Netgate Discussion Forum

    Squid proxy doesn't respect fair bandwidth limiters.

      anand_phulwani

      Problem:
      I have implemented traffic limiters for dynamic fair bandwidth using limiters and adding them into the firewall LAN rule in the IN/OUT pipe, along with captive portal and FreeRADIUS. The limiters work fine, but as soon as I add the Squid package and enable it, the limiters are not respected.

      Production Environment Details:
      3 WAN connections (8mbps, 40mbps, 4mbps) and 1 LAN (50 users).

      Environment Details To Test:
      Single WAN and single LAN, using a download speed of 1MBps. I am using 3 machines.

      • Two machines (let's name them A and B) using Internet Download Manager with 5 downloads, each download with 32 connections, so in all 160 connections.
      • One machine (machine C) with a simple download.

      Without Squid:
      The two machines A and B are capped at 300-400 KBps each and machine C is able to draw roughly 250-300 KBps, inferring that limiters work.

      With Squid:
      The two machines A and B are able to draw 300-600 KBps each and machine C only gets 8-11 KBps, which means the limiters do not work.

      Interesting Observations:
      I tried a lot of options and I have learned that, when you use Squid, Squid captures the data before firewall rules are interpreted, because I changed the "Default IPv4 LAN rule to any" from pass to block, and added a single rule above it to allow DNS (53) from LAN net to any, and normal HTTP internet still works. Technically this should block all ports, including 3128 for Squid, but it does not.
      Also, there were a lot of posts about this not working with transparent proxy, but I tried transparent and non-transparent, and both did not work.

      Options tried but did not work:

      • https://forum.netgate.com/topic/57476/per-ip-traffic-shaping-share-bandwith-evenly-between-ip-addresses/157#
      • https://forum.netgate.com/topic/72977/transparent-squid-ignores-bandwidth-limiter-rules/5#
      • https://www.reddit.com/r/PFSENSE/comments/3e67dk/flexible_vs_fixed_limiters_troubleshooting_with/

      I think it's related to the bug already mentioned here;
      if yes, a confirmation would be wonderful.

      Thanks,
      Kind regards,
      Anand

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.