On Wed, May 4, 2011 at 4:47 PM, Vaughn L. Reid III <[email protected]> wrote:
>
> On 4/29/2011 4:49 PM, bsd wrote:
>>
>> On 29 Apr 2011 at 19:08, bsd wrote:
>>
>>> On 29 Apr 2011 at 09:37, bsd wrote:
>>>
>>>> Hi,
>>>>
>>>> I have created a simple L7 container where I have put SIP and SkypeOut
>>>> traffic.
>>>>
>>>> Then created a Queue called VoIP where this traffic is supposed to end
>>>> (HFSC with 10% reserved).
>>>>
>>>> Then two floating rules to put all traffic (TCP and UDP) in and selected
>>>> the VoIP L7 container I have created.
>>>>
>>>>
>>>> No traffic seems to go in that queue??
>>>>
>>>> Any hints?
>>>> Is L7 traffic shaping out of order for the time being?
>>>>
>>>>
>>>> Thanks.
>>>
>>> May I add that my WLAN and LAN are bridged …
>>> If this has any impact on the L7 Queuing.
>>>
>>> … and that my other queues (non L7) are also working very correctly.
>>>
>>>
>>> Thx.
>>
>> And the system tunables have been set correctly…
>>
>> net.link.bridge.pfil_member Set to 0 to disable filtering on the
>> incoming and outgoing member interfaces. 0
>> net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
>> interface 1
>>
>>
>> No one has any feedback on L7 that and v.2.0.RC1 ?
>
> Here is some feedback on my experience with the L7 filter:
>
> With this morning's snapshot (05/04/2011 approximately 06:00 EST was the
> time I initiated a snapshot update), I have experienced the L7 filter
> significantly slowing web traffic on a system containing Squid and
> Squidguard once there were more than a couple of users sending traffic
> through the firewall. Disabling the firewall rule passing traffic to the L7
> filter eliminated the bottleneck. Hardware is a Core 2 Duo Processor, 4
> Gigs memory, Supermicro Server Board, Intel Server NICs. Also, no other
> traffic shaping other than a single L7 filter rule to block peer-to-peer
> traffic was enabled.
>

I would recommend putting a firewall rule to send traffic to layer 7 on the outgoing side when squid is in place or either just filter the tcp 80/443 through squid and the other through layer7 with rules on the lan side.

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
>
>

--
Ermal
