Custom Traffic Shaper rules in 2.0.x
-
Dear Forum,
pfSense is a great OS. I like to learn new things while running it at home. Now it's time for QoS. This might be an interesting task :)
Let's summarize my needs:
- My link is: 30Mbit down, 3Mbit up.
- Shaper Wizard used: traffic_shaper_wizard_multi_lan.xml
- I'm running the following services (I'm learning how they work and what is needed for best performance):
    1 x VPN server (OpenVPN)
    2 x DNS server
    4 x TeamSpeak
    1 x Mumble
    3 x Minecraft
    1 x WWW server (a few websites)
    3 x SSH service
- They require:
    DNS, TS, Mumble, SSH - low latency, low bandwidth, high priority
    VPN - low latency, middle bandwidth
    Minecraft - low latency, high bandwidth
    WWW server - middle latency, middle bandwidth
- What's available:
    enough CPU resources (2 x vCPU)
    enough RAM (assigned 2GB)
    enough HDD space (10GB)
- Additional requirements:
    rules as % of link speed value for easy expanding
    upload with guaranteed speeds, download shaped for all services dynamically - HFSC would be best I think
    protection against various DDoS attacks
    own XML (wizard) would be best
    not running Squid, but will soon (I have to assume queues will not limit this kind of service)
- External KB sources:
    http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/
    http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/
- What I don't fully understand - questions:
    why does the traffic shaper wizard create qLink and qInternet on LAN while on WAN there is only qInternet?
    what do Random Early Detection and Explicit Congestion Notification exactly mean?
    why is there a pps limit on qLink set exactly to 500? shouldn't it be more on faster links?
    I created rules using HFSC and PRIQ independently; rules based on port number (for example: 25565) were ignored when using HFSC, however with PRIQ packets travelling to the same port were in the correct queue. I don't understand this.
    Why is the ACK queue so large (~20% both up/down)? I understand this is specific to ACKNOWLEDGE packets, which are required for successful transmission.
- Giving here a few screenshots as examples of rules I tried/learned so far.
As a result, I would like to create a custom traffic shaper wizard which fits these needs and share it with the Community.
-
Another functionality is logging firewall rules to an external MySQL database.
I would like to add this via an option in the Shaper Wizard with option fields like:
    database server
    database name
    database user
    database pass
As far as I know this can be done with a Remote syslog server like this:
http://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog
This would be configured on the syslog-ng host - the question is: is it compatible with pfSense syslog?
http://www.gho.no/2008/10/setting-up-remote-syslog-to-mysql-with-cisco-ios-and-syslog-ng-in-linux/
I'm currently running on 2.0.3 i386.
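One way to lay out the upload side of the shaper described in the post (guaranteed per-service floors, every figure a percentage of the 3Mbit link, a separate ACK queue, port-based queue assignment), written as an added example in the pf.conf ALTQ syntax that the pfSense shaper ultimately produces. This is not the poster's configuration and not a pfSense wizard output: the interface name em0, the queue names, the percentages and the service port numbers (taken from the post for Minecraft, otherwise the usual defaults) are all assumptions chosen for illustration.

```pf
# Added example, not the poster's or pfSense's own shaper configuration.
# Assumptions: WAN is em0, 3Mbit upload as stated in the post, queue names,
# percentages and service ports are chosen here for illustration.
wan = "em0"

# HFSC on the upload side. Every queue figure is a percentage of the root
# bandwidth, so re-scaling the link means changing this single line.
altq on $wan hfsc bandwidth 3Mb queue { qAck, qHigh, qVPN, qGames, qWeb, qDefault }

# "bandwidth" is the link-share proportion once guarantees are met;
# "realtime" is the guaranteed floor. Realtime sums to 56% here, leaving
# headroom so the guarantees can always be honoured together.
queue qAck     bandwidth 20% hfsc(realtime 15%)                 # TCP ACKs / low-delay
queue qHigh    bandwidth 10% hfsc(realtime 8%)                  # DNS, TeamSpeak, Mumble, SSH
queue qVPN     bandwidth 20% hfsc(realtime 10%)                 # OpenVPN
queue qGames   bandwidth 25% hfsc(realtime 15%)                 # Minecraft
queue qWeb     bandwidth 15% hfsc(realtime 8%, upperlimit 60%)  # web server, hard cap 60%
queue qDefault bandwidth 10% hfsc(default red ecn)              # everything unmatched

# A stateful rule keeps its queue for the packets of that state, so the
# servers' replies leaving via $wan are queued by the rule that admitted
# the connection. The (data, ack) pair sends empty ACKs and low-delay
# packets into the second queue instead of the first.
pass in on $wan proto { tcp, udp } to port 53 keep state queue (qHigh, qAck)        # DNS
pass in on $wan proto udp to port 9987 keep state queue (qHigh, qAck)               # TeamSpeak 3 voice
pass in on $wan proto { tcp, udp } to port 64738 keep state queue (qHigh, qAck)     # Mumble
pass in on $wan proto tcp to port 22 keep state queue (qHigh, qAck)                 # SSH
pass in on $wan proto udp to port 1194 keep state queue (qVPN, qAck)                # OpenVPN
pass in on $wan proto tcp to port 25565 keep state queue (qGames, qAck)             # Minecraft
pass in on $wan proto tcp to port { 80, 443 } keep state queue (qWeb, qAck)         # WWW
```

The example deliberately covers only the WAN upload direction, where the link is the bottleneck the router controls; download shaping (the qLink/qInternet pair the post asks about) has to be done on the LAN-facing side. After loading a ruleset like this, the per-queue counters from `pfctl -vvs queue` show whether packets actually land in the intended queue, which is the first check to run when a port-based assignment appears to be ignored.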