Layer 7 Traffic Shaping of Skype and BitTorrent
-
Hi,
I am in the process of configuring pfSense for an NGO in south east Asia. As you can imagine, torrenting is rife and hampering the office network.
Whilst the first action has been education, I am looking to achieve the following using pfSense:
- Shape torrent traffic so that it receives the lowest priority
- Promote Skype traffic so that it receives the highest priority (the NGO uses Skype almost exclusively to communicate with overseas benefactors)
- Balance other http traffic to receive equal priority
Is this possible using pfSense? I'm using version 2.0.3-RELEASE (i386).
I have used the Wizard to configure the Traffic Shaper with HFSC, created additional queues for p2p (lower priority) and Skype (higher priority) and created two Layer 7 Containers, one including bittorrent and assigned to the p2p queue and the other including skypeout and skypetoskype assigned to the Skype queue, but to no avail.
It doesn't seem to make a difference whether the torrent clients are configured to encrypt traffic or not. I have not seen any data registered against any of the p2p or skype queues (0 packets / bytes per second and no borrows/suspends/drops registered when running uTorrent or a Skype test call.)
Please let me know what further information I can supply to help solve this (if it is indeed solvable.)
Thanks,
Lee -
From my Blog:
http://aubreykloppers.wordpress.com/2013/02/07/pfsense-per-ip-traffic-shaping
I do the following to shape specific IP's: (I am sure you could do this for domains…)
Ok guys and girls, this took me a while to figure out, but once in place, it works like a charm!
The idea is to limit an IP or range of IP's to a specific bandwidth slice.
NOTE: This limiter will be created on your LAN interface.
Create 4 Limiters per client:
IncomingWan —>> Download (Select Mask "Destination addresses" when creating the limiter; also select the desired bandwidth here)
OutgoingLan —>> Download (Select Mask "Source addresses" when creating the limiter; also select the desired bandwidth here)
IncomingLan —>> Upload (Select Mask "Source addresses" when creating the limiter; also select the desired bandwidth here)
OutgoingWan —>> Upload (Select Mask "Destination addresses" when creating the limiter; also select the desired bandwidth here)
After creating the limiters you need to apply them on Firewall Rules LAN interface:
Create 2 rules by IP:
You need to specify the IP or IP group as source in one rule and the other as destination.
On each rule, go to advanced and select IN/OUT limiters.
Example: IncomingWan — OutgoingLAN (when the IP is the destination) download
IncomingLAN — OutgoingWAN (when the IP is the source) upload
That's it!
Keep on SHAPIN’
-
Hi cyber7,
thanks for the suggestion and detailed instructions, however I'm not sure that this is a sustainable solution for my network.
I have ca. 100 devices on the network, most of which are personal, rather than owned by the NGO. Setting up reservations to use for the IP based shaping would become a time consuming task, especially as staff come and go, taking old devices away and introducing new ones. There is also the issue of users that will use both BitTorrent and Skype from the same machine. I feel that filtering by application/layer 7 is the right solution for this environment; I just can't seem to get it working.
Regards,
Lee. -
For Skype I have this rule and it works with no problems at 1Mb/1Mb. The calls are not laggy but the webcam is very slow; you can raise or lower the bandwidth to your needs.
Skype App
Untick UDP, Untick Port 80,443 as an alternative
Use port 1010 for incoming connections :)
Like this….
http://i.imgur.com/FUb9sPr.png
pfSense box
Firewall > Rules
Add
Pass
LAN
Protocol UDP
Click Advanced and you will see Source:
Network: YOUR IP and 31
from: 1010
to: 1010
go to
Advanced features at the bottom
In/Out - here you select whatever speed you want, the first being Download, the second Upload.
Repeat again for PC two but with UDP port 1011, the next 1012, and so on.
When done
Save
Apply -
The only secure way is to use a transparent HTTP proxy or regular HTTP proxy and deny CONNECT to untrusted sites. Only trusted clients should be given routed/NATed access to the Internet. If any kind of routed connection to the outside is possible, BitTorrent can be made to bust through.
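The symptom in the opening post (queues created, but 0 packets / bytes ever counted against the p2p and Skype queues while everything lands in the default queue) is the usual sign that no rule classifies traffic into those queues. The following is an added example, not from anyone in this thread or from the pfSense project: it parses `pfctl -vvsq` style queue statistics and flags leaf queues that never received a packet, plus how much of the traffic fell through to the default queue. The sample output is constructed in that style (an assumption: real output may differ in spacing and fields), and the queue names are hypothetical.

```python
import re
from typing import Dict

# Constructed sample in the style of `pfctl -vvsq` (assumption: real
# pfSense/pf output may differ in spacing or extra fields). It mirrors
# the symptom from the first post: qSkype and qP2P exist but see nothing,
# while every byte lands in qDefault.
SAMPLE_PFCTL_VVSQ = """\
queue root_em0 on em0 bandwidth 10Mb priority 0 {qSkype, qP2P, qDefault}
  [ pkts:      48231  bytes:   51203911  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qSkype on em0 bandwidth 2Mb hfsc( realtime 1.5Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qP2P on em0 bandwidth 500Kb hfsc( upperlimit 1Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  qDefault on em0 bandwidth 7.5Mb hfsc( default )
  [ pkts:      48231  bytes:   51203911  dropped pkts:     12 bytes:  18144 ]
  [ qlength:   0/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")


def parse_queue_stats(text: str) -> Dict[str, dict]:
    """Map each queue name to its interface, leaf flag and counters."""
    stats: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = m.group(1)
            # A queue that lists children in {...} is a parent, not a leaf.
            stats[current] = {"iface": m.group(2), "leaf": "{" not in line,
                              "pkts": 0, "bytes": 0, "drops": 0}
            continue
        m = STATS_RE.search(line)
        if m and current:
            stats[current].update(pkts=int(m.group(1)), bytes=int(m.group(2)),
                                  drops=int(m.group(3)))
    return stats


def find_unmatched_queues(stats: Dict[str, dict]) -> list:
    """Leaf queues that never saw a packet: no firewall rule classifies into them."""
    return sorted(q for q, s in stats.items() if s["leaf"] and s["pkts"] == 0)


def default_queue_share(stats: Dict[str, dict], default: str = "qDefault") -> float:
    """Fraction of all leaf-queue bytes that fell through to the default queue."""
    leaf_bytes = sum(s["bytes"] for s in stats.values() if s["leaf"])
    return stats[default]["bytes"] / leaf_bytes if leaf_bytes else 0.0
```

On a live box, feed the function the actual `pfctl -vvsq` output and re-run it while a test call or torrent is active; a default-queue share near 1.0 with the intended queues listed as unmatched means the classification rules, not the queue definitions, need attention.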