Technically, m0n0 can do what you need. You will need three interfaces,
WAN, LAN, and OPT1, and bridge the WAN and OPT1 together. To allow
everything to pass, just create your own rule that allows anything to
pass - no problem. Take note that when configuring shaping on a bridge
in m0n0wall, you can only shape the inbound traffic on each interface.
m0n0wall uses FreeBSD's dummynet and ipfw for shaping, and it works
really well. I took a m0n0wall, and set it up as a shaping bridge, and
took it to one of my sites where I had many users beating the heck out
of a 2xT1 link. Essentially, I classified traffic into 4 queues:
VoIP Test traffic
Traffic destined for main office (VPN, etc.)
I placed the m0n0wall between the Cisco router and the core switch.
There was an immediate improvement in VPN responsiveness and my network
monitor (located at the main office) went from having some ping times of
more than 1000ms to all less than 150ms. SSH sessions from the main
office showed a huge improvement. I thought everything was good to go
until we started running VoIP tests. I couldn't get much improvement on
the MOS scores. I even set up a dedicated 400kbit pipe for VoIP to use,
and that helped a little, but not enough.
My hunch is that the problem is due to either the WFQ scheduler, UDP
VoIP not having a backoff algorithm, or the fact that I can only shape
on inbound packets (or a combo of all 3). I am going to set up an
OpenBSD box using pf and ALTQ to see if I can get better results. If I
hadn't had a VoIP requirement, that box would have become a permanent
Anyways, to answer your question, m0n0wall should be able to do what you
want, and do it well -- especially if your critical interactive traffic
is TCP based. I recommend you set it up, configure bridging, then turn
on the Magic Shaper Wizard to get you started. If you want, I can send
you the config.xml from the site I mentioned above.
>I don't understand mailing lists, If I'm doing this wrong feel free to
>Someone suggested I explore monowall for a need I have. After reading and
>trying for a while I'd like to make sure m0n0wall will eventually do what I
>want before investing too much more time --
>I want a transparent bridge that passes all traffic. Within the bridge I
>want to identify "bulk" traffic streams and lower their priority so they
>don't hinder interactive streams. However, when interactive loads are
>light, I want bulk traffic to get all the leftover bandwidth. To be
>effective it needs to *quickly* (~ 1 second) throttle bulk connections when
>interactive connections show up. Otherwise users will feel the system being
>sluggish. Ideally I'd carve out a small protected minimum amount of
>bandwidth so the connections don't die outright when the system has heavy
>There is a documentation topic I found:
>"Configure a filtered bridge"
>which sorta suggests it might work. Issues I see are:
>1) My WRAP board has 3 Ethernet jacks, but m0n0wall only shows LAN and WAN
>on the GUI. Could this be done with a 2 port board, or is there a way to
>get monowall to see the 3rd port?
>2) The filter rules shown seem to assume everything not allowed is blocked.
>I want everything to pass, albeit some things slowly.
>3) Does m0n0wall have a way to detect "bulk" traffic? Possible approaches
>are connections that have moved more than X bytes, or connections that have
>averaged > Xbps over the last Y seconds. Possibly others?
>Am I on a rabbit trail, or can m0n0wall help me?
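Added example, not taken from either post or from the m0n0wall project: an ipfw/dummynet ruleset of the kind a shaping bridge like the one described above ends up running (WAN and OPT1 bridged, a "pass everything" rule, four classes, and a dedicated 400 kbit pipe for VoIP). The script only generates the ruleset unless told to apply it, so it can be read and checked on any machine. Interface names (sis0/sis2), the link rate, the queue weights, the port lists and the main-office prefix are all assumptions to be replaced with site values. Two points the script encodes: on FreeBSD 4.x the bridge hands each packet to ipfw once, on the receiving interface (once net.link.ether.bridge_ipfw is enabled, which m0n0wall does for you), which is why every class is matched with "in via" and why each direction needs its own root pipe; and a dummynet pipe is a bandwidth limit while queues are WFQ shares of a pipe, so the bulk queue's low weight only bites when the other queues have something to send and bulk otherwise gets the leftover.

```shell
#!/bin/sh
# Added example (not from the original posts or from m0n0wall): ipfw/dummynet
# ruleset for a transparent shaping bridge. All names, rates, weights, ports
# and prefixes below are assumptions; adjust them to the site.
set -eu

WAN=${WAN:-sis0}               # assumed: NIC facing the Cisco router
OPT1=${OPT1:-sis2}             # assumed: NIC facing the core switch
LINK_KBIT=${LINK_KBIT:-2900}   # assumed: a little under 2xT1 (3088 kbit/s) so
                               # queues build here, not in the router
VOIP_KBIT=${VOIP_KBIT:-400}    # dedicated VoIP pipe, as in the reply
MAIN_OFFICE=${MAIN_OFFICE:-10.1.0.0/16}   # assumed: network behind the VPN

# One direction of the bridge: packets arriving on interface $1 (bridged
# packets are seen by ipfw only on input, hence "in via").
#   $2 root pipe no.   $3 VoIP pipe no.   $4 first queue no.
#   $5 first rule no.  $6 ipfw address match for main-office traffic
emit_direction() {
  ifc=$1 root=$2 voip=$3 q=$4 r=$5 office=$6
  cat <<EOF
# ---- packets arriving on $ifc ----
pipe $root config bw ${LINK_KBIT}Kbit/s
pipe $voip config bw ${VOIP_KBIT}Kbit/s queue 5
queue $q config pipe $root weight 60
queue $((q+1)) config pipe $root weight 30
queue $((q+2)) config pipe $root weight 1 mask src-ip 0xffffffff dst-ip 0xffffffff
add $r pipe $voip udp from any to any 5060,10000-20000 in via $ifc
add $((r+10)) queue $q ip $office in via $ifc
add $((r+20)) queue $((q+1)) tcp from any to any 22,23,3389,5900 in via $ifc
add $((r+30)) queue $((q+2)) ip from any to any in via $ifc
EOF
}

# Whole ruleset, in the "one command per line" form ipfw accepts from a file.
# Queue numbering: 10-12 = WAN side, 20-22 = OPT1 side.
build_ruleset() {
  emit_direction "$WAN"  1 2 10 1000 "from $MAIN_OFFICE to any"
  emit_direction "$OPT1" 3 4 20 2000 "from any to $MAIN_OFFICE"
  echo '# everything is allowed; only the rate differs per class'
  echo 'add 65000 allow ip from any to any'
}

# Load the ruleset on a FreeBSD box. Flushing pipes first means stale
# bandwidth settings from an earlier run cannot survive.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  build_ruleset > "$tmp"
  ipfw -q -f flush
  ipfw -q pipe flush
  ipfw -q queue flush
  ipfw -q "$tmp"
  rm -f "$tmp"
}

case ${1:-print} in
  apply) apply_ruleset ;;
  *)     build_ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review, or with `apply` on the FreeBSD box. The VoIP pipe is configured with only 5 queue slots so that, when VoIP packets do back up, the delay they see stays small rather than growing to the default 50-slot buffer; the bulk queue carries a per-flow mask so that a single large download is scheduled fairly against other bulk flows instead of taking the whole class. For the "bulk" detection the original question asks about, note that ipfw classifies on header fields only, so bulk here means "not VoIP, not main-office, not on an interactive port"; nothing in this ruleset measures bytes moved or rate over time.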