Custom Traffic Shaper rules in 2.0.x



  • Dear Forum,
    pfSense is a great OS. I like to learn new things while running it at home.

    Now it's time for QoS. This might be an interesting task :)
    Let's summarize my needs:

    • My link is:
      30Mbit down, 3Mbit up.
    • Shaper Wizard used:
      traffic_shaper_wizard_multi_lan.xml
    • I'm running the following services (I'm learning how they work and what is needed for best performance):
      1 x VPN server (OpenVPN)
      2 x DNS server
      4 x TeamSpeak
      1 x Mumble
      3 x Minecraft
      1 x WWW server (a few websites)
      3 x SSH service
    • They require:
      DNS, TS, Mumble, SSH - low latency, low bandwidth, high priority
      VPN - low latency, middle bandwidth
      Minecraft - low latency, high bandwidth
      WWW server - middle latency, middle bandwidth
    • What's available:
      enough cpu resources (2 x vCPU)
      enough RAM (assigned 2GB)
      enough hdd space (10GB)
    • Additional requirements:
      rules as % of link speed value for easy expanding
      upload with guaranteed speeds, download shaped for all services dynamically - HFSC would be best I think
      protection against various DDoS attacks
      own XML (wizard) would be best
      not running Squid, but will soon (I have to assume queues will not limit this kind of service)
    • external KB sources:
      http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/
      http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/
    • What I don't fully understand - questions:
      why traffic shaper wizard creates qLink and qInternet on LAN while on WAN is only qInternet?
      what do Random Early Detection and Explicit Congestion Notification exactly mean?
      why is there a pps limit on qLink set exactly to 500? shouldn't it be more on faster links?
      I created rules using HFSC and PRIQ independently; rules based on port number (as example: 25565) were ignored when using HFSC. However, with PRIQ packets travelling to the same port were in the correct queue. I don't understand this.
      Why is the ACK queue so large (~20% both up/down)? I understand this is specific to ACKNOWLEDGE packets while they're required for successful transmission.
    • Giving here a few screenshots as examples of rules I tried/learned so far.

    In result, I would like to create custom traffic shaper wizard which fits these needs and share it to Community.
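
    The "rules as % of link speed" requirement above is something a small planner script can handle before any queue is typed into the shaper GUI. The example below is added here and is not code from pfSense or from this post: it takes the link rates quoted above (30 Mbit down, 3 Mbit up), a queue tree given in percent, checks that child queues do not oversubscribe their parent (pf refuses to load such an ALTQ definition) and that summed HFSC realtime guarantees stay under a cap, then renders illustrative pf-style queue lines. The queue names, the percentages, the interface name em1 and the 80% realtime cap are constructed assumptions, not pfSense defaults; the generated lines mimic pf.conf syntax for reading, not pfSense's exact output.

```python
"""Queue planner for pf ALTQ/HFSC shaping, with queues given as percent of link speed.

Added example: not code from pfSense or from the forum post. Link speeds come
from the post; queue names, shares, interface name and the realtime cap are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LINK_UP_KBIT = 3_000      # 3 Mbit/s upload, from the post
LINK_DOWN_KBIT = 30_000   # 30 Mbit/s download, from the post
QLIMIT = 500              # packets per queue; the wizard's default mentioned in the post

# Assumption: keep the summed HFSC realtime (guaranteed) share of an interface
# well below the link rate, since realtime bandwidth is reserved even when idle.
MAX_REALTIME_PERCENT = 80


@dataclass
class Queue:
    name: str
    share: float                 # linkshare, percent of the parent queue
    realtime: float = 0.0        # guaranteed (HFSC realtime), percent of parent
    default: bool = False        # catch-all queue for unmatched traffic
    children: List["Queue"] = field(default_factory=list)


def plan_tree(root: Queue, link_kbit: int) -> Dict[str, Tuple[int, int]]:
    """Resolve percentages to Kbit/s: {queue: (linkshare_kbit, realtime_kbit)}.

    Raises ValueError for plans pf would reject (children exceeding the parent)
    or that break the realtime cap, so the error shows up before the shaper
    fails to load.
    """
    result: Dict[str, Tuple[int, int]] = {}
    defaults = 0

    def walk(q: Queue, parent_kbit: float) -> None:
        nonlocal defaults
        share_kbit = parent_kbit * q.share / 100
        rt_kbit = parent_kbit * q.realtime / 100
        result[q.name] = (round(share_kbit), round(rt_kbit))
        defaults += q.default
        if q.children:
            if sum(c.share for c in q.children) > 100:
                raise ValueError(f"{q.name}: children oversubscribe the parent queue")
            if sum(c.realtime for c in q.children) > MAX_REALTIME_PERCENT:
                raise ValueError(f"{q.name}: summed realtime above {MAX_REALTIME_PERCENT}%")
            for c in q.children:
                walk(c, share_kbit)

    walk(root, link_kbit)
    if defaults != 1:
        raise ValueError("exactly one queue must be marked default")
    return result


def render_pf(root: Queue, iface: str, link_kbit: int) -> str:
    """Render illustrative pf.conf-style altq/queue lines for the resolved plan."""
    rates = plan_tree(root, link_kbit)
    lines = [f"altq on {iface} hfsc bandwidth {link_kbit}Kb queue {{ {root.name} }}"]

    def emit(q: Queue) -> None:
        ls, rt = rates[q.name]
        opts = []
        if rt:
            opts.append(f"realtime {rt}Kb")
        opts.append("ecn")
        if q.default:
            opts.append("default")
        line = f"queue {q.name} on {iface} bandwidth {ls}Kb qlimit {QLIMIT} hfsc ( {' '.join(opts)} )"
        if q.children:
            line += " { " + ", ".join(c.name for c in q.children) + " }"
        lines.append(line)
        for c in q.children:
            emit(c)

    emit(root)
    return "\n".join(lines)


# Constructed upload plan matching the service list in the post (assumed shares).
UPLOAD_PLAN = Queue("qInternet", 100, children=[
    Queue("qACK", 20),                     # TCP ACKs so downloads keep flowing
    Queue("qVoIP", 10, realtime=10),       # TeamSpeak/Mumble: guaranteed, low latency
    Queue("qGames", 30, realtime=15),      # Minecraft
    Queue("qDefault", 40, default=True),   # web, SSH, DNS, VPN and everything else
])

if __name__ == "__main__":
    print(render_pf(UPLOAD_PLAN, "em1", LINK_UP_KBIT))
```

    Because the plan is stored in percent, the same tree resolves against LINK_DOWN_KBIT for the LAN side, which is the "easy expanding" part: change the two link constants when the line is upgraded and every queue follows.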

  • Another functionality is logging firewall rules to external MySQL database
    I would like to add this via option in Shaper Wizard with option fields like:
    database server
    database name
    database user
    database pass
    as far as I know this can be done with a Remote syslog server like this:
    http://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog
    This would be configured on syslog-ng host - question is: is it compatible with pfSense syslog?
    http://www.gho.no/2008/10/setting-up-remote-syslog-to-mysql-with-cisco-ios-and-syslog-ng-in-linux/

    I'm currently running on 2.0.3 i386.
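
    On the syslog-to-MySQL side, the receiving end of the remote-syslog setup linked above is where the parsing and the database insert happen. The example below is added here and is not code from pfSense, syslog-ng or this post: it parses the RFC 3164 syslog header that remote logging emits, keeps the firewall message body as opaque text (the pf log line itself is not re-parsed here), and inserts rows through bound parameters so that text an outside host put into a log line can never become part of the SQL. sqlite3 stands in for MySQL so it runs offline; with a MySQL DB-API driver the connection call and the placeholder style (%s instead of ?) are the only changes. The UDP listener is left out, lines are fed in from a list, and the sample lines, the host name and the "pf" tag are constructed assumptions.

```python
"""Store pfSense remote-syslog lines in SQL with bound parameters.

Added example: not code from pfSense, syslog-ng or the forum post. The sample
lines below are constructed; the message bodies do not follow any real pf
log format and are stored as opaque text.
"""
import re
import sqlite3
from typing import Iterable, Optional

# RFC 3164 header: <PRI>Mon DD HH:MM:SS host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

SCHEMA = """
CREATE TABLE IF NOT EXISTS logs (
    id        INTEGER PRIMARY KEY,
    facility  INTEGER NOT NULL,
    severity  INTEGER NOT NULL,
    ts        TEXT    NOT NULL,
    host      TEXT    NOT NULL,
    tag       TEXT    NOT NULL,
    msg       TEXT    NOT NULL
)
"""

MAX_MSG_LEN = 4096   # cap stored body size; the sender controls this text


def parse_syslog(line: str) -> Optional[dict]:
    """Split a syslog line into fields, or return None when it is not one."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0..23, severity 0..7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "ts": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg")[:MAX_MSG_LEN],
    }


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def store_line(conn: sqlite3.Connection, line: str) -> bool:
    """Insert one parsed line; returns False for lines that are not syslog."""
    rec = parse_syslog(line)
    if rec is None:
        return False
    # Bound parameters: the message text is never concatenated into the SQL.
    # MySQL DB-API drivers use %s placeholders where sqlite3 uses ?.
    conn.execute(
        "INSERT INTO logs (facility, severity, ts, host, tag, msg) VALUES (?, ?, ?, ?, ?, ?)",
        (rec["facility"], rec["severity"], rec["ts"], rec["host"], rec["tag"], rec["msg"]),
    )
    return True


def ingest(conn: sqlite3.Connection, lines: Iterable[str]) -> int:
    """Store every parseable line in one transaction; returns the number stored."""
    stored = sum(store_line(conn, ln) for ln in lines)
    conn.commit()
    return stored


def count_by_tag(conn: sqlite3.Connection, tag: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM logs WHERE tag = ?", (tag,)).fetchone()[0]


# Constructed sample input (host name, tag and bodies are made up).
SAMPLE_LINES = [
    "<134>Jun  5 12:00:01 pfsense pf: constructed sample message one",
    "<134>Jun  5 12:00:02 pfsense pf: constructed sample message two",
    "<38>Jun  5 12:00:03 pfsense sshd[1234]: constructed sample message three",
    "<134>Jun  5 12:00:04 pfsense pf: body containing SQL text '); DROP TABLE logs; --",
    "not a syslog line at all",
]

if __name__ == "__main__":
    db = open_db()
    print(ingest(db, SAMPLE_LINES), "lines stored")
    print(count_by_tag(db, "pf"), "messages tagged pf")
```

    The fourth sample line is the reason for the bound parameters: it is stored verbatim as a row, and the table is still there afterwards. Lines that do not match the header are dropped rather than written as half-parsed rows.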

