Per User Bandwidth through Radius.
-
OK, I looked at the code quickly and it is all usermode, and it uses a bare-bones leaky bucket algorithm for shaping (in user mode!!!). So it should be slow, and it is not recommended by me for many users.
The user-mode shaper could be directly substituted with dummynet on FreeBSD, even gaining features.
Okay, thanks for checking. I am not sure we want to do this in userland.
-
I've been thinking about this a little more. I'm probably out of place here, but this would be fairly simple using flow data and tables (yeah, I know I've said this before and never actually done it). It would require something like Perl to munge the flow data, so it probably wouldn't be self-contained enough to work on the embedded platform, but neither would the coova stuff since it requires SQL. I'm still playing catch-up so I'm not sure. Does pfSense do tables (even in RELENG_1 or HEAD)? I know it was on the roadmap, but last time I looked (2006-ish) it wasn't yet available.
-
What do you want to use flows for?!
Per-user bandwidth?! (If yes, don't bother; it is not the right solution.) Something else? Please explain, I am not following.
-
What do you want to use flows for?!
Per-user bandwidth?! (If yes, don't bother; it is not the right solution.) Something else? Please explain, I am not following.
I beg to disagree. I've used flows to control user (IP/MAC) bandwidth for years and years with much success. It's not perfect by any means, but I challenge you to find anything that doesn't control windowing that does a better job.
Coupled with static DHCP mappings it works exceptionally well. The key is the goo that reads and writes the QoS rules based on the flow data.
-
On FreeBSD, netgraph offers the tools to do what you want, but I am saying again that there are better ways of doing it.
-
On FreeBSD, netgraph offers the tools to do what you want,
Yeah, either netgraph or pfflowd could be used. I've always had problems with netgraph personally, but I have not tried it in a while.
but I am saying again that there are better ways of doing it.
I welcome any and all suggestions.
-
I am going to tweak my setup a little and modify my admin GUI to support the ability to auth to a remote RADIUS/MySQL server. There are a couple of reasons for this idea.
#1, it will provide an alternative to the CP embedded in pf (won't debate if it is better or worse). I have recently compiled a pfSense version of coova-chilli, which is the sister to chillispot. Chillispot has been a dead project since 2005.
#2, it will support being installed on an embedded device since MySQL will be remote (CF r/w issues).
User management will still need to be done with whatever method you choose. Certainly you could install FreeRADIUS right in pfSense and use the pf GUI to admin FreeRADIUS. This will certainly leave the door open to customization. Like I have said before, I don't know how to write a true pfSense package, but I'll zip up the coova package & PHP files. I am assuming I can just attach the file right to this thread.
Thoughts?
-
If memory serves me right, chillispot is able to do its own packet switching, in userland.
Can WE (myself included, if I can develop in the Pascal language) develop a traffic shaping TCP/UDP proxy?
I don't need help with the daemon part; I have lots of experience developing TCP/IP apps with FreePascal/Synapse, but I will need help to package and put this thing to work with pfSense…
-
If memory serves me right, chillispot is able to do its own packet switching, in userland.
Can WE (myself included, if I can develop in the Pascal language) develop a traffic shaping TCP/UDP proxy?
I don't need help with the daemon part; I have lots of experience developing TCP/IP apps with FreePascal/Synapse, but I will need help to package and put this thing to work with pfSense…
Absolutely. We can use it until someone creates a kernel version of it. Or could you create a kernel facility?
Either way, sounds great. How would we invoke the userland portion? ipfw divert?
-
There are two ways I can think of:
A tun/tap device, or a TCP and a UDP proxy.
A TCP and UDP proxy requires that all packets be diverted to the proxy (just like Squid), but it's somewhat more tricky because it needs to divert ALL ports (so the daemon will have to either install itself on all ports, which is not realistic, or use raw sockets…).
The tun/tap devices look more promising, but I need to understand how to set them up using the BSD calls...
Imagine the following:
[real LAN device] -> pf rule to forward everything to TAP0 -> [TAP0 device … per-IP bandwidth management ... TAP1 device] -> pf rule to forward everything to real WAN device
Using two pairs of tap devices (one for downstream, the other for upstream) we can make a bandwidth manager in userland.
Easier yet: use two pairs of tap devices for EACH IP, so the CPU-intensive task of IP checking goes to the kernel device where the code is more tightly written…
But I don't know what the performance penalties of having so many TAP devices are...
- A tap device is a software-only Ethernet device, so we can even shape by packets/sec instead of bytes/sec (packets/sec seems to be the thing that makes eMule and similar kill my network...)
http://en.wikipedia.org/wiki/TUN/TAP
Hmmmm, seems most of the work is already done... vtund is able to speed shape...
http://vtun.sourceforge.net/
There's an option "Speed" where the speed can be limited, but it doesn't use dummynet because vtund is portable across multiple operating systems...
Attached diagram...
-
I wonder if one could use netgraph to create virtual interfaces and pass it through them for similar purposes as opposed to using the vtun stuff. I've been reading a lot about ng and it seems to be created for purposes such as this, and should be pretty fast since it is all done in-kernel.
-
The problem is that developing for the kernel has a range of consequences; a bug can kill the system in a myriad of ways… in userland, at least, most of the critical work is already done for us...
-
The problem is that developing for the kernel has a range of consequences; a bug can kill the system in a myriad of ways… in userland, at least, most of the critical work is already done for us...
I totally agree, that's why netgraph is so cool: it allows for hooks into it with minimal impact. Granted, I'm not a netgraph expert, but everything I've read and done with it has worked really well. It's certainly worth investigating as a "hook" into the existing system that was meant to do similar tasks.
I'm a poor developer, but I can volunteer any insight I have into using NG.
-
Even using ng, the fact that the program runs in kernel space makes it possible for a bad subscript in an array (for example) to overwrite other parts of the kernel… I don't like kernel programming, it's too damn critical (and the fact that it must be done using C guarantees that I WILL make a mistake with pointers/arrays...). Java & Pascal have a lot of ways to avoid those classes of mistakes (unfortunately they are slower than plain C, Java being the slowest).
PS: I'm a bad C programmer; most of what I did using C was in the university... But a good kernel programmer could very well write this for us; but if someone is willing to program this, the same person could just help debug the kernel PFIL ordering issues and solve the original problem...
-
Even using ng, the fact that the program runs in kernel space makes it possible for a bad subscript in an array (for example) to overwrite other parts of the kernel… I don't like kernel programming, it's too damn critical (and the fact that it must be done using C guarantees that I WILL make a mistake with pointers/arrays...). Java & Pascal have a lot of ways to avoid those classes of mistakes (unfortunately they are slower than plain C, Java being the slowest).
I'll defer to your expertise, I'm a poor programmer at best. =)
-
I have a basic idea of how to solve this:
A binary captive portal app that, upon login, builds a TAP device for this specific user and transfers packet by packet to a (time-based) bucket on the secondary TAP device (which needs to be just one…) and vice versa. Unlogged users can't get routed through the "virtual wires" inside the app, so it is left up to the rest of the system rules whether this guy will navigate the internet...
I developed a small HTTP(S) server using FreePascal/Synapse; now I'm translating the tun/tap lib headers to allow me to write a "virtual wire" using it...
LAN -----> TAP1 ----virtual wire with speed control/captive portal functionality----> TAP0 -----> WAN or whatever.
In max 1 month I will come back with news...
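As an added example (not code from any poster in this thread, and not the FreePascal program described above), here is the shaping half of the "virtual wire" in Python: frames read from the LAN-side tap are keyed by IPv4 address, only logged-in users get a queue, and each queue drains through a per-user token bucket (the time-based bucket mentioned above; the thread's first post calls the same idea a leaky bucket) before the frame would be written to the WAN-side tap. The clock is passed in explicitly so the behaviour can be checked with constructed frames and no real tap devices; the addresses, rates and the `login`/`logout` hooks are assumptions for illustration (a real deployment would take the per-user rate from RADIUS).

```python
"""Per-user token-bucket shaper for a userland tap0 <-> tap1 "virtual wire" (added example)."""
import struct
from collections import deque

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def ipv4_endpoints(frame: bytes):
    """Return (src, dst) dotted quads of an Ethernet frame carrying IPv4, or None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None  # truncated or malformed header: never guess, just refuse it
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


class TokenBucket:
    """Classic token bucket: `rate_bps` refills, `burst_bytes` caps how much can be sent at once."""

    def __init__(self, rate_bps: float, burst_bytes: int, now: float):
        self.rate = rate_bps / 8.0  # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = now

    def try_consume(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class VirtualWire:
    """One direction of the wire. key="src" shapes upstream (LAN->WAN), key="dst" shapes downstream."""

    def __init__(self, rate_bps: float, burst_bytes: int, key: str = "src", queue_limit: int = 64):
        self.rate_bps, self.burst, self.queue_limit = rate_bps, burst_bytes, queue_limit
        self.key_index = 0 if key == "src" else 1
        self.buckets = {}  # user ip -> TokenBucket
        self.queues = {}   # user ip -> deque of frames waiting for tokens
        self.stats = {"forwarded": 0, "dropped_unauth": 0, "dropped_queue_full": 0, "dropped_nonip": 0}

    def login(self, ip: str, now: float, rate_bps: float = None):
        # Captive-portal hook: only users present here are ever forwarded. Per-user rate is an assumption.
        self.buckets[ip] = TokenBucket(rate_bps or self.rate_bps, self.burst, now)
        self.queues[ip] = deque()

    def logout(self, ip: str):
        self.buckets.pop(ip, None)
        self.queues.pop(ip, None)

    def ingress(self, frame: bytes, now: float):
        """Called for every frame read from the ingress tap."""
        ends = ipv4_endpoints(frame)
        if ends is None:
            self.stats["dropped_nonip"] += 1
            return
        user = ends[self.key_index]
        if user not in self.buckets:
            self.stats["dropped_unauth"] += 1  # not logged in: the wire does not carry it
            return
        q = self.queues[user]
        if len(q) >= self.queue_limit:
            self.stats["dropped_queue_full"] += 1  # tail drop rather than unbounded buffering
            return
        q.append(frame)

    def egress(self, now: float):
        """Return the frames that may be written to the egress tap at time `now`."""
        out = []
        for user, q in self.queues.items():
            bucket = self.buckets[user]
            while q and bucket.try_consume(len(q[0]), now):
                out.append(q.popleft())
        self.stats["forwarded"] += len(out)
        return out


def make_frame(src: str, dst: str, payload_len: int) -> bytes:
    """Constructed test frame: Ethernet + minimal IPv4 header (no checksums; never put on a real wire)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    to4 = lambda s: bytes(int(x) for x in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0, to4(src), to4(dst))
    return eth + ip + b"\x00" * payload_len


def simulate():
    """Constructed scenario: 8 kbit/s (1000 B/s) with a 1500-byte burst, 500-byte frames, one unlogged user."""
    wire = VirtualWire(rate_bps=8000, burst_bytes=1500, key="src")
    wire.login("192.0.2.10", now=0.0)
    for _ in range(5):
        wire.ingress(make_frame("192.0.2.10", "198.51.100.1", 466), now=0.0)  # 14 + 20 + 466 = 500 bytes
    for _ in range(2):
        wire.ingress(make_frame("192.0.2.11", "198.51.100.1", 466), now=0.0)  # never logged in
    sent_per_tick = [len(wire.egress(now=t)) for t in (0.0, 0.5, 1.0)]
    return sent_per_tick, dict(wire.stats)


if __name__ == "__main__":
    print(simulate())
```

With a 1500-byte burst the first three 500-byte frames go out immediately, then one frame per half second at 1000 B/s; the unlogged user's frames are counted and dropped rather than queued, which is what keeps the portal decision and the shaping decision in one place. Shaping by packets/sec, as suggested above for eMule-style traffic, is the same bucket with `try_consume(1, now)` instead of the frame length.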
-
Amazing, I started this a while back, had to abandon pfSense for m0n0; good to see it taking off!!!
-
Nice, now I have a virtual switch/hub :D
My little program creates two virtual Ethernet devices, tap0 and tap1, and swaps packets from one to the other…
It doesn't do any traffic shaping yet, but... it's the basis for some tests...
It is running on Linux, but FreeBSD does have tun/tap drivers; only their setup is somewhat different (not much).
Who can help me test this concept on a Linux box?
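As an added example (not the poster's FreePascal program, and not pfSense or project code), this is the tap0/tap1 "swap packets" plumbing in Python with the one OS difference the post mentions handled: on Linux the tap is requested through `/dev/net/tun` with the `TUNSETIFF` ioctl, on FreeBSD the tap is its own character device `/dev/tapN` (create it first with `ifconfig tapN create`). The `on_frame` hook is where a shaper or captive-portal check would decide whether a frame crosses the wire. It needs root to run; the interface names are assumptions passed on the command line.

```python
"""Userland virtual wire: copy Ethernet frames between two tap devices (added example)."""
import fcntl
import os
import select
import struct
import sys

# Linux constants from <linux/if_tun.h>; not used on FreeBSD.
TUNSETIFF = 0x400454CA
IFF_TAP = 0x0002
IFF_NO_PI = 0x1000   # raw frames, no 4-byte packet-info prefix
IFNAMSIZ = 16


def ifreq_for_tap(name: str) -> bytes:
    """struct ifreq as TUNSETIFF reads it: 16-byte name followed by 16-bit flags."""
    raw = name.encode()
    if not raw or len(raw) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    return struct.pack("16sH", raw, IFF_TAP | IFF_NO_PI)


def open_tap(name: str) -> int:
    """Return a file descriptor that reads/writes raw Ethernet frames on tap `name`."""
    if sys.platform.startswith("linux"):
        fd = os.open("/dev/net/tun", os.O_RDWR)
        fcntl.ioctl(fd, TUNSETIFF, ifreq_for_tap(name))  # binds this fd to tapN (created if absent)
        return fd
    if sys.platform.startswith("freebsd"):
        # FreeBSD tap(4): each interface is /dev/tapN; `ifconfig tapN create` beforehand.
        return os.open("/dev/" + name, os.O_RDWR)
    raise OSError("no tap support written for " + sys.platform)


def peer_of(fd: int, fd_a: int, fd_b: int) -> int:
    """The other end of the wire for a frame that arrived on `fd`."""
    return fd_b if fd == fd_a else fd_a


def bridge(fd_a: int, fd_b: int, on_frame=None, max_frame: int = 1518):
    """Forward frames between the two taps forever.

    on_frame(in_fd, frame) may return the frame (forward), a modified frame, or None (drop);
    a shaper or captive-portal policy plugs in here without touching the copy loop.
    """
    while True:
        readable, _, _ = select.select([fd_a, fd_b], [], [])
        for fd in readable:
            frame = os.read(fd, max_frame)
            if not frame:
                return  # device closed underneath us
            if on_frame is not None:
                frame = on_frame(fd, frame)
                if frame is None:
                    continue
            os.write(peer_of(fd, fd_a, fd_b), frame)


def counting_hook(counts: dict):
    """Example policy: count bytes per ingress fd and forward everything unchanged."""
    def hook(fd, frame):
        counts[fd] = counts.get(fd, 0) + len(frame)
        return frame
    return hook


if __name__ == "__main__":
    a_name, b_name = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("tap0", "tap1")
    tap_a, tap_b = open_tap(a_name), open_tap(b_name)
    counts = {}
    try:
        bridge(tap_a, tap_b, on_frame=counting_hook(counts))
    finally:
        os.close(tap_a)
        os.close(tap_b)
```

Run it as root with the two interface names, then bring both taps up with `ip link set tapN up` (Linux) or `ifconfig tapN up` (FreeBSD); anything the kernel routes into one tap comes out of the other. Routing the real LAN and WAN traffic through the pair is the pf/routing part the diagrams above describe and is not covered here.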
-
When you are ready to test on FreeBSD let me know. I cannot assist in Linux however.
-
This is great guys can't wait for it to be ready. Just what I'm looking for
Thanks