Netgate Discussion Forum
    Limiting a single LAN IP's WAN traffic [Solved]

      JacktheSmack

      I am trying to limit one IP address on the network to 1 Mbit/s inbound, but the setup I have made after reading some guides doesn't work. I test using www.speedtest.net, and the results always say 3.8Mbit/s.


      ![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)
      limiter.PNG

        Derelict LAYER 8 Netgate

        Get rid of all the rules for this that you've put on WAN.

        Put a rule above your normal pass rule on LAN with a source address of Upstairs and your limiter as the out queue and it'll work.  You'll also need an In queue. I think in this circumstance you can just set In/Out to Upstairs/Upstairs if you want 1Mbit in each direction.  Might be better and more straightforward to make an UpstairsIn and UpstairsOut.

        The limiter is applied to the firewall state when it is created.  I know it's counter-intuitive to put a rule on LAN input to limit LAN output but that's the way it works.

        By the time your WAN port is receiving traffic for the Upstairs destination, the state is already created.

        Another way to do it would be to set the limiters in a floating match rule on WAN out with a source address of Upstairs.  In this case you would put UpstairsOut as the In queue and UpstairsIn as the out queue (Actually since we're changing from In to Out and changing interfaces too, it might be In/Out as UpstairsIn/UpstairsOut on WAN out.  I'd have to test it).  This has the benefit of ONLY setting the limiters and not passing traffic from Upstairs on LAN in a security context.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
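
An added example, not part of the original posts and not pfSense code: a simplified Python model of the point made in the reply above, that limiter queues are fixed when the state is created, so a limiter rule on WAN for traffic to Upstairs is never evaluated for replies to connections Upstairs opened. The addresses, the `Rule`/`Firewall` classes and the assumed shape of the WAN rule are constructed for illustration; NAT and per-interface states are left out.

```python
# Simplified model, not pfSense code: rules are evaluated only for a packet
# that matches no existing state, and the matching rule's limiter queues are
# stored on the state that packet creates.
from dataclasses import dataclass
from typing import Optional

UPSTAIRS = "192.168.1.50"  # constructed address for the Upstairs host
SERVER = "203.0.113.10"    # constructed remote speed-test server

@dataclass(frozen=True)
class Rule:
    iface: str                       # interface the rule sits on
    direction: str                   # "in" or "out" on that interface
    src: Optional[str] = None        # None matches any address
    dst: Optional[str] = None
    in_queue: Optional[str] = None   # limiter for the direction that created the state
    out_queue: Optional[str] = None  # limiter for the reply direction

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}  # frozenset({a, b}) -> (initiator address, rule)

    def limiter_for(self, iface, direction, src, dst):
        """Return the limiter queue applied to this packet, or None."""
        key = frozenset((src, dst))
        if key not in self.states:
            # First packet of a connection: first matching rule wins.
            rule = next((r for r in self.rules
                         if (r.iface, r.direction) == (iface, direction)
                         and r.src in (None, src) and r.dst in (None, dst)), None)
            if rule is None:
                return None  # no rule matched: packet dropped, no state created
            self.states[key] = (src, rule)
        initiator, rule = self.states[key]
        return rule.in_queue if src == initiator else rule.out_queue

LAN_PASS = Rule("lan", "in")  # the normal pass rule on LAN
# Assumed shape of the first attempt: limiter on WAN for traffic to Upstairs.
ON_WAN = [Rule("wan", "in", dst=UPSTAIRS, in_queue="Upstairs", out_queue="Upstairs"), LAN_PASS]
# Suggested in the reply: rule on LAN with source Upstairs, above the pass rule.
ON_LAN = [Rule("lan", "in", src=UPSTAIRS, in_queue="UpstairsIn", out_queue="UpstairsOut"), LAN_PASS]

def download_limiter(fw):
    """Upstairs opens a connection; return the limiter on the download traffic."""
    fw.limiter_for("lan", "in", UPSTAIRS, SERVER)         # request creates the state
    return fw.limiter_for("wan", "in", SERVER, UPSTAIRS)  # reply matches the state
```

In this model `download_limiter(Firewall(ON_WAN))` returns `None` (unlimited) while `download_limiter(Firewall(ON_LAN))` returns `"UpstairsOut"`; swapping the rule list on a firewall that already holds the state changes nothing until a new connection is opened.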

          JacktheSmack

          I tried to set a floating rule but it's still not working. I followed your instructions as exactly as I could:

            Derelict LAYER 8 Netgate

            Change the type to Match, leave the interface on WAN and set the direction to Out.

            The rule will only apply to new connections.

              JacktheSmack

              @Derelict:

              Change the type to Match, leave the interface on WAN and set the direction to Out.

              The rule will only apply to new connections.

              OK So I applied this rule, then I reloaded speedtest.net and still got a 3.8Mbit/s download. I checked the IP address and it is correct. BTW: Thanks for your help so far.

                Derelict LAYER 8 Netgate

                I just put this on mine and it didn't work for me on WAN out so I might have misled you.

                Change the interface to LAN, the direction to In, and the gateway to None.

                  JacktheSmack

                  @Derelict:

                  I just put this on mine and it didn't work for me on WAN out so I might have misled you.

                  Change the interface to LAN, the direction to In, and the gateway to None.

                  Awesome! This worked.

                    Derelict LAYER 8 Netgate

                    Sorry for the error.  Glad it's working.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.