    Is it possible to do traffic shaping based on categories?

    Off-Topic & Non-Support Discussion
talz:

I have HTTP and HTTPS traffic on my LAN going to the internet.
I need to be able to look at the domain the traffic is destined to, and compare it to a list of domains to determine if the traffic is social media, or business, or porn, or something else.

Based on what category it's in, I then want to throttle that traffic.

So all social media traffic might be limited to 1Mbps (for everyone, not per user), all youtube traffic might be limited to 5Mbps, etc.

I imagine to categorize traffic, I would need a subscription to squidblacklist, which I have.

I also imagine that HTTPS traffic can be monitored using the SNI field.

Is this possible with a pfsense appliance?

Note: I do NOT want to do DNS filtering. Yes, DNS filtering is efficient, and simple, and can use squidblacklist, but it either blocks a website, or allows it. It can't throttle anything.

jimp (Rebel Alliance Developer, Netgate):

You can't change the QoS of traffic after a connection state has been established. Looking at things like SNI is too late for that to happen, and you can't look at the domain of traffic at the firewall level.

So you have a couple choices:

1. Run the traffic through a proxy that can deep inspect the traffic and handle the throttling you want in the way you want (I don't think squid on pfSense can do what you're after, so it would have to be something external)
2. Find the AS numbers for the networks you want to target and run them through pfBlocker to build lists to use for classifying traffic -- gets you the closest but since it only works by organization and not site, may not classify things how you want. For example it couldn't distinguish Youtube from gmail.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

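As an added illustration (not code from this thread, from pfSense or from squid), here is the core of what the proxy in option 1 would have to do: read the SNI out of the TLS ClientHello and map it, by longest-suffix match against a squidblacklist-style category list, to the aggregate limit the question asks for. This is exactly the classification the firewall cannot do once connection state exists, which is why it has to live in the proxy. The category list, the limits and the sample ClientHello are constructed for the example; enforcing the returned limit on the flow is left to the proxy or shaper.

```python
import struct

# Constructed squidblacklist-style category list (a real feed is far larger).
CATEGORY_DOMAINS = {
    "social": {"facebook.com", "twitter.com", "instagram.com"},
    "video": {"youtube.com", "googlevideo.com"},
}
CATEGORY_LIMIT_KBPS = {"social": 1000, "video": 5000}  # aggregate, not per user

def categorize(host):
    """Longest-suffix match, so 'm.facebook.com' hits 'facebook.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        for category, domains in CATEGORY_DOMAINS.items():
            if ".".join(labels[i:]) in domains:
                return category
    return None

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # TLS handshake, ClientHello
            return None
        pos = 43                                    # past headers, version, random
        pos += 1 + record[pos]                      # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + record[pos]                      # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list_len(2), type(1), name_len(2), name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass  # truncated or malformed record: treat as no SNI
    return None

def limit_kbps(record):  # aggregate limit for the SNI's category; None = unshaped
    return CATEGORY_LIMIT_KBPS.get(categorize(extract_sni(record) or ""))

def build_client_hello(host):  # constructed sample input: minimal ClientHello + SNI
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```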
talz:

I guess what I'm looking for is option #1: a proxy that can do deep packet inspection, even if it runs on raw Linux (not necessarily pfsense). As far as I know, squid is the most popular proxy around. If it can't do it, do any others come to mind that I should look into that might?

Squidblacklist has 2 million domains that it categorizes. Even if we only cared about some of the categories, that would still be tens, if not hundreds of thousands of domains. Finding the AS number for each one would probably be impractical.

jimp (Rebel Alliance Developer, Netgate):

I don't know if squid can do it or not. It may be able to, just not squid on pfSense since it is constrained by what is possible in the GUI.

talz:

Ok - I'll have to look into it.

Thanks for the info
