2
0
mirror of https://github.com/opnsense/docs synced 2024-11-15 06:12:58 +00:00
opensense-docs/source/manual/how-tos/shaper.rst

650 lines
30 KiB
ReStructuredText

=====================
Setup Traffic Shaping
=====================
For this how-to we will look into these scenarios:
#. Reserve dedicated bandwidth for a realtime traffic such as (hosted) Voice Over IP (VOIP) server.
#. Share internet bandwidth amongst users evenly
#. Limit maximum internet bandwidth users can consume
#. Prioritize Applications (Weighted) using Queues
#. Multi Interface shaping for a GuestNet
---------------------------
Reserve dedicated bandwidth
---------------------------
In this scenario we will create a pipe dedicated for traffic going to and coming
from our realtime application. For the sample we presume a SIP trunk or hosted
Voice Over IP (VOIP) server.
For this example we presume a requirement of 4 uncompressed voice channels of 64 kbps,
resulting in a total bandwidth of 256 kbps. The internet connection in this example
has 10 Mbps Download and 1 Mbps Upload.
.. nwdiag::
:scale: 100%
:caption: Shaping hosted VOIP / SIP trunk sample
nwdiag {
span_width = 90;
node_width = 180;
Internet [shape = "cisco.cloud"];
ip_phone [label="IP Phone",shape="cisco.ip_phone"];
ip_phone -- switchlan;
network LAN {
switchlan [label="",shape = "cisco.workgroup_switch"];
label = "LAN OPNsense";
address ="192.168.1.x/24";
fw1 [label="OPNsense",address="192.168.1.1/24"];
}
network WAN {
label = ".WAN OPNsense";
fw1 [label="OPNsense", shape = "cisco.firewall", address="172.10.1.1/32"];
Internet;
}
network SIPHOST {
label = ".WAN SIP PROVIDER";
Internet;
sip_server [label="SIP/VOIP Server",shape="cisco.sip_proxy_werver", address="172.10.2.1/32"];
}
}
To start go to :menuselection:`Firewall --> Shaper --> Settings`.
Step 1 - Create Upload and Download Pipes
-----------------------------------------
On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will popup.
Create Pipe For Upload (To our VOIP Server)
====================== ================ ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 256 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeUp-256kbps *Free field, enter something descriptive*
====================== ================ ================================================
Create Pipe For Upload (Other Traffic = 1024 kbps - 256 kbps = 768 kbps)
====================== ================ ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 768 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeUp-768kbps *Free field, enter something descriptive*
====================== ================ ================================================
Create Pipe For Download (From our VOIP Server)
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 256 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeDown-256kbps *Free field, enter something descriptive*
====================== ================== ================================================
Create Pipe For Download (Other Traffic = 10240 kbps - 256 kbps = 9984 kbps )
====================== =================== ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 9984 *Numeric value of the desired bandwidth*
**bandwidth Metric** Kbit/s *Metric to use with the numeric value*
**mask** (Empty) *Used for auto queueing, empty for our sample*
**description** PipeDown-9984kbps *Free field, enter something descriptive*
====================== =================== ================================================
Step 2 - Create Rules
----------------------
On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will popup.
Create a rule for traffic directed towards the VOIP Server (Upload).
====================== ================= =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source IP to shape, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 172.10.2.1 *The IP address of our VOIP server*
**dst-port** any *Use any of the destination port if static*
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
**description** ShapeVOIPUpload *Enter a descriptive name*
====================== ================= =====================================================
Create a rule for traffic coming from the VOIP Server (Download).
====================== ================= =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** 172.10.2.1 *The IP address of our VOIP server*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
**description** ShapeVOIPDown *Enter a descriptive name*
====================== ================= =====================================================
Create a rule for all other internet upload traffic
====================== ================= =====================================================
**sequence** 31 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
**src-port** any *The source port to shape, leave on any*
**destination** any *the destination address, leave in any*
**dst-port** any *Use any of the destination port if static*
**target** PipeUp-768kbps *Select the Upload 768 kbps Pipe*
**description** ShapeUpload *Enter a descriptive name*
====================== ================= =====================================================
Create a rule for all other internet download traffic
====================== =================== =====================================================
**sequence** 41 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source IP to shape, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown-9984kbps *Select the Download 256Kbps Pipe*
**description** ShapeDown *Enter a descriptive name*
====================== =================== =====================================================
.. Note::
Be aware of the sequence! It is important to make sure the right traffic
is passed to the right pipe.
Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s1.png
:width: 100%
.. |apply| image:: images/applybtn.png
----------------------
Share bandwidth evenly
----------------------
For this example we presume an internet connection of 10 Mbps Download and 1 Mbps
Upload that we want to share evenly between all users.
.. nwdiag::
:scale: 100%
:caption: Shaping hosted VOIP / SIP trunk sample
nwdiag {
span_width = 90;
node_width = 180;
Internet [shape = "cisco.cloud"];
pc [label="Connected PC's",shape="cisco.pc"];
pc -- switchlan;
network LAN {
switchlan [label="",shape = "cisco.workgroup_switch"];
label = "LAN OPNsense";
address ="192.168.1.x/24";
fw1 [label="OPNsense",address="192.168.1.1/24"];
}
network WAN {
label = ".WAN OPNsense";
fw1 [label="OPNsense", shape = "cisco.firewall", address="172.10.1.1/32"];
Internet;
}
}
To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Step 1 - Create Upload and Download Pipes
-----------------------------------------
On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will popup.
Create Pipe For Upload
====================== ================ ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 1 *Numeric value of the desired bandwidth*
**bandwidth Metric** Mbit/s *Metric to use with the numeric value*
**mask** empty *Select destination to share the bandwidth*
**description** PipeUp-1Mbps *Free field, enter something descriptive*
====================== ================ ================================================
Create Pipe For Download
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 10 *Numeric value of the desired bandwidth*
**bandwidth Metric** Mbit/s *Metric to use with the numeric value*
**mask** empty *Select destination to share the bandwidth*
**description** PipeDown-10Mbps *Free field, enter something descriptive*
====================== ================== ================================================
Step 2 - Create a Queues
------------------------
On the **Queues** tab click the **+** button in the lower right corner.
An empty **Edit queue** screen will popup.
Create Queue for Upload
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**pipe** PipeUp-1Mbps *Select our Pipe*
**weight** 100 *Weight to use with the numeric value*
**mask** source *Every source creates a match*
**description** QueueUp-1Mbps *Free field, enter something descriptive*
====================== ================== ================================================
Create Queue for Download
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**pipe** PipeDown-10Mbps *Select our Pipe*
**weight** 100 *Weight to use with the numeric value*
**mask** destination *Every source creates a match*
**description** QueueDown-10Mbps *Free field, enter something descriptive*
====================== ================== ================================================
Step 3 - Create Rules
----------------------
On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will popup.
Create a rule for traffic directed towards the internet (Upload).
====================== ================= =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** 192.168.1.0/24 *The source IP to shape, select the LAN network*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination to shape, leave on any*
**dst-port** any *Use any of the destination port if static*
**target** QueueUp-1Mbps *Select the Upload 1Mbps Queue*
**description** ShapeUpload *Enter a descriptive name*
====================== ================= =====================================================
Create a rule for traffic coming from the internet (Download).
====================== ================= =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
**description** ShapeDownload *Enter a descriptive name*
====================== ================= =====================================================
Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s2.png
:width: 100%
------------------------
Limit bandwidth per user
------------------------
For this example we will divide the internet Download traffic between the connected
users in such manner that each user will receive up to a maximum of 1 Mbps.
.. nwdiag::
:scale: 100%
:caption: Simple network diagram
nwdiag {
span_width = 90;
node_width = 180;
Internet [shape = "cisco.cloud"];
pc [label="Connected PC's",shape="cisco.pc"];
pc -- switchlan;
network LAN {
switchlan [label="",shape = "cisco.workgroup_switch"];
label = "LAN OPNsense";
address ="192.168.1.x/24";
fw1 [label="OPNsense",address="192.168.1.1/24"];
}
network WAN {
label = ".WAN OPNsense";
fw1 [label="OPNsense", shape = "cisco.firewall", address="172.10.1.1/32"];
Internet;
}
}
To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Step 1 - Create Upload and Download Pipes
-----------------------------------------
On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will popup.
Create Pipe For Download
====================== ================ ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 1 *Numeric value of the desired bandwidth*
**bandwidth Metric** Mbit/s *Metric to use with the numeric value*
**mask** destination *Select source to limit bandwidth per client*
**description** PipeDown-1Mbps *Free field, enter something descriptive*
====================== ================ ================================================
Step 2 - Create Rules
----------------------
On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will popup.
Create a rule for traffic coming from the internet (Download).
====================== ================= =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
**description** ShapeDownload *Enter a descriptive name*
====================== ================= =====================================================
.. Note::
If you want to limit traffic for a single IP then just enter the IP address
in the destination field instead of the full LAN network range.
Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s3.png
:width: 100%
-----------------------
Prioritize using Queues
-----------------------
By utilizing queues we can influence the bandwidth within a pipe and give certain
applications more bandwidth than others based on a weighted algorithm.
The idea is simple:
Let presume we have a pipe of 10 Mbps and 2 applications for instance smtp (email)
and http(s). The http(s) traffic will get a weight of 1 and the smtp traffic a
weight of 9, then when all capacity of our pipe is in use the email traffic will
get 9x more bandwidth than our http(s) traffic, resulting in 1 Mbps for http(s)
and 9 Mbps for smtp.
For our example we only look at download traffic, but the exact same can be done
for the upload traffic.
+----------------+--------+-------------------+
| Application | Weight | Minimum Bandwidth |
+================+========+===================+
| SMTP (port 25) | 9 | 9 Mbps |
+----------------+--------+-------------------+
| HTTP (80) | | |
+----------------+ 1 | 1 Mbps |
| HTTPS (443) | | |
+----------------+--------+-------------------+
To start go to :menuselection:`Firewall --> Traffic Shaper --> Settings`.
Step 1 - Create Download Pipe
------------------------------
On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will popup.
Create Pipe For Download (10 Mbps)
====================== ================= ===============================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 10 *Numeric value of the desired bandwidth*
**bandwidth Metric** Mbit/s *Metric to use with the numeric value*
**mask** (empty) *Leave empty*
**description** PipeDown-10Mbps *Free field, enter something descriptive*
====================== ================= ===============================================
Step 2 - Create Queues
----------------------
On the **Queues** tab click the **+** button in the lower right corner.
An empty **Edit queue** screen will popup.
Create Queue for SMTP
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**pipe** PipeDown-10Mbps *Select our Pipe*
**weight** 9 *Weight to use with the numeric value*
**mask** (empty) *Leave empty*
**description** Queue-SMTP *Free field, enter something descriptive*
====================== ================== ================================================
Create Queue for HTTP
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**pipe** PipeDown-10Mbps *Select our Pipe*
**weight** 1 *Weight to use with the numeric value*
**mask** (empty) *Leave empty*
**description** Queue-HTTP *Free field, enter something descriptive*
====================== ================== ================================================
Step 3 - Create Rules
----------------------
On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will popup.
Create a rule for smtp download traffic (email)
====================== =================== =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** smtp *The source port to shape, smtp or 25*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** Queue-SMTP *Select the SMTP queue*
**description** ShapeSMTPDownload *Enter a descriptive name*
====================== =================== =====================================================
Create a rule for HTTP download traffic
====================== =================== =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** http *The source port to shape, http or 80*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** Queue-HTTP *Select the HTTP queue*
**description** ShapeHTTPDownload *Enter a descriptive name*
====================== =================== =====================================================
Adding an extra rule for HTTPS traffic is simple as we can use the same HTTP queue if we like:
====================== ==================== =====================================================
**sequence** 31 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** https *The source port to shape, https or 443*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** Queue-HTTP *Select the HTTP queue*
**description** ShapeHTTPSDownload *Enter a descriptive name*
====================== ==================== =====================================================
This way HTTP and HTTPS traffic will be treated the same (total max of 1 Mbps).
Now press |apply| to activate the traffic shaping rules.
*Screenshot Rules*
.. image:: images/shaping_rules_s4.png
:width: 100%
--------------------------------------
Multi Interface shaping for a GuestNet
--------------------------------------
One of the options with OPNsense's traffic shaper is its ability to add shaping
rules based upon two interfaces. This option allows you to shape traffic
differently based on the direction the traffic is moving between interfaces.
For this example we will use this functionality to share a symmetric 10 Mbps internet
connection between a primary LAN network and a Guest Network.
The LAN network will not be limited, traffic from users on our Guest Network will
be limited to a total of 2 Mbps Download and 1 Mbps Upload.
.. nwdiag::
:scale: 100%
:caption: Simple network diagram
nwdiag {
span_width = 90;
node_width = 180;
Internet [shape = "cisco.cloud"];
Internet -- switchwan;
network WAN {
switchwan [label="",shape = "cisco.workgroup_switch"];
label = "WAN Interface em1";
fw1 [label="OPNsense", shape = "cisco.firewall", address="172.10.1.1/32"];
}
network LAN {
switchlan [label="",shape = "cisco.workgroup_switch"];
label = "LAN Interface em0";
address ="192.168.1.x/24";
fw1 [label="OPNsense",address="192.168.1.1/24"];
}
pc [label="LAN PC",shape="cisco.pc"];
pc -- switchlan;
network GuestNet {
switchguestnet [label="",shape = "cisco.workgroup_switch"];
label = "GuestNet Interface em2";
address ="192.168.2.x/24";
fw1 [label="OPNsense",address="192.168.2.1/24"];
}
laptop [label="Guest Laptop", shape="cisco.laptop"]
laptop -- switchguestnet;
}
Step 1 - Create Upload and Download Pipes
-----------------------------------------
On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will popup.
Create Pipe For Upload (GuestNet - em2)
====================== ================ ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 1 *Numeric value of the desired bandwidth*
**bandwidth Metric** Mbit/s *Metric to use with the numeric value*
**mask** (Empty) *Leave empty*
**description** PipeUp-1Mbps *Free field, enter something descriptive*
====================== ================ ================================================
Create Pipe For Download (GuestNet - em2)
====================== ================== ================================================
**enabled** Checked *Check to enable the pipe*
**bandwidth** 2 *Numeric value of the desired bandwidth*
**bandwidth Metric** Mbit/s *Metric to use with the numeric value*
**mask** (Empty) *Leave empty*
**description** PipeDown-2Mbps *Free field, enter something descriptive*
====================== ================== ================================================
Step 2 - Create Rules
----------------------
On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will popup.
Important - Before you continue!
First change the mode to advanced, see the toggle in the left top corner of the
popup dialog. One click should shift it from red (disabled) to green (enabled).
Create a rule for the download traffic
====================== =================== =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**interface2** GuestNet *Select the interface that matches your GuestNet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**direction** in *Match incoming packages (download)*
**target** PipeDown-2Mbps *Select the Download pipe*
**description** GuestNetDownload *Enter a descriptive name*
====================== =================== =====================================================
Create a rule for the upload traffic
====================== =================== =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface that matches your GuestNet*
**interface2** GuestNet *Select the interface connected to the internet*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**direction** out *Match incoming packages (download)*
**target** PipeUp-1Mbps *Select the Download pipe*
**description** GuestNetUpload *Enter a descriptive name*
====================== =================== =====================================================
Now press |apply| to activate the traffic shaping rules.