Hard situation - Many user/straming/voip



  • Hello everyone,
    I ask the Board to resolve a complicated situation:

    university college with 60 users, adjoining other reality with a load of 20 other users. Three pfSense firewall; one manages 20 users in captive portal; the other two firewalls are run by 60 users. All three firewalls, following different paths, arrive at a router that picks up the Aethra media converter fiber connections of 100Mbps.
    I have assigned to all users in the captive portal 850Kbps and 512Kbps in DL in Ul; Users of the student, 60, have 1Mbps to 512Kbps Dl and Ul. The situation has held up for a long time then, but now we have not; users complain. I removed from the college management proxy that I had installed and configured for quick navigation with the cache. Now the only firewall rules on the two configurations are applied to traffic shaping with the two limiter and a filter layer 7, I must say ineffective to block torrents and some other P2P protocol. Users complain of frequent disconnections, freezes when downloading files bodied (100MB or more), but most streaming almost impossibile and VOIP almost equal.

    How could you suggest me to review configurations? I still want to put a lock on the MAC to avoid having multiple devices on the network for each user, which would complicate things over.
    I noticed that the limiter 1MB downloadable applies to navigation (tested with speed test), but if you launch torrent, not just the filter layer 7 is not working, but the DL goes up 1Mbps bandwidth !!!!! !! and I swallowed so much !!!

    Please help : '(
    thanks,
    Alexander



  • I have virtually no experience on the subject, but if you treat all unknown traffic as P2P, then categorize all known traffic, you should be able to keep P2P from decimating your bandwidth.



  • This.  Bittorrent tries to hide itself and likes to use random ports and encryption.  Like Harvy said, classify your traffic into known vs unknown.  Handle the known and let the unknown fall into the heavily-limited queue.



  • Thank you harvy and thank yo kom,
    I've understood… Ok! I'll try! Tell me, please, how to do it in practice; could you suggest me the steps?

    Thank you very much,
    Alessandro



  • Again, I have little experience and am just learning myself. You could set the default queue to have virtually no bandwidth, then create other queues for stuff like games and web. So 80/443 would get web, and you could add a list of known common games and add their ports.


Log in to reply