Load balancing (pfSense) and Captive portal (m0n0wall) managing connections



  • Hello,

    First I'd like to thank all the developers of pfSense for making a great product, I have been using it for some time now and it works great!

    I have some questions with which I hope you can help me! I've been searching the internet, forums and tried a lot of different configurations. My biggest problem is that the network is being used and when I do something wrong I get a lot of complaining people at my door…

    I live in a student building in Utrecht (Holland) and I arrange wireless internet for about 20 students that are living in the same building as I do because the tenant only offers very slow internet on the ground floor and not in the separate rooms.

    Most users connect via wireless (captive portal). Now I have a pfSense box working as load balancer and failover (works great!) and a m0n0wall box as captive portal. See pic below:


    http://213.206.110.6/rapportage/groot.gif (download big image)

    Most users use the connection mainly for MSN Messenger, browsing and downloading, and the last one is giving me more and more problems, especially downloading with BitTorrent (I think).
    Between 7 and 12 PM the internet gets slow even when there is not much traffic going on. When I only had one internet connection, most of the time slow internet was caused by uploading, but even after limiting the upload speed the problem stayed.

    I've done some research and think the problem is mainly caused by the amount of connections BitTorrent clients make; during these hours pfSense shows between 2000 and 2600 firewall states, of which most are P2P connections.

    Now the questions:

    1: What is the best way to manage downloading of users without blocking it totally or just use one line for HTTP and one for downloading. If this is not possible, what would you suggest I do?

    2: What is the best way to limit the number of connections per user? I know this is possible in the firewall rules (how much can 2 standard ADSL lines (modems) handle and what do I put in the firewall rule? (lan/wan, block, pass, connections per host, etc…)

    3: How can I optimize my network? I'd like to keep using m0n0wall only for the captive portal (because of the voucher system) but use pfSense for the other functions. I found this on the forum:

    _enable advanced outbound nat at the m0n0. the pfSense needs a route back to the subnet behind the m0n0 via the m0n0 as gateway._

    but I don't know how to translate this into pfSense settings, can someone please translate this into easy English?

    4: Does Squid or any other package have any advantages in my situation?

    5: How do I use traffic shaping with load balancing? If I use the speed of a single line my max download drops to that of one line, but using the combined speed doesn't work optimally…

    Thanks for your help!!!!

    Mark



  • I personally dislike wireless and try to avoid using it.

    You could agree with your clients to use torrentflux on a server for p2p traffic. But I doubt all that is being downloaded is legal.

    Traffic shaping is improved in pfSense 2.0 (alpha alpha) but might have what you need.
    http://forum.pfsense.org/index.php/topic,2718.0.html for information on Traffic shaping.



  • @Perry:

    I personally dislike wireless and try to avoid using it.

    You could agree with your clients to use torrentflux on a server for p2p traffic. But I doubt all that is being downloaded is legal.

    Traffic shaping is improved in pfSense 2.0 (alpha alpha) but might have what you need.
    http://forum.pfsense.org/index.php/topic,2718.0.html for information on Traffic shaping.

    I agree, for myself I only use cables, but I live in an old hospital together with 90 other students and people are coming and going, so a cabled network is no option. The downloading is probably mostly illegal stuff, but my goal is to provide a connection without limitations, and legally it's not a big problem in Holland (uploading is).

    The torrent server is a good idea to keep it central; I never use torrents (Usenet is much better) so I don't know a lot about it…

    About v2: everywhere on the site I see that it shouldn't be used on a production server, but is it stable enough for load balancing and traffic swapping?

    Thanks!



  • Hi! What about question #2 of the original post? Does anyone know how to limit the number of connections per host? Some pf statement? Something within the firewall rules (btw, the advanced settings within the rules that are supposed to do that seem not to be working…)? Please advise.

    Regards



  • Hello guys. Can anyone give me a lead about limiting the number of connections per IP? TIA

    BR



  • @ipnet:

    Hi! What about question #2 of the original post? Does anyone know how to limit the number of connections per host? Some pf statement? Something within the firewall rules (btw, the advanced settings within the rules that are supposed to do that seem not to be working…)? Please advise.

    Regards

    What exactly do you mean the advanced settings do not work?
    How did you test that?



  • OK, I had a user downloading P2P and he had more than 1000 connections open at that time. I created a FW rule to filter that user and only that user. Redirected him to use one of my WAN connections (not the default one). I configured that rule (in the advanced settings) as follows:

    "Simultaneous client connection limit": 500
    "Maximum state entries per host": 100
    "Maximum new connections / per second": Nothing
    "State Timeout in seconds": Nothing

    Reset the current connections so they have to restart again.

    And… nothing, the P2P user can still open more than 100 connections. Am I doing something wrong???
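For question 2 of the thread, here is the pf.conf form of the "Advanced" fields set in the post above, as an added example that is not from the thread or from pfSense itself; lan0, the LAN subnet and the table name are placeholders chosen for the example.

```pf
# Added example (not from the thread): pf.conf equivalent of the pfSense
# per-host limits configured in the post above.
# Placeholders: lan0 = LAN interface, 192.168.1.0/24 = LAN subnet,
# <p2p_limited> = a table name chosen for this example.

# Table collecting source addresses that exceed the TCP limits below.
table <p2p_limited> persist

# Hosts already in the table are dropped before the pass rule is consulted.
block in quick on lan0 from <p2p_limited> to any

# GUI field                                pf state option
# "Simultaneous client connection limit" -> max-src-conn
# "Maximum state entries per host"       -> max-src-states
# "Maximum new connections / per second" -> max-src-conn-rate (unset in the post)
# "State Timeout in seconds"             -> left unset in the post, not mapped here
#
# A host over max-src-states simply gets no new states from this rule;
# a host over max-src-conn is also added to the table and its states flushed.
pass in on lan0 from 192.168.1.0/24 to any keep state \
    ( max-src-states 100, \
      max-src-conn 500, \
      overload <p2p_limited> flush global )
```

Each limit counts only states this rule created, so a second pass rule (for example one with a different gateway) gives the same host a fresh budget. max-src-conn counts only TCP connections that have completed the three-way handshake, so UDP peers are bounded only by max-src-states.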



  • With reset the current connections do you mean you reset the state table?
    Was the rule to redirect your testuser at the top of all other rules?

    To test this I would only have one single rule on the LAN interface (or whichever interface your test user is on) and set these options in this rule.



  • Yes, I mean reset the state table.
    Yes, the rule was on top.

    BR.

