Netgate Discussion Forum

    Per IP traffic shaping–share bandwith evenly between IP addresses??

    • DerelictD
      Derelict LAYER 8 Netgate

      Looks fine.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • C
        clacker

        Just wanted to say a big thank you to foxale08!

        I had set up the limiter pretty much as he had with the exception of the source mask… did that and perfectly even sharing on 2.3.4-RELEASE-p1 (amd64).

        Almost brought a tear to my eye running speedtest on 3 devices and seeing the traffic graph stats so consistent between them.

        • B
          belt9

          https://forum.pfsense.org/index.php?topic=126637.0

          Read this thread, pfSense 2.4 has fq_codel (via CLI / shellcmd) for limiters.

          What this means to you is that it will do exactly what you described in Monowall, but better. It will keep your latency low when the network is slammed.

          • 6
            6bizkit9

            @foxale08:

            continued 3

            Hi,

            I am new to pfsense. Just wanted to have clarification regarding foxale08 config.

            I have a 50 mbps internet connection single ISP. I created a limiter and rules to control the traffic to browsing ports (HTTP, HTTPS etc.) I set it up to 30 mbps for bandwidth pool.

            I altered the default LAN rule based on foxale08 instruction which I created a limiter and rules to 50 mbps this is to maximize and share bandwidth evenly.

            I didn't assign the remaining 20 mbps to limiter and left it as is, since gaming is not in browsing ports.

            My expected result:

            Browsing user1, user2, user3,…= share 30 mbps bandwidth
            Gaming user1, user2, user3... = will share 20 mbps bandwidth
            Total bandwidth used = 50 mbps. Using foxale08 config bandwidth will share evenly.

            Now I just wanted to know if this set up is possible or which rules should go on top?

            • DerelictD
              Derelict LAYER 8 Netgate

              Gaming will have access to all 50Mbit. If you want that behavior then you will have to make a 20Mbit limiter for the gaming traffic.

              • F
                fsr

                I wanted to thank foxale08 for the tutorial images he posted on the first page of this thread. Probably one of the most useful posts on the forum.

                I configured this in 2.4.3-RELEASE (amd64), with 3 local adapters and one WAN adapter, and works perfectly.

                Now, all the bandwidth is available to any computer, and if it hits the limit, it shares it in a very fair way. Heavy downloads can coexist with normal navigation without any problems, and the bandwidth is used very efficiently all the time.

                • R
                  rivasa

                  Would someone please help in resubmitting @foxale08's solution. It seems to have disappeared from the feed (or at least I can't see it).

                  Thanks

                  • R
                    rnmkr @rivasa

                    @rivasa said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                    Would someone please help in resubmitting @foxale08's solution. It seems to have disappeared from the feed (or at least I can't see it).

                    Thanks

                    Oh yes please. Someone update @foxale08's solution please.

                    @fsr said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                    I wanted to thank foxale08 for the tutorial images he posted on the first page of this thread. Probably one of the most useful posts on the forum.

                    I configured this in 2.4.3-RELEASE (amd64), with 3 local adapters and one WAN adapter, and works perfectly.

                    Now, all the bandwidth is available to any computer, and if it hits the limit, it shares it in a very fair way. Heavy downloads can coexist with normal navigation without any problems, and the bandwidth is used very efficiently all the time.

                    Would you mind sharing your configuration?

                    • F
                      fsr

                      My configuration is as follows:

                      You need to create two limiters. One for Download and one for Upload. The mask should be set to "none". The Bandwidth Limit of both should be set to the bandwidth of your connection.

                      Now, inside of the Download Limiter, you add a queue. The mask should be "Destination Address". The IPv4 mask bits will be 32 (i don't use IPv6, but it's set as 128 mask bits by default).

                      In my case, i had 3 internal adapters, so i added one queue for every adapter under the Download Limiter.

                      If you set this right, the screen will show the Download Limiter as a folder, and the queue(s) under it, something like this:

                      alt text

                      You then add queue(s) for the Upload Limiter. This is almost identical to the download queues, but you choose "Source Addresses" as the mask.

                      Finally, you need to add rules to link traffic to every queue. For example, my rule for the LAN adapter looks like this:

                      It's a floating rule.
                      Action: Match
                      Direction: in
                      Address Family: IPv4
                      Protocol: any
                      Source: LAN net
                      Destination: (NOT your internal networks)
                      In/Out Pipe: Lan Upload Queue / Lan Download Queue

                      For additional adapters, just add additional rules, with the corresponding Source.

                      That's it.
                      Regards.

                      • K
                        kenpachizaraki @fsr

                        @fsr @foxale08 thanks for the guide, I was able to fairly share bandwidth among users.
                        I'm reviving an old thread. :)

                        I would just like to know what the correct setup would be if I'm using VLANs.
                        A sample is below.

                        ISP1 --- 20Mbps
                        Vlan1 --- HR
                        Vlan2 --- Admin

                        I created the limiter below.
                        LAN_Upload -- 18Mbps -- Mask = None
                        *** HR_Upload -- Mask = Source
                        *** Admin_Upload --- Mask = Source

                        LAN_Download -- 18Mbps -- Mask = None
                        *** HR_Download -- Mask = Destination
                        *** Admin_Download --- Mask = Destination

                        Firewall > Rules :
                        Vlan1 > In/Out = HR_Upload / HR_Download
                        Vlan2 > In/Out = Admin_Upload / Admin_Download

                        Or I can just use one queue for Vlan1 and Vlan2 since it only has one gateway?
                        Like one below :

                        LAN_Upload -- 18Mbps -- Mask = None
                        *** Lan_Upload -- Mask = Source

                        LAN_Download -- 18Mbps -- Mask = None
                        *** Lan_Download -- Mask = Destination

                        Firewall > Rules :
                        Vlan1 > In/Out = Lan_Upload / Lan_Download
                        Vlan2 > In/Out = Lan_Upload / Lan_Download

                        • F
                          fsr @kenpachizaraki

                          @kenpachizaraki said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                          @fsr @foxale08 thanks for the guide i was able to fairly share bandwidth among users.
                          [...]

                          Sorry, i never tried that. I just followed foxale08's instructions. But your idea looks like it could work, if you make rules to send traffic from every vlan to the same queue, or maybe even a single rule that will send traffic from all vlans to the same queue.

                          Just a note: i used the IN direction for the floating rules, because the in/out pipe says that "If creating a floating rule, if the direction is In then the same rules apply, if the direction is Out the selections are reversed, Out is for incoming and In is for outgoing". It seemed to me like it could cause trouble if i left the direction as "any". Not too sure how "source" and "destination" work if i leave the direction as "any" either. The pipes seem to work well in this way, however. Floating rules can be quite confusing 🤔

                          • K
                            kenpachizaraki @fsr

                            @fsr thanks. I'm not using floating rules.
                            I'm applying the rules per vlan.
                            I'll try to send all traffic to one queue since it will send the traffic to one parent limiter only.

                            • F
                              fsr

                              I tried to change the limiter's scheduler to FQ_CODEL, and that seems to completely break the child queues. Going to "limiter info" shows the queues to be empty, instead of the normal lists filtered by IP.

                              Going back to the default scheduler restores normal queue functionality.

                              Is this a bug in FQ_CODEL ?

                              • ?
                                A Former User @fsr

                                @fsr said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                My configuration is as follows:

                                You need to create two limiters. One for Download and one for Upload. The mask should be set to "none". The Bandwidth Limit of both should be set to the bandwidth of your connection.

                                Now, inside of the Download Limiter, you add a queue. The mask should be "Destination Address". The IPv4 mask bits will be 32 (i don't use IPv6, but it's set as 128 mask bits by default).

                                In my case, i had 3 internal adapters, so i added one queue for every adapter under the Download Limiter.

                                If you set this right, the screen will show the Download Limiter as a folder, and the queue(s) under it, something like this:

                                alt text

                                You then add queue(s) for the Upload Limiter. This is almost identical to the download queues, but you choose "Source Addresses" as the mask.

                                Finally, you need to add rules to link traffic to every queue. For example, my rule for the LAN adapter looks like this:

                                It's a floating rule.
                                Action: Match
                                Direction: in
                                Address Family: IPv4
                                Protocol: any
                                Source: LAN net
                                Destination: (NOT your internal networks)
                                In/Out Pipe: Lan Upload Queue / Lan Download Queue

                                For additional adapters, just add additional rules, with the corresponding Source.

                                That's it.
                                Regards.

                                is this working in 2.4.4 p3 version?

                                Destination: (NOT your internal networks)
                                

                                do you have screenshot for this for the settings? thanks!

                                • F
                                  fsr @A Former User

                                  @dyobetem sorry, i can't take a screenshot right now, and probably won't be of much help, but the explanation is easy: the destination for the floating rule that limits the traffic would be INTERNET, but as there is no built-in network in pfsense that means INTERNET, you have to define it some other way. If you only have the LAN as your internal network, you just select "LAN network" as the destination for this firewall rule, and then check the "not" checkbox next to it. So, the rule to limit traffic will be applied to all traffic from LAN and going outside the LAN (which will be the INTERNET in this case).
                                  If you had multiple internal networks/adapters, you would create an alias with all your internal networks (let's name it INTERNAL), then instead of using NOT LAN as the destination, you use NOT INTERNAL. Whatever way you have of telling the router to apply the rule to traffic going to the internet.

                                  This continues to work, if you create the limiters and keep the default schedulers.

                                  I hope that helps.
                                  Regards.

                                  • ?
                                    A Former User @fsr

                                    @fsr

                                    it seems my limiter is working now (shared bandwidth) for lan and wifi. i set my rules in (lan/wifi), (not in floating rules).
                                    is this ok?

                                    alt text

                                    • ?
                                      A Former User @fsr

                                      @fsr said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                      I tried to change the limiter's scheduler to FQ_CODEL, and that seems to completely break the child queues. Going to "limiter info" shows the queues to be empty, instead of the normal lists filtered by IP.

                                      Going back to the default scheduler restores normal queue functionality.

                                      Is this a bug in FQ_CODEL ?

                                      tried this scheduler also, same result as yours.

                                      • F
                                        fsr @A Former User

                                        @dyobetem said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                        @fsr

                                        it seems my limiter is working now (shared bandwidth) for lan and wifi. i set my rules in (lan/wifi), (not in floating rules).
                                        is this ok?

                                        alt text

                                        If your wifi and lan both go out to the same wan connection, you should make only one download limiter and then add a queue under that limiter for lan and for wifi. Take a look at my image above. When modifying limiters, i suggest that you reboot the firewall.
                                        The same for the upload limiter: one upload limiter, and two queues under it (one for lan, the other for wifi).
                                        You can use either a floating rule, or rules in every internal adapter. The last method requires more rules to be created, but is easier to implement, as floating rules are more complex.

                                        • ?
                                          A Former User @fsr

                                          @fsr said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                          @dyobetem said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                          @fsr

                                          it seems my limiter is working now (shared bandwidth) for lan and wifi. i set my rules in (lan/wifi), (not in floating rules).
                                          is this ok?

                                          alt text

                                          If your wifi and lan both go out to the same wan connection, you should make only one download limiter and then add a queue under that limiter for lan and for wifi. Take a look at my image above. When modifying limiters, i suggest that you reboot the firewall.
                                          The same for the upload limiter: one upload limiter, and two queues under it (one for lan, the other for wifi).
                                          You can use either a floating rule, or rules in every internal adapter. The last method requires more rules to be created, but is easier to implement, as floating rules are more complex.

                                          i see, but how can i set a separate bandwidth limit for my wifi(captive portal)? i want to set a speed limit of 10mbps for download and 4mbps for upload for my lan network and another 10mbps for download and 4mbps also for upload for wifi(captive portal). I want every user in each interface to share the bandwidth I've set rather than setting a limit per IP.

                                          My ISP's bandwidth is 25mbps for download and 10Mbps for upload.

                                          thanks!

                                          • F
                                            fsr @A Former User

                                            @dyobetem said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                            @fsr said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                            @dyobetem said in Per IP traffic shaping–share bandwith evenly between IP addresses??:

                                            @fsr

                                            it seems my limiter is working now (shared bandwidth) for lan and wifi. i set my rules in (lan/wifi), (not in floating rules).
                                            is this ok?

                                            alt text

                                            If your wifi and lan both go out to the same wan connection, you should make only one download limiter and then add a queue under that limiter for lan and for wifi. Take a look at my image above. When modifying limiters, i suggest that you reboot the firewall.
                                            The same for the upload limiter: one upload limiter, and two queues under it (one for lan, the other for wifi).
                                            You can use either a floating rule, or rules in every internal adapter. The last method requires more rules to be created, but is easier to implement, as floating rules are more complex.

                                            i see, but how can i set a separate bandwidth limit for my wifi(captive portal)? i want to set a speed limit of 10mbps for download and 4mbps for upload for my lan network and another 10mbps for download and 4mbps also for upload for wifi(captive portal). I want every user in each interface to share the bandwidth I've set rather than setting a limit per IP.

                                            My ISP's bandwidth is 25mbps for download and 10Mbps for upload.

                                            thanks!

                                            As you need different limits for every adapter, then you would need to create a download and upload limiter for every interface. A limiter is just a way to limit the amount of BW of any traffic that you want to send thru it.

                                            For example, you could create 4 limiters:

                                            DL_lan (10 M)
                                            UL_lan (4 M)
                                            DL_wifi (10 M)
                                            UL_wifi (4 M)

                                            Then, you assign those limiters by using rules, and if done right, LAN will only download up to 10 Mbps, and upload up to 4 Mbps, and the same for WIFI. You need to create one queue inside each limiter and set masks on the queues, not on the limiters themselves. At least that's how i have it configured, and it works fine like that, at least with the default queue options (scheduler, etc). The mask on the download queues would be set as "Destination addresses", and 32 bits (so that every IP will be considered individually, and the traffic is shared fairly for every IP). The mask on the upload queues would be set as "Source addresses", and 32 bits also.

                                            But why not just have only one download limiter and one upload limiter with 20 M / 8 M, and use them for both LAN and WIFI traffic? That way, every IP of either adapter could potentially access all available bandwidth, instead of half of it.

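Added example (not part of any post in this thread, and not pfSense or dummynet code): an idealized model of the two download designs discussed above, the separate per-interface limiters DL_lan / DL_wifi and a single limiter shared by both interfaces with per-IP child queues. It assumes equal-weight per-IP queues split a saturated limiter max-min fairly; the name DL_shared, the host addresses and the demands are constructed for illustration.

```python
"""Idealized model of per-IP fair sharing inside a limiter (added example)."""


def max_min_share(capacity, demands):
    """Water-filling: split `capacity` (Mbit/s) among hosts by demand.

    demands: dict host -> offered load in Mbit/s. Hosts that want less than
    an equal share keep their demand; the leftover is re-divided among the
    hosts that are still hungry.
    """
    alloc = {}
    remaining = float(capacity)
    pending = dict(demands)
    while pending:
        share = remaining / len(pending)
        satisfied = {h: d for h, d in pending.items() if d <= share}
        if not satisfied:
            # Every remaining host wants more than an equal share: cap them all.
            for host in pending:
                alloc[host] = share
            break
        for host, demand in satisfied.items():
            alloc[host] = float(demand)
            remaining -= demand
            del pending[host]
    return alloc


def shape(design, hosts):
    """Apply a design to hosts and return ip -> granted Mbit/s.

    design: (limiters, rules) where limiters maps limiter name -> capacity
            and rules maps interface -> limiter name (the firewall rules).
    hosts:  ip -> (interface, demand in Mbit/s).
    """
    limiters, rules = design
    result = {}
    for name, capacity in limiters.items():
        members = {ip: d for ip, (iface, d) in hosts.items()
                   if rules[iface] == name}
        result.update(max_min_share(capacity, members))
    return result


# Constructed sample traffic (not taken from the thread).
HOSTS = {
    "192.168.1.10": ("lan", 50.0),   # heavy download
    "192.168.1.11": ("lan", 2.0),    # light browsing
    "192.168.2.20": ("wifi", 3.0),   # light browsing
}

# Design 1: one 10 Mbit/s download limiter per interface.
SEPARATE = ({"DL_lan": 10, "DL_wifi": 10},
            {"lan": "DL_lan", "wifi": "DL_wifi"})

# Design 2: a single 20 Mbit/s download limiter used by both interfaces
# (DL_shared is a hypothetical name).
SHARED = ({"DL_shared": 20},
          {"lan": "DL_shared", "wifi": "DL_shared"})

if __name__ == "__main__":
    for label, design in (("separate", SEPARATE), ("shared", SHARED)):
        grants = shape(design, HOSTS)
        print(label, grants, "total:", sum(grants.values()))
```

With the separate limiters the heavy LAN host is held to 8 Mbit/s while 7 Mbit/s of the WIFI limiter sits idle; with the shared limiter it gets 15 Mbit/s and the light hosts are still fully served.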
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.