Web proxy and Traffic shaper

Started by fabianodelg, August 03, 2021, 07:13:19 PM

August 03, 2021, 07:13:19 PM Last Edit: August 03, 2021, 07:14:54 PM by fabianodelg
Hi everyone,

I'm new to the forum, which I found to be a great source of knowledge.

I'm using OPNsense 21.7 on an Intel NUC (i7 + 32 GB RAM + 1 TB NVME, LAN interface is running on the NUC Intel 10/100/1000 while the WAN is an external USB 10/100/1000) and I'm running the following services:

- Netflow
- Sensei (latest build)
- UPnP
- Web Proxy + C-ICAP (squid is configured in transparent mode with the SSL part only logging the SNI information)

I'd like to configure the traffic shaper, to be able to assign different priorities to some of the devices in my network; I'm aware that all the traffic between the WAN and the LAN is managed by squid; with that in mind, how should I configure the shaper to be effective with Squid?

Thanks in advance for your help!

Dear fabianodelg,

Squid has its own traffic management settings (Administration -> General Proxy Settings).

But if you want to use the traffic shaper instead, you can do so (I used it before and can confirm that it works).

> I'm aware that all the traffic between the WAN and the LAN is managed by squid; with that in mind, how should I configure the shaper to be effective with Squid?

I don't remember using any special configuration to make it work with Squid; once you set it up, it'll work with Squid normally.

Refer to the traffic shaper documentation and tutorials on how to set it up. Squid uses the TCP protocol and the HTTP/S ports.
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.

I have found it working as described in the documentation in the past, about two years ago; however, I have tried it again and cannot get it working.

Having traffic management unticked, but the limiter set to fair share amongst the LAN IPs.
When the Web Proxy is using NAT redirect, it does not limit correctly?
Then I tried with it ticked but bandwidth throttling set to zero.
I think the limiter thinks the traffic is coming from the web proxy as a whole, and not from the source PCs?
- Perhaps something changed in the last two years in relation to these features? Or am I doing something wrong?

I can of course use the per-host bandwidth throttling, and that does work.
But I would rather allow a single machine to use the maximum link size if no other users are using it at the same time, and it seems the limiter features are way above the web proxy throttling.

> When the Web Proxy is using NAT redirect, it does not limit correctly?

Make sure to set the Interface in Traffic shaper > Settings > Rules to LAN; it wouldn't work with WAN, and here's a little explanation why:

  • Client sends a request to the firewall (On the LAN interface) to access a certain website (example.com)
  • According to Firewall NAT rules, FW forwards the request to Squid
  • Squid compares the website to its Whitelist/Blocklist (web filtering) and acts accordingly
  • Squid now acts as a client and requests the website from the firewall(WAN Interface)
Just tested it and it works.
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
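Added example for this thread (not code from OPNsense, Squid or any poster): once the shaper rule is bound to LAN as described above, one way to check from the proxy side whether each client really gets its own share is to aggregate Squid's access.log by client address. Squid logs the original client IP even in transparent (intercept) mode, so if one host's observed rate keeps exceeding link/N while others are active, the limiter is probably treating the proxy's traffic as a single flow rather than per source address. The script assumes Squid's default native log format (unix time, elapsed ms, client IP, result/status, bytes, method, URL, ...); the log lines are constructed samples, and the link speed and share count passed to clients_over_share are assumptions you would replace with your own values.

```python
"""Aggregate Squid native access.log by client address to sanity-check per-host shaping.

Added example for the forum thread; not OPNsense or Squid code.
Assumed native log layout per line:
  <unix time> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> <ident> <hierarchy> <type>
"""
import re
from collections import defaultdict

# Constructed sample lines (not captured from a real firewall). Three LAN
# clients behind a transparent proxy; 10.0.0.5 moves by far the most data.
SAMPLE_LOG = """\
1627999000.100   1200 10.0.0.5 TCP_TUNNEL/200 6000000 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1627999000.400    800 10.0.0.7 TCP_TUNNEL/200 1500000 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1627999001.000    300 10.0.0.9 TCP_MISS/200 250000 GET http://example.net/a.iso - HIER_DIRECT/93.184.216.34 application/octet-stream
1627999001.900   2100 10.0.0.5 TCP_TUNNEL/200 4000000 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1627999002.500    500 10.0.0.7 TCP_MISS/304 300 GET http://example.org/x.css - HIER_DIRECT/93.184.216.34 text/css
this line is malformed and must be skipped
"""

# Only the leading fields are needed; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+"
)


def parse_native_log(text):
    """Yield (timestamp, elapsed_ms, client_ip, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of aborting
        yield float(m["ts"]), int(m["elapsed"]), m["client"], int(m["bytes"])


def bytes_per_client(text):
    """Total bytes delivered to each client address."""
    totals = defaultdict(int)
    for _ts, _elapsed, client, size in parse_native_log(text):
        totals[client] += size
    return dict(totals)


def peak_rate_per_client(text):
    """Highest per-transaction rate (bytes/s) seen for each client.

    Squid's elapsed field covers the whole transaction, so bytes/elapsed is a
    rough lower bound on the rate the client was actually allowed.
    """
    peaks = defaultdict(float)
    for _ts, elapsed, client, size in parse_native_log(text):
        if elapsed <= 0:
            continue  # avoid division by zero on instantaneous hits
        rate = size / (elapsed / 1000.0)
        peaks[client] = max(peaks[client], rate)
    return dict(peaks)


def clients_over_share(text, link_bytes_per_s, share_count):
    """Clients whose peak rate exceeded link/share_count.

    With several hosts active, a client persistently above its fair share
    suggests the limiter is shaping the proxy as one flow, not per source IP.
    """
    fair = link_bytes_per_s / share_count
    return sorted(c for c, r in peak_rate_per_client(text).items() if r > fair)


if __name__ == "__main__":
    # Assumed 100 Mbit/s link (12.5 MB/s) shared fairly between 3 active hosts.
    for client, total in sorted(bytes_per_client(SAMPLE_LOG).items()):
        print(f"{client}: {total} bytes, peak {peak_rate_per_client(SAMPLE_LOG)[client]:.0f} B/s")
    print("over fair share:", clients_over_share(SAMPLE_LOG, 12_500_000, 3))
```

To use it on a real box, read /var/log/squid/access.log (the default path on OPNsense; check yours) into the parser instead of SAMPLE_LOG and pass your actual uplink rate and the number of hosts that were active during the capture window.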