Re: [pfSense] 2 LANs and time based limits
Hi,

From: Adam Thompson athom...@athompso.net
Sent: Sat May 12 07:36:48 NCT 2012
To: 'jerome alet' jerome.a...@univ-nc.nc
Subject: RE: [pfSense] 2 LANs and time based limits

>> I understand (thanks to your explanations) but what I was thinking was not playing with the WAN side of the pipe which is shared, but with the interfaces between pfSense and the two sets of clients, which are not ADSL but traditional Ethernet links.

> That had not occurred to me. I believe, although I hope someone more expert will confirm or deny this, that inbound and outbound QoS should be applied on the same interface, and since you *will* want to apply outbound limits... However, that's an interesting idea and I don't know right now if your idea is a better way to do it.

I've done some testing and it seems to work as expected.

I've created two limiters, DownloadOPT1 set to 10 Mbits/s and UploadOPT1 set to 2 Mbits/s, then I've defined a PASS firewall rule on the OPT1 interface, with a 7 a.m. to 6 p.m. from Monday to Friday schedule, and the UploadOPT1 limiter assigned to the IN direction, and DownloadOPT1 limiter assigned to the OUT direction (my naming is backwards I think but the OUT direction is what comes from my WAN interface to my OPT1 interface, i.e. data downloaded by our students).

I've not yet modified anything for the other interface, but I don't think anything is necessary since only OPT1 will have limiters, the other one should be able to consume all the remaining bandwidth, and more if needed (classrooms have priority... of course).

I think this will be perfect for our needs.

bye, and thanks all for your help

Jerome Alet
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
[pfSense] 2 LANs and time based limits
Hi,

We've got a pfSense 2.0.1 box with a single WAN (in fact it's behind a load balancer with 6 ADSL modems) and currently a single set of client machines which are students' computers in their apartments.

We are planning to add a second set of client machines to this pfSense box, which are computers in our classrooms.

Actually, and for several years now, we used 2 separate pfSense boxes, with 2 separate sets of modems, but we'd like to consolidate this onto a single box (with the future option of having a second box acting as an instant failover).

So in the setup we envision all machines must share the single WAN interface for Internet access. But...

Our classrooms' computers must have dedicated bandwidth from 7 a.m. to 6 p.m., for example they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers.

Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special.

Is this possible with pfSense and if yes please could someone tell me how to proceed?

Thanks in advance

--
Jerome Alet
Re: [pfSense] 2 LANs and time based limits
Hi again,

From: Ermal Luçi e...@pfsense.org
Sent: Fri May 11 21:29:17 NCT 2012
To: jerome alet jerome.a...@univ-nc.nc, pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] 2 LANs and time based limits

> On Fri, May 11, 2012 at 4:11 AM, jerome alet jerome.a...@univ-nc.nc wrote:
>> Our classrooms' computers must have dedicated bandwidth from 7 a.m. to 6 p.m., for example they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers.
>>
>> Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special.
>>
>> Is this possible with pfSense and if yes please could someone tell me how to proceed?
>
> It is possible through time based rules and limiters. You just set up limiters with the limits you want guaranteed during weekdays and use those limiters in time based rules.

So am I correct with this scenario:

1 - Create the 7a.m. to 6p.m. schedule

2 - Create a single limiter, say 20 Mbits/s, with no other option, to dedicate 20 Mbits/s to classrooms (so apartments will use the remaining bandwidth that is still available when this limiter applies)

3 - When creating a rule, I add this rule only to the classrooms interface, and use the single limiter's name in both the IN and OUT drop down lists in the Advanced features of rule creation. Then I put this rule with PASS mode at the top for it to be evaluated first (or is it important at all where I put it wrt other rules)?

Am I correct?

Thanks for your feedback, I've never used limiters before and since I'll do this on the production system I'd like to not make too many mistakes.

Thanks in advance for your help

--
Jerome Alet
Re: [pfSense] 2 LANs and time based limits
> So am I correct with this scenario:
>
> 1 - Create the 7a.m. to 6p.m. schedule
>
> 2 - Create a single limiter, say 20 Mbits/s, with no other option, to dedicate 20 Mbits/s to classrooms (so apartments will use the remaining bandwidth that is still available when this limiter applies)
>
> 3 - When creating a rule, I add this rule only to the classrooms interface, and use the single limiter's name in both the IN and OUT drop down lists in the Advanced features of rule creation. Then I put this rule with PASS mode at the top for it to be evaluated first (or is it important at all where I put it wrt other rules)?
>
> Am I correct?
>
> Thanks for your feedback, I've never used limiters before and since I'll do this on the production system I'd like to not make too many mistakes.
>
> Thanks in advance for your help

That looks right, BUT...

QoS on ADSL is notoriously difficult, and does not usually work quite as expected. There are implementation issues to blame, as well as a theoretical/logical problem.

When you configure your system as described, you will rarely - if ever - get exactly the results you expected. Aim for "good enough" instead of "perfect" and you will likely succeed.

First and foremost: you do not directly control what data is being transmitted to you. You have indirect control over it, at most. To fully control the downstream (i.e. towards you) traffic flow, you would need to have a device sitting at the ISP end of the connection implementing your policies. I have this problem as an ISP; the best traffic shaper in the world can only *indirectly* affect what comes back down the pipe towards me. I can easily drop packets once they arrive at my network (and artificially limit what each client receives), but at that point, why bother, because they've already consumed the scarce resource: incoming bandwidth.

You *will* be able to control outgoing bandwidth - as long as you never saturate the ADSL modems' buffers. This means capping the outbound bandwidth at around 95% of your theoretical upstream; this needs to be done on the last device before the modem, so I hope your load-balancer can do this! Depending on how your load-balancer works, the bandwidth you need to limit to at the pfSense gateway might not be obvious - some experimentation may be required. (BTW: for a more detailed explanation of why you need to cap outbound bandwidth, read http://www.bufferbloat.net/projects/bloat/wiki/Introduction.)

Assuming you aren't hosting publicly-available services (e.g. a public webserver or FTP site), standard traffic-shaping tools like what pfSense provides will probably be good enough for your purposes.

-Adam Thompson
athom...@athompso.net
Re: [pfSense] 2 LANs and time based limits
Hi,

From: Adam Thompson athom...@athompso.net
Sent: Fri May 11 22:51:08 NCT 2012
To: 'jerome alet' jerome.a...@univ-nc.nc, 'pfSense support and discussion' list@lists.pfsense.org
Subject: RE: [pfSense] 2 LANs and time based limits

> QoS on ADSL is notoriously difficult, and does not usually work quite as expected. There are implementation issues to blame, as well as a theoretical/logical problem.

I understand (thanks to your explanations) but what I was thinking was not playing with the WAN side of the pipe which is shared, but with the interfaces between pfSense and the two sets of clients, which are not ADSL but traditional Ethernet links.

What I'm in doubt about now, is where to put the limiter rule? Should the limiter be seen by me as a way to guarantee bandwidth, in which case I should set it high and apply it on the classrooms interface, or should it be seen by me as a bandwidth limiter, in which case I set it low and apply it on the apartments interface?

> When you configure your system as described, you will rarely - if ever - get exactly the results you expected. Aim for "good enough" instead of "perfect" and you will likely succeed.

"good enough" is good enough for us: up until now there was only a single ADSL line for each set of clients, needless to say students will be happy whatever the solution. Right now there's no limiter in use, so they ENJOY pfSense ;-)

thanks for your help.

--
Jerome Alet