# ipfw and traffic shaper



## xer (Jul 5, 2009)

Hello to anyone,

I use FreeBSD 6.4-STABLE, Squid and an ipfw rule to make a traffic shaper for proxy users.

I'm not a "guru", but I have a question about the performance.

Well, I use "nload" to check incoming/outgoing bandwidth; it is very simple to use, I like it very much.

Okay, let me explain: the box has two NICs, obviously Squid is listening on the LAN, and on the WAN we have a 512 k/bps connection, 512 k/bps upload and 512 k/bps download.

The ipfw rules that I use are:


```
mynet="192.168.33.0/24"
ethlan="192.168.33.1"
download="256Kbit/s"
upload="128Kbit/s"

ipfw add pipe 1 ip from ${ethlan} 3128 to ${mynet}
ipfw add pipe 2 ip from ${mynet} to ${ethlan} 3128

ipfw pipe 1 config bw ${download}
ipfw pipe 2 config bw ${upload}
```

Well, as you can see, I cut the download bandwidth to 256 k/bps and the upstream to 128 k/bps.
It seems to work, but when I check with nload on the WAN NIC, I can see a lot of peaks at about 500-512 in the incoming graph; in fact, that is the maximum bandwidth that the line can reach. These annoying peaks upset the regular bandwidth flow.
The download on the clients is about 240-250 k/bps, but the bandwidth is not very linear.

See the image below of nload on the WAN interface with this setting:

Well, I thought that it was a problem with my NICs or my provider, but I made a little change to the pipe configuration: instead of setting a low bandwidth against the maximum for my IPs, I raised the value as follows (see the download and upload variables):


```
mynet="192.168.33.0/24"
ethlan="192.168.33.1"
download="800Kbit/s"
upload="800Kbit/s"

ipfw add pipe 1 ip from ${ethlan} 3128 to ${mynet}
ipfw add pipe 2 ip from ${mynet} to ${ethlan} 3128

ipfw pipe 1 config bw ${download}
ipfw pipe 2 config bw ${upload}
```

Well, with this setting I provide full bandwidth to the clients, but the flow is regular and linear, see the image below:

Here we are with the question:

Is it normal to have these peaks? Can I solve this matter so as to have bandwidth control and a regular flow?
Did I make an incorrect pipe configuration?

Thanks in advance for your help.


----------



## aragon (Jul 6, 2009)

Judging by the way you are applying your pipes to traffic, that looks normal. When you apply the download pipe to traffic, you're applying it to traffic from squid to the users. When a user makes a request to squid, it will download as fast as your line will go because you are not applying any shaping to squid itself. It spikes because squid can only download as fast as possible until its send buffer is full - when that happens the download rate will drop to the speed it is sending to the user(s).

Try this:


```
mynet="192.168.33.0/24"
ethlan="192.168.33.1"
download="256Kbit/s"
upload="128Kbit/s"

ipfw add pipe 1 ip from any 80 to me
ipfw add pipe 2 ip from ${mynet} to ${ethlan} 3128

ipfw pipe 1 config bw ${download}
ipfw pipe 2 config bw ${upload}
```

Test that ruleset with an http download and you shouldn't see spikes like before.


----------



## xer (Jul 7, 2009)

aragon said:

> Try this:
>
> mynet="192.168.33.0/24"
> ...


Hi,
Thanks for your suggestion, I did it this way:

```
# wan_ip is the address of the box's WAN interface
ipfw add pipe 1 ip from any 80 to ${wan_ip}
ipfw add pipe 2 ip from ${mynet} to ${ethlan} 3128
```

Thank you, I like the solution, it works very well and I use it, but if in the future I want to "skip" some clients from the proxy, in this way EVERY packet that comes from outside on port 80 will be shaped, even for a client without the proxy.

So, for example, if I need to provide more bandwidth to a client with or without the proxy, such as a WSUS server downloading updates, I know I can set all the pipes I need for every specified external WAN IP before the last download pipe (any), but I hope there is another way.

Other suggestions?


----------
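One way to do the per-address exemptions xer describes above (separate pipes for specific external addresses, placed before the catch-all download pipe from aragon's reply), as an added example that is not code from the thread: a small sh script that emits the ruleset as text and checks the rule order before anything is loaded. The WAN address (`wan_ip`), the exempt source addresses and the 512Kbit/s cap for pipe 3 are constructed or assumed values, not from the original posts.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the ipfw/dummynet ruleset as
# text so the rule order can be reviewed before it is loaded. ipfw evaluates
# rules in ascending number order and the first match wins, so the per-source
# exemptions get lower numbers than the catch-all download pipe.
# All addresses and bandwidths below are constructed sample values.

mynet="192.168.33.0/24"
ethlan="192.168.33.1"
wan_ip="203.0.113.10"        # constructed: address of the box's WAN interface
download="256Kbit/s"
upload="128Kbit/s"
fast="512Kbit/s"             # assumed cap for the exempted sources (pipe 3)

# External web servers whose HTTP replies should not go through the shared
# download pipe (e.g. the update source a WSUS server fetches from).
# Constructed sample addresses, one per line.
exempt_sources="198.51.100.20
198.51.100.21"

# Print the complete ruleset. Rule numbers 100-199 hold the exemptions,
# 500-599 the shared pipes from aragon's reply.
build_ruleset() {
    printf 'ipfw pipe 1 config bw %s\n' "$download"
    printf 'ipfw pipe 2 config bw %s\n' "$upload"
    printf 'ipfw pipe 3 config bw %s\n' "$fast"
    n=100
    for src in $exempt_sources; do
        # matched before rule 500, so replies from $src use pipe 3 instead of pipe 1
        printf 'ipfw add %d pipe 3 ip from %s 80 to %s\n' "$n" "$src" "$wan_ip"
        n=$((n + 1))
    done
    # shared download pipe: every other HTTP reply arriving at the WAN address
    printf 'ipfw add 500 pipe 1 ip from any 80 to %s\n' "$wan_ip"
    # shared upload pipe: clients talking to squid on the LAN side
    printf 'ipfw add 510 pipe 2 ip from %s to %s 3128\n' "$mynet" "$ethlan"
}

# Return 0 when every exemption rule has a lower number than the first shared
# pipe rule, 1 otherwise (a wrong order silently disables the exemptions).
check_order() {
    shared=$(build_ruleset | awk '/ pipe 1 ip /{print $3; exit}')
    build_ruleset | awk -v limit="$shared" \
        '/ pipe 3 ip /{ if ($3 + 0 >= limit + 0) bad = 1 } END { exit bad + 0 }'
}

# Usage: review with "sh shaper.sh"; load with "sh shaper.sh | sh" once check_order passes.
check_order && build_ruleset
```

Explicit rule numbers are what make this safe to reload: without them, `ipfw add` appends after the existing rules, so a later `ipfw add` of an exemption would land after the catch-all pipe and never match. Note that this only helps for traffic that can be told apart by address before it reaches the box; downloads that Squid fetches on behalf of a LAN client are all shaped by pipe 1 before Squid sees them, so per-client limits for proxied traffic are the case xer's own delay-pool remark addresses.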



## xer (Jul 17, 2009)

Mumble....
It seems that nobody wants to share some useful suggestions... :\
Also my friend DutchDaemon let me use code tags :e (joking, Dutch)

Well... anyway,
yes, it is possible to make long (or short) rows of IP ACLs, IP by IP, for a pool of clients inside your ipfw rules...

But delay pools inside Squid would be better; I have never used them, my real FreeBSD boxes have 40/50 users at most... so...

But now I am OT... I will post a new thread in the right area (Squid) after my experiments with delay pools.

Thank you


----------

