pfSense and Shaping Facebook – The Definitive Guide.

2

July 22, 2015 by aubreykloppers

Using pfSense to Shape/Limit Facebook traffic

Out with the old, in with the new!

There is a better way, but for the way I described below, that is, instead of thinking sites as High/Low priority or as Good/Bad, think more of the bandwidth you have available and how to manage the bandwidth.  the sites will quickly fall in place.  To do this, the following recipe have been tried and tested.  It works, works well and users do not get irate, bandwidth is managed and the overall experience smooth!

Now to the fun-stuff using pfSense

The idea is to create POOLS and assigning bandwidth to said POOL.  I create 3 pools, High/Medium/Low priority pools with bandwidth assigned of 1/1.8/2.8Mbit/s.

Pool Creation:

Low Upload Pool and Queue:

  • Enable
  • Name: LOWupPOOL
  • Bandwidth: 1000 Kbit/s
  • ADD NEW QUEUE:
    • Enable
    • Name: LOWupPRIByHost
    • Mask: Source addresses

Low Download Pool and Queue:

  • Enable
  • Name: LOWdownPOOL
  • Bandwidth: 1000 Kbit/s
  • ADD NEW QUEUE:
    • Enable
    • Name: LOWdownPRIByHost
    • Mask: Destination addresses

Then, repeat the above for MED/HI 1800/2800.

Firewall Rules:

Firewall: Rules: Edit

  • Edit Firewall Rule
    • Action: pass
    • Interface: LAN
    • Protocol: TCP
    • Source: Single host or alias
    • Address: LOW_PRI_ALIAS (Note: Create an alias with your Low Priority IP’s on your LAN)
    • Description: LOW-PRIORITY Traffic
  • Advanced features
    • In/Out: LOWupPRIByHost/LOWdownPRIByHost

Then, repeat the above for MED/HI Priority Traffic

Notes:

  • Facebook shape: You can use the same recipe with “Source: LAN Net” and “Destination: Facebook_Alias” in your Firewall Rule.
  • To find Facebook servers: http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
  • Personally I “grep and find” Facebook and related sites in my squid access.log.* files once a month and update my alias…

To manage Youtube

I use the “Custom ACLS (Before_auth)” in Squid with the following: (NOTE: I switch the option “Enable Logging: OFF”, else none of the “Custom ACLS” works.)

logfile_rotate 3650
debug_options rotate=3650
access_log /var/squid/log/access.log

# Limiting YOUTUBE at 8 * 128.000 Byte/s = 1.024.000 bit/s = 1 Mbit/s
delay_pools 2
delay_class 2 1
delay_parameters 2 128000/128000
acl YOUTUBE dstdomain .googlevideo.com
delay_access 2 allow YOUTUBE

The following is left as a note to users who do not want to use pools, but a DEAD Block instead…

 

The first thing you have to understand is that shaping/limiting Facebook traffic will have a huge impact on your business.  Not everything will be gained as any traffic to and from Facebook will be limited to a maximum network rate.  This could have an adverse effect on things like likes/shares/links on other pages using Facebook technologies.

That said, limiting Facebook traffic will also have a huge advantage to your overall network responses and will relieve bandwidth to vital technologies to your business.

Now to the fun-stuff using pfSense

Note: I will NOT use squid/squidGuard to BLOCK traffic, I will be using the firewall to Limit traffic.

Note1: This is a FLOATING RULE that you will apply on your WAN address.

Creating your aliases:

  • Click on Firewall/Aliases and create a new alias called “Facebook” with the following list of networks (Make sure you use NETWORK as your Type):

fbcdn-dragon-a.akamaihd.net
fbcdn-photos-b-a.akamaihd.net
fbcdn-profile-a.akamaihd.net
fbcdn-sphotos-a-a.akamaihd.net
fbcdn-sphotos-c-a.akamaihd.net
fbcdn-sphotos-d-a.akamaihd.net
fbcdn-sphotos-e-a.akamaihd.net
fbcdn-sphotos-f-a.akamaihd.net
fbcdn-sphotos-g-a.akamaihd.net
fbcdn-sphotos-h-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
fbcdn-vthumb-a.akamaihd.net
fbexternal-a.akamaihd.net
fbstatic-a.akamaihd.net
0-edge-chat.facebook.com
1-edge-chat.facebook.com
2-edge-chat.facebook.com
3-edge-chat.facebook.com
4-edge-chat.facebook.com
5-edge-chat.facebook.com
developers.facebook.com
edge-chat.facebook.com
facebook.com
pixel.facebook.com
s-static.ak.facebook.com
'www.facebook.com' - Without the quotes

  • Click on Firewall/Traffic Shaper/Limiter and create 2 limiters:

Name: FBupPRI
Bandwidth: 300 Kbit/s
Mask: Destination address

Name: FBdownPRI
Bandwidth: 300 Kbit/s
Mask: Destination address

    • Click Firewall/Rules/Floating and create (at the top) a Facebook Rule:

Action: Pass
Edit Firewall rule:
Direction: out
Protocol: any
Source: any
Destination Type: Single host or Alias
Destination Address: Facebook
Advanced Features:
Gateway: (Your WAN Gateway)
In/Out: FBupPRI/FBdownPRI

  • If you now look on your Diagnostics/Limiter Info you will see 2 limiters with the 300.000 Kbit/s limiters and anyone using Facebook (even your firewall) will be left using only 300 Kbit/s and your entire LAN experience will improve!

So, If your admin is running pfSense and you found this post, please do not scream at me, rather let your IT Engineer buy me a beer!

Advertisements

2 thoughts on “pfSense and Shaping Facebook – The Definitive Guide.

  1. techgs says:

    1. How you could get all the facebook host-names ? Is there any way to find all the host-names used by a particular site ?

    2. Appreciated your efforts. Can you also please write similar things on youtube.com

    Like

    • I am about to re-write the post with a better one! The way I did the shaping was successful in pissing my users of, so I re-wrote with the same thing in mind, but instead of thinking FaceBook bad Google good, shape EVERYONE (or in my new example, groups of IP’s)…

      Hoe you like the re-write!

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: