Request for Feedback: Application/Web Category based Traffic Shaping

[mb]

Dear OPNsense users,

I'm happy to bring you the news that we're very close to providing Application & Web Category based Traffic Shaping and Prioritization to the beloved OPNsense firewall.

Initial tests with the engine implementation looks very promising. We are able to prioritize and/or set bandwidth caps on select traffic according to L7 criteria like Application/Application Category/Web Category.

Next step is the User Interface.

Here, we're trying to decide whether we should provide different policies for filtering and shaping or we should handle them in a single policy. I guess we need to hear your use cases and opinions.

Your feedback will be much appreciated.

[ChrisBues]

I’d say separate would provide the most flexibility.


Sent from my iPhone using Tapatalk

[binaryanomaly]

What are the implications and limitations of choosing one over the other?

[mb]

@ChrisBues, thanks for the feedback.

@binaryanomaly,

With a single policy, you have the convenience of managing both shaping and filtering with a single policy.
This might be handy if you do not enforce different shaping / filtering policies for the same group of devices.

But if you do enforce different shaping / filtering rules for the same group, it might be helpful to have dedicated policies for both of the functions.

We're more inclined to have seperate policies for Shaping/Filtering (and also TLS inspection) for now.

[binaryanomaly]

Ok, understood.

For home users such as myself efficiency and simplicity of configuration is certainly of importance in addition to flexibility.

I'm not even sure if I'll need traffic shaping and prioritization in my setup at all as bandwidth and latency have never been an issue so far.

[xpendable]

I agree with keeping the policies separate for more management flexibility, however the policy license limit may need to be revisited... Home version only has Up to 3 policies (Default + 2). If someone already has 2 policy + the default, then they will be out of luck I assume.

Out of curiosity, how would this behave with the default firewall shaper? would those rules need to be disabled?

Currently I am using DSCP in OPNsense and at the switch level which works for applications that properly tag the packets. Would Sensei QoS work in conjunction with this setup?

[dinguz]

An use case for me would be to deprioritize bulk downloads (i.e. p2p/torrent), so they don't block other traffic.

Out of curiosity, how would this work together with the system default shaper?

[fearz]

Is this done?

[pradip.marathon]

I'm happy to hear that OPNsense is working on application and web category-based traffic shaping and prioritization. I would suggest creating different policies for filtering and shaping, as this would be convenient for business users to apply based on the requirements of different groups or departments.

As mentioned by @mb, there is indeed a need for TLS inspection now, which will greatly benefit business users.