Per IP traffic Shaping
-
Thank you ermal, your answer enlightened me on the bit that I need to understand limiters a little better :) I'll try it tonight at home and post if I succeed or not with the implementation.
-
Works like a charm ;) Thank you again ermal.
-
Well, I managed to do this by defining 4 traffic shaping limiters per client (or IP, or group of IPs). The scenario goes like this:
Always from the point of view of the router
Create 4 Limiters per client:
IncomingWan ---->> Download (Select Mask "Destination addresses" when creating the limiter, select also desired bandwidth here)
OutgoingLan ---->> Download (Select Mask "Source addresses" when creating the limiter, select also desired bandwidth here)
IncomingLan ---->> Upload (Select Mask "Source addresses" when creating the limiter, select also desired bandwidth here)
OutgoingWan ---->> Upload (Select Mask "Destination addresses" when creating the limiter, select also desired bandwidth here)
After creating the limiters you need to apply them on Firewall>>Rules (I did it over my LAN Interface)
Create 2 rules by IP
You need to specify the IP or IP group as source in one rule and as destination in the other.
On each rule, go to advanced and select IN/OUT limiters.
Example: IncomingWan --- OutgoingLAN (when the IP is the destination) download
IncomingLAN --- OutgoingWAN (when the IP is the source) upload
This works for me. Hope I made myself clear.
Regards
Guys, I'm using pfsense 2.01 RC3 64bits. I did EXACTLY this but the only thing that seems to work is the download limiter; the upload is still not limiting to the speed I need. I really need some help, this thing is killing me, I need to get this up and running soon =X
-
Anyone?
-
Post a screenshot of your Limiters & your Rules
-
@ptt:
Post a screenshot of your Limiters & your Rules
Thanks a lot for the reply…
Link of the SS Image is way too large to use img bbcode
VPS003 is a VPS running behind NAT, its internal IP address is 192.168.10.8, it is supposed to be getting 10mbps of Download and 1mbps of Upload, as of now it's getting all the upload speed the link has and for some reason that I can't understand now I'm getting 1mbps of DOWNLOAD.
I know something is wrong, I just can't figure out what it is..
I was using ClearOS before I switched to pfsense because pfsense is WAY better as a firewall, all the issues I had with ClearOS I don't have with pfsense and there's a lot more I can do with pfsense now, but if there's something I could never complain about ClearOS it is that I can set up a bandwidth rule in 15 seconds and hell it works.. I really don't wanna go back.
-
Check this: http://forum.pfsense.org/index.php/topic,46071.0.html
-
@ptt:
Check this: http://forum.pfsense.org/index.php/topic,46071.0.html
I've seen that thread before but it doesn't explain anything. First there's source address and destination address, it doesn't say anything about that, and now it's only 2 limiters instead of 4. They say 2 work but nobody there said how to do it, the guy in this thread said 4 would work as well but as far as I can see nothing seems to work the way it's supposed to. I think pfsense should make things more clear for the people that are implementing their software, it's simple, all someone has to do is say if you want to limit the traffic for IP address X you go there, do this, apply that, reset tables and you're set, but in a way that there's no way someone can get it wrong, and before posting that he should test and see if it really works. I just don't get why they make it so hard to set up something that should be so simple…
-
Where are you from? I don't see your "location"
Are you using pfSense in a commercial environment?
If you are in a "hurry", have you considered the commercial support?
Well, having said that, here we go, example with screenshots:
I have WAN with a 1mbps / 515 kbps ADSL connection (speedtest_No_Limit.png)
Let's say I want to limit the DL to 256kbps and the UL to 128Kbps only for 1 host, in this case 192.168.1.10 (my LAN subnet is 192.168.1.0/24).
1º Create the 2 limiters
2º Create the LAN Rule with the Limiters
3º Test, that's all ;) (Speedtest.png)
-
Here the Speedtest without limiter & with limiter
-
@ptt:
Here the Speedtest without limiter & with limiter
I'm in brazil.
No, it's my home servers, I've got a fiber 100down 10U for my home servers. About the paid support, you should never have to pay to get an answer of how to do something that should be well explained by pfsense in the first place, you can pay if you want them to do it for you but not because you don't have a choice, because you don't want to do it yourself. That said, every software should offer free support, tutorials.
But regardless of that, I did what you said and the same thing, I'm still getting all my bandwidth in the upload. For the test I'm using an ftp server running on that same vps, which again has a local IP address behind the NAT with passive ports properly routed. Tried to reset tables but still I'm getting all the bandwidth of the link, so downloading wise yes it's working but upload doesn't limit no matter what I do, I'm always getting the full bandwidth. I did everything you said, triple checked to see if I did something wrong, no it's all right, it's just not working…
Just remember EVERY port has to get the same speed, i'm not using this to browse the web or something i'm running servers.
And getting this right will help a lot of people, but thanks for your help i really appreciate it.. hope we can figure this out and get it to work
-
I have the same problem here. pfsense works as a transparent bridge and I am trying to set up traffic shaping. I tried a standard setup on the lan and wan side but it doesn't work either way. Does anybody have a bridged pfsense firewall running with traffic shaping enabled?
Some extra info:
I have 1 LAN and 1 WAN.
LAN has a /25 subnet.
version 2.01
-
I'm in brazil.
Hi Rodolfo,
I'm in Brazil too, if you want, take a look on portuguese forum too.
Comparing your screenshot with ptt, limiter info shows in/out, but you can see on video tutorials/screen shot that maybe in means outgoing traffic coming from lan and out is inbound traffic going to lan server/machine
Can you try swapping your limiter info?
-
Hey there, yes we should pass this info along in the portuguese forums but for now we need everyone's help on this matter so after we get a straight answer it's easy to make a tutorial and translate not only to portuguese.
Anyway i still can't setup my limiters it doesn't work, it limits the download but nothing happens to the upload to be frank i am considering going back to clearos because of this i really feel sad that pfsense won't help us with something so simple, and if going back to clearos is what i have to do to get my limiters setup so be it, maybe it was a mistake coming to pfsense.
-
Did you try swapping info on rule limiter field?
Limiter works, there are many people using it.
Are you testing upload from a connection started at lan or trying to fetch files from wan to lan?
Pfsense is a stateful firewall, so all rules are created where traffic begins. Your rule is on lan, so only traffic started on lan will match this rule.
I saw you have a rule on wrong tab. Change the rule with destination=192.168.10.8 from lan to wan.
Apply changes and test again.
-
FTP Server running on a VPS behind nat firewall, therefore wan to lan. But the limiter must work from both sides.
-
The limiter will work on traffic matched by rules applied to it.
Move that rule to wan and test again.
-
Changed the rule to WAN
any protocol
Internal IP as Destination
In/Out = DOWN/UP
No rule applied in the lan interface.
still doesn't work…
-
keep the lan rule with source ip=192.168.10.8 on lan tab
If you created the nat from external ip to 192.168.10.8, there may already be a rule on wan with destination=192.168.10.8
change this rule to apply limiter and check if there is no rule before that allowing access to the same server with no limiter info.
Also check other protocol, ftp does not use port 21 for data transfer. Maybe pfsense built in ftp proxy is skipping your limiter rule.
in short:
one rule on lan for server outgoing access
one rule on wan for internet access to server
-
FINALLY!
FINALLY!
FINALLY!YESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
EVERY nat rule must contain the In and Out information in order to get it working, in clearos you setup a single bandwidth rule pointing to a single ip and everything related to that same ip address is limited but it seems that pfsense is quite a lot different, setup the limiter in every nat rule, also one in lan and another in wan and it will work i'm not using destination and source address in limiters, well i regret trying to get help in the international forums now that i know that the answer was right here in our country.
in short:
setup limiters… LIKE A BOSS
make a lan rule... LIKE A BOSS
make another wan rule... LIKE A BOSS
tweak those nat rules... LIKE A BOSS
Say we're awesome LIKE A BOSS!
Thanks! =D
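
A small model of the point the thread settles on, added here as an illustration and not taken from any post or from pfSense itself: rules are matched top-down on the interface where a connection starts, and only the matching rule's In/Out limiters apply to that connection. The `Rule` class, the function names and the outside address 203.0.113.5 are assumptions made for the example; the host IP and the DOWN/UP limiter names come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    iface: str                      # rule tab: "lan" or "wan"
    src: str                        # CIDR, single IP, or "any"
    dst: str
    pipe_in: Optional[str] = None   # limiter for packets entering iface
    pipe_out: Optional[str] = None  # limiter for packets leaving iface

def matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def first_match(rules, iface, src, dst):
    # Top-down, first match wins, only on the interface where the
    # connection starts; that rule's limiters follow the whole state.
    for rule in rules:
        if rule.iface == iface and matches(rule.src, src) and matches(rule.dst, dst):
            return rule
    return None

def unlimited_paths(rules, host, outside="203.0.113.5"):
    """Return the directions in which `host` traffic escapes the limiters."""
    checks = {
        "lan-initiated": ("lan", host, outside),
        "wan-initiated": ("wan", outside, host),  # dst is the post-NAT internal IP
    }
    gaps = []
    for name, (iface, src, dst) in checks.items():
        rule = first_match(rules, iface, src, dst)
        if rule and not (rule.pipe_in and rule.pipe_out):
            gaps.append(name)
    return gaps

HOST = "192.168.10.8"  # the VPS from the thread
# Constructed rule sets. "DOWN"/"UP" are the limiter names used in the thread.
LAN_ONLY = [
    Rule("lan", HOST, "any", pipe_in="UP", pipe_out="DOWN"),
    Rule("wan", "any", HOST),                       # NAT pass rule, no limiter
]
FIXED = [
    Rule("lan", HOST, "any", pipe_in="UP", pipe_out="DOWN"),
    Rule("wan", "any", HOST, pipe_in="DOWN", pipe_out="UP"),
]
SHADOWED = [Rule("wan", "any", "192.168.10.0/24")] + FIXED  # earlier rule wins
```

`unlimited_paths(LAN_ONLY, HOST)` reports the WAN-initiated direction as unshaped, which is the FTP-server symptom described above; `SHADOWED` shows the same gap reappearing when an earlier pass rule without limiters sits above the limited one.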