OPNsense Forum

English Forums => General Discussion => Topic started by: temporaryuser on March 22, 2016, 08:54:24 pm

Title: Traffic shaper: Great differences to pfSense?
Post by: temporaryuser on March 22, 2016, 08:54:24 pm
Hi all,

comparing pfSense and OPNsense side-by-side I noticed a major difference in the Firewall>Traffic Shaper menu.
There seem to be great differences in the general approach and in the available options.

Since I have not used traffic shaping with pfSense or OPNsense, but will have to use it from now on, I am wondering what the reasons for and the consequences of those differences are.

Is there anybody here who has knowledge about this topic?

Cheers
Title: Re: Traffic shaper: Great differences to pfSense?
Post by: temporaryuser on March 25, 2016, 07:50:35 pm
Nobody?  :'(
Title: Re: Traffic shaper: Great differences to pfSense?
Post by: franco on March 25, 2016, 08:14:30 pm
The framework behind the "limiter" tab in pfSense is essentially what we have picked as our shaper technology. All other parts based on ALTQ were removed, mostly because ALTQ is disabled in FreeBSD GENERIC builds and also because OpenBSD removed ALTQ in favour of a directly plugged HFSC shaping algorithm. ALTQ was thought of as a way to deliver many shaping technologies, but over the years (at least for OpenBSD) only HFSC came to matter.

ALTQ is directly plugged into pf(4), while the limiter technology based on ipfw(4) and dummynet(4) runs as a second, completely detached packet filter. This brings a few limitations: you cannot use pf(4) rules to shape traffic anymore. This is an important detail, because the filtering in ipfw(4) is not as advanced (it has the day-to-day basics but not such things as e.g. OS detection).

This also brings an advantage: when disabling the firewall, you can still shape the traffic for routing...

dummynet(4) used to miss the CoDel algorithm which pfSense ALTQ has, but it recently became available in a first version, which we have picked up already and will provide GUI support for in a couple of weeks[1].

[1] https://lists.freebsd.org/pipermail/freebsd-ipfw/2016-February/006026.html

The main difference is in configuration approach (queues, pipes, rules) and in the rules complexity itself. In the majority of use cases, the missing rules flexibility does not matter.

This is just a technical overview. Others can tell more about the shaper differences from an actual user perspective or how they are using the shaper.
Title: Re: Traffic shaper: Great differences to pfSense?
Post by: k666mac on March 28, 2016, 10:21:33 pm
Will there be support for using aliases in the traffic shaper rules? It would save having so many rules set up for different IPs/hosts, as I need to set priorities by machine rather than protocol. Aliases would make this far simpler, as I would only need to set up an alias for each priority group.

Title: Re: Traffic shaper: Great differences to pfSense?
Post by: AdSchellevis on March 29, 2016, 08:55:40 am
@k666mac we don't have immediate plans to support aliases there, but I agree it would be a practical feature. It would probably cost quite some time to build this, because our traffic shaper uses a different technology (ipfw) than our firewall (pf), and the current aliases depend heavily on the features provided by pf.
If I'm not mistaken, we should load the addresses / ports in ipfw tables to reach a similar experience.

You could add a feature request in our GitHub (https://github.com/opnsense/core/issues); maybe when there's time and enough demand, we may pick this one up.