 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall-dev Mailing List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  captive portal and shaping with pf and ALTQ
 Date:  Fri, 28 Oct 2005 00:05:36 -0400
Got some feedback on this from the pfsense devs (thanks Scott and Bill)

__Captive Portal__
On captive portal, Scott says "the only problem was I didn't want to
dive into the C code to extract the last time a captive portal rule
time was hit, etc.".

It was basically a "we have better things to worry about right now"
kind of thing.  Switching that to pf is planned for pfsense 1.1.

So that isn't a huge deal.

The shaping is a big deal.  It's a combination of a GUI issue and
limitations in pf.  You have to apply shaping to firewall rules, and
when you separate shaping and firewall rules into two screens, you now
have two screens with firewall rules that could conflict with each
other.  It wouldn't be a big deal if you integrated firewall rules
with shaping, but that'd get confusing very quickly for most users. 
Bill says the ideal solution would be the ability to use 'altq' on a
rule rather than 'pass' or 'block', etc.  No idea if that's in the

Another issue has been that you can only apply it in one direction per

There are other issues, but that's the gist of it.  In pfsense 1.0,
shaping between only two interfaces will be supported (LAN/WAN only,
or OPT/WAN only, etc.).  The ability to add custom queues will be
eliminated due to issues it currently causes, due to the split between
the firewall and shaping GUI.

There are fixes to these things, but it's a lot of work, and Bill, who
has written most all of this, is in the process of moving.  So for the
sake of finding an end somewhere and getting pfsense 1.0 out the door,
the shaping won't be as flexible as it could be, and eventually will
be, as of 1.0 release.

I'm probably missing some details; dig into the pfsense shaping code
if you're interested in all the details.