PfSense and Shaping Facebook – The Definitive Guide.



  • Hi Guys
    After struggling for a HUGE amount of time on the problem of limiting the speed of facebook traffic, I finally got my head around this and wrote a guide to do exactly this, LIMIT FACEBOOK TRAFFIC.

    Things you have to remember, this can not go into your LAN , it HAS to go into your WAN/FLOATING rules.  If you try to put it onto your LAN rules, you will not have a good time…  :P

    You can read the full instruction here:
    https://aubreykloppers.wordpress.com/2015/07/22/pfsense-and-shaping-facebook-the-definitive-guide/

    Enjoy and if you get to Cape Town, please buy me a beer :)

    as a last note: This is going to p >:( ss more than a couple of people off, so make sure you can take the punch  ;D

    ps - I will be writing a proper guide to limiting groups of LAN users over the next day or so…



  • I think your alias list might be a little light:

    http://bgp.he.net/search?search[search]=facebook&commit=Search



  • Hi KOM

    The alias-list might be light, but it works :)

    The full alias-list that one can use is:

    ad4game-a.akamaihd.net
    adaptv-a.akamaihd.net
    adaptvcdn-a.akamaihd.net
    amazonadsi-a.akamaihd.net
    amznadsi-a.akamaihd.net
    apiconstasurfinf-a.akamaihd.net
    appnext-a.akamaihd.net
    atdmt-a.akamaihd.net
    av00vimeo-i.akamaihd.net
    avvimeo-a.akamaihd.net
    azmtcdn-a.akamaihd.net
    bcsecure01-a.akamaihd.net
    bws2midas-a.akamaihd.net
    bzmtcdn-a.akamaihd.net
    canvasdp-a.akamaihd.net
    canvaspl-a.akamaihd.net
    cdn2sitescout-a.akamaihd.net
    cdncache-a.akamaihd.net
    cdncache1-a.akamaihd.net
    cdnrockyou-a.akamaihd.net
    cdnstats-a.akamaihd.net
    cloudinary-a.akamaihd.net
    combowhosay-a.akamaihd.net
    comedysec-a.akamaihd.net
    content-a.akamaihd.net
    contents-a.akamaihd.net
    contextual-a.akamaihd.net
    czmtcdn-a.akamaihd.net
    distilleryimage0-a.akamaihd.net
    distilleryimage1-a.akamaihd.net
    distilleryimage10-a.akamaihd.net
    distilleryimage11-a.akamaihd.net
    distilleryimage2-a.akamaihd.net
    distilleryimage3-a.akamaihd.net
    distilleryimage4-a.akamaihd.net
    distilleryimage5-a.akamaihd.net
    distilleryimage6-a.akamaihd.net
    distilleryimage7-a.akamaihd.net
    distilleryimage8-a.akamaihd.net
    distilleryimage9-a.akamaihd.net
    ds-aksb-a.akamaihd.net
    dzmtcdn-a.akamaihd.net
    evernote-a.akamaihd.net
    fashiononesec-a.akamaihd.net
    fbcdn-creative-a.akamaihd.net
    fbcdn-dragon-a.akamaihd.net
    fbcdn-gtvideo-a-a.akamaihd.net
    fbcdn-gtvideo-c-a.akamaihd.net
    fbcdn-gtvideo-d-a.akamaihd.net
    fbcdn-gtvideo-e-a.akamaihd.net
    fbcdn-gtvideo-f-a.akamaihd.net
    fbcdn-gtvideo-g-a.akamaihd.net
    fbcdn-gtvideo-h-a.akamaihd.net
    fbcdn-gtvideo-i-a.akamaihd.net
    fbcdn-gtvideo-j-a.akamaihd.net
    fbcdn-gtvideo-k-a.akamaihd.net
    fbcdn-gtvideo-m-a.akamaihd.net
    fbcdn-gtvideo-n-a.akamaihd.net
    fbcdn-gtvideo-o-a.akamaihd.net
    fbcdn-gtvideo-p-a.akamaihd.net
    fbcdn-photos-a-a.akamaihd.net
    fbcdn-photos-a.akamaihd.net
    fbcdn-photos-b-a.akamaihd.net
    fbcdn-photos-c-a.akamaihd.net
    fbcdn-photos-d-a.akamaihd.net
    fbcdn-photos-e-a.akamaihd.net
    fbcdn-photos-f-a.akamaihd.net
    fbcdn-photos-g-a.akamaihd.net
    fbcdn-photos-h-a.akamaihd.net
    fbcdn-profile-a.akamaihd.net
    fbcdn-sphotos-a-a.akamaihd.net
    fbcdn-sphotos-a.akamaihd.net
    fbcdn-sphotos-b-a.akamaihd.net
    fbcdn-sphotos-c-a.akamaihd.net
    fbcdn-sphotos-d-a.akamaihd.net
    fbcdn-sphotos-e-a.akamaihd.net
    fbcdn-sphotos-f-a.akamaihd.net
    fbcdn-sphotos-g-a.akamaihd.net
    fbcdn-sphotos-h-a.akamaihd.net
    fbcdn-static-b-a.akamaihd.net
    fbcdn-video-a-a.akamaihd.net
    fbcdn-video-a.akamaihd.net
    fbcdn-video-b-a.akamaihd.net
    fbcdn-video-c-a.akamaihd.net
    fbcdn-video-d-a.akamaihd.net
    fbcdn-video-e-a.akamaihd.net
    fbcdn-video-f-a.akamaihd.net
    fbcdn-video-g-a.akamaihd.net
    fbcdn-video-h-a.akamaihd.net
    fbcdn-video-i-a.akamaihd.net
    fbcdn-video-j-a.akamaihd.net
    fbcdn-video-k-a.akamaihd.net
    fbcdn-video-l-a.akamaihd.net
    fbcdn-video-m-a.akamaihd.net
    fbcdn-video-n-a.akamaihd.net
    fbcdn-video-o-a.akamaihd.net
    fbcdn-video-p-a.akamaihd.net
    fbcdn-vthumb-a.akamaihd.net
    fbexternal-a.akamaihd.net
    fbstatic-a.akamaihd.net
    foxnewsplayer-a.akamaihd.net
    fxdepo-a.akamaihd.net
    gamegos-a.akamaihd.net
    golfchannel-a.akamaihd.net
    grvaol-a.akamaihd.net
    hdapp1004-a.akamaihd.net
    hdapp1006-a.akamaihd.net
    hdapp1008-a.akamaihd.net
    hdliveextra-a.akamaihd.net
    hdsrc-a.akamaihd.net
    hfys5200-a.akamaihd.net
    hof-a.akamaihd.net
    hrsecsynd-a.akamaihd.net
    humblebundle-a.akamaihd.net
    ic41c1c00-ds-aksb-a.akamaihd.net
    igcdn-photos-a-a.akamaihd.net
    igcdn-photos-b-a.akamaihd.net
    igcdn-photos-c-a.akamaihd.net
    igcdn-photos-d-a.akamaihd.net
    igcdn-photos-e-a.akamaihd.net
    igcdn-photos-f-a.akamaihd.net
    igcdn-photos-g-a.akamaihd.net
    igcdn-photos-h-a.akamaihd.net
    igcdn-videos-b-0-a.akamaihd.net
    igcdn-videos-b-10-a.akamaihd.net
    igcdn-videos-d-9-a.akamaihd.net
    igcdn-videos-g-7-a.akamaihd.net
    igcdn-videos-h-12-a.akamaihd.net
    inmagazinesec-a.akamaihd.net
    inmobisdk-a.akamaihd.net
    instagramimages-a.akamaihd.net
    instagramstatic-a.akamaihd.net
    kbdownload1-a.akamaihd.net
    kbimages1-a.akamaihd.net
    kbmerch1-a.akamaihd.net
    kbstatic1-a.akamaihd.net
    lfavatar-a.akamaihd.net
    lfzor-a.akamaihd.net
    mindjolt-a.akamaihd.net
    mycbslocal-a.akamaihd.net
    mycdn-a.akamaihd.net
    myvegas-a.akamaihd.net
    networkten-a.akamaihd.net
    pdlvimeocdn-a.akamaihd.net
    photorankmedia-a.akamaihd.net
    photorankstatics-a.akamaihd.net
    prezi-a.akamaihd.net
    qsearch-a.akamaihd.net
    rdio-a.akamaihd.net
    rdio0-a.akamaihd.net
    rdio1-a.akamaihd.net
    rdio2-a.akamaihd.net
    redge-a.akamaihd.net
    rounds-a.akamaihd.net
    sharecarepmd-a.akamaihd.net
    shinezone-a.akamaihd.net
    snappytv-a.akamaihd.net
    splitsec-a.akamaihd.net
    static6-a.akamaihd.net
    sugarinc-a.akamaihd.net
    tapjoycdn-a.akamaihd.net
    tedcdnpa-a.akamaihd.net
    tedcdnpi-a.akamaihd.net
    tos-a.akamaihd.net
    uppercutsec-a.akamaihd.net
    ustvstaticcdn1-a.akamaihd.net
    ustvstaticcdn2-a.akamaihd.net
    vindicoasset-a.akamaihd.net
    wwwigame-a.akamaihd.net
    z1photorankmedia-a.akamaihd.net
    z2photorankmedia-a.akamaihd.net
    z3photorankmedia-a.akamaihd.net
    zchan0-a.akamaihd.net
    zephyrzoosk-a.akamaihd.net
    zynga1-a.akamaihd.net
    0-channel-proxy-04-frc3.facebook.com
    0-channel-proxy-06-ash2.facebook.com
    0-channel-proxy-06-frc1.facebook.com
    0-channel-proxy-07-ash2.facebook.com
    0-channel-proxy-13-prn1.facebook.com
    0-edge-chat.facebook.com
    0-p-04-frc3.channel.facebook.com
    0-p-06-ash2.channel.facebook.com
    0-p-06-frc1.channel.facebook.com
    0-p-07-ash2.channel.facebook.com
    0-p-13-prn1.channel.facebook.com
    0-undefined.facebook.com
    1-channel-proxy-04-frc3.facebook.com
    1-channel-proxy-06-ash2.facebook.com
    1-channel-proxy-06-frc1.facebook.com
    1-channel-proxy-07-ash2.facebook.com
    1-channel-proxy-13-prn1.facebook.com
    1-edge-chat.facebook.com
    1-p-04-frc3.channel.facebook.com
    1-p-06-ash2.channel.facebook.com
    1-p-06-frc1.channel.facebook.com
    1-p-07-ash2.channel.facebook.com
    1-p-13-prn1.channel.facebook.com
    1-undefined.facebook.com
    2-channel-proxy-04-frc3.facebook.com
    2-channel-proxy-06-ash2.facebook.com
    2-channel-proxy-06-frc1.facebook.com
    2-channel-proxy-07-ash2.facebook.com
    2-channel-proxy-13-prn1.facebook.com
    2-edge-chat.facebook.com
    2-p-04-frc3.channel.facebook.com
    2-p-06-ash2.channel.facebook.com
    2-p-06-frc1.channel.facebook.com
    2-p-07-ash2.channel.facebook.com
    2-p-13-prn1.channel.facebook.com
    2-undefined.facebook.com
    3-channel-proxy-04-frc3.facebook.com
    3-channel-proxy-06-ash2.facebook.com
    3-channel-proxy-06-frc1.facebook.com
    3-channel-proxy-07-ash2.facebook.com
    3-channel-proxy-13-prn1.facebook.com
    3-edge-chat.facebook.com
    3-p-04-frc3.channel.facebook.com
    3-p-06-ash2.channel.facebook.com
    3-p-06-frc1.channel.facebook.com
    3-p-07-ash2.channel.facebook.com
    3-p-13-prn1.channel.facebook.com
    3-undefined.facebook.com
    4-channel-proxy-04-frc3.facebook.com
    4-channel-proxy-06-ash2.facebook.com
    4-channel-proxy-06-frc1.facebook.com
    4-channel-proxy-07-ash2.facebook.com
    4-channel-proxy-13-prn1.facebook.com
    4-edge-chat.facebook.com
    4-p-04-frc3.channel.facebook.com
    4-p-06-ash2.channel.facebook.com
    4-p-06-frc1.channel.facebook.com
    4-p-07-ash2.channel.facebook.com
    4-p-13-prn1.channel.facebook.com
    4-undefined.facebook.com
    5-channel-proxy-04-frc3.facebook.com
    5-channel-proxy-06-ash2.facebook.com
    5-channel-proxy-06-frc1.facebook.com
    5-channel-proxy-07-ash2.facebook.com
    5-channel-proxy-13-prn1.facebook.com
    5-edge-chat.facebook.com
    5-p-04-frc3.channel.facebook.com
    5-p-06-ash2.channel.facebook.com
    5-p-06-frc1.channel.facebook.com
    5-p-07-ash2.channel.facebook.com
    5-p-13-prn1.channel.facebook.com
    5-undefined.facebook.com
    6-channel-proxy-04-frc3.facebook.com
    6-channel-proxy-06-ash2.facebook.com
    6-channel-proxy-06-frc1.facebook.com
    6-channel-proxy-07-ash2.facebook.com
    6-channel-proxy-13-prn1.facebook.com
    6-edge-chat.facebook.com
    6-p-04-frc3.channel.facebook.com
    6-p-06-ash2.channel.facebook.com
    6-p-06-frc1.channel.facebook.com
    6-p-07-ash2.channel.facebook.com
    6-p-13-prn1.channel.facebook.com
    6-undefined.facebook.com
    af-za.facebook.com
    api-read.facebook.com
    api.facebook.com
    apps.facebook.com
    b-api.facebook.com
    b-graph.facebook.com
    b-www.facebook.com
    badge.facebook.com
    channel-proxy-04-frc3.facebook.com
    channel-proxy-06-ash2.facebook.com
    channel-proxy-06-frc1.facebook.com
    channel-proxy-07-ash2.facebook.com
    channel-proxy-13-prn1.facebook.com
    connect.facebook.com
    da-dk.facebook.com
    de-de.connect.facebook.com
    developers.facebook.com
    edge-chat.facebook.com
    en-gb.facebook.com
    error.facebook.com
    es-la.facebook.com
    et-ee.facebook.com
    facebook.com
    fi-fi.facebook.com
    fr-fr.facebook.com
    graph.facebook.com
    hr-hr.facebook.com
    l.facebook.com
    lt-lt.facebook.com
    m.facebook.com
    m2.facebook.com
    mbasic.facebook.com
    mtouch.facebook.com
    nl-nl.facebook.com
    p-04-frc3.channel.facebook.com
    p-06-ash2.channel.facebook.com
    p-06-frc1.channel.facebook.com
    p-07-ash2.channel.facebook.com
    p-13-prn1.channel.facebook.com
    pixel.facebook.com
    pt-br.facebook.com
    s-static.ak.facebook.com
    secure.facebook.com
    ssl.connect.facebook.com
    static.ak.connect.facebook.com
    static.ak.facebook.com
    static.facebook.com
    upload.facebook.com
    vupload-edge.facebook.com
    webdav.facebook.com
    www.facebook.com
    
    

    ps - I have had some people over the last couple of days (on my LAN) trying to BS me saying internet is slow, but busting them that it is only FB in front of their managers and seeing the expressions on their faces is WAY BETTER :)

    ps2 - Love the Sisters of Mercy avatar!



  • but busting them that it is only FB in front of their managers and seeing the expressions on their faces is WAY BETTER

    Perhaps.  I find my life is much easier if I work with my users and have them not hate me while still accomplishing my goals

    ps2 - Love the Sisters of Mercy avatar!

    ???  You're talking about your own?  Mine is Rush's 'Starman'.



  • @KOM:

    but busting them that it is only FB in front of their managers and seeing the expressions on their faces is WAY BETTER

    Perhaps.  I find my life is much easier if I work with my users and have them not hate me while still accomplishing my goals

    ps2 - Love the Sisters of Mercy avatar!

    ???  You're talking about your own?  Mine is Rush's 'Starman'.

I totally agree, but having someone watching FB videos whilst trying to work on an off-site database can only be pleasurable up to a point.  When the 4Mbit/s (you can see it is very limited) runs out, drastic steps have to be taken to curb and pull the bandwidth back to business use.  If people then become sour with their experience, I point out it is due to their own habits and to the detriment of NPO business.

Better to have a couple of haters than have a company on its knees …



  • Thanks for sharing your configuration. I appreciate having tested configurations to refer to as traffic shaping can be tricky.
    There is a small typo in the article: the opening sentence-
    'The first ting you have to understand'
    And it looks like something might have been truncated at the end-
    'If you now look on your Diagnostics/Limiter Info you will see 2 limiters with the 300.000 Kbit/s limiters and anyone using Facebook (even your firewall) will be left using only 300 Kbit/s and your entire'



  • I point out it is due to their own habits and to the detriment of NPO business.

I prefer to have a stated policy so users know what's expected of them, and measures in place to enforce it.  My users are told that social media is off-limits, and I enforce that with URL filtering that only allows non-business stuff at lunchtime.  Everyone knows the rules, they follow the rules and I don't have to be a BOFH.



  • If I'm understanding it correctly and implement this on my pfSense box, any individual using Facebook (per device) will only get the speed provided in the limiter field?

    side question: if they click a vid in facebook, will it still retain the 300k limit? (assuming limit is 300k from limiter field?)



  • You are 100% correct in your understanding.  Although 300Kbit/s is a bit slow, all traffic through this limiter will be affected :)

    As a side-note: I have set this to 1500Kbit/s and it works like a charm!

    cyber7-out



  • There are cases where traffic shaping won't help, but I assume it's not an issue because you're targeting a lowly 300Kb/s.

You're talking about FB, which tends to use a lot of CDNs, akamai being one of them. I have a 1ms ping to my ISP's akamai CDN. This puts a lower limit on how slow TCP will go.

    Current TCP implementations have a minimum window size of two segments. That is 3000 bytes for most cases. With a 1ms RTT, 3000 bytes will roughly be transferred every 1ms. That's 24Mb/s. That means TCP will refuse to transfer data slower than 24Mb/s per TCP connection, assuming the ping stays constant. A traffic policer drops data when it comes in too quickly, which means the data comes in, but the data will be getting dropped a lot.

    As long as the limiter/policer has a large enough buffer, it will delay the packets but will cause buffer bloat to do so. If the buffer is too small, it will drop the packets, resulting in high packet loss.



  • @cyber7
    thanks for this, I'll implement this one in the near future as I also need this.

    @Harvy66
    honestly ^_^, I only got almost half of it I guess.
if we were to take the 300kb/s one as an example (as this thread is doing), then with the one you mentioned with the 23Mb/s (assuming it's akamai/facebook which is near the isp), it will result in either "bufferbloat and/or dropped packets" due to it being capped/limited, right?

    sorry for this



  • Correct, but only for connections that have low latency relative to the bandwidth. This applies in my case because I have a 1Gb link, but it's rate limited to much less.


  • LAYER 8 Netgate

    I don't see any reason that can't go on LAN with more sanity.

    You are masking on destination address in both In and Out.  That will mean your users will get a limiter pipe for each facebook destination IP address, not for each LAN host.

    You can't match LAN hosts on WAN out floating rules because it's post-NAT (the source address will be the NAT address).

    Name: FBupPRI
    Bandwidth: 300 Kbit/s
    Mask: Source Address

    Name: FBdownPRI
    Bandwidth: 300 Kbit/s
    Mask: Destination address

    Interface LAN
    Action: Pass
    Protocol: any
    Source: LAN net
    Destination Type: Single host or Alias
    Destination Address: Facebook
    Advanced Features:
    In/Out: FBupPRI/FBdownPRI

    Result: 300kbit/sec up/down for each LAN host for all connections to Facebook addresses.



  • @Derelict:

    I don't see any reason that can't go on LAN with more sanity.

    You are masking on destination address in both In and Out.  That will mean your users will get a limiter pipe for each facebook destination IP address, not for each LAN host.

    You can't match LAN hosts on WAN out floating rules because it's post-NAT (the source address will be the NAT address).

    Name: FBupPRI
    Bandwidth: 300 Kbit/s
    Mask: Source Address

    Name: FBdownPRI
    Bandwidth: 300 Kbit/s
    Mask: Destination address

    Interface LAN
    Action: Pass
    Protocol: any
    Source: LAN net
    Destination Type: Single host or Alias
    Destination Address: Facebook
    Advanced Features:
    In/Out: FBupPRI/FBdownPRI

    Result: 300kbit/sec up/down for each LAN host for all connections to Facebook addresses.

    Hi Derelict
    Definitely going to try this!

    Thanx
    cyber7



  • @Derelict:

    Result: 300kbit/sec up/down for each LAN host for all connections to Facebook addresses.

    some dumb question on this:
each will have 300kbit up/down for every computer on LAN? Let's say I have 3 computers with this implemented and all of them are doing facebook simultaneously, total is 900kb up/down right?

how about something like 1,000kbit for them to share? Like if only 1 user is accessing facebook, then he will have the whole 1,000kbits, but if others join, then they'll share the 1,000kbits allocation

    is this possible perhaps?


  • LAYER 8 Netgate

    @gratis.obake:

    @Derelict:

    Result: 300kbit/sec up/down for each LAN host for all connections to Facebook addresses.

    some dumb question on this:
each will have 300kbit up/down for every computer on LAN? Let's say I have 3 computers with this implemented and all of them are doing facebook simultaneously, total is 900kb up/down right?

how about something like 1,000kbit for them to share? Like if only 1 user is accessing facebook, then he will have the whole 1,000kbits, but if others join, then they'll share the 1,000kbits allocation

    is this possible perhaps?

    New top-level limiter:

    Name: FBupPRIPool
    Bandwidth: 1000 Kbit/s
    Mask: None

    While viewing FBupPRIPool click Add new queue

    Name: FBupPRIByHost
    Mask: Source address

    New top-level limiter:

    Name: FBdownPRIPool
    Bandwidth: 1000 Kbit/s
    Mask: None

    While viewing FBdownPRIPool click Add new queue

    Name: FBdownPRIByHost
    Mask: Destination address

    Interface LAN
    Action: Pass
    Protocol: any
    Source: LAN net
    Destination Type: Single host or Alias
    Destination Address: Facebook
    Advanced Features:
    In/Out: FBupPRIByHost/FBdownPRIByHost

    Result: 1000kbit/sec up/down Pool split among all LAN hosts for all connections to Facebook addresses. If only one host, it gets the full 1000kbit.



  • thanks sir, I'll try this one



  • Thanks it works  ;D

    btw… what if i want to exclude a single pc/ip from the rule ?

    thanks again


  • LAYER 8 Netgate

    If it doesn't match the rule, or if it matches another rule above it it won't be put through the limiter.

    So put a rule above it that matches only that IP address but doesn't set the limiter.
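To make the thread's three limiter designs and the exclusion trick concrete, here is a small model of how a limiter keys traffic into pipes. It is an added example for this thread, not pfSense or dummynet code, and it only models what the posts above describe: Derelict's 300 Kbit/s pipe masked on source address (one pipe per LAN host), the 1000 Kbit/s pool with a child queue masked on source address (pool split among active hosts), a pass rule placed above the limiter rule so one host is excluded, and the reason a floating rule on WAN out cannot do the same (it sees the post-NAT source, so every host collapses into one pipe). The addresses, the single upload direction, the equal sharing inside a pipe and the equal split among child queues are all assumptions of the model, labelled in the code.

```python
"""Model of how pfSense limiters (dummynet pipes/queues) key traffic.

Constructed example for this thread, not pfSense or dummynet code. Assumptions:
  * one direction only, LAN host -> Facebook address (the "In" limiter);
  * a masked limiter creates one bucket per distinct masked address, and the
    flows inside a bucket share its bandwidth equally;
  * child queues of a pool split the parent's bandwidth equally among the
    child buckets that are active (equal WF2Q+ weights, no per-child cap);
  * rules are checked top to bottom and the first match wins;
  * a floating rule on WAN out sees the post-NAT source, i.e. the WAN address.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

UNLIMITED = float("inf")


@dataclass(frozen=True)
class Flow:
    src: str  # LAN host address before NAT
    dst: str  # destination (Facebook) address


@dataclass(frozen=True)
class Limiter:
    name: str
    bandwidth_kbit: float               # ignored for a child queue; the parent's pool applies
    mask: str                           # "none", "source" or "destination"
    parent: Optional["Limiter"] = None  # set when this is a child queue of a pool


@dataclass(frozen=True)
class Rule:
    interface: str                     # "LAN" or "WAN" (floating, direction out)
    src: Optional[frozenset] = None    # None = any source
    dst: Optional[frozenset] = None    # None = any destination
    limiter: Optional[Limiter] = None  # None = plain pass, no limiter


def first_match(rules, flow, wan_addr):
    """Return (rule, source address the rule saw). WAN-out rules see the NAT address."""
    for rule in rules:
        seen_src = wan_addr if rule.interface == "WAN" else flow.src
        if rule.src is not None and seen_src not in rule.src:
            continue
        if rule.dst is not None and flow.dst not in rule.dst:
            continue
        return rule, seen_src
    return None, None


def bucket_key(limiter, seen_src, dst):
    if limiter.mask == "source":
        return seen_src
    if limiter.mask == "destination":
        return dst
    return "*"  # mask "none": every matching flow lands in one bucket


def allocate(flows, rules, wan_addr="203.0.113.1"):
    """Model the kbit/s each flow ends up with under the given rule set."""
    buckets, result = defaultdict(list), {}
    for flow in flows:
        rule, seen_src = first_match(rules, flow, wan_addr)
        if rule is None or rule.limiter is None:
            result[flow] = UNLIMITED
            continue
        buckets[(rule.limiter, bucket_key(rule.limiter, seen_src, flow.dst))].append(flow)
    active_children = defaultdict(int)  # pool -> number of active child buckets
    for limiter, _ in buckets:
        if limiter.parent is not None:
            active_children[limiter.parent] += 1
    for (limiter, _), members in buckets.items():
        if limiter.parent is not None:
            bucket_bw = limiter.parent.bandwidth_kbit / active_children[limiter.parent]
        else:
            bucket_bw = limiter.bandwidth_kbit
        for flow in members:
            result[flow] = bucket_bw / len(members)
    return result


def per_host(result):
    """Sum a flow-level allocation up to kbit/s per LAN host."""
    totals = defaultdict(float)
    for flow, kbit in result.items():
        totals[flow.src] += kbit
    return dict(totals)


# Constructed sample traffic: three LAN hosts, each talking to two Facebook addresses.
FACEBOOK = frozenset({"198.51.100.10", "198.51.100.11"})  # stand-ins for the alias
HOSTS = ("192.168.1.10", "192.168.1.11", "192.168.1.12")
FLOWS = [Flow(h, d) for h in HOSTS for d in sorted(FACEBOOK)]


def scenario_wan_floating(flows=FLOWS, exempt=None):
    """Original guide: floating rule on WAN out, limiter masked on destination."""
    lim = Limiter("FBwan", 300, "destination")
    rules = [Rule("WAN", src=frozenset({exempt}), dst=FACEBOOK)] if exempt else []
    rules.append(Rule("WAN", dst=FACEBOOK, limiter=lim))  # exempt rule never matches post-NAT
    return allocate(flows, rules)


def scenario_lan_per_host(flows=FLOWS):
    """Derelict's first version: LAN rule, 300 Kbit/s pipe masked on source."""
    return allocate(flows, [Rule("LAN", dst=FACEBOOK, limiter=Limiter("FBupPRI", 300, "source"))])


def scenario_lan_pool(flows=FLOWS, exempt=None):
    """Pool version: 1000 Kbit/s parent, child masked on source, optional pass rule above."""
    pool = Limiter("FBupPRIPool", 1000, "none")
    child = Limiter("FBupPRIByHost", 0, "source", parent=pool)
    rules = [Rule("LAN", src=frozenset({exempt}), dst=FACEBOOK)] if exempt else []
    rules.append(Rule("LAN", dst=FACEBOOK, limiter=child))
    return allocate(flows, rules)


if __name__ == "__main__":
    for label, res in [("WAN floating, mask dst", scenario_wan_floating()),
                       ("WAN floating + exempt .12", scenario_wan_floating(exempt="192.168.1.12")),
                       ("LAN, 300k per host", scenario_lan_per_host()),
                       ("LAN, 1000k pool", scenario_lan_pool()),
                       ("LAN pool + exempt .12", scenario_lan_pool(exempt="192.168.1.12")),
                       ("LAN pool, one host alone", scenario_lan_pool(flows=FLOWS[:2]))]:
        print(f"{label:28} {per_host(res)}")
```

Running it shows the behaviours argued over in the thread: with the WAN-out floating rule every host is squeezed into the per-destination pipes (200 kbit/s each here, and the "exempt" rule has no effect because the rule only ever sees the WAN address), the per-host pipe gives each host its own 300 kbit/s regardless of how many are active, the pool gives a lone host the full 1000 kbit/s and splits it when others join, and a pass rule above the limiter rule takes the excluded host out of the pool entirely.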



  • @Derelict:

    If it doesn't match the rule, or if it matches another rule above it it won't be put through the limiter.

    So put a rule above it that matches only that IP address but doesn't set the limiter.

    You can see my limiter works and works 100%  - I did, however make it 1MB/s because the experience at 300kb/s is just not on :)

    Here you can see it in working (all the FB ip's and then my one single GW IP)



  • LAYER 8 Netgate

    Your point?



  • @Derelict:

    Your point?

Did you read the entire topic?  My point being the original limiting works 100% and does not create multiple 1MB pipes, but a single pipe.  ALL FB traffic goes through the pipe and the 1MB pipe gets shared by all the FB IPs.

    YOUR point? ;)

    cyber7


  • LAYER 8 Netgate

    Except it doesn't.  If what you're doing works for you, good on you.

    It goes through a single pipe because it is post-NAT on WAN out, meaning a single source address, meaning a single pipe.

    You are missing the ability for the limiter to try to share the available pipe among LAN users (the users you should care about) by using the child limiters.

    But, again, if what you're doing works for you, have at it.

    The user I was responding to asked how to exclude a single source IP.

    Tell me how you are going to do that post-NAT on WAN out?



  • Hi Derelict
    Thanks for the extensive explanation!  Please could I pick your brain a bit?  (It will also help other users to understand when reading the topic)

Are you saying that the big difference between my original writing and yours is that with yours you can manage the LAN IPs you want to limit, but with mine, you do it for the entire LAN?

    I suppose if it is true, it is actually ok in my environment where I want to limit ALL FB traffic, not just for some users…  BUT, the application of a 'child' limiter (in your example) has such potential for other technologies running away with your bandwidth.  For example, Dropbox and any other "clouded" services.

    My other headache is YOUTUBE (googlevideo) and limiting that traffic...  I found a solution using squid, but that is beyond this subject matter.

    kind regards
    cyber7 (aka Aubrey Kloppers)


  • LAYER 8 Netgate

    @cyber7:

    Hi Derelict
    Thanks for the extensive explanation!  Please could I pick your brain a bit?  (It will also help other users to understand when reading the topic)

Are you saying that the big difference between my original writing and yours is that with yours you can manage the LAN IPs you want to limit, but with mine, you do it for the entire LAN?

    It all depends on what your goals are.  Post-NAT WAN out rules cannot see what the source IP is.  That is quite a limiting factor in most cases.

    I suppose if it is true, it is actually ok in my environment where I want to limit ALL FB traffic, not just for some users…  BUT, the application of a 'child' limiter (in your example) has such potential for other technologies running away with your bandwidth.  For example, Dropbox and any other "clouded" services.

    Your stated goal is to limit facebook.  The hardest part about that is identifying facebook traffic.  Your rules won't do anything to limit dropbox either, since it's all on destination Facebook.

    Limiters and child limiters work.  The outlier is usually bittorrent.  And that is usually because people put a WAN pass rule for their torrent port and don't set the limiter there too.

    My other headache is YOUTUBE (googlevideo) and limiting that traffic…  I found a solution using squid, but that is beyond this subject matter.

    The hard part is identifying the traffic.  Limiting identified traffic is pretty easy.  I think most people who go down this rabbit hole are overthinking things. (Facebook bad, google, ok, googlevideo bad, cnn ok).  Fuck it.  Just limit/shape them all and make the internet work.



  • @Derelict:

    The hard part is identifying the traffic.  Limiting identified traffic is pretty easy.  I think most people who go down this rabbit hole are overthinking things. (Facebook bad, google, ok, googlevideo bad, cnn ok).  Fuck it.  Just limit/shape them all and make the internet work.

    HAHAHA!  I like your attitude!  I am starting to really think in this direction as well!  I have set up limiters (1/2/3Mb/s).  It works, but after I implemented your solution, I am looking at making this more "smove" :)

    cyber7



  • @Derelict:

    The hard part is identifying the traffic.  Limiting identified traffic is pretty easy.  I think most people who go down this rabbit hole are overthinking things. (Facebook bad, google, ok, googlevideo bad, cnn ok).  Fuck it.  Just limit/shape them all and make the internet work.

    HAHAHA!  I like your attitude!  I am starting to really think in this direction as well!  I have set up limiters (1/2/3Mb/s).  It works, but after I implemented your solution, I am looking at making this more "smove" :)

    cyber7

    And you, Derelict, my dear sir ARE A GENIUS!  Re-Wrote all my Limiters with your specs and WOW, soooo smove!

    cyber7-out

