What's the issue with transparent shaping



  • Hi,

    we have serious problems with integration of the pfsense box into our company LAN. (request for details)
    As far as I know, shaping only works in non-transparent mode. But no one says where the problem is!?

    so please let me know what the issue with the transparent traffic shaper is…

    thank you,
    mrt_ok



  • @mrt_ok:

    Hi,

    we have serious problems with integration of the pfsense box into our company LAN. (request for details)
    As far as I know, shaping only works in non-transparent mode. But no one says where the problem is!?

    so please let me know what the issue with the transparent traffic shaper is…

    thank you,
    mrt_ok

    Don't remember... something to do with IPs maybe, but some have claimed it works, so YMMV.  It hardcodes the network address of the LAN interface if I remember correctly... so if that address isn't on the bridged LAN segment, then I believe it doesn't shape.  This is from memory... try it out, let us know what you find (let us know if the rules look "sane" - for our definition of sane).

    --Bill



  • @mrt_ok:

    Hi,

    we have serious problems with integration of the pfsense box into our company LAN. (request for details)
    As far as I know, shaping only works in non-transparent mode. But no one says where the problem is!?

    so please let me know what the issue with the transparent traffic shaper is…

    This would interest me also. I have a quite similar situation: we have a bunch of IPs which we are using in our LAN. In order to achieve good performance for all the users we'd need a traffic shaper, but it seems like there aren't any available that support transparent mode. m0n0wall, pfsense etc. all have this NAT issue which makes them unsuitable for our use. Was wondering if I could achieve this kind of functionality with some basic Linux distro? Any pointers on this?



  • Hi,

    yes, I read it in the "tricks" thread at the beginning....

    dvserg said that his experience is that only incoming traffic is shaped....

    can you point me to some files?

    kind regards,
    mrt_ok



  • @mrt_ok:

    Hi,

    yes, I read it in the "tricks" thread at the beginning....

    dvserg said that his experience is that only incoming traffic is shaped....

    can you point me to some files?

    kind regards,
    mrt_ok

    /etc/inc/filter.inc
    /etc/inc/shaper.inc
    /usr/local/www/shaper
    /usr/local/www/wizards/traffic_shaper_wizard.xml (or something... going from memory)
    /tmp/rules.debug (dynamically generated rules file)

    That should get you just about everything related to traffic shaping.
    --Bill



  • thank you guys,

    mrt_ok



  • Good luck, if you can improve it, I am interested in looking at the code.  Else some day in the mythical future when I have time to get a round tuit I'll probably spend some time on the shaper code again... too many projects, not enough time.

    --Bill



  • Hi all,

    after a brief code review, and of course a look at the generated rules for certain configurations, I'm a bit confused because I'm not sure about the basic configuration for a bridged shaper setup. Then I dug into pf basics, transparent firewall setup and bridged setup.

    the guidelines which I found are (taken from http://ezine.daemonnews.org/200207/transpfobsd.html):

    1. create only rules for outgoing traffic (ingoing is not supported, doesn't make sense)
    2. create rules only on one interface of the bridge, allow all traffic in each direction on the other

    after this configuration mentioned in the example above, only adding the altq stuff is needed (I guess), taken from pf-FAQ:
    altq on fxp0 cbq bandwidth 2Mb queue { std, ssh, ftp }
    queue std bandwidth 50% cbq(default)
    queue ssh bandwidth 25% { ssh_login, ssh_bulk }
    queue ssh_login bandwidth 25% priority 4 cbq(ecn)
    queue ssh_bulk bandwidth 75% cbq(ecn)
    queue ftp bandwidth 500Kb priority 3 cbq(borrow red)

    having a rule which assigns the desired traffic to these queues:
    e.g. pass out on fxp0 from any to any port 22 queue ssh

    now my traffic shaping setup on a bridged environment should be complete!?

    comments are welcome ;-)

    sorry that this is just a theoretical approach...

    thx,
    mrt_ok



  • Now look at how our rules are generated.  There's a reason it's difficult for humans to hand write shaping rules.

    --Bill



  • We really want to get these things fixed but everyone should stop and read what we have read.  There are many sections in wiki.pfsense.com (not to be confused with doc.pfsense.com) which go over what we have learned from HFSC.  HFSC is quite the math guru's dream come true.  It does require a bit of thought and there ARE ways of making this work.

    I would highly recommend reading the thread http://forum.pfsense.org/index.php/topic,2484.0.html ... Quite an eye raiser.



  • Hi,

    after reading your suggested posts, I'm a bit confused again :-)

    of course it's not easy to calculate the different bandwidths of the queues, but that was not my intention ...

    I just wanted to know what has to be done to get this transparent shaping thing to work (with or without wizard)

    thanks,
    mrt_ok



  • hi guys,

    please let me know when you start to solve the transparent shaper issues. I'd like to contribute if my old PHP and firewall know-how can help.

    I had to tell my customer to timeshift the decision a bit - so there is a chance to place pfsense again - cause I think it's a great project!
    in case of a deal I'd like to donate - of course!

    kind regards,
    mrt_ok



  • @mrt_ok:

    hi guys,

    please let me know when you start to solve the transparent shaper issues. I'd like to contribute if my old PHP and firewall know-how can help.

    I had to tell my customer to timeshift the decision a bit - so there is a chance to place pfsense again - cause I think it's a great project!
    in case of a deal I'd like to donate - of course!

    kind regards,
    mrt_ok

    http://forum.pfsense.org/index.php/topic,2686.0.html

