Traffic shaping based on target IPs

Started by ThomasE, January 10, 2025, 11:29:09 AM

Hello everyone,

is there a way to use traffic shaping to limit traffic based on target IPs?

We're managing literally thousands of Apple devices which are in need of updates that we roll out in regular intervals. Sadly, triggering those updates causes severe performance issues on our firewall which are discussed here, but that's not what I'm here for. ;-)

While it may not actually solve the problem, I thought we might mitigate it a bit by limiting all traffic originating from public Apple IPs - we already have an alias for those. Simply put, we want to limit the total traffic caused by thousands of clients downloading updates from a specific source. Can this be done using traffic shaping and if so, how?

We're already using caching servers and chances are, we will eventually find out that we want more of them or better hardware, but working on that will take much longer, which is why we're looking for a more short term and likely temporary solution to reduce pressure and buy us time. :)

Yes it can,

You can allocate a portion of the BW as a fixed value (separate pipe) or as a ratio to a specific set of IPs (one pipe with WFQ and proper weight allocation per queue), or subnets, as the Shaper uses a ruleset for matching the traffic based on the 5-tuple. Aliases can't be used in the Shaper rules.

Check the official docs, there are examples for this.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

We've created an alias for all networks used by Apple. Am I correct in assuming that there's no way to use that alias in a traffic shaping rule and that I have to copy the content of that alias? This would limit my options as I'm not able to use FQDNs within such a rule, though right now I don't think that'll be a problem.

Correct, as mentioned: aliases can't be used in the Shaper rules.
The Shaper rules are a separate entity from the rules used in Firewall > Rules.

If you had a specific subnet for the Apple devices you could use that as a base. Otherwise, sadly, you need to copy all the content from the alias.

There is maybe another way as well. By using QoS DSCP marking, you can potentially classify/mark packets from Apple devices with a specific DSCP value and match it in the Shaper rules. But I didn't try this out.

Regards,
S.
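As an added example (not code from the thread, and not OPNsense's own implementation), the two layouts S. describes rendered as the ipfw/dummynet commands that the OPNsense shaper is built on: one shared pipe with a WFQ weight per queue, or a separate fixed-bandwidth pipe per group. Group names, the sample networks, the bandwidths and the starting rule number 60000 are constructed placeholders; the real alias content would be pasted in their place, and in practice the GUI writes the equivalent ruleset itself.

```python
# Added example: render the shaper layouts from the thread as dummynet commands.
# Not OPNsense code; names, networks, bandwidths and rule numbers are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    networks: list[str]   # source networks copied out of the alias (no aliases here)
    weight: int = 1       # WFQ weight (1..100), used by the shared-pipe layout
    bw: str = ""          # fixed bandwidth, used by the separate-pipe layout


def _validated(nets: list[str]) -> list[str]:
    # strict=True rejects host bits set, catching copy/paste typos from the alias.
    return [str(ipaddress.ip_network(n, strict=True)) for n in nets]


def render_shared_pipe(pipe_bw: str, groups: list[Group], first_rule: int = 60000) -> list[str]:
    """One pipe, one WFQ queue per group; weights set the ratio under contention."""
    out, rule = [f"ipfw pipe 1 config bw {pipe_bw}"], first_rule
    for qno, g in enumerate(groups, start=1):
        if not 1 <= g.weight <= 100:
            raise ValueError(f"{g.name}: weight must be 1..100, got {g.weight}")
        out.append(f"ipfw queue {qno} config pipe 1 weight {g.weight}")
        for net in _validated(g.networks):
            # Downloads arrive from these networks, so match inbound traffic by source.
            out.append(f"ipfw add {rule} queue {qno} ip from {net} to any in")
            rule += 1
    return out


def render_separate_pipes(groups: list[Group], first_rule: int = 60000) -> list[str]:
    """One pipe per group with a fixed cap; spare capacity is not shared."""
    out, rule = [], first_rule
    for pno, g in enumerate(groups, start=1):
        if not g.bw:
            raise ValueError(f"{g.name}: fixed layout needs a bandwidth, e.g. '50Mbit/s'")
        out.append(f"ipfw pipe {pno} config bw {g.bw}")
        for net in _validated(g.networks):
            out.append(f"ipfw add {rule} pipe {pno} ip from {net} to any in")
            rule += 1
    return out


if __name__ == "__main__":
    # Constructed sample: cap update downloads from one network, keep the rest dominant.
    apple = Group("apple-updates", ["17.0.0.0/8"], weight=20, bw="50Mbit/s")
    rest = Group("everything-else", ["0.0.0.0/0"], weight=80)
    print("\n".join(render_shared_pipe("200Mbit/s", [apple, rest])))
```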