Squid proxy doesn't respect fair bandwidth limiters.



  • Problem:
    I have implemented traffic limiters for dynamic fair bandwidth using limiters and adding them into the firewall LAN rule in IN/OUT pipe, along with captive portal and freeradius, the limiters work fine, but as soon as i add squid package and enable it, the limiters are not respected.

    Production Environment Details:
    3 WAN connections (8mbps, 40mbps, 4mbps) and 1 LAN (50 users).

    Environment Details To Test:
    Single WAN and Single Lan, Using a download speed of 1MBps, I am using 3 machines.

    • Two machines (let's name them A and B) using Internet Download Manager with 5 downloads, each download with 32 connections, so in all 160 connections.
    • One machine (machine C) with a simple download.

    Without Squid:
    The two machines A and B are capped at 300-400 KBps each and machine C is able to get roughly draw 250-300 KBps, inferring that limiters work.

    With Squid
    The two machines A and B are able to draw 300-600 KBps each and machine C only gets 8-11 KBps, which means the limiters do not work.

    Interesting Observations:
    I tried a lot of options and i have learned that, when you use squid, the squid captures the data before firewall rules are interpreted, because i changed the "Default IPv4 LAN rule to any" from pass to block, and added a single rule to allow DNS(53) protocol from LAN net to any above it, and normal HTTP internet works. Technically this should block all ports including 3128 for squid, but it does not.
    Also there were lot of posts of this not working with transparent proxy, but i tried transparent/ non transparent, both did not work.

    Options tried but did not work

    I think it's related to bug already mentioned here,
    if yes, a confirmation would be wonderful.

    Thanks,
    Kind regards,
    Anand


Log in to reply