Transparent Squid and Traffic Shaping!!

  • I have been trying to get squid (in transparent mode) to work with traffic shaping for a while now, and was successful today.
    Not that it doesn't work at all, but if you have squid and traffic shaping enabled and have set up priority for HTTP traffic, it doesn't work with squid, as all traffic coming from squid gets pushed into the default queue (qLanDef). It was very annoying because at peak P2P and other traffic, browsing will be sluggish and pages time out. It wasn't possible to change the priority on the default queue, as most traffic gets pushed there by default. It was hard to lower the priority of P2P apps because most users changed the standard P2P ports.

    Why doesn't it work? A few rules are generated for squid. First, the redirect rule:

    rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> port 3128

    and the pass rule:

    pass in quick on {$lanif} inet proto tcp from any to port 3128 flags S/SA keep state label

    This rule completely bypasses the traffic shaping rules for HTTP.

    How to get it to work?

    Hack /etc/inc/!!
    Change the squid redirect rule (unfortunately, assigning a specific interface for squid to use from the webGUI doesn't work):
    change:    rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> port 3128
    to:        rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> {$lanip} port 3128

    This changes the redirect rule to reassign HTTP packets to the LAN IP address, which makes them bypass the default pass rule for squid. However, that is not the end of it. If you have the anti-lockout rule for the webGUI turned on in System -> Advanced, it will generate a rule (mine looks like this):
    pass in quick from to keep state label "anti-lockout web rule"

    This will still make squid redirects bypass the shaper rules, since the packets were translated to the LAN IP address in the redirect.

    You have 3 choices:
    1. Disable anti-lockout (System -> Advanced), but make sure you have the default LAN -> any rule in Firewall -> Rules -> LAN.
    2. Again disable anti-lockout, but create specific rules for the webGUI and SSH (if enabled). Make sure you use the port numbers in the rules.
    3. Hack it to create a more specific rule for anti-lockout (one that uses the admin ports, rather than a general pass for the LAN).

    Well, I modified it because I was afraid to make a specific rule for the webGUI & SSH, only to forget about it, accidentally change the ports and lock myself out. Here is the change if you're interested.

    if (!isset($config['system']['webgui']['noantilockout'])) {
        if ($lansa and $lansn) {
            // Use the configured webGUI port; fall back to the protocol's default port.
            $webgui_port = $config['system']['webgui']['port'];
            $ssh_port = $config['system']['ssh']['port'];
            if (isset($webgui_port) && ($webgui_port !== "")) {
                $a_port = $webgui_port;
            } else {
                $admin_protocol = $config['system']['webgui']['protocol'];
                switch ($admin_protocol) {
                    case "http":
                        $a_port = '80';
                        break;
                    case "https":
                        $a_port = '443';
                        break;
                    default:
                        $a_port = '80';
                }
            }
            // Append the SSH port (default 22) so the rule covers both admin services.
            if (isset($ssh_port) && ($ssh_port !== "")) {
                $a_port .= ',' . $ssh_port;
            } else {
                $a_port .= ',22';
            }
            // Only the admin ports on the LAN address are exempted, so redirected
            // squid traffic (LAN IP, port 3128) falls through to the shaper rules.
            $ipfrules .= <<<EOD
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick proto tcp from {$lansa}/{$lansn} to $lanip port {{$a_port}} keep state label "anti-lockout web rule"

    EOD;
        }
    }

    Here's my generated rule after the mod:
    pass in quick proto tcp from to port {445,22} keep state label "anti-lockout web rule"
    It works every time I change the ports in System -> Advanced.

    Be sure to use non-standard ports for the webGUI, !(80 or 443), as anti-lockout will still bypass the shaper rules.
    Use the wizard to prioritize HTTP traffic and it works. I created specific queues for each IP on my LAN and this works also.
    If there are no shaper rules for squid, squid redirects still get passed by the default LAN-to-any rule.

    The only sad thing is I'll have to change it every time I upgrade!!

    Nonetheless, I hope I helped someone.
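
The mechanism the post above describes (a "quick" pass rule with no queue keyword, evaluated before the shaper rules, captures the redirected squid flow into the default queue; narrowing that rule to the admin ports lets the flow reach a queue-assigning rule) can be checked offline with a small model of pf's rule evaluation. This is an added example, not code from the post or from pfSense. It applies the rdr first, because pf translates before filtering, so the pass rules see the LAN IP and port 3128. The addresses, the shaper rule (assumed to match the post-redirect destination port 3128 and to assign a hypothetical queue named qLanHttp) and the packets are all constructed for the example; only qLanDef and the admin ports 445 and 22 come from the post.

```python
"""Model of pf rule evaluation for the transparent-squid / anti-lockout case.

Constructed example (not pfSense code): rdr rewrites the packet first, then the
pass rules are walked in order; a matching 'quick' rule ends evaluation,
otherwise the last matching rule wins. A winning rule with no 'queue' keyword
sends the flow to the default queue (qLanDef on this page).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

DEFAULT_QUEUE = "qLanDef"            # default queue named in the post
LANIP = "192.168.1.1"                # assumed LAN address of the firewall ({$lanip})
LAN = "192.168.1.0/24"               # assumed LAN subnet ({$lansa}/{$lansn})
SQUID_PORT = 3128
ADMIN_PORTS = frozenset({445, 22})   # webGUI on 445 + SSH on 22, as in the post


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Subset of a pf pass rule: proto, src/dst (any or CIDR), dst ports, queue."""
    label: str
    quick: bool = True
    proto: Optional[str] = None                                # None = any protocol
    src: str = "any"
    dst: str = "any"
    dports: FrozenSet[int] = field(default_factory=frozenset)  # empty = any port
    queue: Optional[str] = None                                # None = no queue keyword

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and self._addr_ok(self.src, pkt.src)
                and self._addr_ok(self.dst, pkt.dst)
                and (not self.dports or pkt.dport in self.dports))


def apply_rdr(pkt: Packet, lanip: str = LANIP) -> Packet:
    """rdr on lan inet proto tcp from any to !lanip port www -> lanip port 3128.
    pf translates before filtering, so the pass rules see lanip:3128."""
    if pkt.proto == "tcp" and pkt.dport == 80 and pkt.dst != lanip:
        return Packet(pkt.proto, pkt.src, lanip, SQUID_PORT)
    return pkt


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf order semantics: first matching quick rule wins, else the last match."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def queue_for(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """(label of the rule that passed the flow, queue the flow was assigned)."""
    rule = evaluate(rules, apply_rdr(pkt))
    if rule is None:
        return ("blocked", "-")
    return (rule.label, rule.queue or DEFAULT_QUEUE)


# Assumed shaper rule: matches HTTP flows after the redirect (dst port 3128)
# and puts them in a hypothetical priority queue qLanHttp.
SHAPER = Rule("http shaper", proto="tcp", src=LAN,
              dports=frozenset({SQUID_PORT}), queue="qLanHttp")
# The post's "default lan -> any" rule, modelled as a non-quick catch-all.
DEFAULT_LAN = Rule("default lan -> any", quick=False, src=LAN)
# Stock anti-lockout: any proto, any port, to the LAN address, no queue.
GENERIC_LOCKOUT = Rule("anti-lockout web rule", src=LAN, dst=LANIP)
# Modified anti-lockout from the post: tcp to the LAN address, admin ports only.
SPECIFIC_LOCKOUT = Rule("anti-lockout web rule", proto="tcp", src=LAN,
                        dst=LANIP, dports=ADMIN_PORTS)

RULESET_GENERIC = [GENERIC_LOCKOUT, SHAPER, DEFAULT_LAN]
RULESET_SPECIFIC = [SPECIFIC_LOCKOUT, SHAPER, DEFAULT_LAN]

# Constructed packets: a LAN client browsing the web, and an admin opening the webGUI.
CLIENT_HTTP = Packet("tcp", "192.168.1.10", "203.0.113.5", 80)
ADMIN_GUI = Packet("tcp", "192.168.1.10", LANIP, 445)

if __name__ == "__main__":
    for name, rules in (("generic anti-lockout", RULESET_GENERIC),
                        ("port-specific anti-lockout", RULESET_SPECIFIC)):
        for pkt in (CLIENT_HTTP, ADMIN_GUI):
            print(f"{name:27s} {pkt.dst}:{pkt.dport:<4} -> {queue_for(rules, pkt)}")
```

With the generic anti-lockout rule the client's browsing flow, already rewritten to the LAN IP on port 3128, is passed by that rule and lands in qLanDef; with the port-specific rule it falls through to the shaper rule and gets its queue, while the admin's connection to port 445 is still passed by the anti-lockout rule. On the firewall itself, `pfctl -sr` prints the loaded rules in evaluation order and `pfctl -vsr` adds per-rule packet counters, so you can confirm which rule is actually taking the hits for a redirected flow.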

  • Bravo! That's awesome!