I am thinking about using the following :

table <wan1loggedusers>{ } table <wan2loggedusers>{ } ... As much as there are wans table <wannloggedusers>{ } pass in on <laninterface>from <wan1loggedusers>to any route-to { <wan1interface><wan1gateway>} keep state pass in on <laninterface>from <wan2loggedusers>to any route-to { <wan2interface><wan2gateway>} keep state ... As much as there are wans pass in on <laninterface>from <wannloggedusers>to any route-to { <wanninterface><wanngateway>} keep state</wanngateway></wanninterface></wannloggedusers></laninterface></wan2gateway></wan2interface></wan2loggedusers></laninterface></wan1gateway></wan1interface></wan1loggedusers></laninterface></wannloggedusers></wan2loggedusers></wan1loggedusers> does pf accept a table as "from" parameter ?

The idea is to have a combobox in the captive portal with the following options :
Choose for me
Wan1 - <wan service="" provider="" name="" and="" bandwidth="">Wan2 - <wan service="" provider="" name="" and="" bandwidth="">… as much as there are wans
WanN - <wan service="" provider="" name="" and="" bandwidth="">Then two things can happen :
if the user selects "Choose for me" the captive portal code selects one based on current number of users and the weight associated to this wan.
if the user selects a specific wan he his routed to the wan he selected.

the wan information will be another section in the xml config file and the current wan number of users is stored in a temporary file in the ram disk or the harddisk...

What you think about this ?

I had to print and read the whole pf faq and study some other literature to come up with this solution.

Edit : I have almost ready code (a pascal test-drive code) to check if this can work.
the code is able to :

Add an loggin user to the pf tables of an wan (binding his traffic to a WAN) Give to the user an ammount of bandwidth in this WAN (dinamic) based on a table (If the wan is overloaded, split bandwidth evenly between users) [This uses dummynet, so, i dont know if works on pfsense]

if this code works (Can be compiled to freebsd) we can do two things : Convert it to PHP or use it as is.

the code will be released under the same licence as pfSense (Whatever this means).

Edit2:
The code compiles and works, the binary uses the following parameters

routemein <userlogin>-login <wan>to log an user into a wan

routemein <userlogin>-logout

to logout an user from a wan

the following files are needed :

/tmp/routemein/users.table
format :
<id><active><login><ratedown><rateup><currentwan><ip>/tmp/routemein/wans.table
format :
<device><alias><ratedown><rateup><weight>in those files any line starting with a # followed by space will be discarded as comment

theres auxiliary files, /tmp/routemein/lock wich prevents two instances from colliding (needs a more complex lock mechanism, i will pursue it later), and the file /tmp/routemein/current-users.<device>.table (one for each wan) that is used to store info about the users bound to wich wan.

im trying now to allow the dummynet feature to be disable (leaving only the pf code) or vice-versa (only the dummynet code). I think this will allow this thing to run on both pfsense and monowall. But i dont know if the dev´s really thinks my code is usefull…</device></weight></rateup></ratedown></alias></device></ip></currentwan></rateup></ratedown></login></active></id></userlogin></wan></userlogin></wan></wan></wan>

@doush:

I dont know about pf but in m0n0 there is an option which u can set  a UL and DL rate for all the users in the CP. But everyone gets the same band (it also has problems about unsymetrical bandwidth asignements like 150 DL 128 UL, systems halts after a period of time and GUI doesnt respond ).

So basically pf team is not considering anything like it ? (we are using DHCP so not possbile to queue per IP)

If not, is there any freeradius server GUI where you can assign band per user from the GUI ?

Thanks

What version of m0n0 is that? I switch to PF because I found that it was easy to limit bandwidth on the wifi segment. If I can do that on m0n0wall, i'd love to know where but I've searched and never seen it.

Josh

EDIT found it. thnx

I have that issue to, seems like a widespread issue for the Beta release for 1.2-BETA-1.  But after copying those files works great :).  Thanks.

If you have encryption setup, I would guess it isn't decrypting right, that is where I would start.

I just installed todays snapshot May-25-2007 and i see that CP is broken:

File manager does not upload images (I placed images mannualy to CP main dir and they work ==> something wrong with upload procedure) Redirect page does not redirect for some reason

Thats it for now, I hope this gonna be fixed soon

UPDATE [May 29]: All fine on todays snap, also curently installed 1.2beta and all good there

there is no change to the code. I just manually put

<radiussession_timeout>1</radiussession_timeout>

under <captiveportal>in /cf/conf/conf.xml.

in m0n0wall there is a option (checkbox) in captive portal configuration. Not remember the exact word, but it something like 'use session_timeout returned by radius'. The checkbox option was taken out in pfsense last time coz the feature not working.

hope this help..</captiveportal>

Yes it is just for local users

Make sure you are using the latest snapshot, there has been some changes to CP when using multiwans.

his scripts are for a freeradius version that uses a mysql database
the pfsense freeradius version uses files for its user database
and the pfsense php don't have mysql suport

thats is why you get those errors

It's possible but was not a design goal for 1.2.

I am running pfSense as a multi WAN load balacing router with no firewall or any other feature.
Will this speed limiting per IP address work in this situation?

Just a note.  I had to run decent hardware to keep up with the stress of load balancing:
Athlon XP 2400+
512 MB DDR 333Mhz
4 x 100MBit NICs
40GB HD (just cus)

You using 1.2b1? If not, try it.

thanks bro

U need to email Jonathan DeGruve or Lee Sharp (Sorry is name spelled incorectly)
Just use the mono-dev list
I spoke to them before but they told me that DNS can be spoofed hacked etc, there fore it is not secure :-(

I like DNS for radius though

some domains like google, paypal, microsoft, yahoo (well big once) have more then 1 IP so u have to add them all in. For me ist big problem espesially pay pal with pool of 20 IPs that pereodicaly changing

Is there a reason you set the leases to only be two hours?  I would make them 8 at least, and just increase the number of addresses, that should solve your problem

the default lease is two hours, but if i make it to 8 hours wouldn't it still be a problem if it's caused by the dhcp server lease ?

Hi,

Didn't you set the HTTPS Captive portal page ? In this case, the URL is https://10.0.1.1:8001 and not 8000.

Just in case.

I think I spoke too soon.  In doing some testing again today, I have found that my mods build the lighttpd files correctly but the redirect no longer works, which is the same behavior I saw before.  Infinitely frustrating.  Back to the code I guess.