Traffic shaper changes [90% completed, please send money to complete bounty]
-
The company I work for may be interested in this. Right now we have a pfsense box with a /24 of ips on 20 mb/s metro e, and a /26 on 6 mb/s 4 bonded t-1's and a managed cisco 3600 series. We recently met with a ccie about a cisco 3845 for the metro e, and implementing bgp.
Would the new shaper changes allow us to shape the connections and allow for one to be much faster than the other? We don't really need load balancing, just failover. Also, could we use the failover capabilities of pfsense instead of a 3845 to completely failover the metro e to the bonded t's? I would much rather use pfsense for everything possible as long as it's very stable like the test box I set up on the metro e and just left there because it worked so well. We would also want to purchase the support because downtime is really big $$$ for us now that we've grown. That's why we need the failover.
-
If by "one to be much faster than the other" you mean that the failover is not the same speed as the primary, the answer is a simple yes.
-
Sorry, let me try to clarify.
What we want is our main connection to be the metro e on dark fiber setup as an oc-12 ring and upgradable to oc-192. We have a /24 of ips on it that we want to automatically fail over to the bonded t-1's that we may upgrade to a t-3 if our critical traffic increases past the 6 mb/s mark. We currently have 20 mb/s on the ring and 6 mb/s with the t-1's. We've started moving our internet servers in house, and are getting ready to implement our new intranet to around 50 branch offices over the year. Those vpns combined with the 70 other vpns to our partners will put us well over 100 site to site vpns. We will also be implementing around 200 client vpns for our ae's notebook computers. We're currently using a sonicwall 4060 as the vpn concentrator, nat, gateway anti-virus and content filter for the corporate office and were thinking of upgrading it to an e class when necessary. We also do video conferencing and voip. We will be adding a large streaming media server also. The main connection will need to be able to handle at least 40 mb/s of heavy traffic. I would prefer it be able to truly handle 100 mb/s of heavy traffic. We have a ccie that wants to put in a 3845 and says it will handle 45 mb/s and it can be set up with bgp. The 3600 series is managed by the phone company.
What I would like to propose to the owners is a system that we can traffic shape all these services on the faster connection. When it goes down for some reason, I want it to switch to the t-1's and change the shaping to commit the necessary bandwidth to the critical services, and give non-critical much less priority. I would prefer not to have to buy the cisco stuff. It tends to be reliable, but it's way too expensive for the performance. That's why we standardized on the sonicwall stuff when we first opened. I also think it would be better for our company to work with a group that will actually customize the system based off our needs. I know this will probably need to be in a new bounty, but I would appreciate a little feedback so I can figure out what I really need to ask for. Also, we're in Lexington, KY, so we're pretty close to some of you.
-
Well, about the failover and committed bandwidth, you can do it. You just need to set it up properly.
But it is doable pretty easily. The new interface helps with that too. For the other things another thread would be appropriate so we can discuss.
-
Forgive me if this is a stupid question, but how is the rest of the process going to work? It looks like people are sending their $$ in, when will the patch be released? Once it is, will it become part of the main project code or just exist as a patch?
Read the "Bounty board rules and guidelines" post but that didn't seem to answer many questions.
-
The code has been committed to RELENG_1 and HEAD and is being rapidly tested and abused by us. We have identified a few major issues but all I can say is that this code is going to kick so much ass it's not even funny. You can select different schedulers per interface now and a bunch of other neat goodies. Stay tuned!
-
wow pf rules ! Ok, sorry for the sudden outburst of enthusiasm. If you guys (the pf community) ever want some prizes for contests or anything like that let me know and I can hook you guys up with some free music gift cards (around $50-100 worth) for grooveshark.com (I work there).
prob the wrong place to post a random thought like this … feel free to move
-
I have been testing the new shaper and OMG. It's incredible!
However, I hate beating this dead horse. We have only collected $500 of what was around $5K!
So please, do your part and paypal the amount you pledged today to paypal@chrisbuechler.com !!!!
If we can get folks moving, we might be able to convince Ermal to make a 1.2 patch and I'll create a package for it.
-
sounds good! i guess you mean the $500 from me :)
-thomas
-
Just an idea, PM those that haven't paid up or email them, as I can see wcoolnet & Delphinus haven't been around lately. And make a list here.
The following have donated to this bounty.
Still waiting to hear from.
Maybe a list of features added could help getting more money.
Hope it helps.
-
Hi!
Would just like to check….
I've got:
- PPPOE with multiple IPs
- WAN, LAN and DMZ interfaces
- VOIP on LAN
- Email and Web on separate IPs in DMZ
What I'd like to be able to do is:
- Give VOIP highest priority
- Then Web
- Email low priority
Will this mod do what I want?
Thanks!
James.
-
What it can do:
1- Supports CBQ, HFSC, PRIQ schedulers with any combination of them on any number of interfaces. To suit any strange environment.
2- You can shape
Bridge, PPTP, PPPoE, OpenVPN or tun devices, IPSec incoming, Overall IPSec tunnels, L2TP, or any other device/software that does IP traffic in a distinguishable way.
3- You can create policy filtering, as there is a new tab which allows expressing a late match syntax with support for tagging and matching on tags (I call them marks in the GUI) and directions. Simply allows one PF expert to do policy filtering.
4- The queues are specified in each rule you create, there is no more a rules tab on the shaper section. This makes things cleaner and easier to manage.
5- You can shape/override DHCP, DNS, or any default policy of pfSense by just creating rules from the GUI.
6- The easiest way to create a policy for multiple interface shaping and filtering, at least in contrast with what I have used.
7- [Is on its way] Multiple wizards to use on different environments.
Requirements:
1- Know-how.
Meaning you should know what you want; then I guarantee it can be done with this new module, and the wizards should help on this. Am I missing anything, Scott?!
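To make the feature list concrete, here is a pf.conf fragment of the kind the new shaper generates for the setups asked about in this thread (James's VoIP > web > mail priority, and the earlier Metro E with failover to bonded T-1s). It is an added illustration, not code from the thread or from pfSense itself; the interface names em0 (Metro E, 20 Mb) and em1 (T-1s, 6 Mb), the macros $voip_pbx, $dmz_web and $dmz_mail, and the bandwidth splits are assumptions.

```pf
# Constructed example: one HFSC scheduler per WAN link (feature 1), queues on
# both links so the priorities survive a failover from em0 to em1.
# Child bandwidths sum to the link rate; realtime reserves bandwidth for VoIP.
altq on em0 hfsc bandwidth 20Mb queue { voip_m, web_m, mail_m, dflt_m }
queue voip_m bandwidth 4Mb hfsc(realtime 4Mb)
queue web_m  bandwidth 8Mb hfsc(linkshare 8Mb, upperlimit 16Mb)
queue mail_m bandwidth 2Mb hfsc(linkshare 2Mb, upperlimit 10Mb)
queue dflt_m bandwidth 6Mb hfsc(default)

# On the 6 Mb backup link VoIP gets a larger share and mail is squeezed hardest.
altq on em1 hfsc bandwidth 6Mb queue { voip_t, web_t, mail_t, dflt_t }
queue voip_t bandwidth 3Mb    hfsc(realtime 3Mb)
queue web_t  bandwidth 1500Kb hfsc(linkshare 1500Kb, upperlimit 4Mb)
queue mail_t bandwidth 500Kb  hfsc(linkshare 500Kb, upperlimit 2Mb)
queue dflt_t bandwidth 1Mb    hfsc(default)

# Feature 3: tag traffic where it is easy to recognise (on the way in from the
# PBX and DMZ hosts), then match on the tag at the egress interface.
pass in quick on $lan proto udp from $voip_pbx to any port 5060 tag VOIP keep state
pass in quick on $lan proto udp from $voip_pbx to any port 10000:20000 tag VOIP keep state
pass in quick on $dmz proto tcp from $dmz_web to any tag WEB keep state
pass in quick on $dmz proto tcp from $dmz_mail to any port 25 tag MAIL keep state

# Feature 4: the queue lives in the rule; whichever link is carrying traffic,
# the same tag lands in the matching queue on that link.
pass out quick on em0 tagged VOIP keep state queue voip_m
pass out quick on em0 tagged WEB  keep state queue web_m
pass out quick on em0 tagged MAIL keep state queue mail_m
pass out quick on em1 tagged VOIP keep state queue voip_t
pass out quick on em1 tagged WEB  keep state queue web_t
pass out quick on em1 tagged MAIL keep state queue mail_t
```

Anything untagged falls into the default queue of the link it leaves on, which is what gives non-critical traffic the lowest priority during a failover.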
-
What is with outgoing traffic eg. a range of ports within an ipsec-tunnel? Is this possible, for example
rdp -3389 outgoing traffic through the ipsec tunnel with a highest priority?
-
For now it is not supported, but is planned after i totally finish the gui cleanup and some small fixes for the current one to be ready to use.
The incoming part should be ready approximately by mid September.
Let's hope the people will respect this bounty first.
-
i have send you a personal message…
-
Uppss that should read mid february. Just a mismatch with my native language :)
-
Also for the outgoing packets through the ipsec tunnel eg. portbased….
mid february :D
Please send me the first invoice for about 800 $ ....you have the details....
Greetings heiko
-
Adding another feature so it remains as a documentation too:
8- If you have 3 different networks separated from each other and you want to combine to a single centralized management with pfSense and the new shaper, they can be handled/shaped separated or even provide failover for them. Kinda, basic support for different domains.
-
Eri,
however….it must only work as it should.... (ipsec shaping portbased incoming/outgoing) So, my payment is now 1600 $, per invoice 800 $.... that's my offer.
Greetings
Heiko
-
It will do that, possibly more!