Netgate Discussion Forum

    How to limit speed of client downloading a file from my internal server

    Traffic Shaping

      linucksrox

      This sounds the same as what I want to do, but I don't understand the answer. https://forum.pfsense.org/index.php?topic=107468.0

      I run ownCloud connected through a reverse proxy server which is accessible over the internet. I want to limit the total download speed of a client connected to ownCloud, or limit the upload of the reverse proxy server going to the internet. I added a limiter for 2Mbps and have tried applying it to the reverse proxy server on the LAN side and on the WAN side, but it isn't limiting the speed. I only want the limit to apply between the server and the internet going in one direction.

      This works for another internal machine:

      traffic shaper - limiter- new limiter - LanUP - bandwidth 2Mbit/s (no schedule) no mask - Save
      firewall rules - LAN - action pass - not disabled - interface LAN - TCP 4 - protocol Any - source single host 192.168.1.246 (xubuntu with GUI) - destination Any - advanced in/out LanUp/none
      

      The above rule works as expected, speedtest.net from that machine shows full download speed, and 2Mbit/s upload speed as desired. However, when setting up the same firewall rule for my reverse proxy (192.168.1.247) it does not limit the download speed of a client downloading a file.

      firewall rules - LAN - action pass - not disabled - interface LAN - TCP 4 - protocol Any - source single host 192.168.1.247 (nginx reverse proxy) - destination Any - advanced in/out LanUp/none
      

      Ideally I would only limit the connection between nginx and the internet, leaving clients connected on the LAN connected at full speed. So I also tried applying that rule to the WAN rule I have set up for nginx, but that also did not make any difference.

      firewall rules - WAN - action pass - not disabled - interface LAN - TCP 4 - protocol Any - source Any - destination single host 192.168.1.247 (nginx reverse proxy) range 443:443 - advanced in/out LanUp/none
      

      Why doesn't this work?

        Derelict LAYER 8 Netgate

        Not sure what's up with the WAN rule with interface LAN.

        If you want to apply a limiter on downloads from an internal server when connected to from the outside, just put the limiter on the port forward rule on WAN. Downloads will be the OUT direction.

        But that means you're using NAT so if something isn't working you're probably hitting this:

        https://redmine.pfsense.org/issues/4326

        That bug report says traffic stops. I have also seen limiters simply not apply on interfaces after enabling any NAT on them.

        As long as you want to generally limit traffic from the internal server and not give a certain amount to each client, you can probably use HFSC shaping to accomplish your goals. See upperlimit.

        Any limiting functionality in owncloud itself? That's where I'd start.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          linucksrox

          Hah, that explains my predicament (that bug report). Thanks for the quick reply. Originally I thought I should be applying the limiter to the Out side of the WAN rule, but it required me to also apply a limiter to the In side. And you can't use the same limiter. When I applied any limiter to both sides, I ran into the issue where I couldn't access ownCloud at all.

          I think I'll have to go down the traffic shaper route, since I'd rather not put the limit on the server itself (because that also limits the speed within the LAN which I want to avoid if possible).

          I don't understand the traffic shaper wizard though… I have the "option" of choosing a percentage penalty or a specific rate, but then it forces me to choose a percent. And I can only choose between 2% and 15%. 15% of what exactly? Not sure... the documentation doesn't say whether that's 15% of the total or 15% off of the total. My goal is to limit to 3Mbit/s out of approximately 4.3Mbit/s but I can't get anywhere near 70% or 30% to reach that goal. Why are these limits so arbitrary?

          Anyway, that's my rant about the frustrating experience I had with the wizard, but I'm new to all of this so I understand there are probably good reasons for those boundaries.

          So if my goal is to simply limit upload speeds from owncloud to external clients to 3Mbit/s out of 4.3Mbit/s, which wizard should I use and how can I configure the penalty for that?

          Thanks again.

            Derelict LAYER 8 Netgate

            @linucksrox:

            > Hah, that explains my predicament (that bug report). Thanks for the quick reply. Originally I thought I should be applying the limiter to the Out side of the WAN rule, but it required me to also apply a limiter to the In side. And you can't use the same limiter. When I applied any limiter to both sides, I ran into the issue where I couldn't access ownCloud at all.
            >
            > I think I'll have to go down the traffic shaper route, since I'd rather not put the limit on the server itself (because that also limits the speed within the LAN which I want to avoid if possible).

            I was thinking you could only apply it to connections from outside addresses. Never used it. No idea what the capabilities are.

            > I don't understand the traffic shaper wizard though… I have the "option" of choosing a percentage penalty or a specific rate, but then it forces me to choose a percent. And I can only choose between 2% and 15%. 15% of what exactly? Not sure... the documentation doesn't say whether that's 15% of the total or 15% off of the total. My goal is to limit to 3Mbit/s out of approximately 4.3Mbit/s but I can't get anywhere near 70% or 30% to reach that goal. Why are these limits so arbitrary?
            >
            > Anyway, that's my rant about the frustrating experience I had with the wizard, but I'm new to all of this so I understand there are probably good reasons for those boundaries.
            >
            > So if my goal is to simply limit upload speeds from owncloud to external clients to 3Mbit/s out of 4.3Mbit/s, which wizard should I use and how can I configure the penalty for that?
            >
            > Thanks again.

            The wizard gives you a starting point. Use the Multi-LAN/WAN with one interface each.

              linucksrox

              Looks like I'm in for some more research so I can better understand the traffic shaper. I get the impression that it's recommended over limiters, judging by the fact that you have never used them. I'm either waiting to learn how to use the traffic shaper effectively, or waiting for the version of pfsense which fixes that bug.

              In the meantime, I'll revert back to using the limit_rate in my nginx config which applies to everything internally and externally. At least I still have a way to prevent hammering my internet connection with client downloads.

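The trade-off described in the post above (nginx's limit_rate throttling LAN and internet clients alike) can be narrowed inside nginx itself. The following is an added example, not part of the original thread: it assumes the LAN is 192.168.1.0/24 (inferred from the 192.168.1.x hosts mentioned), nginx 1.17.0 or later (needed for a variable in limit_rate), and that WAN clients reach nginx through a plain port forward so $remote_addr is the real client address; the server name, certificate paths and backend address are placeholders.

```nginx
# Added example, not from the thread. Goes in the http {} context.
# Assumed: LAN = 192.168.1.0/24, nginx >= 1.17.0; names and paths are placeholders.

# Classify the client by source address: 1 = local, 0 = internet.
geo $is_lan {
    default         0;
    127.0.0.0/8     1;
    192.168.1.0/24  1;   # assumed LAN subnet
}

# Per-connection response rate in bytes/s. 0 disables the limit.
map $is_lan $dl_rate {
    1  0;      # LAN clients: unthrottled
    0  350k;   # internet clients: roughly 2.9 Mbit/s per connection
}

server {
    listen 443 ssl;
    server_name cloud.example.com;                    # placeholder
    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder

    location / {
        # Let small responses (pages, thumbnails) through at full speed,
        # then throttle the remainder of large downloads.
        limit_rate_after 1m;
        limit_rate       $dl_rate;

        proxy_pass http://192.0.2.10:8080;            # placeholder ownCloud backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

limit_rate is enforced per connection, so this is not an aggregate cap on the WAN uplink: several simultaneous downloads each get the configured rate. A total ceiling still has to come from the firewall's shaper or from also bounding concurrent connections with limit_conn.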
                Derelict LAYER 8 Netgate

                What I have never used is ownCloud.

                Limiters are pretty much broken in pfSense 2.2 and later.
