I’d like to have a shaper for a fiber 1 gigabit symetric connection and my omnia can’t handle that much shaping throughput.
To preserve resources from the omnia for managing the wan side (honeypot/firewall and such) and to operate smoothly, I’d like to delegate the shaping to a Pi4 running openwrt.
Would it be a better strategy to have the Pi on the WAN or the LAN side ? I’m thinking of a transparent router that would just shape and maybe do some packet inspection/IDS.
In order to do packet shaping your Pi has to be a router and then when you put Omnia behind it you would have double nat. Unless you do all WAN and routing on RPi and configure Omnia as second AP. But then you loose honeypots and dynamic firewall/ids.
So its one or another. You cannot set up just packet shaping on RPi. Transparent router is not a router anymore its a switch/bridge. Unless you do really advanced routing on layer 3 switch.
That is not fully correct. You can put a Pi4B behind your omnia, but then only devices behind that Pi4B will actually experience the shaping. And if there is traffic coning from the omnia itself or from other devices connected to the omnia (either by LAN port or WiFi) this will not be seen by the traffic shaper at all (which can defeat the whole purpose of traffic shaping to control latency-under-load).
But for symmetric 1Gbps you will need to attach a second gigabit ethernet adapter to the pi, e.g. a TP-Link UE300 USB3 ethernet dongle or maybe using the dfrobot router board to get two ethernet ports…
Yes, in my testing, with bidirectionally saturating loads I only could get reliable shaping up to around 500/500 Mbps. Pretty impressive for a dual core arm A9, but certainly a far cry from bidirectionally saturating a 1Gbps link. That said, I saw reports of an omnia (not burdened with other CPU hungry stuff like pakon) allowing unidirectional 1 Gbps shaping.
@AreYouLoco I understand that constraint hence the hesitation in between the LAN and WAN side. @moeller0 Thanks for developing the LAN side idea, that’s the one I am leaning towards at the moment, with an extra eth adapter. I think I will then apply some QOS rules to give the shaped traffic a strong priority.
I will receive the hardware in the following days and update on my achievements.