Emulate a slower connection, PBX is outside of FW & it needs dedicated bandwidth
-
I apologize ahead of time of this is noted anywhere as I didn't see it. In short: my company has a SIP-based PBX outside control of the firewall. I want to dedicate a set bandwidth to it (for voice quality) & preferably time/schedule-based. Thus as I understand I need to throttle, which is obviously through the shaper itself or its limiter. However as I was playing around today I suddenly realized there is 3 (if not more) ways you could do this:
1)Throttle every individual to the max bandwidth (ex: you have 4.5Mb internet, you throttle all to 4.1Mb, however that means at any point-in-time you could have 2 people using the max, totaling 8.2Mb, which would use all 4.5Mb)
2)Throttle every individual to the min bandwidth (ex: you have 4.5Mb internet, 25 users, you throttle all to 0.146Mb, however that means everyone has slow bandwidth, bad for expandability [if we were to add another user], & reality tells me we would never combined hit the 4.1Mb, thus wasting bandwidth)
3)Emulate or only allow a max throughput of 4.1Mb to WAN (thus someone can still hog bandwidth which I can deal with later, but it gives the dedicated bandwidth to the PBX)I NEED option 3, I speculate that is how pfSense does it, but I wanted to confirm (as I have a netgear firewall in place currently & throttling groups of people did it as #1, per etherape tool I am watching)
Any feedback is appreciated, I don't pretend to know alot, but I definitely enjoy learning networking!
MORE IN-DEPTH DETAIL to our current setup:
internet–>three T1 cards-->adtran modem-->WAN switch-->pfsense-->LAN switch-->end-users-How things are connected/pass-through the adtran: Three T1's are NET1,2,4; PBX is NET3 of adtran modem; WAN switch is ETH 0/1
-I am more then happy to remove the WAN switch (its a unmanaged variation) if requested. However it currently allows us multiple gateways to internet (as we currently have another firewall actively in use & are actually live-testing pfsense with one PC)Side note to forum admins: your registration email sent my password in cleartext, not really cool for a security-based organization
-
As I anticipated might happen, I figured it out through trial-and-error. I have limited understanding of linux/unix/freebsd & with the limited info I found (the definitive pfsense guide & http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter) I couldn't figure it out. Sure enough its THIS simple:
setup two limiters (as suggested), apply to firewall rule (I did it to LAN). I knew that, however there are a few catches a newbie like me didn't catch:
1)you cannot set the Destination to WAN address (I believe because it will them pump it through WAN, bypassing the virtual dummynet limiters)
2)you HAVE to put the rule ABOVE the 'Default allow LAN to any rule'. Either that or simply modify that existing rule to add the in/out limitersI was pulling my hair out. Sure enough it IS working in 3rd way I described above, where two or more people cannot reach past the set limiter. Right now I am testing the schedule-based aspect of this, crossing my fingers. I am sure some more knowledgeable people are giggling at me.
If anyone wants to chime-in the best way to setup some kind of content filter (without changing our existing DNS system) through pfSense my ears are open wide!
Also note to admin's again:
Broken link: http://files.pfsense.org/tutorials/squidguard/squidGuardQuick.htm on the main tutorial page: http://doc.pfsense.org/index.php/TutorialsSide note to people use the schedules: you can't use a space in the name, it took me like 5min to figure out why it didn't like mine