Request for Feedback: Application/Web Category based Traffic Shaping

Started by mb, May 06, 2021, 01:33:01 AM

Dear OPNsense users,

I'm happy to bring you the news that we're very close to providing Application & Web Category based Traffic Shaping and Prioritization to the beloved OPNsense firewall.

Initial tests with the engine implementation look very promising. We are able to prioritize and/or set bandwidth caps on select traffic according to L7 criteria like Application/Application Category/Web Category.

Next step is the User Interface.

Here, we're trying to decide whether we should provide different policies for filtering and shaping or we should handle them in a single policy. I guess we need to hear your use cases and opinions.

Your feedback will be much appreciated.

I'd say separate would provide the most flexibility.


Sent from my iPhone using Tapatalk

What are the implications and limitations of choosing one over the other?

@ChrisBues, thanks for the feedback.

@binaryanomaly,

With a single policy, you have the convenience of managing both shaping and filtering with a single policy.
This might be handy if you do not enforce different shaping / filtering policies for the same group of devices.

But if you do enforce different shaping / filtering rules for the same group, it might be helpful to have dedicated policies for both of the functions.

We're more inclined to have separate policies for Shaping/Filtering (and also TLS inspection) for now.

Ok, understood.

For home users such as myself efficiency and simplicity of configuration is certainly of importance in addition to flexibility.

I'm not even sure if I'll need traffic shaping and prioritization in my setup at all as bandwidth and latency have never been an issue so far.

I agree with keeping the policies separate for more management flexibility, however the policy license limit may need to be revisited... Home version only has up to 3 policies (Default + 2). If someone already has 2 policies + the default, then they will be out of luck I assume.

Out of curiosity, how would this behave with the default firewall shaper? Would those rules need to be disabled?

Currently I am using DSCP in OPNsense and at the switch level which works for applications that properly tag the packets. Would Sensei QoS work in conjunction with this setup?

A use case for me would be to deprioritize bulk downloads (i.e. p2p/torrent), so they don't block other traffic.

Out of curiosity, how would this work together with the system default shaper?
In theory there is no difference between theory and practice. In practice there is.


I'm happy to hear that OPNsense is working on application and web category-based traffic shaping and prioritization. I would suggest creating different policies for filtering and shaping, as this would be convenient for business users to apply based on the requirements of different groups or departments.

As mentioned by @mb, there is indeed a need for TLS inspection now, which will greatly benefit business users.