
Force Pandora Traffic out of a specific interface with pfsense

Posted by Michael on August 12, 2010 – 7:19 pm

Something that has started using TONS of our bandwidth at work is online radio. Currently the most popular service on our network is Pandora. It accounts for nearly 1/3 of the daily traffic we pull as a company through our squid proxy server.

A little bit about us:

Our company currently has about 100 employees, and only 12 people are using online radio; of those 12, only 2 are not using Pandora. Their traffic accounts for 1/3 of all the traffic we have. That is a lot of resources for such a small group of people to be using on something that, one could argue, has nothing to do with work. Our offices are also not all in one place. These people are spread across Texas in Dallas, San Antonio, and Houston. San Antonio is the central location and is where our IT operations take place. The way our network is designed, all locations come to San Antonio, where we filter the content and pass it back along to them. Our Houston office is in a building where we could not get fiber, so we have to deal with T-1 lines for connectivity. Our Dallas office is connected to us with a 4M direct connection. Each location also has its own local internet connection so that, if the main link fails, they can VPN into San Antonio and keep working.

The problem as I see it

This setup can cause one hell of a problem if everyone who works in Houston decides it's time to listen to online radio. That office currently has close to 20 people in it, and if each of them opens Pandora we do not have the bandwidth to give them the radio and the applications from the app servers located in San Antonio. I doubt that will ever happen, but if even half of them decide to, it is a lot of traffic all of a sudden. Dallas causes less of a problem because that office only has 10 or 12 people and we have plenty of bandwidth to serve them with apps and music, but not in high quality, and apps over the network may get a bit slow if one of us in IT needs to log on to a Dallas desktop to support them. In the past we had a no-online-radio policy that was only enforced if things got slow and people complained. We would look through the logs, figure out who was causing it, and call them and tell them to stop. Now we are trying to find ways to work with the users to allow them access to this service. The main reason is that radios do not always get good reception in buildings, and let's face it, when people have more freedom they tend to be happier, so one could conclude more productive. Some people even pay for the Pandora service (I know this isn't our problem), so they want to use it as often as possible, and I don't blame them. Pandora is pretty awesome. I use it myself.

Our solution

At least for now, our solution is to force all Pandora traffic out each location's local internet connection. Since those connections just sit there doing nothing all day, why not use them? We had already put a wireless router in each location that is hooked to the local internet and is not part of our network. This worked great for folks who had laptops and wanted to bring them in and surf during lunch without being blocked by our squid server. I got to thinking: why not force all the online radio from our network out of these unused connections too? So we tried it, and it seems to be working great.

How we did it

Since we have a pfSense firewall in place at all of our locations, making this happen was a snap. After finding Pandora's netblock, I went in and added a few quick rules. First, we already have a rule in place so that only the proxy server can reach the internet on the HTTP and HTTPS ports. This makes sure our users can't bypass the proxy by turning off the proxy settings in the browser. Next I had to make a rule so that traffic heading to Pandora goes out the local internet connection instead of over the network and out our central gateway, but I also needed to condition it so that only the squid server is allowed to use that path. This way we can still keep tabs on who is using it and how much they use it. From the user's side nothing changed at all: they still log into squid and go to the web site. It's just that now, when they do, we force the traffic out of a mostly unused connection and lower the traffic on our network. It did mean adding a squid server in each location, since our primary squid was only in San Antonio and the traffic would otherwise still have to cross the WAN to reach it, but this will also be a good testing ground for forcing all internet traffic out each location's local pipe.
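To make the rule set concrete, here is what the two pfSense rules described above look like as native pf rules. This is an added example and not the author's configuration; the interface names, the squid address, the ISP gateway and the Pandora range are all placeholders (the 198.51.100.0/24 block is a documentation range standing in for whatever whois returns for Pandora today).

```pf
# Added example: pf rules equivalent to the two pfSense rules described above.
# Every interface name and address below is a placeholder assumption.
lan_if    = "em0"            # office LAN, where the local squid box lives
local_wan = "em2"            # the otherwise idle local internet connection
local_gw  = "203.0.113.1"    # local ISP gateway (placeholder)
squid     = "192.168.10.5"   # local squid server (placeholder)

# Pandora's netblock. Documentation range used as a stand-in; look the real
# one up and expect to re-check it, since the block can change over time.
table <pandora> const { 198.51.100.0/24 }

# Translation rules come before filter rules in pf.conf. Source-NAT the
# policy-routed sessions so replies come back in over the local internet.
nat on $local_wan inet from $squid to <pandora> -> ($local_wan)

# 1. Only the proxy may speak HTTP/HTTPS. Anyone else on the LAN who turns
#    off the browser proxy setting gets a RST instead of a connection.
block return in quick on $lan_if inet proto tcp from ! $squid to any port { 80, 443 }

# 2. Squid -> Pandora: route-to overrides the default route and pushes the
#    session out the local internet. Must sit above the catch-all in rule 3,
#    because "quick" stops evaluation at the first match.
pass in quick on $lan_if inet proto tcp from $squid to <pandora> port { 80, 443 } \
    route-to ($local_wan $local_gw) keep state

# 3. Everything else squid fetches still follows the default route over the
#    private WAN to San Antonio and out the central gateway.
pass in quick on $lan_if inet proto tcp from $squid to any port { 80, 443 } keep state
```

In the pfSense web GUI the same thing is a LAN firewall rule with source set to the squid host, destination set to an alias holding Pandora's netblock, ports 80 and 443, and the Gateway option under Advanced set to the local WAN gateway, placed above the general proxy rule; outbound NAT on the local WAN interface has to cover the squid host as well. Two things worth checking after saving: rule order with `pfctl -sr` (the route-to rule must appear before the catch-all), and that existing states were reset, since route-to only takes effect for new sessions. A `traceroute` from the squid box to an address in the block should then exit through the local ISP rather than San Antonio.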

Filed under "Systems Administration".