Need help setting up a simple limiter
-
I agree, we need to shift this thread back on topic. The pfSense book has a good overview of limiters in the section on traffic shaping. Based on what I read, I think they are exactly the solution I'm looking for. I haven't seen any good examples here in the forums. I'm really just looking for specific advice on how to set them up. Thanks!
-
> I agree, we need to shift this thread back on topic. The pfSense book has a good overview of limiters in the section on traffic shaping. Based on what I read, I think they are exactly the solution I'm looking for. I haven't seen any good examples here in the forums. I'm really just looking for specific advice on how to set them up. Thanks!
Limiters & queues are very similar, but the thing they both rely on is a firewall that catches the proper traffic.
For your purposes, queues & limiters function the same since you are only using the simplest of features. Like I outlined, verify the firewall rule then verify the queue/limiter.
PS - If you have seen no good examples on the forums, then you have not searched. There are thousands of examples.
-
Unbelievable (see attached msg from Comcast).
![Comcast Overage.jpg](/public/imported_attachments/1/Comcast Overage.jpg)
-
From the pfSense book:
"Enforce Bandwidth Limits
Using limiters you can apply a bandwidth limit to a group of people, such as all traffic on an interface, or you can set masking on the limiters to apply them on a per-IP basis. This way you can ensure that no one person can consume all available bandwidth.
Limiters
Limiters are a new method of traffic shaping, introduced in pfSense 2.0 under Firewall Traffic Shaper on the Limiters tab. Limiters use dummynet(4) to enact bandwidth limits and perform other prioritization tasks, among other things. Limiters are currently the only way to achieve per-IP bandwidth limiting in pfSense.
Limiters have actually been in use for a lot longer on pfSense as part of the Captive Portal's per-user bandwidth limits, but in 2.0 they have been hooked into pf so that they may be used on their own with normal firewall rules, outside of Captive Portal.
Like HFSC and CBQ, Limiters may be nested with queues inside other queues. Root-level limiters (Also called Pipes), may have bandwidth limits and delays, while child limiters (Also called queues), may have priorities (Also called weights). Bandwidth limits can be optionally masked by either the source IP or the destination IP, so that the limits can be applied per-IP instead of as a group."
I don't quite know how to interpret that last paragraph. It pretty much says limiters and queues have different sets of functionality. If they were the same, we wouldn't need both would we? And the fact that Limiters may be nested also implies that it's also possible they might not be nested. Taking these together, I interpret this paragraph to mean:
a) If you want to use bandwidth limits, you set it in the root level limiter
b) Child limiters are also known as queues
c) If you need to set priorities on different classes of service or for different groups of IPs, you need to use a queue, which is nested under a Limiter.
From these, I conclude that Limiters should work with or without queues, and that queues are only needed to support advanced features such as traffic prioritization.
I'll be the first to admit that I have ZERO experience with Limiters. I've done the research, used respectable sources, and applied my best deductive reasoning to figure out how to make them work. If I've made some invalid assumptions along the way or reached the wrong conclusion, I hope someone with more knowledge can steer me in the right direction. But the way I see it right now, queues are an unnecessary complication. If I'm wrong, don't just tell me I'm wrong, educate me so I can learn something. Got a working example? Show me. Thanks!
-
Your problem in your first post is Destination LAN net. That should be destination any. Everything else looks like it should work, though I would just use protocol any too. Oh and your Upload (LAN in) limiter should be masked on source address. Your Download (LAN out) limiter is fine with destination address. Note that this will create a separate pipe for each address. If you just want one limit shared by all devices, don't set a mask at all.
With limiters (dummynet) you can also do nifty things like induce random packet loss and delay. That might also help discourage use.
I'll leave whether this is wise policy to others. I have my own 16-year-old problem to deal with.
-
EUREKA!! I found the problem!
The short answer: I had created an alias that contained the fully qualified device names of the 3 devices my grandson uses. I've been using pfBlockerNG to block undesirable web sites. Apparently there's a conflict between the DNS Resolver and pfBlockerNG, so you are advised to turn OFF the feature in the Resolver that registers static DHCP mappings. Therefore… my firewall rules never recognized traffic to/from my grandson's devices, and all his traffic ended up hitting the default rule that allowed normal clients to send/receive traffic. As soon as I changed the firewall rule from using an alias to using a hardwired IP address, the limiters started working.
For future reference, in case somebody else needs to set up something similar, here are the settings that I ended up with:
Under Firewall->Traffic Shaper->Limiter, create 2 Limiters:
Name: Limiter-A
Bandwidth: I used 1 Mbps
Description: Upload speed from the PC to WAN
Name: Limiter-B
Bandwidth: I set it to 512 Kbits
Description: Download speed from WAN to PC
Added the following rule to the firewall:
Interface: LAN
Source: IP address of device I want to limit
Destination: ~~! IP address of device I want to limit~~ any
In/Out: Limiter-A/Limiter-B
This is about as simple a setup as possible. I plan to subnet my grandson's static IPs so I can use 1 rule to limit all his devices. I will also experiment with random packet loss and delay as Derelict suggested. That will require queues, but now that I have a working foundation, it should be a lot easier to get these features working.
Thanks to everyone who took the time to help!
-shull
-
> Destination: ! IP address of device I want to limit
Just use any, amigo.
-
> Destination: ! IP address of device I want to limit
> Just use any, amigo.
Thanks, good observation.
-
> I will also experiment with random packet loss and delay as Derelict suggested.
Just found this when reading about limiters in the pfSense book for another project I'm working on:
The dummynet(4) system was originally designed, according to its man page, as a means to test TCP congestion control, and it grew up from there. Due to this purpose, a unique feature of limiters is that they can be used to induce artificial packet loss and delay into network traffic. That is primarily used in troubleshooting and testing (or being evil and playing a prank on someone), and not often found in production.
-
Dialup PPP was about 48kbps with about 220ms delay at best. Toss in about 5% packet loss to mimic overbooked ISP T1 uplink for good measure. Next time some kid bitches about slow internet, show them what it was like in the good old days. Have fun. :) And get off my lawn.
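As an added illustration, not pfSense or FreeBSD code and not something any poster in this thread wrote: a small Python model of a dummynet(4) pipe, the mechanism behind a pfSense limiter. It makes two points from the thread concrete: Derelict's note that a mask (source address for the upload limiter, destination address for the download limiter) gives every address its own pipe while no mask means one limit shared by everyone, and the delay/packet-loss knobs behind the dialup emulation above. Host addresses, packet sizes and the traffic pattern are constructed for the demo.

```python
# Added example: a toy model of a dummynet(4) pipe as used by pfSense limiters.
# Not pfSense or FreeBSD code. Time is kept in integer microseconds so the
# results are exact; hosts, packet sizes and traffic below are constructed.
from dataclasses import dataclass, field
from typing import Optional
import random


@dataclass
class Pipe:
    bw_bps: int                 # bandwidth limit, bits per second
    delay_us: int = 0           # extra one-way latency, microseconds
    plr: float = 0.0            # packet loss rate, 0.0 .. 1.0
    mask: Optional[str] = None  # None = one shared pipe; "src-ip" / "dst-ip" = a pipe per address
    _busy_until: dict = field(default_factory=dict)  # per flow key: when that pipe frees up (us)

    def flow_key(self, pkt: dict) -> str:
        """Pick the per-address pipe a packet lands in (what the dummynet mask does)."""
        if self.mask == "src-ip":
            return pkt["src"]
        if self.mask == "dst-ip":
            return pkt["dst"]
        return "*"  # no mask: every address shares one pipe

    def send(self, pkt: dict, now_us: int, rng: random.Random) -> Optional[int]:
        """Return the delivery time in microseconds, or None if the packet was dropped."""
        if rng.random() < self.plr:
            return None
        key = self.flow_key(pkt)
        start = max(now_us, self._busy_until.get(key, 0))      # wait for the pipe to free up
        tx_us = pkt["bytes"] * 8 * 1_000_000 // self.bw_bps     # serialisation time at the limit
        done = start + tx_us
        self._busy_until[key] = done
        return done + self.delay_us


def burst(hosts, count, size=1500):
    """Constructed traffic: `count` packets of `size` bytes from each host, interleaved, all queued at t=0."""
    return [{"src": h, "dst": "wan", "bytes": size} for _ in range(count) for h in hosts]


def achieved_rates(pipe: Pipe, packets, seed=1) -> dict:
    """Bits per second each source host actually got through the pipe."""
    rng = random.Random(seed)
    sent_bits, last_done = {}, {}
    for pkt in packets:
        done = pipe.send(pkt, 0, rng)
        if done is None:
            continue
        sent_bits[pkt["src"]] = sent_bits.get(pkt["src"], 0) + pkt["bytes"] * 8
        last_done[pkt["src"]] = max(last_done.get(pkt["src"], 0), done)
    return {h: sent_bits[h] * 1_000_000 // last_done[h] for h in sent_bits}


def dropped(pipe: Pipe, packets, seed=1) -> int:
    """How many packets the pipe's packet loss rate discards."""
    rng = random.Random(seed)
    return sum(1 for p in packets if pipe.send(p, 0, rng) is None)


def one_way_latency_us(pipe: Pipe, size=1500) -> int:
    """Delivery time of a single packet through an otherwise idle, lossless copy of the pipe."""
    quiet = Pipe(bw_bps=pipe.bw_bps, delay_us=pipe.delay_us, plr=0.0, mask=pipe.mask)
    return quiet.send({"src": "a", "dst": "b", "bytes": size}, 0, random.Random(0))


def dialup(plr=0.05) -> Pipe:
    """The 'good old days' pipe from the thread: ~48 kbit/s, 220 ms delay, 5% loss."""
    return Pipe(bw_bps=48_000, delay_us=220_000, plr=plr)


if __name__ == "__main__":
    kids = ["10.0.0.2", "10.0.0.3"]  # constructed addresses
    print("1 Mbit/s, no mask (one shared limit):", achieved_rates(Pipe(1_000_000), burst(kids, 100)))
    print("1 Mbit/s, mask src-ip (a pipe per host):",
          achieved_rates(Pipe(1_000_000, mask="src-ip"), burst(kids, 100)))
    print("dialup: 1500-byte packet takes", one_way_latency_us(dialup()), "us one way;",
          dropped(dialup(), burst(["a"], 1000)), "of 1000 packets lost")
```

With no mask, two hosts that both have a backlog split the 1 Mbit/s pipe roughly in half; with a source-address mask each host gets the full 1 Mbit/s on its own pipe, which is why the direction of the mask has to match the direction of the traffic. In dummynet terms the masked case corresponds to configuring the pipe with `mask src-ip 0xffffffff` (or `mask dst-ip 0xffffffff` for the download side).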