A lot of users?

josephchrzempiec · Apr 23, 2025, 5:42 AM

Hello, First i hope this is in the right place. If not please help me to move to the right topic.

I want to start up an nonprofit wireless in my area. I give wireless to people who can't afford it. I have enough bandwidth to cover people Not sure how much yet into I can figure things out. My problem is two things. One is in pfsense Sense I'm still fairly new to it and need help with steps on doing this is how can I limit people from downloading to much bandwidth, What I mean is speed for downloading how can I show that down?

Also Is there a way to seperate every user to connect to to each other, What I mean is either pinging or able to access whatever they have on there system or devices? Theses are the two things I really need help me. Please someone help me to figure this out?

I'm sorry there is one other thing. Is there way that they can not access the router as well? Only if I'm at that location I can. Thank you

Joseph

Gertjan · Apr 23, 2025, 8:18 AM

@josephchrzempiec

Most 'serious' access points can handle bandwidth limiting for every wifi user, and, bonus, handle the client isolation for you, something the router you use, pfSense in this case, can't do.
On pfSense, keep the initial LAN access for yourself.
Create a second LAN type interface that you reserve for your Wifi visitors.
Use this firewall rule :

where "ThisFirewallPorts" is an alias you create, and add port numbers like 22, 80 and 443 to it.
and after this rule you put a general pass rule.
From now on, your visitors can access the entire internet, but not your pfSense, the admin access.

Btw : none of this is unique to pfSense - what I've said above is valid for any router firewall available out there : believe it (or not) : they are all the same.

elvisimprsntr · Apr 23, 2025, 9:35 AM

This post is deleted!

stephenw10 · Apr 23, 2025, 1:06 PM

Yup 'Client Isolation' should be handled in the Access Point(s).

You might also try dynamic limiters in pfSense to share the available bandwidth between connected users.

JKnott · Apr 23, 2025, 2:28 PM

@josephchrzempiec This might be a violation of your ISPs terms of service. Check out that before you do anything.

josephchrzempiec · Apr 23, 2025, 2:37 PM

@JKnott I'm not violating anything with my ISP. I have a Business class setup to do with whatever I like. Also I called my ISP and told them the story as long as I'm not reselling and profiting my bandwidth which I'm not i'm allow to give it away at no cost which I'm. and Also I went to my local branch ISP and talked to two management teams and they said it is prefectly fine. And any problems let them know. They even gave me pointers on how to be successful with this.

I'm all set on this subject.

josephchrzempiec · Apr 23, 2025, 2:42 PM

@stephenw10 Is there some examples or some steps I can do for this to be limiting between users?

josephchrzempiec · Apr 23, 2025, 2:47 PM

@Gertjan said in A lot of users?:

@josephchrzempiec

Most 'serious' access points can handle bandwidth limiting for every wifi user, >and, bonus, handle the client isolation for you, something the router you use, >pfSense in this case, can't do.

My access points can not do limiting for each user. It will have to be on the pfsense side to do this.

stephenw10 · Apr 23, 2025, 2:58 PM

I don't think we have a specific example doc but this covers it: https://www.provya.com/blog/pfsense-limit-maximum-bandwidth-per-users-with-limiters/

josephchrzempiec · Apr 23, 2025, 3:00 PM

@stephenw10 said in A lot of users?:

https://www.provya.com/blog/pfsense-limit-maximum-bandwidth-per-users-with-limiters/

Thank you I'm looking at it. The problem I have is the download speed is more then enough. Only thing I worry about if more and more people get on it that enough people wouldn't have enugh bandwidth to do anything.

upload speed is the same problem.

stephenw10 · Apr 23, 2025, 3:03 PM

Exactly, so you set the total bandwidth at, say, 500Mbps and it assigns pipes dynamically depending on how many source/destination IPs are connected. I.e. Only one connected user would get 500Mbps but with 10 connected each would get 50Mbps.

Now that can still be an issue if you have 500 connected IPs! But it prevents one user just sucking all the bandwidth.

josephchrzempiec · Apr 23, 2025, 3:05 PM

@stephenw10 Got you Thank you. Now i have to figure the whole not letting users see the router and each other. The bandwidth part I think figured it out.

stephenw10 · Apr 23, 2025, 3:07 PM

Users don't see each other > 'client isolation' in the APs.

Users don't see the firewall > firewall rules in pfSense.

josephchrzempiec · Apr 23, 2025, 3:13 PM

@stephenw10 Theses Ap are cheap chineses AP. they can see each other and no option to stop that as the firmware is limited. that is why they are cheap chinese AP.

As far as the not seeing the router I will look into that. Thank you.

stephenw10 · Apr 23, 2025, 3:16 PM

Hmm, I would double check that. It might be renamed something by their firmware but I've never seen an AP that didn't have that option. It's a low level hardware setting that is present in everything.

Or you might be able to flash them with a 3rd party firmware that does expose it like OpenWRT.

josephchrzempiec · Apr 23, 2025, 3:19 PM

@stephenw10 to be honest I'm not sure I will look through it again and look at the manual that was given as well.

stephenw10 · Apr 23, 2025, 3:26 PM

What APs are they specifically?

josephchrzempiec · Apr 23, 2025, 6:33 PM

@stephenw10 I didn’t buy them. They was giving to me by a friend of mine. They look like they have custom firmware on them. I looked them up and found them on made in china website. link text

stephenw10 · Apr 23, 2025, 9:50 PM

So actually Comfast CF-EW71 devices?

Looks like they have some central management. Do you have that?

If those are v2 hardware it looks like OpenWRT recently added support.

NollipfSense · Apr 24, 2025, 1:00 AM

May I suggest a Mikrotik AP device!