OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: mb on May 06, 2021, 01:33:01 am

Title: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: mb on May 06, 2021, 01:33:01 am
Dear OPNsense users,

I'm happy to bring you the news that we're very close to providing Application & Web Category based Traffic Shaping and Prioritization to the beloved OPNsense firewall.

Initial tests with the engine implementation look very promising. We are able to prioritize and/or set bandwidth caps on select traffic according to L7 criteria like Application/Application Category/Web Category.

Next step is the User Interface.

Here, we're trying to decide whether we should provide different policies for filtering and shaping or we should handle them in a single policy. I guess we need to hear your use cases and opinions.

Your feedback will be much appreciated.
Title: Re: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: ChrisBues on May 17, 2021, 01:58:46 am
I’d say separate would provide the most flexibility.
Title: Re: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: binaryanomaly on May 17, 2021, 01:07:53 pm
What are the implications and limitations of choosing one over the other?
Title: Re: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: mb on May 20, 2021, 12:19:09 am
@ChrisBues, thanks for the feedback.

@binaryanomaly,

With a single policy, you have the convenience of managing both shaping and filtering with a single policy.
This might be handy if you do not enforce different shaping / filtering policies for the same group of devices.

But if you do enforce different shaping / filtering rules for the same group, it might be helpful to have dedicated policies for both of the functions.

We're more inclined to have separate policies for Shaping/Filtering (and also TLS inspection) for now.
Title: Re: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: binaryanomaly on May 20, 2021, 10:21:30 am
Ok, understood.

For home users such as myself, efficiency and simplicity of configuration are certainly of importance in addition to flexibility.

I'm not even sure if I'll need traffic shaping and prioritization in my setup at all as bandwidth and latency have never been an issue so far.
Title: Re: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: xpendable on June 01, 2021, 05:12:12 pm
I agree with keeping the policies separate for more management flexibility; however, the policy license limit may need to be revisited... Home version only has up to 3 policies (Default + 2). If someone already has 2 policies + the default, then they will be out of luck, I assume.

Out of curiosity, how would this behave with the default firewall shaper? Would those rules need to be disabled?

Currently I am using DSCP in OPNsense and at the switch level which works for applications that properly tag the packets. Would Sensei QoS work in conjunction with this setup?
Title: Re: Request for Feedback: Application/Web Category based Traffic Shaping
Post by: dinguz on June 25, 2021, 09:37:48 pm
A use case for me would be to deprioritize bulk downloads (i.e. p2p/torrent), so they don't block other traffic.

Out of curiosity, how would this work together with the system default shaper?