OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: ThomasE on January 10, 2025, 11:29:09 AM

Title: Traffic shaping based on target IPs
Post by: ThomasE on January 10, 2025, 11:29:09 AM
Hello everyone,

Is there a way to use traffic shaping to limit traffic based on target IPs?

We're managing literally thousands of Apple devices which are in need of updates that we roll out at regular intervals. Sadly, triggering those updates causes severe performance issues on our firewall, which are discussed here (https://forum.opnsense.org/index.php?topic=44391.0), but that's not what I'm here for. ;-)

While it may not actually solve the problem, I thought we might mitigate it a bit by limiting all traffic originating from public Apple IPs - we already have an alias for those. Simply put, we want to limit the total traffic caused by thousands of clients downloading updates from a specific source. Can this be done using traffic shaping and if so, how?

We're already using caching servers and chances are we will eventually find out that we want more of them or better hardware, but working on that will take much longer, which is why we're looking for a more short-term and likely temporary solution to reduce pressure and buy us time. :)
Title: Re: Traffic shaping based on target IPs
Post by: Seimus on January 10, 2025, 11:41:44 AM
Yes, it can.

You can allocate a portion of the BW as a fixed value (separate pipe) or as a ratio to a specific set of IPs (one pipe with WFQ and proper weight allocation per queue), or to subnets, as the Shaper uses a ruleset for matching the traffic based on the 5-tuple. Aliases can't be used in the Shaper rules.

Check the official docs, there are examples for this.

Regards,
S.
Title: Re: Traffic shaping based on target IPs
Post by: ThomasE on January 13, 2025, 08:15:11 AM
We've created an alias for all networks used by Apple. Am I correct in assuming that there's no way to use that alias in a traffic shaping rule and that I have to copy the content of that alias? This would limit my options as I'm not able to use FQDNs within such a rule, though right now I don't think that'll be a problem.
Title: Re: Traffic shaping based on target IPs
Post by: Seimus on January 13, 2025, 11:13:53 AM
Correct, as mentioned: aliases can't be used in the Shaper rules.
The Shaper rules are a separate entity from the rules used in Firewall > Rules.

If you had a specific subnet for the Apple devices you could use that as a base. Otherwise, sadly, you need to copy all the content from the alias.

There may be another way as well. By using QoS DSCP marking, you can potentially classify/mark packets from Apple devices with a specific DSCP value and match it in the Shaper rules. But I didn't try this out.

Regards,
S.
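A worked version of what the replies above describe, added here and not part of the thread or of OPNsense itself: it expands an alias's network list into one shaper rule per network (dropping FQDNs, which the shaper cannot match) that feeds a single weighted queue under one bandwidth-capped pipe. It assumes OPNsense's trafficshaper settings API paths (addPipe/addQueue/addRule) and the field names shown, and the alias contents are constructed sample data.

```python
import base64
import ipaddress
import json
import urllib.request

# Assumptions: the API paths under /api/trafficshaper/settings/ and the field names
# used below; SAMPLE_ALIAS is constructed data standing in for the alias's contents.
SAMPLE_ALIAS = ["17.0.0.0/8", "2620:149::/32", "updates.example.com", "17.1.2.3"]

def shaper_networks(entries):
    """Keep only literal IPv4/IPv6 networks: shaper rules cannot match FQDNs."""
    kept = []
    for entry in entries:
        try:
            kept.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            continue  # FQDN or malformed entry, skipped
    return kept

def rule_payloads(networks, target_uuid, interface="wan", direction="in"):
    """One rule per network. Downloads from Apple arrive inbound on WAN, so the
    Apple network is the *source*; target is the queue (or pipe) uuid to use."""
    return [{"rule": {"enabled": "1", "sequence": str(seq), "interface": interface,
                      "direction": direction, "proto": "ip", "source": net,
                      "destination": "any", "target": target_uuid,
                      "description": f"apple-updates {net}"}}
            for seq, net in enumerate(networks, start=1)]

def plan(entries, mbit, pipe_uuid="<pipe-uuid>", queue_uuid="<queue-uuid>"):
    """Pipe = hard ceiling for everything matched; queue = a weighted share of
    that pipe (weight only matters once several queues share it); rules feed it.
    The uuids are placeholders for what addPipe/addQueue return."""
    return {"pipe": {"pipe": {"enabled": "1", "bandwidth": str(mbit),
                              "bandwidthMetric": "Mbit", "description": "apple-updates"}},
            "queue": {"queue": {"enabled": "1", "pipe": pipe_uuid, "weight": "50",
                                "description": "apple-updates"}},
            "rules": rule_payloads(shaper_networks(entries), queue_uuid)}

def post(host, key, secret, endpoint, body):
    """POST one payload (e.g. endpoint="addRule") with API key/secret basic auth;
    needs network access, so it is not exercised offline."""
    auth = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/trafficshaper/settings/{endpoint}",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"})
    return json.load(urllib.request.urlopen(req))
```

Apply with post(host, key, secret, "addPipe", p["pipe"]), then the queue and each rule with the returned uuids filled in, and finish by POSTing /api/trafficshaper/service/reconfigure (also an assumed path) so the dummynet config is regenerated. The weight only becomes relevant once a second queue (e.g. for everything else) shares the same pipe, which is the WFQ ratio approach from the first reply.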