• Home
• News
• About FireBrick
• Products

• FireBrick FB2500
• FireBrick FB2700
• FireBrick FB6000

• Legacy Products

• Buy Firebrick
• Contact Us
• Support

• Reseller Area

• Press Information

FireBrick FB2700

Traffic shaping

Traffic shaping allows ingress and egress controls to be applied at various points within the FireBrick.

How it works

Several places in the configuration allow you to specify a graph. This causes traffic through that point (a firewall rule, or an interface, or whatever the attribute is attached to) to be recorded on a graph which you can see from the web pages. In addition to showing on a graph, you can also define that the graph has speed restrictions. These can be simple tx and rx speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls for the graph by adding a shaper config object.

In addition, in a few places, you can set a speed attribute directly. This is a short cut for where you want a speed limit applied to some specific interface, such as PPPoE. You can specify speed to control the tx speed on that interface directly. If you also specify a graph that also creates a graph. There is a warning if you try and make contradictory speed, graph and shaper settings in your config as a whole. Just setting speed creates a shaper without a name that relates just to that interface and so does not show a graph.

Shapers/graphs are controlled by the graph name you give them - putting several firewall rules or interfaces all on the same named shaper/graph causes the traffic as a whole to be shaped. If you want, for example, several independent 2M speed lanes then each will need a different name.

Shaping principle (technical)

It works by a leaky bucket principle as follows:-

• Based on the current rate, and the packet size, the transmission time for each packet is calculated
• If the previous packet would not have finished transmitting based on its transmission time, then the new packet's time is added to its end of transmission time
• If the previous packet would have finished sending then the new packet's time is added to the current time
• If this new end of transmission time is more ahead of now than the maximum latency allowed, then the packet is dropped and a counter of dropped packets updated
• Otherwise the packet is sent/received, and the new time recorded so it can be the base time for the next packet

The current rate can be configured for tx(transit) and rx(receive). The latency limit is larger for small packets (<1000 bytes) than for smaller packets.

Where can shaping be applied

Shaping is applied based on a named graph. The graph name can be set on various aspects of the system. The shaping rates are then defined in the <shaper/> definitions in the configuration. The rate can also be set dynamically using RADIUS for L2TP traffic. When the configuration is loaded this sets all named shapers listed. Shaping can be applied:-

• To physical interface traffic, where the full length of the packet applies including Ethernet headers but not CRC.
• To L2TP tunnels or groups of tunnels, where the full length of the packet applies including Ethernet headers but not CRC.
• To L2TP sessions where shaping only applies to IPv4 and IPv6 traffic based on the length of the IP packet only.
• To PPPoE sessions where the PPP packet size is used.
• To Static routes used to bond gateways.

The packet length and inclusion rules used for shaping is also used for producing the CQM graphs of usage.

Interaction with bonding

Where there is bonding of multiple paths in use the shaper is essential in working out which link to use. Ensure the tx speed for each link is correct. The current packet sending time for each link is used to decide which link has the shortest queue in the network and should be used. The way this works means that if links are all set to a high rate (e.g. gigabit) then the packets typically round robin between links.

Damping

An aggregate shaper can be applied in some cases, for example L2TP. In this case the aggregate shaper can hit limits independently of shapers applied to each session. When this happens a damping factor is applied. This is increased every time the aggregate shaper has a second when packets are discarded, and decreases every second when it does not. The damper has a range of 0 to 255 which introduces a damping effect on the individual session shapers. It reduces the throughput of the individual sessions. The idea is that rather than the aggregate shaper limiting traffic it is limited by the individual sessions.

It is possible to mark each session as low, normal or high priority which affects at what damping level the reduction in speed is applied to that session.

Speed line on graphs

The graph shows a speed line for TX speed only. This is calculated on an hourly basis and the line is the highest speed limit applied for that hour. This can be useful for historical graphs.

Where a long term shaper is used, this is useful to show that some reduction in speed has been applied if it lasts longer than the hour.

Where a shared shaper is used this shows the share of the overall speed that this FireBrick has.

Long term shaping policing

Long term policing is designed to be used where burstable services are provided and need policing to protect against abuse.

To set long term, shaping you define a shaper and include the min, max and interval settings. The way the long term shaper works is to try and ensure the target speed (e.g. tx or rx setting) is not exceeded on a long term average, but otherwise allowing usage up to the max speed.

• Each second the average usage is considered, and if that exceeds the target speed then the shaper is bursting.
• Each second while bursting the average since the shaper started bursting is considered, and if that is still over the target speed then the shaper is still bursting.
• If the shaper has been bursting for more that the min-burst time specified then steps are taken to reduce the speed.
• If a step is defined then this is how much the rate can be reduced per hour. Otherwise the rate is picked to try and bring the usage back within the average within a second.
• If the reduction to compensate for bursting is below the min rate defined then the min rate is used.

Share shapers

Shared shapers allow a named shaper to be shared over several connected FireBricks. You define the Ethernet interface over which the FireBricks are connected (which can be a dedicated VLAN for example) in the cqm settings. You can also set a shared secret that must be the same on all FireBricks that are sharing.

Any shaper can then for set to have share="true" and it will be shared via that interface with other FireBricks. This involves adjustments ever second to ensure the defined speed is shared fairly between all of the FireBricks.

Sharers are shared by name. You should set the same speed on all FireBricks for the same named shared shaper.