pfSense and Shaping Facebook – The Definitive Guide.


July 22, 2015 by aubreykloppers

Using pfSense to Shape/Limit Facebook traffic

Out with the old, in with the new!

There is a better way than the one I describe further down this page: instead of thinking of sites as high/low priority or as good/bad, think about the bandwidth you actually have available and how to manage it; the sites then quickly fall into place. To do this, the following recipe has been tried and tested. It works, works well, users do not get irate, bandwidth is managed and the overall experience is smooth!

Now to the fun-stuff using pfSense

The idea is to create pools and assign bandwidth to each pool. I create three pools, Low/Medium/High priority, with 1/1.8/2.8 Mbit/s assigned respectively. In pfSense a pool is a Limiter (Firewall/Traffic Shaper/Limiter) with one child queue under it. A limiter is one-directional, so each pool is built twice, once for upload and once for download. The mask on the child queue (source addresses for upload, destination addresses for download) gives every LAN host in the pool its own fair share of the pool's bandwidth rather than its own copy of it.

Pool Creation:

Low Upload Pool and Queue:

  • Enable
  • Name: LOWupPOOL
  • Bandwidth: 1000 Kbit/s
  • ADD NEW QUEUE:
    • Enable
    • Name: LOWupPRIByHost
    • Mask: Source addresses

Low Download Pool and Queue:

  • Enable
  • Name: LOWdownPOOL
  • Bandwidth: 1000 Kbit/s
  • ADD NEW QUEUE:
    • Enable
    • Name: LOWdownPRIByHost
    • Mask: Destination addresses

Then repeat the above for the MED and HI pools with 1800 and 2800 Kbit/s respectively, using the same naming scheme.

Firewall Rules:

Firewall: Rules: Edit

  • Edit Firewall Rule
    • Action: pass
    • Interface: LAN
    • Protocol: TCP
    • Source: Single host or alias
    • Address: LOW_PRI_ALIAS (Note: create an alias containing the low-priority IPs on your LAN)
    • Description: LOW-PRIORITY Traffic
  • Advanced features
    • In/Out pipe: LOWupPRIByHost / LOWdownPRIByHost (In is traffic entering the LAN interface, i.e. upload; Out is the reply traffic, i.e. download)

Then repeat the above for the MED and HI priority aliases. Keep these rules above the default “LAN to any” rule: the first matching rule wins, and a host that falls through to the default rule is not shaped at all. Note also that the rule matches TCP only, so UDP traffic from the same hosts is not shaped by it.
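As an added sanity check for the pool plan above (my own example, not part of the original post): a small Python model of how pfSense limiters behave, using the documented rule that a mask on a child queue gives each address a fair share of the parent limiter, while a mask on the limiter itself gives each address its own pipe at the full rate. It flags three things a practitioner gets wrong with this recipe: pools that together exceed the WAN link in one direction, a mask placed on the limiter instead of the queue, and a host that sits in two priority aliases (only the first matching LAN rule applies). The pool names, member networks and WAN rates are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Pool:
    name: str               # e.g. "LOW"
    up_kbit: int            # bandwidth of the upload limiter (LOWupPOOL)
    down_kbit: int          # bandwidth of the download limiter (LOWdownPOOL)
    members: tuple          # hosts/networks in the rule's source alias (LOW_PRI_ALIAS)
    mask_on: str = "queue"  # "queue": members share the pool; "pipe": every address gets the full rate


# Constructed plan following the post's 1/1.8/2.8 Mbit/s split; the member networks are made up.
RECIPE = [
    Pool("LOW", 1000, 1000, ("192.168.1.0/25",)),
    Pool("MED", 1800, 1800, ("192.168.1.128/26",)),
    Pool("HI", 2800, 2800, ("192.168.1.192/26",)),
]


def per_host_kbit(pool, direction, active_hosts):
    """Rate one active host sees in the given direction ("up" or "down")."""
    kbit = pool.up_kbit if direction == "up" else pool.down_kbit
    if active_hosts < 1:
        return 0.0
    if pool.mask_on == "pipe":      # mask on the limiter: a dynamic pipe per address, each at full rate
        return float(kbit)
    return kbit / active_hosts      # mask on the child queue: fair share of the parent limiter


def check_plan(pools, wan_up_kbit, wan_down_kbit):
    """Return a list of (code, detail) findings for the plan; an empty list means it is consistent."""
    findings = []
    # 1. The pools are hard caps; if their sum exceeds the link they cannot prevent contention.
    for direction, link in (("up", wan_up_kbit), ("down", wan_down_kbit)):
        total = sum(p.up_kbit if direction == "up" else p.down_kbit for p in pools)
        if total > link:
            findings.append(("OVERSUBSCRIBED",
                             f"{direction}: pools sum to {total} Kbit/s but the link is {link} Kbit/s"))
    # 2. A mask on the limiter itself multiplies the bandwidth per address instead of sharing it.
    for p in pools:
        if p.mask_on == "pipe":
            findings.append(("PIPE_MASK",
                             f"{p.name}: mask on the limiter gives every address "
                             f"{p.up_kbit}/{p.down_kbit} Kbit/s, not a shared pool"))
    # 3. Overlapping aliases: a host in two priority rules only ever hits the first one.
    nets = [(p.name, ip_network(m, strict=False)) for p in pools for m in p.members]
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a_name != b_name and a.overlaps(b):
                findings.append(("OVERLAP",
                                 f"{a} ({a_name}) overlaps {b} ({b_name}); only the first matching LAN rule applies"))
    return findings


if __name__ == "__main__":
    # Assumed link: 10 Mbit/s down, 5 Mbit/s up. The three pools add up to 5.6 Mbit/s per direction.
    for code, detail in check_plan(RECIPE, wan_up_kbit=5000, wan_down_kbit=10000):
        print(code, "-", detail)
    print("LOW upload with 4 active hosts:", per_host_kbit(RECIPE[0], "up", 4), "Kbit/s each")
```

With the assumed 5 Mbit/s upload link the checker reports that the pools oversubscribe the upload direction; on a 12M/1M DSL line like the one mentioned in the comments every pool would have to shrink accordingly.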

Notes:

  • Facebook shaping: you can use the same recipe with “Source: LAN net” and “Destination: Facebook_Alias” in the firewall rule.
  • To find Facebook servers: http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search (an AS search there lists the prefixes Facebook announces, which is more durable than a list of hostnames).
  • Personally I “grep and find” Facebook and related sites in my squid access.log.* files once a month and update my alias…

To manage YouTube

I use the “Custom ACLS (Before_auth)” box in the Squid package with the following. (NOTE: I switch the option “Enable Logging” OFF, else none of the “Custom ACLS” works.)

# Keep up to 3650 rotated log files and log to the standard location
logfile_rotate 3650
debug_options rotate=3650
access_log /var/squid/log/access.log

# Limiting YouTube to 128,000 Byte/s x 8 = 1,024,000 bit/s, roughly 1 Mbit/s
# delay_pools 2 declares two pools; Squid requires exactly one delay_class line per
# declared pool, so if pool 1 is not defined elsewhere use "delay_pools 1" and renumber.
delay_pools 2
# class 1 = a single aggregate bucket shared by every request that matches the pool
delay_class 2 1
# restore rate / bucket size, both in bytes (bucket size = restore rate allows 1 s of burst)
delay_parameters 2 128000/128000
# YouTube video is served from googlevideo.com; the leading dot matches all subdomains
acl YOUTUBE dstdomain .googlevideo.com
delay_access 2 allow YOUTUBE
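To see what `delay_class 2 1` with those `delay_parameters` actually does, here is an added token-bucket simulation of a class 1 pool (my example, not Squid code and not from the post). It assumes Squid's default `delay_initial_bucket_level` of 50%, one bucket shared by every client the pool matches (which is what class 1 means), and a 0.1 s scheduling tick; the download sizes are made up. The point it shows: the restore rate sets the sustained speed, the bucket size sets how long a burst can run unthrottled, and two clients watching at once split the same 1 Mbit/s between them.

```python
# Token-bucket model of a Squid class 1 delay pool (added example, not Squid's own code).
# Assumptions: Squid's default delay_initial_bucket_level of 50%, one bucket shared by
# every client the pool matches, and a 0.1 s scheduling tick.

RESTORE = 128_000   # delay_parameters restore rate, bytes/s (1,024,000 bit/s)
MAXIMUM = 128_000   # delay_parameters bucket size, bytes


def burst_seconds(max_bytes, restore_bps):
    """How long a full bucket lets the pool run at full speed before throttling starts."""
    return max_bytes / restore_bps


def simulate_class1(demands_bytes, restore_bps, max_bytes, tick=0.1, initial_level=0.5):
    """Serve each client's download through one shared bucket.

    Returns the finish time in seconds of every client, in the order of demands_bytes.
    Clients still active in a tick split that tick's tokens evenly, which is the
    fair-share behaviour a single shared bucket approximates.
    """
    bucket = max_bytes * initial_level
    remaining = [float(b) for b in demands_bytes]
    finish = [None] * len(remaining)
    t = 0.0
    while any(r > 0.5 for r in remaining):          # half a byte: tolerate float drift
        active = [i for i, r in enumerate(remaining) if r > 0.5]
        per_client = bucket / len(active)
        for i in active:
            sent = min(per_client, remaining[i])
            remaining[i] -= sent
            bucket -= sent
            if remaining[i] <= 0.5:
                finish[i] = t
        t += tick
        bucket = min(max_bytes, bucket + restore_bps * tick)   # refill, capped at bucket size
    return finish


if __name__ == "__main__":
    # Constructed workloads: one 5 MB clip, two clients fetching 2.5 MB each, and a 10 s bucket.
    print("one client, 5 MB:         %.1f s" % simulate_class1([5_000_000], RESTORE, MAXIMUM)[0])
    print("two clients, 2.5 MB each:", ["%.1f s" % f for f in simulate_class1([2_500_000] * 2, RESTORE, MAXIMUM)])
    print("one client, 10 s bucket:  %.1f s" % simulate_class1([5_000_000], RESTORE, 10 * MAXIMUM)[0])
```

If you want each YouTube viewer to get its own 1 Mbit/s instead of all viewers sharing one, that is a class 2 pool (aggregate plus per-individual buckets), not class 1.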

The following is left as a note for users who do not want per-group pools but a single hard limit on Facebook instead…

The first thing you have to understand is that shaping/limiting Facebook traffic will have a big impact on your business. Not everything is a gain: all traffic to and from Facebook will be capped at a fixed rate, which also slows things like Like/Share buttons and embedded links on other sites that load Facebook resources.

That said, limiting Facebook traffic will also greatly improve overall network responsiveness and free bandwidth for the services your business depends on.

Now to the fun-stuff using pfSense

Note: I will NOT use squid/squidGuard to BLOCK traffic; I will be using the firewall to limit it.

Note 1: This is a FLOATING rule that you apply on your WAN interface.

Creating your aliases:

  • Click on Firewall/Aliases and create a new alias called “Facebook” with the following list of hostnames (make sure you use NETWORK as your Type). Note that pfSense resolves hostnames in an alias periodically, so only the addresses the firewall's own resolver returns are matched, and a CDN may hand clients different addresses than it hands the firewall; the list below is from 2015 and will need refreshing.

fbcdn-dragon-a.akamaihd.net
fbcdn-photos-b-a.akamaihd.net
fbcdn-profile-a.akamaihd.net
fbcdn-sphotos-a-a.akamaihd.net
fbcdn-sphotos-c-a.akamaihd.net
fbcdn-sphotos-d-a.akamaihd.net
fbcdn-sphotos-e-a.akamaihd.net
fbcdn-sphotos-f-a.akamaihd.net
fbcdn-sphotos-g-a.akamaihd.net
fbcdn-sphotos-h-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
fbcdn-vthumb-a.akamaihd.net
fbexternal-a.akamaihd.net
fbstatic-a.akamaihd.net
0-edge-chat.facebook.com
1-edge-chat.facebook.com
2-edge-chat.facebook.com
3-edge-chat.facebook.com
4-edge-chat.facebook.com
5-edge-chat.facebook.com
developers.facebook.com
edge-chat.facebook.com
facebook.com
pixel.facebook.com
s-static.ak.facebook.com
www.facebook.com

  • Click on Firewall/Traffic Shaper/Limiter and create 2 limiters:

Name: FBupPRI
Bandwidth: 300 Kbit/s
Mask: Destination address

Name: FBdownPRI
Bandwidth: 300 Kbit/s
Mask: Destination address

    • Click Firewall/Rules/Floating and create (at the top) a Facebook rule:

Edit Firewall rule:
Action: Pass
Interface: WAN (see Note 1)
Direction: out
Protocol: any
Source: any
Destination Type: Single host or Alias
Destination Address: Facebook
Advanced Features:
Gateway: (Your WAN Gateway)
In/Out: FBupPRI/FBdownPRI

  • If you now look at Diagnostics/Limiter Info you will see the two limiters listed at 300.000 Kbit/s (that is how ipfw prints 300 Kbit/s). Because the mask is set on the limiter itself rather than on a child queue, every masked destination address gets its own 300 Kbit/s pipe; for the download limiter the destination is the LAN client, so anyone using Facebook (even your firewall) is held to 300 Kbit/s of Facebook traffic, and your entire LAN experience will improve!
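The alias above and the monthly “grep and find” of squid access.log.* mentioned in the Notes of the pool recipe both come down to the same job: pull the Facebook-related hostnames, and the addresses the proxy actually connected to, out of Squid's log. Here is an added Python script for that (my own example, not the author's script and not part of the original post). The log lines in SAMPLE_LOG are constructed in Squid's native access.log format, the addresses in them are illustrative, and the script name fbalias.py is assumed. It collects the peer IPs as well as the hostnames because HTTPS flows can only be matched by address on the firewall, and it anchors its patterns so that a domain merely containing the word "facebook" is not swept up.

```python
import ipaddress
import re
import sys
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from a real log):
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1437559200.123    345 192.168.1.10 TCP_MISS/200 5123 GET http://www.facebook.com/ - HIER_DIRECT/31.13.64.1 text/html
1437559201.456   1200 192.168.1.11 TCP_TUNNEL/200 84321 CONNECT scontent.xx.fbcdn.net:443 - HIER_DIRECT/31.13.64.5 -
1437559202.789    210 192.168.1.10 TCP_MISS/200 2200 GET http://www.google.com/ - HIER_DIRECT/216.58.223.4 text/html
1437559203.012    512 192.168.1.12 TCP_TUNNEL/200 1024 CONNECT www.youtube.com:443 - HIER_DIRECT/216.58.223.14 -
1437559204.333    100 192.168.1.13 TCP_MISS/200 900 GET http://fbstatic-a.akamaihd.net/rsrc.php - HIER_DIRECT/23.55.1.1 image/png
1437559205.444     50 192.168.1.13 TCP_DENIED/403 300 GET http://notfacebook.com/ - HIER_NONE/- text/html
1437559206.555    700 192.168.1.11 TCP_TUNNEL/200 2048 CONNECT www.facebook.com:443 - HIER_DIRECT/31.13.64.2 -
"""

# Anchored patterns: "notfacebook.com" must not match, so never search for the bare word.
FB_PATTERNS = (
    re.compile(r"(^|\.)facebook\.com$"),
    re.compile(r"(^|\.)fbcdn\.net$"),
    re.compile(r"^fb[\w-]*\.akamaihd\.net$"),   # the fbcdn-*/fbstatic-*/fbexternal-* hosts in the alias
)


def request_host(method, url):
    """Destination hostname of a logged request; CONNECT logs host:port, other methods a full URL."""
    if method == "CONNECT":
        if url.startswith("["):                  # bracketed IPv6 literal
            return url[1:url.index("]")].lower()
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else None


def parse_line(line):
    """Return (client, host, peer_ip_or_None) for a native-format line, or None if unparsable."""
    f = line.split()
    if len(f) < 9:
        return None
    host = request_host(f[5], f[6])
    if not host:
        return None
    peer = f[8].partition("/")[2]                # HIER_DIRECT/31.13.64.1 -> 31.13.64.1
    try:
        ipaddress.ip_address(peer)
    except ValueError:                           # "-" or a cache-peer name: no address to record
        peer = None
    return f[2], host, peer


def is_facebook_host(host):
    return any(p.search(host) for p in FB_PATTERNS)


def facebook_hosts(log_text):
    """Map each Facebook-related hostname to the set of peer IPs Squid actually connected to."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_facebook_host(rec[1]):
            ips = found.setdefault(rec[1], set())
            if rec[2]:
                ips.add(rec[2])
    return found


def alias_lines(found):
    """Hostnames first, then the observed addresses, ready to paste into the Facebook alias."""
    ips = {ip for s in found.values() for ip in s}
    return sorted(found) + sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    text = SAMPLE_LOG
    if len(sys.argv) > 1:                        # e.g. python fbalias.py /var/squid/log/access.log*
        text = "".join(open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:])
    print("\n".join(alias_lines(facebook_hosts(text))))
```

Run it against the rotated logs once a month as the Notes suggest and diff the output against the current alias; hostnames that stop appearing can be dropped, new CDN hostnames added.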

So, if your admin is running pfSense and you found this post, please do not scream at me; rather, let your IT engineer buy me a beer!

3 thoughts on “pfSense and Shaping Facebook – The Definitive Guide.”

  1. techgs says:

    1. How you could get all the facebook host-names ? Is there any way to find all the host-names used by a particular site ?

    2. Appreciated your efforts. Can you also please write similar things on youtube.com


    • I am about to re-write the post with a better one! The way I did the shaping was successful in pissing my users off, so I re-wrote with the same thing in mind, but instead of thinking FaceBook bad Google good, shape EVERYONE (or in my new example, groups of IPs)…

      Hope you like the re-write!


  2. Kim Callis says:

    I know this is an old post, but it was somewhat informational. I am stuck in the dark ages with a DSL connection that is 12M/1… In what world does that exist??? Obviously where I live… So with such a poor bandwidth, how can I better use your example?

