Per IP traffic Shaping

Woger · Feb 22, 2012, 1:02 PM

I have the same problem here. pfsense works as a transparant bridge and I am trying to set uptraffic shaping. I tried a standard setup on the lan and wan side but it doesn't work in either way. Does anybody have a bridged pfsense firewall running with traffic shaping enabled?
Some extra info:
I have 1 LAN and 1 WAN.
LAN has a /25 subnet.
version 2.01

marcelloc · Feb 22, 2012, 8:11 PM

@rodolfosevero007:

I'm in brazil.

Hi Rodolfo,

I'm in Brazil too, if you want, take a look on portuguese forum too.
Comparing your screenshot with ptt, limiter info shows in/out, but you can see on video tutorials/screen shot that maybe in means outgoing traffic comming from lan and out is inbound traffic going to lan server/machine

Can you try swapping your limiter info?

rodolfosevero007 · Feb 22, 2012, 9:53 PM

@marcelloc:

@rodolfosevero007:

I'm in brazil.

Hi Rodolfo,

I'm in Brazil too, if you want, take a look on portuguese forum too.
Comparing your screenshot with ptt, limiter info shows in/out, but you can see on video tutorials/screen shot that maybe in means outgoing traffic comming from lan and out is inbound traffic going to lan server/machine

Can you try swapping your limiter info?

Hey there, yes we should pass this info along in the portuguese forums but for now we need everyone's help on this matter so after we get a straight answer it's easy to make a tutorial and translate not only to portuguese.

Anyway i still can't setup my limiters it doesn't work, it limits the download but nothing happens to the upload to be frank i am considering going back to clearos because of this i really feel sad that pfsense won't help us with something so simple, and if going back to clearos is what i have to do to get my limiters setup so be it, maybe it was a mistake coming to pfsense.

marcelloc · Feb 22, 2012, 9:56 PM

Did you tried swapping info on rule limiter field.

Limiter works, there are many people using it.

Are you testing upload from a connection started at lan or trying to fetch files from wan to lan?

Pfsense is a statefull firewall, so all rules are created where traffic begins. Your rule is on lan, so only traffic started on lan will match this rule.

I saw you have a rule on wrong tab. Change the rule with destination=192.168.10.8 from lan to wan.

Apply changes and test again.

rodolfosevero007 · Feb 22, 2012, 10:13 PM

@marcelloc:

Did you tried swapping info on rule limiter field.

Limiter works, there are many people using it.

Are you testing upload from a connection started at lan or trying to fetch files from wan to lan?

Pfsense is a statefull firewall, so all rules are created where traffic begins. Your rule is on lan, so only traffic started on lan will match this rule.

I saw you have a rule on wrong tab. Change the rule with destination=192.168.10.8 from lan to wan.

Apply changes and test again.

FTP Server running on a VPS behind nat firewall, therefore wan to lan. But the limiter must work from both sides.

marcelloc · Feb 22, 2012, 10:16 PM

The limiter will work on traffic matched by rules applied to it.

Move that rule to wan and test again.

rodolfosevero007 · Feb 22, 2012, 10:22 PM

@marcelloc:

The limiter will work on traffic matched by rules applied to it.

Move that rule to wan and test again.

Changed the rule to WAN

any protocol

Internal IP as Destination

In/Out = DOWN/UP

No rule applied in the lan interface.

still doesn't work…

marcelloc · Feb 22, 2012, 10:29 PM

keep the lan rule with source ip=192.168.10.8 on lan tab

If you created the nat from external ip to 192.168.10.8, there maybe already a rule on wan with destination=192.168.10.8

change this rule to apply limiter and check if there is no rule before that allowing access to the same server with no limiter info.

Also check other protocol, ftp does not use port 21 for data transfer. Maybe pfsense built in ftp proxy is skipping your limiter rule.

in short:
one rule on lan for server outgoing access
one rule on wan for internet access to server

rodolfosevero007 · Feb 22, 2012, 10:44 PM

@marcelloc:

keep the lan rule with source ip=192.168.10.8 on lan tab

If you created the nat from external ip to 192.168.10.8, there maybe already a rule on wan with destination=192.168.10.8

change this rule to apply limiter and check if there is no rule before that allowing access to the same server with no limiter info.

Also check other protocol, ftp does not use port 21 for data transfer. Maybe pfsense built in ftp proxy is skipping your limiter rule.

in short:
one rule on lan for server outgoing access
one rule on wan for internet access to server

FINALLY!
FINALLY!
FINALLY!

YESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

EVERY nat rule must contain the In and Out information in order to get it working, in clearos you setup a single bandwidth rule pointing to a single ip and everything related to that same ip address is limited but it seems that pfsense is quite a lot different, setup the limiter in every nat rule, also one in lan and another in wan and it will work i'm not using destination and source address in limiters, well i regret trying to get help in the international forums now that i know that the answer was right here in our country.

in short:

setup limiters… LIKE A BOSS
make a lan rule... LIKE A BOSS
make another wan rule... LIKE A BOSS
tweak those nat rules... LIKE A BOSS

Say we're awesome LIKE A BOSS!

Thanks! =D

marcelloc · Feb 22, 2012, 10:55 PM

Nice :)

As you are moving from Clearos to pfsense, you may need to take a look on some tutorials to understand better differences between both.

doc.pfsense.org has a lot of tutorials

On portuguese forum there are some topics on top with a lot of information that will help you.

http://forum.pfsense.org/index.php/board,12.0.html