Traffic shaping limiters per port, upload limiter doesn't work
-
Hello!
On one of my port forward rules I want to limit the speed. Limit download works fine but not on upload. This seems to be an issue for more people than me when I looked around. I have created a limiter called "down" and one limiter called "up" under Firewall-Traffic shaper-Limiters and under Firewall-Rules-WAN I added the limiter on the rule that my port forward created (In/Out pipe).
Why doesn't the upload limiter work while the download limiter works fine?
-
@vildsvin123 I would try creating floating rules. Make two rules, both on the WAN interface, one in the In direction and the other in the Out direction. The actions of the rules should be Match, and they should NOT be quick rules.
The rule for the In direction should set the In pipe to your download queue and the Out pipe to your upload queue.
The rule for the Out direction should set the In pipe to your upload queue and the Out pipe to your download queue.
Note that since these are only match rules, you'll still need an allow in rule on WAN as well.
-
@TheNarc Thanks for the answer.
This is all new rule creating for me but just so I understand:
2 floating rules under Firewall-Rules-Floating
First one:
Action - Match
Quick uncheck
Interface WAN
Direction In
Source Any?
Destination - Only the ports or the Host ip and port?
Advanced: I use my in/out pipe
Second:
Action - Match
Quick uncheck
Interface WAN
Direction Out
Source Only the ports or the Host ip and port?
Destination - Any?
Advanced: I use my in/out pipe
"Note that since these are only match rules, you'll still need an allow in rule on WAN as well"
My port forward is opened under firewall-rules and also here I got In/Out pipe set, is that correct?
-
@vildsvin123 In your floating rules you probably just want source and destination to be Any for both. Because keep in mind this is only a Match rule, so you're not allowing/passing anything with them, just associating limiters with the traffic. Also remember that non-quick floating rules are "last match" so keep that in mind if you have any other floating rules configured.
For the WAN rule that actually allows traffic from your port forward, there is no need to set the In/Out pipe since the floating rules are executed first and already have. I don't think that doing so in the WAN rule also will cause problems, but I'm not sure, so I'd probably test without and see if it works how you'd expect.
-
@TheNarc The floating rule works great on the whole interface but how to filter out specific traffic? In this case I want the limiter on port ***** where my cloud is and all other traffic should be unlimited bandwidth. Tried to put in my IP and ports in the floating rule but no difference.
Also in advanced as you wrote "If creating a floating rule, if the direction is In then the same rules apply," :)
-
@vildsvin123 Is this a "local" cloud where you have clients on the Internet connecting to this machine on a specific port (i.e. you need to match on WAN in) or is it an Internet cloud where you need to match clients on your network connecting to it (i.e. WAN out)? Either way though, I would expect matching a port in the floating rules to work. Although it's not something I've tried myself because I want all traffic to go through the limiters.
When you say you put your IP in, that may be a problem if you're talking about an internal NATed IP. I believe that at the point the firewall rules on WAN interfaces are applied, NAT has not been performed yet. So you could match on, say, inbound destination port is 12345, but not inbound destination IP is 192.168.1.123.
-
@TheNarc Yes, local machine 192.168.1.123 which runs the cloud and clients connecting from outside through the WAN interface.
"When you say you put your IP in": Seems very true, floating is before NAT when you say it :P Will try matching on port. But I ran into another question now: it's using TLS, should that not be a problem when matching on the port number?
-
@vildsvin123 Yeah that should be no problem, the traffic itself is encrypted but you can match on port.
If you really want or need to match on 192.168.1.123, you could try creating a match rule for LAN on the Out direction, because that should be post-NAT. However, I believe there have been reports of strange/unexpected behavior of trying to apply limiters in rules on LAN ports (and indeed the Netgate documentation for setting up limiters only mentions making floating rules for the WAN ports). But it would be something that should be relatively quick and easy to try to determine whether it gets you the behavior you want.
All that said, I think matching on port should be fine. Because you're only forwarding this port from WAN to 192.168.1.123. So matching on inbound WAN traffic with a destination port of X (the port you're forwarding) should basically be matching on a destination of 192.168.1.123 by proxy.
-
@TheNarc Soon I will give up on this... Works on HTTP traffic and speed tests, not on cloud traffic. Will look more at it next week, thanks so far for all the help :)
-
@vildsvin123 said in Traffic shaping limiters per port, upload limiter doesn't work:
local machine 192.168.1.123 which runs the cloud and clients connecting from outside through the WAN interface
Matching can be tricky, I suggest looking at the open state for the connection. For example "downloading a file from a web server in my office" matches the inbound connection to the web server, not an outbound response. The outbound follows back out the inbound state.
As noted floating rules are outside NAT. One can match a floating rule to a source only by tagging it on the way in as the packet arrives on LAN, then a rule saying "any packet with tag X" on the way out on WAN. I've used that for prioritizing voice (upload from a phone device IP) but I don't think for a limiter.
If you haven't already, for testing, set the limiter to something low enough to be obvious in both directions, and a different number for in and out.
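
The test suggested in the last post, as an added example that is not part of the original thread: with two clearly different limiter bandwidths, a measured rate in each direction tells you whether the expected limiter applied, whether the In/Out pipes ended up reversed, or whether the traffic bypassed the limiters. The function names, the 15% tolerance and all numbers are assumptions made for illustration.

```python
# Added example: interpret throughput measurements taken while the "down" and
# "up" limiters are set to low, deliberately different bandwidths (Mbit/s).
# Names, tolerance and sample values are constructed, not taken from pfSense.

def classify(measured, expected_limit, other_limit, tolerance=0.15):
    """Say which limiter (if any) a measured rate is consistent with."""
    def near(limit):
        # Protocol overhead keeps goodput slightly under the pipe bandwidth,
        # so accept anything within `tolerance` of the configured limit.
        return abs(measured - limit) <= limit * tolerance

    if near(expected_limit):
        return "expected limiter applied"
    if near(other_limit):
        return "pipes swapped (In/Out reversed)"
    if measured > max(expected_limit, other_limit) * (1 + tolerance):
        return "no limiter applied"
    return "inconclusive"


def diagnose(down_limit, up_limit, measured_down, measured_up, tolerance=0.15):
    """Classify both directions; refuse limits too close to tell apart."""
    lo, hi = sorted((down_limit, up_limit))
    # The two acceptance windows must not overlap, otherwise a swap of the
    # In/Out pipes would be indistinguishable from the correct assignment.
    if hi - lo <= (hi + lo) * tolerance:
        raise ValueError("limits too close; pick clearly different values")
    return {
        "download": classify(measured_down, down_limit, up_limit, tolerance),
        "upload": classify(measured_up, up_limit, down_limit, tolerance),
    }


if __name__ == "__main__":
    # Constructed readings: "down" = 5 Mbit/s, "up" = 2 Mbit/s.
    print(diagnose(5, 2, measured_down=4.7, measured_up=48.0))  # upload unshaped
    print(diagnose(5, 2, measured_down=1.9, measured_up=4.8))   # pipes reversed
```
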