Traffic shaper changes [90% completed, please send money to complete bounty]
-
My Pleasure! ;)
-
$50 sent to paypal@chrisbuechler.com
Thanks for all the work!
-
For all the bounty people a simple introduction to the new shaper interface:
There are 5 new things:
1- Floating rules
2- The way you configure queues
3- The way you setup traffic to belong to a queue
4- DSCP(diffserv codepoint) matching
5- IPSec tunnels shaping
1- Is a tool to allow all sorts of things.
Basically from this tab you can choose multiple interfaces for a rule, which direction the rule applies, if it is a terminating rule [quick], and if you want to tag traffic with it for later matching with this tag.
For example, you want http traffic to be allowed to go out on every interface you have.
Just setup direction outgoing, port 80 and click save.
If you want the rule to apply only to certain interfaces, select them at the interface selection by holding down the CTRL button and choosing the ones you want, and the above rule applies only to those interfaces.
This way for example you can load balance squid, with a rule as pass out from any to any port 80.
Now if you do not select the quick option the rule is not terminating, meaning even if it matches the traffic it goes to the next rule and is matched against those. If the next rule matches, it is the matching rule now. Tags can be applied from one rule to the other.
I.e., let's say you want to pass/shape traffic from protocol tcp, icmp, udp from different interfaces to the same queue. Instead of having to choose the action/queue on each rule, just setup the rules and in the advanced section apply the same tag to them. At the end of these just setup a rule which passes or blocks the traffic tagged/marked with the previous tag, or the queue they should go to. So next time you decide this traffic should go to a different queue you just change one rule and not all of them.
Be aware that to preserve previous behaviour the rules created on the specific interface take priority, meaning that they are just applied if traffic matches and that is the final verdict.
So if you want a mix of Floating Rules and specific interface rules you must be very specific on the specific interface rules so as not to override the actions chosen on floating rules.
2- Now on the Firewall->Traffic shaper you configure only the queue parameters.
To know better what they mean you have to read the pf.conf manual page or just go to http://www.openbsd.org/faq/pf and read about shaping.
To shape traffic on multiple interfaces with only one rule: just create on multiple interfaces a queue with the same name and then just setup a rule that makes the desired traffic go to that queue, and even if traffic passes to a different interface it will go to this queue and be shaped accordingly.
Be aware that the queues with the same names share only the name; they can have different priority, bandwidth, discipline, or even the hierarchy of queues may be different. Just the name has to be the same.
For example, if you have 3 interfaces: one LAN and 2 internet links. You have created a load balancing pool for the 2 internet links and want to shape http traffic on the links to the queue http created with the desired parameters on the Traffic shaper configuration.
There are 2 ways to do it.
a) From the lan tab choose all traffic with a destination port of http and select queue http; this takes care of it.
b) Go to the Floating tab and create the same rule there.
If you have Squid running and want to load balance, the only place is the Floating tab. Create a rule with outgoing direction, select the 2 interfaces where the internet links are connected, and choose the queue http for traffic with destination port 80 and protocol tcp.
3- Now the queues are specified on the rule tab, and you have easily noticed that.
4- You can now match traffic based on DSCP, so it is easier to match VoIP traffic.
5- IPSec inside tunnels is transparent.
Just setup rules as you do for traffic passing from LAN to WAN and choose the queue you want to apply.
So if you want RDP to have better priority than other things on the tunnel, just setup rules as said in 1-.
For any questions do not hesitate.
Regards and thank you again for your support,
Ermal
-
Forgot the By queues view:
It allows you to copy queues from one interface to the other.
Cloning a full interface is not currently supported.
-
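As an added example (not code from Ermal's post or from pfSense itself): the three-interface setup from 2- and the floating/tag rules from 1- written out in plain pf.conf, the syntax that the pf.conf manual page and the OpenBSD FAQ linked above describe. The interface names (em1 and em2 for the two internet links), bandwidths, queue names and tag names are assumptions; the GUI tabs generate the equivalent rules for you, so this only shows what the tabs map onto.

```conf
# Added example, not from the post: pf.conf for the 3-interface scenario in 2-.
# em1/em2 are the two internet links; all bandwidths and names are assumptions.

# 2- Queue parameters, one set per interface. qHTTP and qVoIP exist on both
# links, so a rule can say "queue qHTTP" without caring which link the load
# balancer picks. They share only the name: em2 gets different parameters.
altq on em1 hfsc bandwidth 2Mb queue { qDefault, qHTTP, qVoIP }
queue qDefault on em1 bandwidth 40% hfsc(default)
queue qHTTP    on em1 bandwidth 30% hfsc(upperlimit 1500Kb)
queue qVoIP    on em1 bandwidth 30% hfsc(realtime 256Kb)

altq on em2 hfsc bandwidth 1Mb queue { qDefault, qHTTP, qVoIP }
queue qDefault on em2 bandwidth 50% hfsc(default)
queue qHTTP    on em2 bandwidth 25%
queue qVoIP    on em2 bandwidth 25% hfsc(realtime 128Kb)

# 1- Floating rules: several interfaces, outbound, NOT quick, so evaluation
# continues down the ruleset. The tag sticks to the packet and its state.
pass out on { em1 em2 } proto tcp from any to any port 80 tag WEB

# 4- DSCP matching. pf's "tos" keyword compares the whole TOS byte, so
# DSCP EF (decimal 46) is 46 << 2 = 0xb8.
pass out on { em1 em2 } proto udp from any to any tos 0xb8 tag VOIP

# 3- The queue is chosen on the rule: one terminating (quick) rule per tag.
# Moving all WEB traffic to another queue later means editing one line.
pass out quick on { em1 em2 } tagged WEB  queue qHTTP
pass out quick on { em1 em2 } tagged VOIP queue qVoIP
```

The `on <interface>` form ties each queue definition to its link; defining the same name on two interfaces is the behaviour Ermal describes for this shaper, so check that your own pf build accepts it with `pfctl -nf <file>` before loading. Rule order matters here: the non-quick tag rules must come before the quick `tagged` rules, otherwise the queue rule never sees the tag.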
is it possible to make a new queue that is a child of an existing queue?
-
Sure.
-
If I have a queue called qVoip23 in the Lan, how do I make a new queue that has as parent qVoip23 ?
-
Click qVoip23 on the tree and then click the "Add queue" button at the bottom of the form.
I thought it was intuitive enough, no?!
-
Wondering if it would make sense to be able to right click a queue and receive a popup that has delete queue and add new child queue?
-
Wondering if it would make sense to be able to right click a queue and receive a popup that has delete queue and add new child queue?
To me it seems like hidden functionality, since most web functions are performed with click-and-go.
It would be nice to have drag-and-drop for the queues, allowing them to be cloned easily, but this version of the tree does not have it afaik.
-
@ermal:
Click qVoip23 on the tree and then click the "Add queue" button at the bottom of the form.
I thought it was intuitive enough, no?!
:-)
I didn't get it. I get it now.
maybe change "Add queue" to "Add child queue" ?
-
Maybe, but as I thought of it a queue is always a child of its parent, and the tree assumes that too!
No?! (If no, then maybe i can make that change.)
-
Hi Ermal,
I'm getting this error when I click on the wizard:
Parse error: syntax error, unexpected T_STRING in /usr/local/www/firewall_shaper_wizards.php on line 61
I had queueing enabled prior to upgrading to this version but those are not showing now. Let me know. Thanks. The new interface looks very nice btw :)
-
You can try an update or just remove line 61; it is just the title in there which was wrong, or copy it from.
-
traffic_shaper_wizards.php, then it works. First you should try a recent update from Ermal's link. If this isn't working, you can delete line 61 manually as a workaround.
Greetings Heiko
-
OK, I commented out line 61 in that file and I can use the wizard now.
I'm trying to do multiple WAN/multiple LAN and every time the wizard finishes I only have the shaper on the WAN interface; my other interfaces (opt1,2,3) do not have any queues in them!
I tried manually adding queues on each interface and it's not doing it
I tried cloning the queues from WAN and no luck there either
Maybe I don't have the latest files?? Can Ermal PM me the latest CVS file location again? Thanks.
-
Hi all,
It looks like you guys have put some good time and effort into getting the traffic shaper what it needs to be. Hopefully this bounty is of value to me and I can throw in $50-100 for it.
It sounds like this is possible to do, but I just wanted to verify.
I have 1 wan (probably 2 in the future) on pfSense. It's about a 12/2meg connection.
LAN has a local router and also 2 access points. I would like to split/share the bandwidth amongst these 3 devices attached to the LAN. The trick here is that I need to have more than 2 layers of queues
wan > pf (10.0.0.1) > switch > AP1 > customer router1(10.5.x.1) (Linksys Tomato) > customer router 2(10.5.x.1) > AP2 > customer router 3(10.6.x.1) > etc(10.6.x.1) > local router > Local PCs
Sorry that diagram isn't working well. Basically - the AP1, AP2 and local router are attached to pfSense by a switch. Then customer routers are static routed networks off of pf.
The caveat is that each AP is only capable of about 5-6mbps of total traffic. I would like to let customers share the full-speed of the bandwidth from the AP. Also, there may be some customers that would get less than an even share (penalty box per customer?)
At the same time, we obviously need to prioritize VoIP, http, DNS and set everything else to a lower priority.
So, I believe what I need to do is:
1. Ident traffic type (flags in new shaper?)
2. Setup multiple queues within queues?
a. WAN queues >
b. queues for the individual APs (1 for the 10.5.xxx network and 1 for 10.6.xxx network) >
c. within the queues for the individual APs: queues or rules for traffic types (http, dns, etc)?
d. a way to limit individual customers (ie 10.5.3.x network gets limited to 512k but the rest of 10.5.xxxx gets to share the full bandwidth of the AP)
Does that make sense? Will the new shaper allow me to do this? I think it's just multiple layers of queues? I do have outbound traffic shaping on the customer routers so they can't saturate the AP. Customer routers inbound shaping is limited to dropping packets - I don't want to use that option on the customer routers.
Thanks for your input. I would love if I can throw in some cash to the pot and get access to the new shaper if it will work for me.
Regards,
Aaron
-
Yeah it can do multiple level of queues and all of what you describe.
-
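An added example of the multi-level queue tree Aaron describes, written in plain pf.conf (this is not code from the thread or from pfSense; the GUI builds the same thing from the queue tree and the rule tabs). The interface name em0 for the LAN side facing the switch, the 12Mb downstream figure, the queue names and all bandwidth numbers are assumptions. Downstream traffic (internet to customers) is shaped where it leaves pfSense, i.e. on the LAN interface, which is where the per-AP caps belong.

```conf
# Added example, not from the thread: queue tree for one WAN feeding two APs
# and a local router. em0 (LAN side), 12Mb and every number below are assumed.

# Level 1: the WAN downstream, split per device hanging off the switch
altq on em0 hfsc bandwidth 12Mb queue { qAP1, qAP2, qLocal }

# Level 2: one subtree per AP, hard-capped at what the AP can actually move.
# HFSC link-sharing lets the children borrow unused bandwidth from each
# other, but the subtree as a whole never exceeds the 5Mb upperlimit.
queue qAP1 bandwidth 5Mb hfsc(upperlimit 5Mb) { qAP1_voip, qAP1_web, qAP1_bulk, qAP1_penalty }
  # Level 3: per traffic type inside AP1
  queue qAP1_voip    bandwidth 512Kb hfsc(realtime 512Kb)   # guaranteed, low delay
  queue qAP1_web     bandwidth 2Mb
  queue qAP1_bulk    bandwidth 2Mb
  # Level 3 "penalty box": one customer network capped at 512Kb
  queue qAP1_penalty bandwidth 256Kb hfsc(upperlimit 512Kb)

queue qAP2 bandwidth 5Mb hfsc(upperlimit 5Mb) { qAP2_voip, qAP2_web, qAP2_bulk }
  queue qAP2_voip bandwidth 512Kb hfsc(realtime 512Kb)
  queue qAP2_web  bandwidth 2Mb
  queue qAP2_bulk bandwidth 2Mb

# Local router and anything unclassified; exactly one queue is the default
queue qLocal bandwidth 2Mb hfsc(default)

# Rules on the LAN side create the state. pf applies the state's queue to
# packets of that connection in both directions, so the downstream replies
# leaving on em0 land in the same queue. Most specific first, all quick.
pass in quick on em0 from 10.5.3.0/24 to any queue qAP1_penalty
# VoIP by DSCP: "tos" compares the whole TOS byte, EF (46) is 0xb8
pass in quick on em0 from 10.5.0.0/16 to any tos 0xb8 queue qAP1_voip
pass in quick on em0 proto tcp from 10.5.0.0/16 to any port { 80 443 } queue qAP1_web
pass in quick on em0 proto udp from 10.5.0.0/16 to any port 53 queue qAP1_web
pass in quick on em0 from 10.5.0.0/16 to any queue qAP1_bulk

pass in quick on em0 from 10.6.0.0/16 to any tos 0xb8 queue qAP2_voip
pass in quick on em0 proto tcp from 10.6.0.0/16 to any port { 80 443 } queue qAP2_web
pass in quick on em0 proto udp from 10.6.0.0/16 to any port 53 queue qAP2_web
pass in quick on em0 from 10.6.0.0/16 to any queue qAP2_bulk
```

Two things to keep in mind with this shape. The child bandwidths under each AP must not add up to more than the parent (here 4.77Mb and 4.5Mb under 5Mb caps). And because the queue is attached to the state, the upstream direction on the WAN interface is only shaped if queues with the same names exist there too, which is exactly Ermal's point 2- above; on an interface that has no queue of that name the packets fall into that interface's default queue. `pfctl -vsq` shows per-queue packet counters, which is the quickest way to confirm traffic is landing where you expect.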
Great! Thank you! I just sent $75 to Chris.
@ermal:
Yeah it can do multiple level of queues and all of what you describe.
-
So I guess I need to know how to access and install this. I will get a PM? This is an embedded install on ALIX.2C3
Regards,
Aaron
-
Yes, pretty soon.