Bandwidth Limiter does not work when Specific Gateway defined under DHCP

sanketgroup

Hello,
I am trying to Limit the bandwidth for users on OPT1 interface.

I have attached screenshots of the settings.

1. Created limits under Firewall / Traffic Shaper / Limiters
2. Created Rule for OPT1 under Firewall / Rules / OPT1 and Selected Limiter under In / Out Pipe.
3. I have Enabled DHCP for OPT1, and have defined specific Gateway IP available on the network for the clients, so traffic goes from that router.

Issue is: If I remove Specific gateway from DHCP then Bandwidth limiter works well. But as soon as I ask DHCP to use another non-PFsense gateway, then it limiter does not work.

Let me know where I am going wrong.

Thanks

Ban

stephenw10

So what is 10.5.20.2?

If that isn't pfSense how does traffic from OPT1 clients ever hit that firewall rule?

The other router forwards it to pfSense? That would be asymmetric unless it's NATing.

If it just goes out to the internet via some other router then it never goes through pfSense. It cannot be limited in pfSense.

Steve

sanketgroup

I thought since DHCP Client gets IP from PFSense and so does gateway to PFSense (10.5.20.1 is PFSense IP on OPT1). So I thought Client goes to 10.5.20.1 PFSense and then PFSense transfer to 10.5.20.2 (Another router on network).

I thought PFSense forwards traffic to other router on OPT2 LAN subnet.
So I guess, I am wrong there.

stephenw10

Indeed that's not what happens. pfSense passes that gateway to the client via DHCP and then that client uses it directly. Traffic does not pass through pfSense unless that other router is sending it.

What is that other router? Why are you sending traffic to it?

You may be able to change how that is connected do traffic can be limited. By connecting that router on a separate pfSense interface for example.

Steve

sanketgroup

That other router is UTM and we do not have much access/control to it.
Since I cannot set anything for bandwidth control on that UTM Router, i thought lets transfer traffic thru PFSense.

If I set client gateway to PFSense, is it possible PFSense can forward those internet access traffic to UTM router?
Is it possible thru Rules?

stephenw10

Yes, but it would be better to have it in a separate subnet.

Does pfSense have a separate internet connection that is not through the UTM device?

sanketgroup

Yes, PFSense has separate external IP, and UTM has separate External IP.
Means, If UTM is down, PFSense does not have any issue. It has it's own Internet IP.

i.e
PFSense External IP: 202.xxx.xxx.180
UTM External IP: 202.xxx.xxx.181

stephenw10

Ok, so what do you actually need to happen here? Traffic must go via the UTM? Unless it goes down?

Do you really have no access to the UTM?

sanketgroup

No, I don't have full access to UTM, and even if I had it does not facilitate bandwidth control and some other features which only PFSense has.
So I prefer PFSense but for Internet for OPT1 subnet clients should go via UTM

What I want:

PFSense OPT1: Clients shall get internet access from UTM on same internal subnet (10.5.20.x)
PFSense LAN1: Clients shall get internet from PFSense it self (working well) (192.168.2.x)

johnpoz

Well the only way to route your traffic through pfsense and use utm for internet.. Would be to connect that UTM via a transit network on pfsense.

Then route it through, then you could do bandwidth limits..

sanketgroup

Can you pls guide me how to set transit network in PFSense ?
I have never done it.

Pls guide.

johnpoz

Its just another network that connects to the UTM that there are no hosts on.. It not different than any other network..

I take it you can not edit that 10.5.20 network on the UTM, or add another network on the UTM for your transit.. So use it as the transit

And move your devices currently on your opt1 interface to another network.

And that utm is prob not going to nat some other network? So just do natting to this network via pfsense. So utm sees all traffic as coming from pfsense IP in the 10.5.20 network.

sanketgroup

Is there any tutorial for Creating Transit Network on PFSense, I have never done it.
Conceptually I i understood your method but do not know how to program it in PFSense.

I am beginner when it comes to rules and transit network.

johnpoz

Did you create the network on opt1? Its no different..

Do you have another interface to use on pfsense, will you be using vlans via a switch?

sanketgroup

@johnpoz said in Bandwidth Limiter does not work when Specific Gateway defined under DHCP:

Do you have another interface to use on pfsense, will you be using vlans via a switch?

I don't have extra interface. I guess I have to create VLAN interface in that case, correct?

Lets say OPT2 with (192.168.0) and then create rule same as OPT1? Pass any source any destination any protocol?

So, IP of 3 interface would be
LAN1: 192.168.1.1/24
OPT1: 10.5.20.1/24
OPT2: 192.168.0.1/24

setup OPT2 DHCP and clients get IP with 192.168.0.1 gateway.

Then any rule or NAT to transfer OPT2 traffic to OPT1 UTM?

sanketgroup

@johnpoz
Can you pls guide for above?
Thanks

stephenw10

Yes. You will need to policy route that traffic to the UTM gateway though as well.

You could also use a failover gateway group so it client still have access if the UTM fails if needed:
https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html

Steve

johnpoz

@sanketgroup said in Bandwidth Limiter does not work when Specific Gateway defined under DHCP:

Then any rule or NAT to transfer OPT2 traffic to OPT1 UTM?

Policy route would be needed to send them out the utm, whoever you want to go there be it lan or opt1 network.

As to outbound natting the traffic - would depend if utm is going to nat them out to the internet, do you have access to utm to setup the return route. If not then yeah you would have to nat.

stephenw10

Yup it would be much nicer to NAT in the UTM so that it can see the internal client IPs and filter/log accordingly. But to do that you would need to add a static route to the UTM and if you have no access that's not an option.

Steve

sanketgroup

I tried to create rule as shown in screenshot below.
But still DHCP clients on OPT1 are getting internet from PFSense instead of UTM.

DHCP Clients and UTM are on subnet.

PFSense DHCP Clients: 10.5.20.50-100
UTM: 10.5.20.2 (And it does NAT)

i.e if I manual type in gateway as 10.5.20.2 (UTM IP) clients get Internet from UTM.
But PFSense DHCP clients get internet from PFSense even after rules shown in Scerenshot.

I might be wrong with rules. Pls guide.

Thanks