Hi,
I’m a volunteer for an elementary school. We have a very simple network configuration (a DMZ and a couple of internal subnets) provided by a Windows Server (routing and remote access services).
We’d like to move to Nethserver because:
we’d like to avoid paying licenses (we are on a very short budget, it’s a non-profit school)
we’d like to set some basic traffic shaping rules
We have an average internet connection and are using only cloud services for collaboration (Office 365), so I’d like to set all of the traffic toward Office365 as High Priority and limit the rest.
So the plan is setting Nethserver as transparent proxy, but how to obtain the desired traffic shaping? As far as I’ve seen, I can’t set rules based on the destination address.
Welcome to the nethserver community @tramamo. I hope you will not only find here a great project, but also a great community.
I have been involved with ICT at a primary and a secondary school. We have a few engaged educationally oriented members in our community. Although my NS knowledge is still limited, I do have experience with several educational applications like Moodle, Chamilo, Xerte Online Toolkits etc…
It would be awesome if we can create modules for educational applications. It could save you another BUNDLE on license fees.
Thank you so much Ale, it was getting kind of a flame…
To be true, I don’t think that I can achieve my objective.
I hoped I could set rules like “set www.myprivilegedurl.com as high priority”.
With the traffic shaping feature I can set a priority according to protocols or source IP (neither so useful in my case).
@tramamo: this is exactly why the discussion was split off. Don’t feel personally attacked! That is by no means the intention.
Maybe the more experienced NS firewall gurus can focus on your question and try to make your goal possible. @Nas @Ctek any brilliant ideas?
Hi Guys,
At the moment there is no option to prioritize the traffic depending on destination.
If you require this, you will probably need to have a box to do this QoS before NS red interface.
A small box with pfSense or OPNSense can do the trick.
Just brainstorming a bit out loud. The goal is to make sure the office365 environment gets enough bandwidth so the experience for the end user is that it works smoothly. The idea @tramamo came up with is prioritizing the connection to office365. Would that be the only option to get to the goal?
Is the traffic towards office365 strictly http or https? Or are other protocols used? Then the protocol could get prioritized instead of the destination address.
Another option could be to create a site-site VPN and prioritize the traffic that goes through the VPN connection.
Thanks @nas
I confess I have absolutely no clue about traffic shaping, but love to see and hear that others in this community do know what they are talking about.
I am the pragmatist in this: what I don’t know, I ask. And sometimes I don’t even know what I should ask for, so I start thinking out loud… maybe I come up with some clues that others can use to do the real work.
How I love brainstorm sessions…
Now the discussion is getting awesome: lot of ideas and a problem solving attitude.
Sadly Office365 is strictly HTTP(S), so no luck with regards to prioritizing the TCP ports.
I hope some Shorewall black belt could shed some light.
Let me argue a little bit with regards to the O365 discussion: my full time job consists of managing a group of 15 sysadmins as IT Manager. I’m very experienced in Windows and most Microsoft products but, since half of the colleagues I coordinate are Unix / Linux experts and all of our services run on heterogeneous systems, I appreciate both closed source with bold support policies and open source, community driven products.
I strive to pursue the correct balance between these two worlds, avoiding fanboy prejudices and haters. My philosophy is “If you have more money than time, buy; if you have more time than money, make” and most of the open source solutions, to me, happen to fall in the latter category.
Just my two cents.
Maybe I’ve found something interesting.
The kind of shaping I’m looking for (URL based) is mostly a proxy feature and not a firewall feature.
I’ve read about Squid Delay Pools and the corresponding rules which may be based upon regex.
Here is an excerpt: URL, keyword based bandwidth restriction
This will limit the bandwidth for the following keywords: video.domain.com mail cricket
# ACL matching any URL that contains one of the keywords (case-insensitive regex)
acl group1 url_regex -i video.domain.com mail cricket
# One delay pool, class 1 = a single aggregate bucket shared by all matching requests
delay_pools 1
delay_class 1 1
# restore/max in bytes: refill at 32000 B/s, burst up to 128000 B
delay_parameters 1 32000/128000
# Only requests matching group1 are put into the pool
delay_access 1 allow group1
The idea is to limit all the sites except O365 ones or to limit specific sites (i.e. update.microsoft.com).
At the moment I’m on holiday and I have no access to my virtual lab. As soon as I’m back home I’ll give it a try.
If in the meanwhile anyone can add any thought, very appreciated.
Managing these settings through NS interface would be great.
Mauro
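The "limit everything except O365" variant of the excerpt above, as an added squid.conf example that is not from the thread or from NethServer. The O365 hostnames and the client subnet are placeholders; the real list should come from Microsoft's published Office 365 endpoints.

```squid
# Added example, not part of the original thread.
# Destination-based shaping in Squid: exempt Office 365, throttle the rest.

# Placeholder O365 domains (a leading dot also matches subdomains).
acl o365 dstdomain .office365.com .office.com .outlook.com .sharepoint.com .microsoftonline.com
# Constructed client subnet; adjust to the school's LAN.
acl localnet src 192.168.1.0/24

# One pool, class 1: a single aggregate bucket shared by everything put into it.
delay_pools 1
delay_class 1 1
# restore/max in bytes: refill at 128000 B/s (~1 Mbit/s), allow a 1 MB burst.
delay_parameters 1 128000/1048576

# delay_access rules are evaluated in order; "deny" means "do not shape".
# O365 requests are excluded first, every other request from the LAN is throttled.
delay_access 1 deny o365
delay_access 1 allow localnet
delay_access 1 deny all
```

Delay pools only act on traffic that actually passes through Squid, so anything bypassing the proxy is unshaped, and for intercepted HTTPS the destination host is only visible to dstdomain when Squid can see the CONNECT or SNI hostname.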