Traffic Shaper + Simple bridge possible?



  • Hi, I know it may be a stupid question, but I've searched the forum for 2 hours and have not been able to find anything specific.

    The case is simple: To set up a traffic shaper in bridgemode between my router and the local network:

    modem with router (PPPoE) <------> traffic shaper (pfSense/m0n0wall?) <----> switch <--> local PCs

    • I'd like to use the wizard for shaping. Is this possible with pfSense and/or m0n0wall?
    • Currently using 1.2RC2.
    • No other filtering rules needed (all traffic open both in/out).
    • I have no possibility to remove the router function from the modem so that I could configure PPPoE on the pfSense server.

    A small HOWTO would be appreciated :)

    *please remove this post/lock it if this has been asked in another thread.



  • @mogie:

    Hi, I know it may be a stupid question, but I've searched the forum for 2 hours and have not been able to find anything specific.

    The case is simple: To set up a traffic shaper in bridgemode between my router and the local network:

    modem with router (PPPoE) <------> traffic shaper (pfSense/m0n0wall?) <----> switch <--> local PCs

    • I'd like to use the wizard for shaping. Is this possible with pfSense and/or m0n0wall?
    • Currently using 1.2RC2.
    • No other filtering rules needed (all traffic open both in/out).
    • I have no possibility to remove the router function from the modem so that I could configure PPPoE on the pfSense server.

    A small HOWTO would be appreciated :)

    *please remove this post/lock it if this has been asked in another thread.

    I have this configuration. But it shapes only incoming traffic.



  • @dvserg:

    I have this configuration. But it shapes only incoming traffic.

    Well, it's a first step. :) Any way to share how you've done it? Much manual configuration after (or without) the wizard?

    After all, is this feature possible at all? Traffic shaping on both in and out?



  • It is possible I will try to DMZ the modem router to the pfSense box and NAT it from there instead. However, the transparent bridge shaper would be much easier and more reliable, since I would not have to move all my settings from the modem router over to pfSense. Unfortunately it would be a whole set of web servers to NAT properly, which will bring me a lot of dead time for my pretty critical internet services.



  • @mogie:

    @dvserg:

    I have this configuration. But it shapes only incoming traffic.

    Well, it's a first step. :) Any way to share how you've done it? Much manual configuration after (or without) the wizard?

    After all, is this feature possible at all? Traffic shaping on both in and out?

    I created basic rules with the wizard and adapted them to my needs (deleted one and added others).
    I can't shape outgoing traffic (tested different variants).



  • So to shape both incoming and outgoing, I will need to NAT the network then? Alternatively use m0n0wall for a transparent bridge? The DMZ alternative seems to be it then? :)

    thanks for the reply btw!



  • I have this rules.debug (ALTQ part):

    
    # System Aliases 
    loopback = "{ lo0 }"
    lan = "{ rl0  bridge0 }"
    wan = "{ xl0  bridge0 }"
    enc0 = "{ enc0 }"
    
     ...
    
    scrub all random-id  fragment reassemble
    altq on xl0 hfsc bandwidth 4Mb queue { qwanRoot }
    altq on rl0 hfsc bandwidth 256Kb queue { qlanRoot }
    
    queue qwanRoot bandwidth 4Mb priority 0 hfsc { qwandef, qwanacks, qwanHi, qRdpUp, qwebUp, qmailUp, smtp_up, qtestW }
    queue qlanRoot bandwidth 256Kb priority 0 hfsc { qlandef, qlanacks, qlanHi, qRdpDown, qwebDown, qmailDown, smtp_down, qtestL }
    queue qwandef bandwidth 20% priority 3 hfsc (  default realtime 10% )
    queue qlandef bandwidth 20% priority 3 hfsc (  default realtime 10% )
    queue qwanacks bandwidth 24Kb priority 7 hfsc (  realtime 8Kb )
    queue qlanacks bandwidth 24Kb priority 7 hfsc (  realtime 8Kb )
    queue qwanHi bandwidth 32Kb priority 7 hfsc (  realtime 16Kb )
    queue qlanHi bandwidth 32Kb priority 7 hfsc (  realtime 16Kb )
    queue qRdpUp bandwidth 48Kb priority 6 hfsc (  realtime(64Kb 300 32Kb) )
    queue qRdpDown bandwidth 48Kb priority 6 hfsc (  realtime(32Kb 300 32Kb) )
    queue qwebUp bandwidth 24Kb priority 4 hfsc (  red ecn linkshare 24Kb realtime(48Kb 300 24Kb) )
    queue qwebDown bandwidth 24Kb priority 4 hfsc (  red ecn rio realtime(48Kb 300 24Kb) )
    queue qmailUp bandwidth 24Kb priority 2 hfsc (  red ecn rio realtime(48Kb 300 12Kb) )
    queue qmailDown bandwidth 24Kb priority 2 hfsc (  red ecn upperlimit 48Kb realtime(48Kb 300 24Kb) )
    queue smtp_down bandwidth 4Kb priority 2 hfsc (  red ecn rio upperlimit 4Kb realtime 4Kb )
    queue smtp_up bandwidth 4Kb priority 2 hfsc (  red ecn rio upperlimit 4Kb realtime 4Kb )
    queue qtestW bandwidth 10Kb priority 2 hfsc (  red ecn rio realtime 10Kb )
    queue qtestL bandwidth 10Kb priority 2 hfsc (  red ecn rio realtime 10Kb )
    
    ...
    
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    block in all tag unshaped label "SHAPER: first match rule"
    pass in on  $wan proto esp from any  to any  keep state tagged unshaped tag qwandef 
    pass out on $lan proto esp from any to any keep state tagged qwandef tag qlandef
    pass in on  $lan proto esp from any  to any  keep state tagged unshaped tag qlandef 
    pass out on $wan proto esp from any to any keep state tagged qlandef tag qwandef
    pass in on  $wan proto ah from any  to any  keep state tagged unshaped tag qwandef 
    pass out on $lan proto ah from any to any keep state tagged qwandef tag qlandef
    pass in on  $lan proto ah from any  to any  keep state tagged unshaped tag qlandef 
    pass out on $wan proto ah from any to any keep state tagged qlandef tag qwandef
    pass in on  $wan proto icmp from any  to any  keep state tagged unshaped tag qwanHi 
    pass out on $lan proto icmp from any to any keep state tagged qwanHi tag qlanHi
    pass in on  $lan proto icmp from any  to any  keep state tagged unshaped tag qlanHi 
    pass out on $wan proto icmp from any to any keep state tagged qlanHi tag qwanHi
    pass in on  $lan proto tcp from any  to any port 53  keep state tagged unshaped tag qlanHi 
    pass out on $wan proto tcp from any to any port 53 keep state tagged qlanHi tag qwanHi
    pass in on  $lan proto udp from any  to any port 53  keep state tagged unshaped tag qlanHi 
    pass out on $wan proto udp from any to any port 53 keep state tagged qlanHi tag qwanHi
    pass in on  $wan proto tcp from any port 3389  to any  keep state tagged unshaped tag qRdpUp 
    pass out on $lan proto tcp from any to any keep state tagged qRdpUp tag qRdpDown
    pass in on  $lan proto tcp from any  to any port 3389  keep state tagged unshaped tag qRdpDown 
    pass out on $wan proto tcp from any to any port 3389 keep state tagged qRdpDown tag qRdpUp
    pass in on  $wan proto tcp from any  to any port 25  keep state tagged unshaped tag smtp_up 
    pass out on $lan proto tcp from any to any port 25 keep state tagged smtp_up tag smtp_down
    pass in on  $lan proto tcp from any  to any port 25  keep state tagged unshaped tag smtp_down 
    pass out on $wan proto tcp from any to any port 25 keep state tagged smtp_down tag smtp_up
    pass in on  $wan proto tcp from any port 110  to any  keep state tagged unshaped tag qmailUp 
    pass out on $lan proto tcp from any to any keep state tagged qmailUp tag qmailDown
    pass in on  $lan proto tcp from any  to any port 110  keep state tagged unshaped tag qmailDown 
    pass out on $wan proto tcp from any to any port 110 keep state tagged qmailDown tag qmailUp
    
    ...
    
    # pass traffic from firewall -> out
    anchor "firewallout"
    pass out quick on xl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state tagged qwanHi queue (qwanHi, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state tagged qmailUp queue (qmailUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state tagged smtp_up queue (smtp_up, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state tagged qlanHi queue (qlanHi, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state tagged qmailDown queue (qmailDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state tagged smtp_down queue (smtp_down, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
    pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick from any to 10.62.0.3 keep state label "anti-lockout web rule"
    
    


  • Looking at the last part, the pass rules use real interfaces only.
    In the previous rules part, the $wan and $lan aliases are used.
    In the last part the bridge0 interface is not written (only the default).
    --
    I rewrote the last part as:

    # pass traffic from firewall -> out
    anchor "firewallout"
    pass out quick on $wan all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $wan all keep state tagged qwanHi queue (qwanHi, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $wan all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $wan all keep state tagged qwebUp queue (qwebUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $wan all keep state tagged qmailUp queue (qmailUp, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $wan all keep state tagged smtp_up queue (smtp_up, qwanacks) label "let out anything from firewall host itself"
    pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qlanHi queue (qlanHi, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qwebDown queue (qwebDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qmailDown queue (qmailDown, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged smtp_down queue (smtp_down, qlanacks) label "let out anything from firewall host itself"
    pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
    pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick from any to 10.62.0.3 keep state label "anti-lockout web rule"
    
    

    Aliases $lan and $wan contain the bridge0 interface.
    After this, I have a working shaper IN and OUT (two queues work).
    I don't know how this influences system operation, but the shaper is really needed more than anything else.

    --
    Test to be continued.  ::)
    PS: I have already changed my shaper sources to generate the "right" ruleset.
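    As an added illustration (not code from this thread or from pfSense), the following Python checker reads the alias block and the `pass out quick ... queue (...)` rules of a rules.debug and reports which tagged queues have no pass-out rule that covers bridge0, which is the gap described in the post above: tagged rules bound to xl0/rl0 only never match frames leaving via the bridge, while $wan/$lan, which contain bridge0, do. The two fragments are constructed and cut down from the post; `ALIASES`, `RULES_BEFORE`, `RULES_AFTER` and the function names are assumptions.

```python
import re

# Constructed, cut-down rules.debug fragments modelled on the post:
# "before" binds the tagged pass-out rules to real interfaces, "after" binds
# them to the $wan/$lan aliases, which also contain bridge0.
ALIASES = 'lan = "{ rl0  bridge0 }"\nwan = "{ xl0  bridge0 }"\nenc0 = "{ enc0 }"\n'
RULES_BEFORE = ALIASES + """
pass out quick on xl0 all keep state tagged qwandef queue (qwandef, qwanacks) label "fw out"
pass out quick on xl0 all keep state tagged qRdpUp queue (qRdpUp, qwanacks) label "fw out"
pass out quick on xl0 all keep state queue (qwandef, qwanacks) label "fw out"
pass out quick on rl0 all keep state tagged qRdpDown queue (qRdpDown, qlanacks) label "fw out"
pass out quick on rl0 all keep state queue (qlandef, qlanacks) label "fw out"
pass out quick on bridge0 all keep state label "fw out"
"""
RULES_AFTER = (RULES_BEFORE
               .replace("on xl0 all keep state tagged", "on $wan all keep state tagged")
               .replace("on rl0 all keep state tagged", "on $lan all keep state tagged"))

ALIAS_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*?)\s*\}"')
RULE_RE = re.compile(r'^pass out quick on (\S+) all keep state(?: tagged (\S+))? queue \((\w+), (\w+)\)')

def parse_aliases(text):
    """Return {alias: [real interfaces]} from the '# System Aliases' style lines."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            aliases[m.group(1)] = m.group(2).split()
    return aliases

def queue_coverage(text):
    """Map each tagged queue to the real interfaces on which a queued
    'pass out quick' rule exists, expanding $alias references."""
    aliases = parse_aliases(text)
    coverage = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(2) is None:
            continue  # untagged default rule, or not a queued pass-out rule at all
        iface, tag = m.group(1), m.group(2)
        real = aliases.get(iface[1:], []) if iface.startswith("$") else [iface]
        coverage.setdefault(tag, set()).update(real)
    return coverage

def queues_missing_interface(text, iface="bridge0"):
    """Tagged queues that traffic leaving via iface can never be assigned to."""
    return sorted(q for q, ifs in queue_coverage(text).items() if iface not in ifs)

if __name__ == "__main__":
    print("before:", queues_missing_interface(RULES_BEFORE))  # ['qRdpDown', 'qRdpUp', 'qwandef']
    print("after: ", queues_missing_interface(RULES_AFTER))   # []
```

    Run it against a full rules.debug to see which custom queues still only match on the physical interfaces; the untagged default rules are deliberately ignored, since those are the qwandef/qlandef fallbacks the post describes.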



  • /etc/inc/filter.inc[2972]:

    
    	foreach ($config['shaper']['queue'] as $queue) {
    		if(!filter_is_queue_being_used_on_interface($queue['name'], $ifname, 'out'))
    			continue;
    		if ($ackq == "" || $defq == "") {
    		    /* Shaper must not be enabled on this interface */
    		    $q = "";
    		} else {
    		    $q = "queue ({$queue['name']}, {$ackq})";
    		}
    #	             $rule .="pass out quick on {$int} all keep state tagged {$queue['name']} {$q} label \"let out anything from firewall host itself\"\n";
    # dvserg bridge fix
    		$zzz = convert_real_interface_to_friendly_descr($int);
    		$rule .="pass out quick on \${$zzz} all keep state tagged {$queue['name']} {$q} label \"let out anything from firewall host itself\"\n";
    	}
    
    


  • Will this patch be applied in the next RC?



  • @xromain:

    Will this patch be applied in the next RC?

    No. This is my private modification for ALTQ on a bridge.
    I use this to achieve the desired effect and don't know how it affects the entire system in other modes.
    But now I use WAN-LAN bridged and OPT1 as the internet interface. At first glance, it works well.



  • I have tested your patch. But outgoing traffic (from LAN to bridged WAN) is queued in qlandef instead of the custom queue. Only incoming traffic is correctly queued.

    Here are my rules:

    
    loopback = "{ lo0 }"
    lan = "{ re0  bridge0 }"
    wan = "{ vr0  bridge0 }"
    enc0 = "{ enc0 }"
    
    ...
    
    pass out quick on $wan all keep state tagged qwanDNS queue (qwanDNS, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $wan all keep state tagged qwanTEST queue (qwanTEST, qwanacks) label "let out anything from firewall host itself"
    pass out quick on vr0 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qlanDNS queue (qlanDNS, qlanacks) label "let out anything from firewall host itself"
    pass out quick on $lan all keep state tagged qlanTEST queue (qlanTEST, qlanacks) label "let out anything from firewall host itself"
    pass out quick on re0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
    pass out quick on bridge0 all keep state label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    
    ...
    
    block in all tag unshaped label "SHAPER: first match rule"
    pass in on  $wan proto udp from any  to X.X.X.X port 53  keep state tagged unshaped tag qwanDNS
    pass out on $lan proto udp from any to X.X.X.X port 53 keep state tagged qwanDNS tag qlanDNS
    pass in on  $wan proto udp from any  to Y.Y.Y.Y port 53  keep state tagged unshaped tag qwanDNS
    pass out on $lan proto udp from any to Y.Y.Y.Y port 53 keep state tagged qwanDNS tag qlanDNS
    pass in on  $wan proto udp from any  to X.X.X.X port 1024:65535  keep state tagged unshaped tag qwanTEST
    pass out on $lan proto udp from any to X.X.X.X port 1024:65535 keep state tagged qwanTEST tag qlanTEST
    pass in on  $lan proto udp from X.X.X.X port 53  to any  keep state tagged unshaped tag qlanDNS
    pass out on $wan proto udp from any to any keep state tagged qlanDNS tag qwanDNS
    pass in on  $lan proto udp from Y.Y.Y.Y port 53  to any  keep state tagged unshaped tag qlanDNS
    pass out on $wan proto udp from any to any keep state tagged qlanDNS tag qwanDNS
    pass in on  $lan proto udp from X.X.X.X port 1024:65535  to any  keep state tagged unshaped tag qlanTEST
    pass out on $wan proto udp from any to any keep state tagged qlanTEST tag qwanTEST
    
    

    What's wrong, doctor?



  • With the new shaper code you will be able to do bridge shaping and more.

    This is just an update for people to not mess with their systems.

