Per User Bandwidth through Radius.



  • Anyone willing to start development on this feature. A vital part of PFSense.



  • I am looking for the same feature but for Captive portal: per user bandwidth limiting (single limit for Tx and Rx added together) and disabling of accounts rather than deletion after account expiration date or limit reached.

    I'd post this under bounty but I am a South African student so my money doesn't go very far!!
    Let me know if anyone else is looking for a similar thing.

    Thanks guys



  • I've set up FreeRadius on an external server, which the captive portal authenticates the users against as well as providing accounting updates.

    From there, I'm going to set up some form of script as a cron job on the MySQL server that RADIUS ties into, to compare the amount of data used by the users against the amount of data they have available, and delete the users that have exceeded their limit from the users table.



  • I have custom chillispot/coova daemon running pfsense.  It replaces the CP that comes with pfsense.  It has bandwidth, allowed domains, and many other controls. It uses a local Freeradius & mySQL server within pfsense.  Not recommended for embedded users due to the mySQL R/W. I would be happy to share.



  • How did you fix the ipfw pfil issues?  Try per user bandwidth and let us know if it really works.



  • With Chillispot/Coova the per user bandwidth is given by the radius and controlled by the chilli daemon.  WISPr var.  Works great.  Each user has its own Upload & Download setting.



  • This is running on top of pfSense?  Can you please show me the output of ipfw show?



  • I am using pf, not ipfw.



  • @mdouglas:

    I have custom chillispot/coova daemon running pfsense.  It replaces the CP that comes with pfsense.  It has bandwidth, allowed domains, and many other controls. It uses a local Freeradius & mySQL server within pfsense.  Not recommended for embedded users due to the mySQL R/W. I would be happy to share.

    Do you have a link I can grab this code from and look at it?  Is it documented at all?



  • As far as the chilli daemon, I haven't created a true pfsense package (I don't know how).  Although, I have created a gui integrated into the pfsense web gui for configuring the chilli daemon. As far as FreeRadius, as you know, it is a part of the pfsense package list. There are some modifications to the FR setup files to get it to work with mysql instead of flat file structure. There are some how-tos on getting mysql installed in pfsense, google "mysql pfsense"; again, some custom config for getting it to work with mysql.

    All in all, it's a little work.  Maybe the pfsense dev would like to look into working with me in getting this all added as a CP package.



  • @mdouglas:

    maybe the pfsense dev would like to look into working with me in getting this all added as a CP package.

    …they are listening already.  ;D
    SUllrich is THE coding mastermind of pfSense "with a little help of his friends".



  • I don't care if it's a package, I'd still like to see whatever code you have (webgui, etc.).  Just tar it up.  I'm competent enough to manually get it working.  I'm really just interested in your implementation of it.  If it's not documented, that's fine.  I can reverse engineer whatever you have.  No hurry, though, I still need to get my dev environment back up and running.

    nb



  • I still want to know how per user bandwidth is working.  Call me skeptical but I doubt it's working like you say.  Please tell us how it works.

    Not trying to sound negative but dummynet which a lot of the captive portal packages use to constrain the bandwidth values does not work with PF currently.



  • It's been running on my pf platform for months.

    Chilli uses RADIUS to provision access and to provide accounting.

    Direction of Input and Output
    The original ChilliSpot defined input and output as being data uploaded and downloaded by the client respectively. Uses the reverse meaning (per default) making it more compatible with some other commercial access controllers.

    In RFC 2866, it says:

    Acct-Input-Octets
    This attribute indicates how many octets have been received from the port over the course of this service being provided.
    Acct-Output-Octets
    This attribute indicates how many octets have been sent to the port in the course of delivering this service.

    However, this is not very conclusive as it depends on what side of the port you are referring to. In the manual for a popular commercial access controller, it says:

    Acct-Input-Octets
    Number of octets/bytes received by the customer.
    Acct-Output-Octets
    Number of octets/bytes sent by the customer.

    This is the definition adopted by CoovaChilli - one of the very first changes made to ChilliSpot, for use with back-end systems also supporting commercial access controllers.

    Access Provisioning
    The following RADIUS attributes are used to place limits on a session authorized by a RADIUS Access-Accept response:

    Session-Timeout = seconds
    Standard RADIUS attribute (defined in RFC 2865) for setting the maximum session timeout. The user is logged out after this amount of time; session duration.

    Idle-Timeout = seconds
    Standard RADIUS attribute (defined in RFC 2865) for setting the maximum idle timeout. The user is logged out after this amount of time of inactivity (no traffic).

    ChilliSpot-Max-Input-Octets = bytes
    ChilliSpot-Max-Output-Octets = bytes
    ChilliSpot-Max-Total-Octets = bytes
    Chilli vendor specific attributes for setting the max in, out, or total bytes transferred for the session. See above for the meaning of input and output.

    WISPr-Bandwidth-Max-Up = bits/second
    WISPr-Bandwidth-Max-Down = bits/second
    WISPr vendor specific attributes for setting the maximum bandwidth rate in bits per second.

    ChilliSpot-Bandwidth-Max-Up = kbits/second
    ChilliSpot-Bandwidth-Max-Down = kbits/second
    Chilli vendor specific attributes for setting the maximum bandwidth rate in kbits per second. Internally, chilli multiplies this value by 1000 in converting to bits per second.
    In all cases, the ChilliSpot vendor specific attributes override WISPr attribute values. However, using the WISPr attributes is perhaps the more standard way to go.

    Session Accounting
    In RADIUS Accounting, the following attributes are used to report session statistics:

    Acct-Session-Time = seconds
    Duration of session in seconds.

    Acct-Input-Octets = bytes
    Acct-Output-Octets = bytes
    The lower 32-bit value of the number of bytes of input and output (see above for a discussion of the meaning of input vs. output).

    Acct-Input-Gigawords = gigawords
    Acct-Output-Gigawords = gigawords
    The upper 32-bit value of the number of bytes of input and output; or how many times the above attributes have rolled-over the 32-bit value.

    Acct-Input-Packets = num-packets
    Acct-Output-Packets = num-packets
    The number of packets carrying input or output octets.
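
The quota cron job proposed earlier in the thread depends on the accounting attributes listed in the post above. The following is an added example, not code from any poster or from CoovaChilli: it rebuilds the 64-bit byte counters from the Octets and Gigawords pairs before comparing against a quota, and applies the stated rule that the ChilliSpot bandwidth attributes override the WISPr ones. The record layout, user names, quotas and sample values are constructed for illustration.

```python
from dataclasses import dataclass

GIGAWORD = 2 ** 32  # one Gigaword = one rollover of a 32-bit octet counter


@dataclass
class AcctRecord:
    """Final counters of one session (hypothetical layout, not a real schema)."""
    username: str
    input_octets: int          # Acct-Input-Octets (lower 32 bits)
    output_octets: int         # Acct-Output-Octets (lower 32 bits)
    input_gigawords: int = 0   # Acct-Input-Gigawords (upper 32 bits)
    output_gigawords: int = 0  # Acct-Output-Gigawords (upper 32 bits)


def full_octets(gigawords, octets):
    """Combine the upper and lower 32-bit halves into the real byte count."""
    if not (0 <= octets < GIGAWORD and 0 <= gigawords < GIGAWORD):
        raise ValueError("counter outside 32-bit range")
    return gigawords * GIGAWORD + octets


def total_octets(rec):
    """Input plus output; the input/output direction does not affect the total."""
    return (full_octets(rec.input_gigawords, rec.input_octets)
            + full_octets(rec.output_gigawords, rec.output_octets))


def naive_total(rec):
    """What a script sees if it ignores the Gigawords attributes."""
    return rec.input_octets + rec.output_octets


def over_quota(records, quotas):
    """Sorted usernames whose summed sessions reached their quota in bytes."""
    used = {}
    for rec in records:
        used[rec.username] = used.get(rec.username, 0) + total_octets(rec)
    return sorted(u for u, n in used.items() if u in quotas and n >= quotas[u])


def effective_rate_bps(wispr_bps, chilli_kbps):
    """ChilliSpot-Bandwidth-Max-* (kbit/s) overrides WISPr-Bandwidth-Max-* (bit/s)."""
    return chilli_kbps * 1000 if chilli_kbps is not None else wispr_bps


# Constructed sample data: alice's input counter has rolled over once.
SAMPLE = [
    AcctRecord("alice", 500_000_000, 100_000_000, input_gigawords=1),
    AcctRecord("bob", 1_000_000_000, 0),
    AcctRecord("bob", 1_000_000_000, 0),
]
QUOTAS = {"alice": 4_500_000_000, "bob": 5_000_000_000}

if __name__ == "__main__":
    print("over quota:", over_quota(SAMPLE, QUOTAS))
```

A script that reads only the two Octets attributes would count alice at 600 MB and never act on her account, even though she has moved about 4.9 GB.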



  • Never mind, we are obviously speaking on two different wavelengths.  I want to know TECHNICALLY how it is pulling off constraining the bandwidth from a FreeBSD perspective (ipfw divert, dummynet, etc).



  • np, obviously I don't know what you're asking, nor is it important.  All I know is I have over 200 users, all with different bandwidth restrictions, all of it running through the chillispot/coovachilli daemon running in pfsense. I guess if you want to know more technical info, you might google chillispot and research for the info you are looking for.

    Scott, is this a project you would like to see included in pf? After reading the CP Forums, I see there are lots of CP users who are looking for a more robust CP package besides the one included in monowall/pfsense.  What dev is the pfsense team doing currently to improve the CP in pf?  Is pfsense still following the monowall dev of the CP?



  • A quick google search shows that it is using ipfw.  Please type ipfw show from a command shell and post the output if you do not mind.



  • ipfw show

    ipfw: getsockopt(IP_FW_GET): Protocol not available



  • chillispot can also be made to use pf, although to what extent I don't know at this point. There were patches for this under freebsd earlier this year that (I think) were committed.  Everything I've seen so far shows only NAT and L3 rules.  It would likely be able to be made to talk to tables using pftabled or perl or something, but I don't see any indication of if that is currently the case.
    I think what sullrich wants to know is what mechanism you are using to actually perform the QoS (ipfw, pf, some kind of weird alchemy or magic, etc.).
    We understand where you are getting the data from to create the rules (radius).  If you post your stuff I'm sure it can be reverse engineered to see what it does.



  • @mdouglas:

    I am using pf, not ipfw.



  • @mdouglas:

    I am using pf, not ipfw.

    In that case is it using altq to enforce the bandwidth speed limits?  We are looking to reverse engineer how this works.



  • Don't understand the "reverse engineer".  In any event, anyone who wants further assistance getting it installed on their box, we should take it offline as to not ramble on in this thread. Send me a pm, and I'll help as much as I can.



  • Uhh, what else is this forum for?  I would rather keep this public.  If you do not wish to help us out that is fine but it's not going to be taken private.



  • I am very interested in this but would prefer it if it was a proper pfsense package that way any changes in updates to the pfsense software will not result in this feature failing.

    I did a little google search on chillispot and this is what I came back with: www.chillispot.info. I think it is the package that mdouglas has used to make this work.

    Thanks everyone



  • We want to add these types of features to our captive portal in the future.  If someone could setup this package on a local system and get the per user bandwidth features working and show the altq/pf/ipfw configuration it would be a HUGE help for us.  I would take the time to do it but I have 100 tasks currently in play on top of our pending 1.2 release.



  • @mdouglas:

    Don't understand the "reverse engineer".  In any event, anyone who wants further assistance getting it installed on their box, we should take it offline as to not ramble on in this thread. Send me a pm, and I'll help as much as I can.

    Reverse Engineer in this case just means to look at your work and see what you've done to gain any info we either didn't think to ask or you weren't able to provide.  I'm willing to look at this and I actually have a little time at the moment (dunno how long it will last till the next thing comes up, though) so if you'd be so kind, I'd really like to at least see your php gui code.  Having everything you've done would be optimal.  Feel free to PM it to me or email me directly if you must but I'd much rather keep it in the forum since I tend to get pulled away from stuff and don't want it to get dropped.



  • Just wanted to say I would love to see this project going somewhere good.



  • A quick guess says it has ALTQ_WFQ on :)

    Not really difficult to port and extend.
    Anyone interested in buying me some time to do this!

    But I really would love to buy me some time for other cooler things like a 2 level shaper on pfSense.

    One level does per user bandwidth, the other the whole traffic prioritization.
    If you think it's worth it I will give you as a bonus ipp2p (p2p traffic identification) for free ::)



  • OK, I looked at the code quickly and it is all usermode and it uses a bare and bones leaky bucket algorithm for shaping (in user mode!!!). So it should be slow and not recommended by me for many users.

    The shaper in user mode would be directly substituted to dummynet freebsd even gaining features.



  • @eri--:

    OK, I looked at the code quickly and it is all usermode and it uses a bare and bones leaky bucket algorithm for shaping (in user mode!!!). So it should be slow and not recommended by me for many users.

    The shaper in user mode would be directly substituted to dummynet freebsd even gaining features.

    Okay, thanks for checking.  I am not sure we want to do this in userland.



  • I've been thinking about this a little more.  I'm probably out of place here, but this would be fairly simple using flow data and tables (yeah, I know I've said this before and never actually done it).  It would require something like perl to munge the flow data so it probably wouldn't be self contained enough to work on the embedded platform, but neither would the coova stuff since it required sql.  I'm still playing catch-up so I'm not sure.  Does pfsense do tables (even in RELENG_1 or HEAD)?  I know it was on the roadmap but last time I looked (2006-ish) it wasn't yet available.



  • What do you want to use flows for?!
    Per user bandwidth?! (If yes, don't bother, it is not the right solution.)

    Something else? Please explain, I am not following.



  • @eri--:

    What do you want to use flows for?!
    Per user bandwidth?! (If yes, don't bother, it is not the right solution.)

    Something else? Please explain, I am not following.

    I beg to disagree.  I've used flows to control user (IP/MAC) bandwidth for years and years with much success.  It's not perfect by any means but I challenge you to find anything that doesn't control windowing to do a better job. 
    Coupled with static DHCP mappings it works exceptionally well.  The key is the goo that reads and writes the QoS rules based on the flow data.



  • On FreeBSD netgraph offers the tools to do what you want, but I am resaying this that there are better ways of doing it.



  • @eri--:

    On FreeBSD netgraph offers the tools to do what you want,

    Yeah, either netgraph or pfflowd could be used.  I've always had problems with netgraph personally but I have not tried it in a while.

    @eri--:

    but I am resaying this that there are better ways of doing it.

    I welcome any and all suggestions.



  • I am going to tweak my setup a little and modify my admin gui to support the ability to auth to remote radius/mysql server.  There are a couple of reasons for this idea.

    #1, will provide an alternative to the CP embedded in pf. (won't debate if it is better or worse).  I have recently compiled a pfsense ver of coova-chilli which is the sister to chillispot.  Chillispot has been a dead project since 2005.

    #2, will support being installed on an embedded device since mysql will be remote. (cf r/w issues)

    User management will still need to be done with whatever method you choose.  Certainly you could install freeradius right in pfsense and use the pf gui to admin freeradius.  Certainly will leave the door open to customization.  Like I have said before, I don't know how to write a true pfsense package, but I'll zip up the coova package & php files.  I am assuming I can just attach the file right to this thread.

    thoughts?



  • If memory serves me right, chilli spot is able to do its own packet switching, on userland.

    Can WE (myself included if I can develop with PASCAL language) develop a traffic shaping tcp/udp proxy?

    I don't need help with the daemon part, I have lots of experience developing tcp/ip apps with freepascal/synapse but I will need help to package and put this thing to work with pfsense…



  • @JorgeAldoBR:

    If memory serves me right, chilli spot is able to do its own packet switching, on userland.

    Can WE (myself included if I can develop with PASCAL language) develop a traffic shaping tcp/udp proxy?

    I don't need help with the daemon part, I have lots of experience developing tcp/ip apps with freepascal/synapse but I will need help to package and put this thing to work with pfsense…

    Absolutely.  We can use until someone creates a kernel version of it.  Or if you could create a kernel facility?

    Either way, sounds great.  How would we invoke the userland portion?  Ipfw divert?



  • There are two ways I can think of:

    A tun/tap device or a tcp and a udp proxy.

    A tcp and udp proxy requires that all packets be diverted to the proxy (just like squid) but it's somewhat more tricky because it needs to divert ALL ports (so the daemon will have to either install itself on all ports - not realistic - or use raw sockets…)

    The tun/tap devices look more promising, but I need to understand how to set it up using the bsd calls...

    Imagine the following:

    [real lan device] -> pf rule to forward everything to TAP0 -> [TAP0 device … per ip bandwidth management ... TAP1 device] -> pf rule to forward everything to real WAN device

    Using two pairs of tap devices (one for downstream, the other for upstream) we can make a bandwidth manager in userland.

    Easier yet: use two pairs of tap devices for EACH ip, so the cpu intensive task of ip checking goes to the kernel device where the code is more tightly written…

    But I don't know what the performance penalties are of having so many TAP devices...

    • a tap device is a software only ethernet device, so we can even shape by packet/sec instead of byte/sec (packet/sec seems to be the thing that makes emule/similars kill my network...)

    http://en.wikipedia.org/wiki/TUN/TAP

    Hmmmm, seems most of the work is already done... vtund is able to speed shape...

    http://vtun.sourceforge.net/

    There's an option "Speed" where the speed can be limited, bet it doesn't use dummynet because vtund is portable across multiple operating systems...

    attached diagram...




  • I wonder if one could use netgraph to create virtual interfaces and pass it through them for similar purposes as opposed to using the vtun stuff.  I've been reading a lot about ng and it seems to be created for purposes such as this, and should be pretty fast since it is all done in-kernel.

