Bandwidth Shaping Using Squid Cache and WIPFW

It’s been a few times I’m trying to find free proxy server and firewall for windows server on my office, but I haven’t found any luck until 3 days ago.

I have been stressed by colleagues that running bittorrent download or downloading big files using download manager in the office hours. Both torrent and download manager sucks all the bandwidth and causing other user nearly can’t even browse the web.

What I want at first is the ability to cap the bandwidth for specific IP on the network. I want to cap the bandwidth for torrent and heavy downloader to as low as possible until they suffer because of the very slow connection (hell yeah, I want a revenge).

I found a good software on the internet called Bandwidth Controller. It does what I want to, but for using it I must pay hundreds of dollars, which I guess the company will not want to spend some money for expensive software. They have the free version but it has limitations that make it useless on my office network. So I just uninstall it.

Many people already know about Squid Cache, it is the best open source proxy server. I know about Squid but the problem is my server is using Windows 2003 and Squid as far as I know only run on Linux. Later I found out that Guido Serassio of Acme Consulting S.r.l. already ported Squid to Windows version called SquidNT.

So I download and install SquidNT on the server, configure the delay pool for bandwidth shaping and test it. SquidNT works like charm. The bandwidth shaping does work, although the bandwidth shaping is applied for the whole network. I don’t know yet about how to set the delay pool for each IP connection automatically. But for the time being the default delay pool configuration is suffice.

For guide on SquidNT installation please see my post: Installing Squid Cache for Windows

Next thing I must do is force all users to browse the internet through the proxy server. At first I want to setup a transparent proxy, so users doesn’t need to setup proxy configuration on their browser.

For setting up a transparent proxy, I need to forward all request to port 80 (http) to the port that Squid proxy server use. To do this I use WIPFW firewall which is a port from FreeBSD IPFW firewall. I got the information about WIPFW from my university administrator, Haryo. I applied the rules he gave me for port forwarding:

add fwd,<squid port> tcp from any to any 80 in
add allow tcp from to any <squid port> in via eth4

Note: eth4 is the NIC for local LAN on my office.

I applied it on WIPFW, but it seems that it doesn’t work. Users still connected directly to the internet and not via proxy server. So the easy solution is to ask all users to setup the proxy server configuration on their browser. The problem is how to force them to use it? They still can browse the internet without the proxy server any way. Telling them that the proxy server will help to speedy the internet browsing experience doesn’t interest them.

In that case I need to force the user to setup the proxy server on their browser or they can’t browser the internet. It easy, just block all request to port 80 and open connection to proxy server’s port. Nice dirty trick that work!

Note: for guide on installing WIPFW please see my post: WIPFW Free Firewall For Windows

The solution I write above actually not what I really want, as I can’t cap the bandwidth for torrent connection. But if a user start torrenting and use all the bandwidth, I’ll just block him using WIPFW so he can’t even connected to the internet.


9 thoughts on “Bandwidth Shaping Using Squid Cache and WIPFW”

  1. Hi Markus.
    I’d like to make a trivial port forwarding (i.e. @IP_1:port_1 to @IP_2:port_2) with WIPFW command line, on Windows XP. I suppose we can do that using the “fwd” action, as you mentioned in your article, do we can ?
    Problem : I don’t find any WIPFW official documentation concerning the “fwd” action. Could you please tell me more ?
    Thanks in advance.

  2. Hello Markus,
    I don’t know if you could install a new pc as your gateway or if you have only windows you could use vmware server witch is free and install a linux distro called ClarkConnect. You will be amazed with what you could do with it. It has a very easy web configuration and it will solve any problems regarding firewalling your internet connection, blocking p2p traffic or traffic shaping per ip and port, content filtering even mail-ftp-smb-vpn services with ldap backend. I think it has all the solutions for all the things you mentioned above and it will give you full control on your internet connection.
    There is a free Community edition that does all the above. If you know a little bit of linux you
    can do a lot lot more!!!

  3. Markus,
    I got an idea for you.. may be a little cheaper than using a virtual server.

    consider these:
    computer#1 : SRVR
    computer#2 : GW (your internet gateway)
    and the rest of your LAN computers

    Now here are the key steps to follow..

    1- your LAN users must be obtaining their IP’s through a DHCP server (google some free ones) and set it up on your SRVR.

    2- Add another IP address for your Windows machine
    make sure that you separate the subnets (e.g. and so that your WHOLE LAN pc’s are on one subnet, and your GW is on the other.
    Say, is for your GW and is for other LAN computers.
    hint: you can use this address _WITH_ as your SRVR address, and as your GW address
    (you need to access your GW to set it up with the new IP’s)

    3- For the DHCP server settings on your SRVR, you’ll only be concerned about these: (IP configuration given to clients)
    IP range: to (gives you 99 hosts that can use your LAN)
    gateway: your squid address (that is SRVR) not your GW.

    4- Turn off the DHCP server of your GW, so you can avoid race between two DHCPs.

    5- Make sure your GW does not have any other IP’s on the LAN.

    6- Configure your squid for allowed_ports and our_networks — Don’t forget to add all used networks above (you’re the man, thx for your other post of Squid config ;) )

    By now, your SRVR can ping both: the GW and LAN computers…

    Once the older DHCP leases expire (from the GW’s DHCP), your Windows DHCP server will now start acting!
    Hence, they’ll be given your squid address as the gateway address.

    If it doesn’t work, maybe you need to add a DNS to the DHCP server configuration. — I am not sure of that yet..
    Please tell me if it works for you!

    This won’t be really effective for some tough guy sniffing LAN traffic, he might bypass your squid by using static IP on the network.
    So you need to create firewall rules on your GW.. long story, I know !

  4. you’re welcome!
    try these directives on your squid:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl lan src
    http_access allow localhost
    http_access allow lan


    * httpd_accel_host virtual: Squid as an httpd accelerator
    * httpd_accel_port 80: 80 is port you want to act as a proxy
    * httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
    * httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
    * acl lan src Access control list, only allow LAN computers to use squid
    * http_access allow localhost: Squid access to LAN and localhost ACL only
    * http_access allow lan: — same as above —

    Eth0: IP:
    Eth1: IP: (

    Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.

    In addition to your WIPFW configuration.. this transparent config may help!

  5. I dunno if your still having the issue, or for the benefit of others who land here via a search like I did, try using a firewall like pfSense:

    Not only does pfSense offer Squid for proxy/caching, but it’s also a full blown firewall where you can easily control not only traffic from a purely on/off perspective, but also do bandwidth shaping/Quality of Service (QOS) so you can prioritize your email, web and other business traffic above all others. Also essential if you are using VOIP. The software is free, and any old computer will work for up to 10 or 20 Mbs – which is more than enough for most smaller business internet connections. SuperMicro makes some great Atom 1U servers that are routinely on sale at for under $300 that make perfect pfSense routers.

    If you mainly want to control the bandwith and don’t really care as much about conserving bandwidth with the caching that squid can do, a nice integrated solution are the RouterBoard series routers from Mikrotik.

    Good luck!

Leave a Reply

Your email address will not be published. Required fields are marked *