Author Topic: [SOLVED] bandwidth management and filters: what to use, firewall or proxy

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #15 on: October 18, 2013, 05:45:03 pm »
> I would like to have 30k bandwidth for all machines connected to Zentyal. The rest of the machines would have social networking and video streaming available only 12 PM to 1 PM and from 7 PM to the following 8 AM

Ok, I know you've got all the answers to your questions as the guys answering are technically very good, but I'd like to ask WHY?
So for example you have 10 possible machines (for example) you're wanting to limit to 30kb/s each, so you're 'allocating' or 'reserving' 300kb/s bandwidth. Now what happens when Mr. X arrives early? Is he 'allowed' all 300kb/s as no-one else is there? Your solution tells me no, he'll be offered 30kb/s.
Then you mention streaming, at 30kb/s.

I'm really down on this idea as I tried to implement exactly the same thing and it was total fail. The results are easy to imagine: Permanently slow internet access and never using the full capacity of the pipe.

Trying to manage bandwidth with squid is like using only a hammer to build a house, slow, painful, job ain't pretty in the end and you'll not make any friends.

No matter which way you slice it, squid hasn't got the tools to manage bandwidth allocation in an intelligent way.

I ended up dropping squid management of bandwidth and using a better gateway to divide usage. Result: No more complaints about slow internet, usage almost doubled.

BrettonWoods

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #16 on: October 18, 2013, 05:53:19 pm »
In response to question 4, I am more able to answer now.

Firstly, yes, it's a speed thing, as you will be connecting through a wifi router port which is most likely 100mbs.

It all depends on the switch that you plugged into the router. If you have 1gig going into a 100mbs port then you are only going to get 100mbs.

I wouldn't say it's ideal, but it will work.

You should be able to connect the wan port of the wifi router and turn off the internal dns and dhcp and just have it as an access point.

It's all specific to the hardware, but most should work in this manner.

You might also want to provide another nic and have your wifi on this port so that you can have different rules for wifi and wired lan.

highjo

  • Zen Apprentice
  • *
  • Posts: 48
  • Karma: +1/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #17 on: October 18, 2013, 07:47:13 pm »
Hello Astana, can you please elaborate on the solution you used for bandwidth management?
Thank you very much

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #18 on: October 19, 2013, 03:56:29 am »
All I did was get rid of our old gateway (a Windows server box with Kerio WinRoute) and replace it with a pfSense box. pfSense at least is intelligent enough to spread the bandwidth equally and do the job well.
So in the example above Mr. X would get 100% bandwidth until someone else starts using it, and at that point they will share 100% of the pipe.

In our school we had 5Mbit/s shared amongst 60-odd computers. With squid doing the bandwidth management it was really, really bad (YouTube wouldn't ever stream, downloads crawled etc). With pfSense doing the job it felt like our connection was 10x as big.

In our new school with a 15Mbit/s pipe we can sit there maxing it out and I've not had 1 complaint that our internet is slow!

I'm sure other routers would deal with this as well as pfSense but I don't know them to say.

btw.. This is with a pfSense box basic configuration, just firewall and routing, basic intrusion detection etc, running on a low spec desktop.
 

christian

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #19 on: October 19, 2013, 07:39:25 am »
I'm glad to notice you have solved your problem. That's the main good point.
This said, and although I do share that the current Zentyal implementation in terms of proxy might be slow, you are comparing stuff that you should not compare because the features are different.

As I wrote previously, filtering and bandwidth management are different stuff.

If you run pfSense without filtering proxy but only QOS, this is obviously faster.
And what you describe doesn't tell much in terms of bandwidth. You state it in terms of performance only. Is the internet fast or slow?

Bandwidth management is something different, potentially linked with QOS.

The idea behind QOS is to say:
- let's manage priority in case multiple clients want to share the same resource (here internet access) that is limited.
- priority can be managed in terms of protocol or in terms of client
- when there is no conflict (e.g. one single user or device), then 100% of bandwidth can be allocated. This doesn't mean your internet access will be fast, BTW: if you apply content filtering, it might be quite slow, but if you store the result in cache, it will be faster for the next user requesting the same page (I make the assumption we are discussing HTTP)

I hope I've clarified what I mean  ;)
Bottom line: QOS or bandwidth management "out-of-the-box" doesn't really exist except if implemented with default values like "HTTP will get higher priority" but in such case rules have to be exposed so that you know what happens.

Last but not least, what I understand from what you wrote is, aside from this "QOS, bandwidth management" debate, "pfSense is faster than Zentyal".
I do not challenge this but would appreciate some technical feedback  :)

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #20 on: October 19, 2013, 01:09:27 pm »
Christian,

I wasn't even saying pfSense is faster than Zentyal. I was saying squid does not have the tools to do bandwidth management.
It really is that simple. Squid can limit to a known value which is a totally blunt instrument for managing capacity.

Unfortunately in Zentyal the proxy has a bandwidth management tab which I think leads people astray into thinking it will help solve problems like 1 user taking all the bandwidth and everyone else being starved. The end result of using this tab (i.e. using squid to control capacity) is a failed internet policy.

I've never used Zentyal as a gateway so I can't comment on its QOS, nor did I imply that Zentyal was inferior.

Hope that makes my position clear.

BrettonWoods

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #21 on: October 19, 2013, 03:12:41 pm »
Astana, what do you suggest instead? This is out of interest and not a criticism.

It's good that you have an opinion on this.

I always thought the Zentyal implementation is a little blunt, as it is supposed to be simple to use.

There are other methods of squid, but do you believe there are better ways to proxy manage?

http://www.enterprisenetworkingplanet.com/netos/article.php/3352971/Rein-In-Your-Bandwidth-Hogs-with-Squid-Proxying.htm

http://knowlinux.blogspot.co.uk/2006/04/bandwidth-throttling-using-squid.html

http://www.tldp.org/HOWTO/pdf/Bandwidth-Limiting-HOWTO.pdf

I do find it a bit worrying that if anybody has a differing opinion or offers a critique they are not seen as healthy discussion.

So I am up for a bit of squid bashing purely because I am unsure of other methods.

It's good that we have opinion, as I use Zentyal as my gateway of choice because I find other features lacking in other packages.
« Last Edit: October 19, 2013, 04:47:31 pm by BrettonWoods »

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #22 on: October 20, 2013, 04:26:28 am »
Hi Mr Woods ;)

This isn't really about squid bashing or bashing anything. It's a simple discussion about what each software component offers on a technical basis.
Squid's only method of bandwidth throttling is delay pools.
Once you read up and understand the basic principle of delay pools and then apply it to normal scenario network usage you realise it is really an incredibly blunt tool. It is impossible to spread the bandwidth fully and evenly amongst a variable number of users in time.
The only thing it can do is divide bandwidth and allocate that to each user. This might have niche and important uses, but for a lot of network setups (sb/home etc) it doesn't do your pipe any justice.

All the different ways of configuring squid delay pools boil down to the same technology (see above).

Let's work with a (possibly typical) example: Company Office, 3 Departments: Admin/Dev/Sales

Proxy limiter: 1MB/s to each office.

Results when Dev are in crunch time and it's 8pm and they have to upload a 4GB image: limited to 1MB/s for no good reason. Devs now hate the network administrator for life (they know you have a 3MB/s pipe).

Results without Limiting:
10am and Devs have to reupload their image (they found a bug at midnight). They use all available bandwidth until sales start skyping with clients, then bandwidth is automatically shared with voip getting priority. Result is everyone is happy (except for sleepless devs, but there's nothing you can do about that).

During this time Admin are playing solitaire so don't enter into the equation (small joke).

----------------------------

My original comments weren't designed to hype an alternative solution or to bash Zentyal; it was just that I was seeing someone who thought these Zentyal options would give him the solution he required.

I have no experience of how Zentyal deals with traffic when acting as a gateway. Can someone enlighten me if it works like pfSense (fairly allocating all bandwidth through the pipe with highly configurable QoS etc)?

So as a conclusion I'd just like to say I'm really hard pushed to find any reason at all to use squid to manage bandwidth.

edit 2:
Maybe I also didn't make myself clear in my setup: I use Zentyal as proxy/filtering through an explicit proxy with authentication but do not use Zentyal as a gateway (this is obviously handled by pfSense).
« Last Edit: October 20, 2013, 04:30:20 am by astana »
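As an added illustration of the Admin/Dev/Sales example above (not code from this thread, Squid, pfSense or Zentyal): a toy Python allocator that contrasts a fixed 1 MB/s per-department cap, which is how a delay pool behaves, with max-min fair sharing of the 3 MB/s pipe, where a higher-priority class stands in for the Sales VoIP traffic. The 0.1 MB/s call load and the zero Admin demand are constructed figures.

```python
"""Toy allocator comparing fixed per-department caps (delay-pool behaviour)
with max-min fair sharing at a gateway, using the 3 MB/s pipe and the
Admin/Dev/Sales scenario from the post. Numbers are constructed; this is
not code from Squid, pfSense or Zentyal."""
from dataclasses import dataclass

PIPE_MBPS = 3.0   # MB/s, the pipe size quoted in the post
DEPT_CAP = 1.0    # MB/s, the per-department delay-pool limit in the post


@dataclass
class Flow:
    name: str
    demand: float      # MB/s the client would use if nothing held it back
    priority: int = 0  # higher classes are served first (e.g. VoIP); 0 = bulk


def delay_pool_allocation(flows, cap=DEPT_CAP):
    """Delay-pool style: each flow is clamped to `cap` even when the rest
    of the pipe is idle, so spare capacity is simply stranded."""
    return {f.name: min(f.demand, cap) for f in flows}


def max_min_fair(flows, capacity=PIPE_MBPS):
    """Max-min fair share with strict priority classes: serve the highest
    class first; inside a class, repeatedly offer every unsatisfied flow an
    equal slice of what is left, so small flows get all they ask for and
    the heavy ones split the remainder evenly. Nothing is left idle."""
    alloc = {f.name: 0.0 for f in flows}
    remaining = capacity
    for prio in sorted({f.priority for f in flows}, reverse=True):
        pending = [f for f in flows if f.priority == prio]
        while pending and remaining > 1e-9:
            share = remaining / len(pending)
            # Flows whose outstanding demand fits in an equal share are
            # satisfied outright; the rest split what is left next round.
            fits = [f for f in pending if f.demand - alloc[f.name] <= share]
            if not fits:
                for f in pending:
                    alloc[f.name] += share
                remaining = 0.0
                break
            for f in fits:
                grant = f.demand - alloc[f.name]
                alloc[f.name] += grant
                remaining -= grant
            pending = [f for f in pending if f not in fits]
    return alloc


def upload_minutes(size_gb, rate_mbps):
    """Minutes to move `size_gb` GB at `rate_mbps` MB/s (1 GB = 1024 MB)."""
    return size_gb * 1024 / rate_mbps / 60


def scenario_8pm():
    """Dev alone on the pipe, pushing the 4 GB image at 8 pm."""
    flows = [Flow("dev", 3.0)]
    return delay_pool_allocation(flows), max_min_fair(flows)


def scenario_10am():
    """Dev re-uploading while Sales is on a constructed 0.1 MB/s VoIP call
    (priority class 1) and Admin is idle."""
    flows = [Flow("dev", 3.0), Flow("sales", 0.1, priority=1), Flow("admin", 0.0)]
    return delay_pool_allocation(flows), max_min_fair(flows)


if __name__ == "__main__":
    for label, fn in (("8pm", scenario_8pm), ("10am", scenario_10am)):
        capped, fair = fn()
        print(f"{label}: delay pools {capped} | fair share {fair}")
    print(f"4 GB at 1 MB/s: {upload_minutes(4, 1.0):.0f} min; "
          f"at 3 MB/s: {upload_minutes(4, 3.0):.0f} min")
```

With the cap, the lone 8 pm upload is held to 1 MB/s (about 68 minutes for 4 GB) while 2 MB/s sits idle; with fair sharing it gets the whole pipe, and at 10 am the VoIP class is served first and Dev takes the rest.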

christian

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #23 on: October 20, 2013, 07:01:15 am »
Astana:

I previously read your post too fast (again) and thought you were running either pfSense or Zentyal. That's clear now.

What you are looking for is QOS (Quality of Service): you want to define priority with rules that are applied only when you reach resource capacity. This results in traffic shaping. This does exist at routing level for protocols, meaning this is perhaps managed at pfSense level, but it doesn't exist at proxy level. Furthermore, your design choice introduces extra complexity (from this QOS standpoint) as you have split HTTP proxy and internet gateway, meaning even if it was possible, from pfSense, all requests come from the proxy, with one single shaping rule.
On the other hand, I believe your design has some added value for you, I'm not challenging your design.

As you do understand, pool delaying is not QOS but a way to limit bandwidth once a user reaches their "quota", which is very different.
QOS classifier (in pfSense like for almost all QOS implementations) is based on queuing and hierarchy per service (service here meaning protocol).
This is done at iptables level where the "account" concept is unknown.

Even if you were working at layer 7 level, this would not work with a proxy because you don't know, when the request is performed by the proxy, if the content is for one user or another.

What you could perhaps do is to duplicate proxies. One proxy for Dev. One proxy for other users. At gateway level, allocate lower priority to Dev's proxy. When there is no congestion, they will get all the available bandwidth but will be limited in case there is some congestion. Still, I don't know if pfSense permits this.
A side effect of such an approach is that unless you set up a complex proxy network where each proxy can share its cache with other proxies, you impact proxy cache efficiency as the same page might be stored twice in different proxies.

Does it make sense ?
 

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #24 on: October 20, 2013, 07:14:23 am »
> Astana:
>
> I previously read your post too fast (again) and thought you were running either pfSense or Zentyal. That's clear now.
>
> What you are looking for is QOS (Quality of Service): you want to define priority with rules that are applied only when you reach resource capacity. This results in traffic shaping. This does exist at routing level for protocols, meaning this is perhaps managed at pfSense level, but it doesn't exist at proxy level.

Agreed. QOS is for saying, for example, VoIP has higher priority over HTTP, which has higher priority over BitTorrent.

> Furthermore, your design choice introduces extra complexity (from this QOS standpoint) as you have split HTTP proxy and internet gateway, meaning even if it was possible, from pfSense, all requests come from the proxy, with one single shaping rule.

However pfSense is intelligent enough to notice that the requests are coming from different client ports and can automatically balance all HTTP traffic from the one Zentyal proxy server (i.e. all clients are fairly balanced)!

> On the other hand, I believe your design has some added value for you, I'm not challenging your design.

This is the only design I found that allowed full use of the bandwidth for all users without throttling. As I said, I already had a gateway so I have no idea if Zentyal performing as a gateway solves this problem.

> As you do understand, pool delaying is not QOS but a way to limit bandwidth once a user reaches their "quota", which is very different.
> QOS classifier (in pfSense like for almost all QOS implementations) is based on queuing and hierarchy per service (service here meaning protocol).
> This is done at iptables level where the "account" concept is unknown.

Correct, QOS is about different types of packet having different priorities, and nothing to do with throttling.

> Even if you were working at layer 7 level, this would not work with a proxy because you don't know, when the request is performed by the proxy, if the content is for one user or another.

Actually this is false, as each client connects on a random port to the proxy and has a different destination IP address, so yes, you can differentiate that different users are connected to the one proxy host.

> What you could perhaps do is to duplicate proxies. One proxy for Dev. One proxy for other users. At gateway level, allocate lower priority to Dev's proxy. When there is no congestion, they will get all the available bandwidth but will be limited in case there is some congestion. Still, I don't know if pfSense permits this.

pfSense allows the use of a proxy, but pretty much the same configuration as Zentyal.

> A side effect of such an approach is that unless you set up a complex proxy network where each proxy can share its cache with other proxies, you impact proxy cache efficiency as the same page might be stored twice in different proxies.

This is what cache digest is for. You can configure squid to check with its neighbours to see if they already have the item in the cache.

> Does it make sense?

It all makes sense, but I'm thinking you're still missing the point I'm trying to make.
Replies in red

Really the crux of the matter is: When Zentyal isn't acting as a gateway, how do you fairly distribute bandwidth to all users of the proxy without using squid throttling (which I'm sure you'll agree is a really bad tool for the aim of sharing a fixed pipe fairly).

christian

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #25 on: October 20, 2013, 07:40:10 am »
> Really the crux of the matter is: When Zentyal isn't acting as a gateway, how do you fairly distribute bandwidth to all users of the proxy without using squid throttling (which I'm sure you'll agree is a really bad tool for the aim of sharing a fixed pipe fairly).

As far as I understand technology, you can't. But I don't know everything and perhaps (for sure  ;)) someone else has better knowledge or idea.

Regarding layer 7 QOS: this is not a matter of source but a matter of content  ;) and back to proxy: the real question (well, the one that really matters for you) with a proxy is not who is connected and requesting (the page might be stored in cache and result in no bandwidth usage) but how the proxy, as a network client, will consume bandwidth. That's why the Squid "quota" makes some sense: limiting on the external interface is extremely difficult, so let's limit at the source side. But again this is not real QOS and priority management.

So, no, I don't understand your point: either you know some technology that would permit reaching what you describe, and then you could make a proposal for implementation, or you are only looking for a solution to your problem (which, as a problem, is clear enough) and my answer is: too bad, AFAIK, it doesn't exist. Do you wonder why even pfSense doesn't provide something different from Zentyal?

Regarding proxies sharing cache: I do know it can be done. This is not something I just invented for the beauty of providing an additional entry to this thread  ;)  What I meant is that although it exists, you will not get it out of the box, AFAIK, with Zentyal. But I might be wrong as I'm not running 3.x

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #26 on: October 20, 2013, 07:46:39 am »
Simply put, I have no problem because my gateway handles the problem of starvation and sharing for me!
What I perceive as a problem for others, having already gone down that path and finding it totally lacking, is using squid to allocate bandwidth.
I'll repeat again, I don't use Zentyal as a gateway, so I have no knowledge of whether Zentyal performs the same way as pfSense in equally sharing the bandwidth across all clients (even if there is one client, the Zentyal proxy, that serves 100 users).
If Zentyal as a gateway doesn't do that, then I can propose a solution that does, but it does take another box.
Please note that on my gateway I'm not actively doing any layer 7 QoS, as all connections are queued correctly out of the box.

edits for correct grammar.

BrettonWoods

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #27 on: October 20, 2013, 08:09:17 pm »
You make some really interesting points. I had never really thought about it as I am happy with the results I get. I have a habit of being generous in the bandwidth allocation.

This seems to work and it does balance traffic, and I get the feeling, and from memory, pfSense doesn't do anything clever; in fact it just doesn't do anything. It's just your router handing out packets evenly.

I get your argument though as why tie people down to specific limits if higher is available.

A lot of this is how and in what manner a sysadmin is going to control network access and bandwidth throttling. I guess it's if needed, enable; if not, then don't.

My personal opinion is that I would like more control and currently the zentyal proxy throttling could probably do with more control over the bucket system.
Most will just not enable the throttling and I am probably one of those. If I had a bit more control then I would probably enable it more often.

A lot of the Zentyal throttling is based on making essential services guaranteed.
« Last Edit: October 20, 2013, 08:13:52 pm by BrettonWoods »

astana

  • Zen Warrior
  • ***
  • Posts: 128
  • Karma: +10/-0
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #28 on: October 21, 2013, 03:10:38 am »
> You make some really interesting points. I had never really thought about it as I am happy with the results I get. I have a habit of being generous in the bandwidth allocation.

Being happy is good; your users being happy is even better!

> This seems to work and it does balance traffic, and I get the feeling, and from memory, pfSense doesn't do anything clever; in fact it just doesn't do anything. It's just your router handing out packets evenly.

Saying it's doing nothing is disingenuous. It's actually doing a fantastic job transparently.

> I get your argument though as why tie people down to specific limits if higher is available.
>
> A lot of this is how and in what manner a sysadmin is going to control network access and bandwidth throttling. I guess it's if needed, enable; if not, then don't.

Absolutely, but nice to be aware what it will do and what it won't do.

> My personal opinion is that I would like more control and currently the zentyal proxy throttling could probably do with more control over the bucket system.
> Most will just not enable the throttling and I am probably one of those. If I had a bit more control then I would probably enable it more often.

The trouble is it's squid's only method of control, so little more can be done with it.

> A lot of the Zentyal throttling is based on making essential services guaranteed.

This isn't good as it does confuse throttling with QoS, which as Christian rightly says are 2 very different beasts.

christian

  • Guest
Re: [SOLVED] bandwidth management and filters: what to use, firewall or proxy
« Reply #29 on: October 21, 2013, 08:44:22 am »
Astana,

I'm sorry, but the more we discuss, the more I'm lost. Reading one post, I feel like "OK, I understand now what he means" and the next post makes me feel something different.

To summarize my current understanding of what you mean, as this discussion is very confusing for me:
- you don't face any problem and you are very happy with pfSense as gateway and Zentyal as HTTP proxy
- you think Zentyal should propose something else than proxy only in order to provide QoS.

Am I correct?

Assuming I am (although at this stage I'm totally lost), debate is somewhat truncated:
- Zentyal does provide QoS service that is not linked to proxy. Such service obviously works only when Zentyal is used as gateway because it works, as I explained previously, like other QoS implementations, at protocol level.
- I don't know any implementation of "QoS per user"
- I don't understand what you want to achieve (more) with Squid and I don't think we can have efficient discussion if we endlessly mix up everything
« Last Edit: October 21, 2013, 08:48:15 am by christian »