Layer 7 traffic shaping in pfSense 2.0 Beta 4



  • I currently have pfSense 2.0 B4 (12th Aug 2010) installed and would like to use the Layer 7 option to shape unclassified P2P traffic (Xunlei - these are not encrypted and are used by video streaming apps).
    How do I go about it, since there seem to be two separate options: Layer 7 container groups, and floating rules which reference them?
    I need only shape the UDP aspect, since the Default rule catches the TCP traffic (I whitelist for priority).

    I've already set up a Layer 7 container group like so:

    Do I also need to setup a UDP catchall floating rule like so?:

    Thanks.

    Edit: I have a UDP catch-all for the purpose of online games, where ports are dynamic UDP and there is no real way to classify the traffic. Hence, I need to catch the P2P traffic before it goes on to match the rule for online games.



  • I'm in the same boat as you: torrent traffic matching UDP game ports.
    Let us know what you did to solve this, please.



  • I didn't. I subsequently found out that the L7 shaper is only capable of blocking traffic, not classifying it into queues.
    I simply restricted the torrent ports used by computers at home so that I can catch them via regular firewall rules. For computers that I can't touch, I used the classifying function in UPnP to send them the right way.

    You also have to note that the L7 can't catch encrypted traffic.



  • Okay, reviving an old thread, but here is THE solution for torrents.

    You need to create a virtual IP address on the network interface where you use your torrent software. Then, in your torrent software, you go into the advanced configuration, find every "IP binding" setting, put your new virtual IP address in and restart your software. In uTorrent there are two settings to change, I can't remember which ones though.

    Then you shape this IP address completely without ports or anything.

    uTorrent will not use your listening port to connect to other peers, so those outgoing connections aren't shaped. Using my method everything uTorrent does is being shaped, even tracker scraping…

    I found this post because I was looking to learn how to make L7 work. I want to shape FTP, and it needs L7 to be shaped correctly because of passive servers. I want to shape my hosts connecting to remote passive FTP servers.

    MageMinds
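    As an added illustration of the approach above (not configuration posted by anyone in this thread), this is what "shape this IP address completely without ports" looks like in raw pf ALTQ syntax, the layer pfSense 2.0 generates from its GUI rules. The interface name em0, the 10Mb link rate, the queue names and the virtual IP 192.168.1.50 are assumed values; adjust them to your own setup.

```pf
# Added illustration, not configuration from the thread: shaping a torrent
# client by its bound source address, in raw pf ALTQ syntax (pfSense 2.0
# generates rules of this shape from its GUI). Interface, bandwidth, queue
# names and the 192.168.1.50 virtual IP are assumed values.
ext_if   = "em0"
p2p_host = "192.168.1.50"   # the virtual IP the torrent client is bound to

# Parent HFSC discipline on the WAN interface: a default queue plus a
# P2P queue hard-capped by upperlimit so it cannot starve the others.
altq on $ext_if hfsc bandwidth 10Mb queue { qDefault, qP2P }
queue qDefault bandwidth 80% hfsc(default)
queue qP2P    bandwidth 10% hfsc(upperlimit 1Mb)

# Match on source address only, with no protocol or port: everything the
# bound client sends (peer connections on any port, DHT over UDP, tracker
# scrapes) lands in qP2P. "quick" makes this rule win before any later
# UDP catch-all meant for game traffic.
pass out quick on $ext_if from $p2p_host to any queue qP2P
```

    The rule only works while the client really is bound to the virtual IP; if the binding is lost (for example after an upgrade resets the setting), its traffic leaves from the host's primary address and falls through to whatever rule follows, so it is worth checking the queue counters (pfSense's Status > Queues, or `pfctl -vsq` on the shell) after a client restart.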



  • Actually, newer snapshots should have fixed Layer 7 behaviour.
    You can find the comments in http://redmine.pfsense.org/issues/636



  • I do have good news about Layer 7 blocking: I was able to block all POP3 traffic from leaving my box. I still have to do more testing, but progress is being made :-) Thanks Ermal!!!!



  • @MageMinds:

    Okay, reviving an old thread, but here is THE solution for torrents.

    You need to create a virtual IP address on the network interface where you use your torrent software. Then, in your torrent software, you go into the advanced configuration, find every "IP binding" setting, put your new virtual IP address in and restart your software. In uTorrent there are two settings to change, I can't remember which ones though.

    Then you shape this IP address completely without ports or anything.

    uTorrent will not use your listening port to connect to other peers, so those outgoing connections aren't shaped. Using my method everything uTorrent does is being shaped, even tracker scraping…

    I found this post because I was looking to learn how to make L7 work. I want to shape FTP, and it needs L7 to be shaped correctly because of passive servers. I want to shape my hosts connecting to remote passive FTP servers.

    MageMinds

    I understand how to use multi-homing for uTorrent, but in my case I'm looking at software that I have no control over, like some online video streaming software that uses P2P technologies.

