Is it possible to do traffic shaping based on categories?

  • I have HTTP and HTTPS traffic on my LAN going to the internet.
    I need to be able to look at the domain the traffic is destined to, and compare it to a list of domains to determine if the traffic is social media, or business, or porn, or something else.

    Based on what category it's in, I then want to throttle that traffic.

    So all social media traffic might be limited to 1Mbps (for everyone, not per user), all YouTube traffic might be limited to 5Mbps, etc.

    I imagine to categorize traffic, I would need a subscription to squidblacklist, which I have.

    I also imagine that HTTPS traffic can be monitored using the SNI field.

    Is this possible with a pfSense appliance?

    Note: I do NOT want to do DNS filtering. Yes, DNS filtering is efficient, and simple, and can use squidblacklist, but it either blocks a website, or allows it. It can't throttle anything.
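The classification step the question describes (read the SNI from an HTTPS ClientHello, match the hostname against a category list, map the category to a shared bandwidth cap) as an added example; this is not code from the thread or from pfSense or squidblacklist, and the category list, rate limits and `build_client_hello` helper are constructed for illustration. As the reply below points out, this kind of check has to run in an inline proxy or classifier that sees the first packet of the flow, not in a firewall rule after the state exists.

```python
import struct
from typing import Optional, Tuple

# Constructed category list standing in for a subscription feed such as
# squidblacklist (a real feed has millions of entries; these are made up).
CATEGORY_LIST = {
    "facebook.com": "social",
    "twitter.com": "social",
    "youtube.com": "video",
    "googlevideo.com": "video",
    "example-corp.com": "business",
}

# Assumed policy: per-category ceiling in kbit/s, shared by all LAN users.
# Categories absent here (e.g. "business") are left unshaped.
RATE_LIMIT_KBPS = {"social": 1000, "video": 5000}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record that carries an SNI
    extension. Only used to produce sample input for the parser below."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # host_name type
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0017, 0)                      # extended_master_secret, empty
    extensions += struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data
    body = b"\x03\x03" + b"\x11" * 32                # version + 32-byte random
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
    body += b"\x01\x00"                              # null compression only
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None when the
    bytes are not a ClientHello or carry no SNI extension."""
    if len(record) < 5 or record[0] != 0x16:         # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                 # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # skip session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # skip compression methods
    if len(body) < pos + 2:
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                            # walk extension by extension
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != 0x0000 or len(data) < 5:
            continue
        # server_name_list: 2-byte list length, then (type, length, name) entries
        name_type, name_len = data[2], struct.unpack("!H", data[3:5])[0]
        if name_type == 0 and len(data) >= 5 + name_len:
            return data[5:5 + name_len].decode("ascii", "replace").lower()
    return None


def classify(hostname: str) -> Optional[str]:
    """Longest-suffix match against the category list, so 'www.youtube.com'
    and 'youtube.com' land in the same category."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_LIST.get(".".join(labels[i:]))
        if category:
            return category
    return None


def shaping_class(record: bytes) -> Tuple[Optional[str], Optional[str], Optional[int]]:
    """Map one captured ClientHello to (hostname, category, kbps limit).
    A None limit means the flow is left unshaped."""
    host = extract_sni(record)
    category = classify(host) if host else None
    return host, category, RATE_LIMIT_KBPS.get(category) if category else None


if __name__ == "__main__":
    for name in ("www.youtube.com", "m.facebook.com", "intranet.example-corp.com"):
        print(shaping_class(build_client_hello(name)))
```

The classifier only sees the plaintext hostname, never the request path, which is the most any SNI-based scheme can give; traffic without SNI (or with encrypted ClientHello) falls through as uncategorised, so the policy for that fall-through case needs deciding up front.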

  • Rebel Alliance Developer Netgate

    You can't change the QoS of traffic after a connection state has been established. Looking at things like SNI is too late for that to happen, and you can't look at the domain of traffic at the firewall level.

    So you have a couple choices:

    1. Run the traffic through a proxy that can deep inspect the traffic and handle the throttling you want in the way you want (I don't think squid on pfSense can do what you're after, so it would have to be something external)
    2. Find the AS numbers for the networks you want to target and run them through pfBlocker to build lists to use for classifying traffic -- gets you the closest but since it only works by organization and not site, may not classify things how you want. For example it couldn't distinguish YouTube from Gmail.
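What option 2 amounts to in practice, as an added example (not pfBlocker's own code): a longest-prefix lookup of the destination address against per-organisation prefix lists, which shows why the classification stops at the organisation. The AS labels, prefixes and rate values are constructed for illustration and are not real allocations.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for the lists pfBlocker would build from AS numbers.
# AS64496/AS64497 are from the documentation range; the prefixes are made up.
ORG_PREFIXES = {
    "AS64496-videocorp": ["203.0.113.0/24", "198.51.100.0/25"],
    "AS64497-socialcorp": ["192.0.2.0/24"],
}
# Assumed policy: one shared cap per organisation, in kbit/s.
ORG_RATE_KBPS = {"AS64496-videocorp": 5000, "AS64497-socialcorp": 1000}

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(org_prefixes) -> Table:
    """Flatten the per-org lists into one table, most specific prefix first."""
    table = [(ipaddress.ip_network(p), org)
             for org, prefixes in org_prefixes.items() for p in prefixes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify_ip(dst_ip: str, table: Table) -> Optional[str]:
    """Longest-prefix match: first hit in the sorted table wins."""
    addr = ipaddress.ip_address(dst_ip)
    for net, org in table:
        if addr in net:
            return org
    return None


def shaping_for_flow(dst_ip: str, table: Table) -> Tuple[Optional[str], Optional[int]]:
    """(organisation, kbps cap) for a flow; (None, None) leaves it unshaped.
    Two services hosted by the same organisation (say a video site and a mail
    site on neighbouring addresses) necessarily get the same answer here."""
    org = classify_ip(dst_ip, table)
    return org, ORG_RATE_KBPS.get(org) if org else None


if __name__ == "__main__":
    t = build_table(ORG_PREFIXES)
    for ip in ("203.0.113.10", "203.0.113.200", "192.0.2.1", "10.0.0.1"):
        print(ip, shaping_for_flow(ip, t))
```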

  • I guess what I'm looking for is option #1: a proxy that can do deep packet inspection, even if it runs on raw Linux (not necessarily pfSense). As far as I know, squid is the most popular proxy around. If it can't do it, do any others come to mind that I should look into that might?

    Squidblacklist has 2 million domains that it categorizes. Even if we only cared about some of the categories, that would still be tens, if not hundreds of thousands of domains. Finding the AS number for each one would probably be impractical.

  • Rebel Alliance Developer Netgate

    I don't know if squid can do it or not. It may be able to, just not squid on pfSense since it is constrained by what is possible in the GUI.

  • Ok - I'll have to look into it.

    Thanks for the info
