by Squid to LAN clients) should avoid being capped by limiters.

    How to achieve it with current pfSense GUI?

    This is what has been done so far:

    • Once object is retrieved from cache its marked with TOS 0x30 value using qos_flows local-hit=0x30 directive
      quick tcpdump check (on both servers ) has shown that packets have been marked correctly.

    Now, how to catch that with firewall on first server and build exception rule ?

    The thing is that since its stateful firewall, state is established starting (once allowed to pass) on LAN interface (where I currently apply limiters) and then goes on.

    I could apply DSCP value AF12 in firewall–>advanced options to catch packets marked with TOC 0x30 (they correspond to each other),
    Of course it won't work, since its not a NEW connection state established by Proxy, packets are flowing using rule for already established state.

    So, how can I catch it? ;)
    i.e. packets are received as replies from the Internet (in fact from transparent squid running on second server), and only that are specifically marked, need to bypass the existing firewall rule that has limiters attached to it.

    It seems to be, since its deep packet inspection and stateful firewall that is coupled with limiters, its not possible.

    Other Traffic Shaping technologies seems not having what we need to achieve (dynamic fair distribution of bandwidth between all local hosts)

    Any help or ideas are appreciated!



Log in to reply