    Layer 7 Traffic Shaping of Skype and BitTorrent

    • lee.davis

      Hi,

      I am in the process of configuring pfSense for an NGO in south east Asia. As you can imagine, torrenting is rife and hampering the office network.
      Whilst the first action has been education, I am looking to achieve the following using pfSense:

      • Shape torrent traffic so that it receives the lowest priority
      • Promote Skype traffic so that it receives the highest priority (the NGO uses Skype almost exclusively to communicate with overseas benefactors)
      • Balance other http traffic to receive equal priority

      Is this possible using pfSense? I'm using version 2.0.3-RELEASE (i386).

      I have used the Wizard to configure the Traffic Shaper with HFSC, created additional queues for p2p (lower priority) and Skype (higher priority) and created two Layer 7 Containers, one including bittorrent and assigned to the p2p queue and the other including skypeout and skypetoskype assigned to the Skype queue, but to no avail.

      It doesn't seem to make a difference whether the torrent clients are configured to encrypt traffic or not, I have not seen any data registered against any of the p2p or skype queues (0 packets / bytes per second and no borrows/suspends/drops registered when running uTorrent or a Skype test call.)

      Please let me know what further information I can supply to help solve this (if it is indeed solvable.)

      Thanks,
      Lee

      • cyber7

        From my Blog:
        http://aubreykloppers.wordpress.com/2013/02/07/pfsense-per-ip-traffic-shaping

        I do the following to shape specific IPs: (I am sure you could do this for domains…)
        Ok guys and girls, this took me a while to figure out, but once in place, it works like a charm!

        The idea is to limit an IP or range of IPs to a specific bandwidth slice.

        NOTE: This limiter will be created on your LAN interface.

        Create 4 Limiters per client:
        IncomingWan -> Download (select Mask “Destination addresses” when creating the limiter; also select the desired bandwidth here)
        OutgoingLan -> Download (select Mask “Source addresses” when creating the limiter; also select the desired bandwidth here)
        IncomingLan -> Upload (select Mask “Source addresses” when creating the limiter; also select the desired bandwidth here)
        OutgoingWan -> Upload (select Mask “Destination addresses” when creating the limiter; also select the desired bandwidth here)

        After creating the limiters you need to apply them on Firewall Rules LAN interface:
        Create 2 rules by IP:
        You need to specify the IP or IP group as source in one rule and as destination in the other.
        On each rule, go to Advanced and select the IN/OUT limiters.
        Example: IncomingWan - OutgoingLAN (when the IP is the destination): download
        IncomingLAN - OutgoingWAN (when the IP is the source): upload

        That’s it!

        Keep on SHAPIN’

        When you pause to think, do you start again?

        2.2.4-RELEASE (amd64)
        built on Sat Jul 25 19:57:37 CDT 2015
        FreeBSD 10.1-RELEASE-p15
        and
        pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense

        • lee.davis

          Hi cyber7,

          thanks for the suggestion and detailed instructions, however I'm not sure that this is a sustainable solution for my network.

          I have ca. 100 devices on the network, most of which are personal, rather than owned by the NGO. Setting up reservations to use for the IP based shaping would become a time-consuming task, especially as staff come and go, taking old devices away and introducing new ones. There is also the issue of users that will use both BitTorrent and Skype from the same machine. I feel that filtering by application/layer 7 is the right solution for this environment; I just can't seem to get it working.

          Regards,
          Lee.

          • francisuk22

            For Skype I have this rule and it works with no problems at 1Mb/1Mb. The calls are not laggy, but the webcam is very slow; you can raise or lower the bandwidth to your needs.

            Skype App
            Untick UDP, Untick Port 80,443 as an alternative
            Use port 1010 for incoming connections :)
            Like this….
            http://i.imgur.com/FUb9sPr.png

            pfSense box

            Firewall > Rules
            Add
            Pass
            LAN
            Protocol UDP
            Click Advanced and you will see Source?
            Network YOUR IP and 31
            from: 1010
            to: 1010

            go to
            Advanced features at the bottom
            In/Out - you select this at whatever speed you want, the first being Download/Upload.

            Repeat for PC two but with UDP port 1011, the next with 1012, and so on

            When done

            Save
            Apply

            2.0.2-RELEASE (amd64) - Dell OptiPlex GX520 SFF @ Intel P4 HT 3.0GHz
            Cisco SR224 24-port Switch (4 PCs, 1 Wireless AP, 2 Consoles)

            • kathampy

              The only secure way is to use a transparent HTTP proxy or regular HTTP proxy and deny CONNECT to untrusted sites. Only trusted clients should be given routed/NATed access to the Internet. If any kind of routed connection to the outside is possible, BitTorrent can be made to bust through.

              1 Reply Last reply Reply Quote 0
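
The proxy policy described in the last reply (allow ordinary HTTP through the proxy, deny CONNECT unless the destination is trusted), worked through as an added example; it is not code from the thread, from pfSense or from any proxy package. The trusted-domain list, the allowed port set and the function names are assumptions chosen for illustration, and the request lines are constructed.

```python
import ipaddress

# Assumed allowlist for illustration; a leading dot matches the domain and its subdomains.
TRUSTED_DOMAINS = (".skype.com", ".example.org")
ALLOWED_CONNECT_PORTS = {443}


def host_is_trusted(host):
    """Suffix-match a hostname against the allowlist; IP literals never match."""
    host = host.strip("[]").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # a raw IP target carries no name to vet, so treat it as untrusted
    except ValueError:
        pass
    return any(host == d[1:] or host.endswith(d) for d in TRUSTED_DOMAINS)


def split_authority(authority):
    """Split 'host:port' or '[v6]:port' into (host, port); port is None if missing."""
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():
        return authority, None
    return host, int(port)


def decide(request_line):
    """Return 'allow' or 'deny' for one proxy request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return "deny"  # malformed request line
    method, target, _version = parts
    if method.upper() != "CONNECT":
        return "allow"  # plain HTTP stays visible to the proxy for filtering
    host, port = split_authority(target)
    if port not in ALLOWED_CONNECT_PORTS:
        return "deny"  # a tunnel to an arbitrary port would bypass the proxy's filtering
    return "allow" if host_is_trusted(host) else "deny"


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET http://example.net/index.html HTTP/1.1",
    "CONNECT login.skype.com:443 HTTP/1.1",
    "CONNECT tracker.example.net:6969 HTTP/1.1",
    "CONNECT 203.0.113.7:443 HTTP/1.1",
    "CONNECT notskype.com:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decide(line), line)
```

The last sample shows why the match is on a dot-anchored suffix: a plain substring or unanchored suffix test would accept look-alike names.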