Netgate Discussion Forum
    Aliases and limiters

    Category: Traffic Shaping
    7 Posts, 2 Posters, 1.1k Views
    • someusername

      Hi everyone!

      Case:
      I have a host on the network with 5 IPs. I want to limit that host to a maximum of 50mbit up/down. Regardless of how many megabits each IP on the host is consuming, the total should not exceed 50mbit in each direction.

      Would this solution work:

      1. Create Alias with the 5 IPs.
      2. Create a limiter named 50mbit_up with a limit of 50mbit and mask the source address, 32 bits
      3. Create a limiter named 50mbit_down with a limit of 50mbit and mask the destination address, 32 bits.
      4. Create a new firewall rule on the LAN interface, Action: Pass, IPv4, Protocol: Any, Source address: the created earlier alias. In the advanced section set the limiters: 50mbit_up on "in" and 50mbit_down on "out".
      5. Apply the rule and reset the states of the associated IPs.

      Would the above work? If not, what should I change?

      • SteveITS @someusername

        @someusername If you have a mask, it will create the limit per IP. I think you want that setup but without the mask applied. See https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html#creating-limiters
        "When [mask is] set to none, the limiter does not perform any masking. The pipe bandwidth will be applied to all traffic as a whole."

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        • someusername @SteveITS

          @steveits Thank you so much! It works nicely!

          • someusername @SteveITS

            @steveits
            Hi again!

            I ran into a slight problem. My environment is fully open. The firewall basically denies/filters some traffic, mostly to itself, for security purposes. Then on the WAN interface I have an allow-everything rule with destination "VLANxxx net" (the hosts' network). VLANxxx has a rule allowing everything everywhere. No NAT is used. All IPs are public.

            From my experiments, the rule in my first post works for connections/traffic initiated from the targeted host.

            But if the connection is initiated from a 3rd party the rule does not come into effect. For example if I initiate a file copy from my pc, which is on another network in another location.
            If I run on my pc "scp username@hostIP:/FileName /home/" I effectively initiate a file transfer which is Upload for the host and download for me. If I reverse the command I initiate Download for the host and upload for me.

            The solution I found is to create two rules. I have only two limiters in order to control the total download and upload of the host/alias (multiple IPs). This time I went with floating rules.
            They look like this:

            Rule: Floating, match
            Interfaces: VLANxxx
            Direction: in
            Source: Testy1 (alias with one IP currently)
            Destination: any
            In pipe: Upload-Testy1 (Upload)
            Out Pipe: Download-Testy1 (Download)
            Limiters mask: none

            Rule: Floating, match
            Interfaces: WAN
            Direction: in
            Source: any
            Destination: Testy1
            In pipe: Download-Testy1 (Download)
            Out Pipe: Upload-Testy1 (Upload)
            Limiters mask: none

            My rudimentary testing shows that this works. I haven't tested yet with realistic workload.

            1. Can this be done in a more elegant way, possibly with a single rule? - not really important, I am simply curious

            2. Is there something that I can do to improve the above rules? Or, is there something that looks wrong?

            • SteveITS @someusername

              @someusername It can depend on which side initiates the transaction because the initial state matches (or doesn't match) the rule and then the reply is against the same state. So both directions may be needed. I've found it helpful to review Diagnostics/States and search by IP when trying to set up limiters/shaping and things aren't working as expected.


              • someusername @SteveITS
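              The state check Steve recommends above, as an added example that is not part of the thread and not pfSense code: a small Python script that takes the text `pfctl -ss` prints on the pfSense shell (Diagnostics > States shows the same table), filters it by the IPs of a limiter alias, and reports which states the host itself initiated and which a remote peer initiated. Because the replies of a state follow the rule that created it, an alias IP whose states are all remote-initiated tells you a rule matching only host-initiated traffic will never shape those transfers. The sample state lines, the interface names vlan0.100 and igb0 and all addresses in them are constructed for this example; only the two-endpoint IPv4 form (no NAT, which matches the poster's setup) is parsed, and anything else is reported as skipped.

```python
"""Group pf state-table lines by the IPs of a limiter alias.

Added example, not code from the thread or from pfSense. It parses the
line shape FreeBSD/pfSense `pfctl -ss` prints for non-NAT IPv4 states:

    <if> <proto> <src>:<port> -> <dst>:<port>  <state>   (created outbound)
    <if> <proto> <dst>:<port> <- <src>:<port>  <state>   (created inbound)

Usage on the firewall:  pfctl -ss | python3 states.py 203.0.113.10 203.0.113.11
Run with no stdin and no arguments it uses the constructed sample below.
"""
import ipaddress
import re
import sys

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Ports are optional because ICMP states carry an id rather than a port.
STATE_RE = re.compile(
    rf"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    rf"(?P<left>{_IP})(?::\d+)?\s+(?P<arrow>->|<-)\s+"
    rf"(?P<right>{_IP})(?::\d+)?\s+(?P<state>\S+)\s*$"
)

# Constructed sample, not real output. Alias "Testy1" (from the thread) is
# assumed to hold 203.0.113.10 and .11; the last line is a NAT-style state
# with two arrows, which this script deliberately does not parse.
SAMPLE_STATES = """\
vlan0.100 tcp 203.0.113.10:22 <- 198.51.100.7:51514       ESTABLISHED:ESTABLISHED
vlan0.100 tcp 203.0.113.11:41000 -> 198.51.100.7:22       ESTABLISHED:ESTABLISHED
vlan0.100 udp 203.0.113.10:53 <- 198.51.100.9:3300       SINGLE:MULTIPLE
igb0 tcp 192.0.2.5:443 <- 198.51.100.7:51500       ESTABLISHED:ESTABLISHED
vlan0.100 icmp 203.0.113.12:8 -> 198.51.100.7:8       0:0
igb0 tcp 192.0.2.5:80 <- 203.0.113.99:80 <- 198.51.100.7:1234       ESTABLISHED:ESTABLISHED
"""
ALIAS_TESTY1 = ["203.0.113.10", "203.0.113.11"]


def parse_state(line):
    """Return (ifname, proto, src_ip, dst_ip, state), or None if the line is another shape."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m["arrow"] == "->":      # created by an outbound packet: pfctl prints src -> dst
        src, dst = m["left"], m["right"]
    else:                       # created by an inbound packet: pfctl prints dst <- src
        dst, src = m["left"], m["right"]
    return m["ifname"], m["proto"], src, dst, m["state"]


def states_for_alias(lines, alias_ips):
    """Map each alias IP to its states, split by whether the host or a remote peer opened them."""
    alias = {str(ipaddress.ip_address(ip)) for ip in alias_ips}  # validates and normalises
    report = {ip: {"host_initiated": [], "remote_initiated": []}
              for ip in sorted(alias, key=ipaddress.ip_address)}
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_state(line)
        if parsed is None:
            unparsed.append(line.rstrip())
            continue
        ifname, proto, src, dst, state = parsed
        entry = f"{ifname} {proto} {src} -> {dst} {state}"
        if src in alias:
            report[src]["host_initiated"].append(entry)
        if dst in alias:
            report[dst]["remote_initiated"].append(entry)
    return report, unparsed


def main(argv):
    alias_ips = argv[1:] or ALIAS_TESTY1
    if sys.stdin.isatty():
        lines = SAMPLE_STATES.splitlines()
    else:
        lines = sys.stdin.read().splitlines()
    report, unparsed = states_for_alias(lines, alias_ips)
    for ip, buckets in report.items():
        print(ip)
        for kind, entries in buckets.items():
            print(f"  {kind}: {len(entries)}")
            for entry in entries:
                print(f"    {entry}")
    if unparsed:
        print(f"{len(unparsed)} line(s) not in the two-endpoint IPv4 form were skipped")


if __name__ == "__main__":
    main(sys.argv)
```

              With the sample data, 203.0.113.10 shows two remote-initiated states (the scp-style pull on port 22 and a DNS query) and no host-initiated ones, which is exactly the case where a rule matching only traffic sourced from the alias never fires; 203.0.113.11 shows the opposite. Run it against a live table after changing a limiter rule and you can also see whether old states survived the rule change, which is why Steve advises killing them before testing.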

                @steveits thank you,

                From my testing, if I establish a connection with the rules disabled and enable the rules, the existing connection is not affected. If I establish connection with the rules enabled and disable it during file transfer, the transfer remains limited. This seems like an expected behavior.

                I tried the two limiters on a host with two IPs - I created an alias for them. Both rules are "quick" if that matters, the rest is like I wrote in my previous post. I do not have access to the host so I do not know what kind of traffic it has and how it generates it. I am monitoring the limited host on cacti in real time.

                The host had traffic of about 18mbps in each direction. Once I applied the two rules with limiters at 18mbps, the traffic dropped to about 2mbps, then went up for a bit and dropped to a maximum of 2mbps for several minutes and did not go up. I disabled the two rules afterwards.

                Do you have any idea what may cause this? Should I enable the rules and kill the states of the IPs affected? Or just power-cycle the switch port?

                • SteveITS @someusername

                  @someusername said in Aliases and limiters:

                  Should I enable the rules and kill the states of the IPs affected?

                  The existing state is going to take precedence over the new rule so yes, kill the state and/or end the transfer when testing changes or any firewall rule.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.