freeradius limit speed per user

ed-tech

Hi there, i am trying to setup speed limit per user with freeradius, i did put the limit to Traffic and Bandwidth but it does not work, users still get full speed. Is there any specific configuration that i need to make ?

Gertjan

Hi,

Limits me to 5 Mbits up, and 5 Mbits down. A speed test confirmed these numbers.
And 4096 Mbytes traffic (up and down combined) per day (not related here but believe me, after 4 G bytes I'm thrown off the portal).

Check : my device uses IP 192.168.2.75 :

ipfw table all list
......
--- table(cpzone1_auth_up), set(0) ---
192.168.2.75/32 02:81:5f:85:a4:a0 2018 7397 10202718 1606236310
.......
--- table(cpzone1_auth_down), set(0) ---
192.168.2.75/32 2019 4776 490820 1606236245
.......

Rule numbers are 2018 and 2019.

Back in the GUI :

ed-tech

I know that it works with captive portal but i dont want to use captive portal, i just want to use freeradius and my client to connect with pppoe

stephenw10

So you are using the PPPoE server in pfSense authenticating against Freeadius also in pfSense?

Anything logged that shows it might be trying to use the values?

Steve

ed-tech

yes i have enable pppoe server that redirects client to freeradius in pfsense. Here are the information from clients config :
/usr/local/etc/raddb/users

"test" Cleartext-Password := "test"

WISPr-Bandwidth-Max-Up := 1000000,
WISPr-Bandwidth-Max-Down := 1000000,
WISPr-Redirection-URL := http://www.google.com,
pfSense-Max-Total-Octets := 5242880000,

Exec-Program-Wait = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh test monthly"

Gertjan

@edmond said in freeradius limit speed per user:

WISPr-Bandwidth-Max-Up := 1000000,
WISPr-Bandwidth-Max-Down := 1000000,

That's what the Freeradius package from pfSense, the GUI, uses as it's config file. What you see on screen is used to build a users.conf file.
Do what I did : look at a firewall level, see if you can find how authorized users are able to pass through. Is pppoe using firewall rules for this ? Is it using limiters or something like that ? Etc.

ed-tech

in the firewall rule PPPoe Server tab i have pppoe client as Source, i dont have any limiter, no idea how to make it work

Gertjan

As far as I know, the pfSense Freeradius package is build to support some option that are made available to the captive portal part of pfSense.
The captive portal makes us of a second firewall, ipfw, in extension to the default pf firewall, the one you can manipulate using the GUI.

(Free)Radius can only do one thing : depending on its input parameters, it can say yes or no. Often used as "access" or "no access". Glue code is needed to open a door, or maintain a firewall rule and a rate a limiter.
It's very possible that the rate limiting you look for isn't implemented in the pppoe server when access is granted using the freeradius package.

I hope some one can proof me wrong. I'm not using the pppoe server myself.

ed-tech

i just want to control the speed of my client based on username so the only way to do that i think its with pppoe

ed-tech

this is how i made it to work for now: In captive protal add mac address for that user and speed limit (not sure why it only works with mac adress), in free radius Users the Amount of Download and Upload Traffic works but the speed limit is not working. So the speed limit works with captive protal and the amount of traffic works in freeradius Users

Gertjan

If you do not have many users, and every user has it's own access firewall rule, you could add - manually - to each rule a 'pipe' that controls the speed of that user.

stephenw10

mpd5 should do the rate limiting here as long as it's passed the correct attributes by radius.
For example: https://forum.netgate.com/topic/141034/rate-limit-on-radius-reply-attributes-for-pppoe-connections-not-working

I was pretty sure I had tested this at some point but looking back I may only have tested radius accounting.

Steve

ed-tech

Its interesting because when i add a mac address from freeradius for a user with speed limit here is what is see on the LIMITER INFO: Limiters: No limiters were found on this system. But when i add a mac address on the captive portal with speed limit here is what i see on the LIMITER INFO: Limiters:
02002: 1.700 Mbit/s 0 ms burst 0
q133074 100 sl. 0 flows (1 buckets) sched 67538 weight 0 lmax 0 pri 0 droptail
sched 67538 type FIFO flags 0x0 16 buckets 0 active
02003: 1.700 Mbit/s 0 ms burst 0
q133075 100 sl. 0 flows (1 buckets) sched 67539 weight 0 lmax 0 pri 0 droptail
sched 67539 type FIFO flags 0x0 16 buckets 0 active
I dont know why it works with captive portal and not with freeradius

ed-tech

@stephenw10 so it looks like it needs some modification to work, now its working with those modifications

stephenw10

You have tested that and it's working for you?

Seems like we would only need that dictionary file added to Freeradius.

Steve

ed-tech

Yes its working for me

stephenw10

Ah good to hear!

stephenw10

Opened a feature request: https://redmine.pfsense.org/issues/11102

Add a comments there if more is needed.

Steve