Traffic Shaping on NATed Servers?
-
Hi,
is the traffic shaping setup from LAN similar when I want to limit inbound/incoming to a webserver I've port-forwarded or NATed which is located in the WAN interface?
Appreciate if you can point me in to the right direction please. Thank you.
-
Not sure I understand the question...you can have a limiter or shaping on the traffic exiting the LAN interface towards the web server.
If you're trying to shape traffic leaving WAN (upload) you have to tag the traffic because the WAN is after NAT so you can't just match on the private IP: https://docs.netgate.com/pfsense/en/latest/trafficshaper/advanced.html#shaper-rule-matching-tips
-
@teamits hi mate, apologies if my question is confusing, what I meant is I have a servers that are port-forwarded/NAT and being access by users from the internet. I am looking to limit using Limiters the inbound traffic of these servers accessed by clients and eventually not saturate my bandwidth.
-
You can use a limiter (https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html) for this. Note it can only throttle after the traffic arrives at the pfSense though...if traffic from the Internet maxes out your Internet connection, the only way to throttle that is have your ISP do it before they send the packets to you, and that's normally not feasible.
-
@teamits @netsysad For this, do you use the limiter in a Floating rule on the WAN with destination as the public IP? Or do you put it in the LAN with destination the private IP?
-
I've only used them occasionally, and on LAN or WAN rules. The docs do say "Limiters may be applied on normal interface rules, or on floating rules. On floating in the out direction, the In/Out selections are flipped conceptually."
-
@teamits So if I want to limit traffic coming from the outside to my pfsense using public IP 85.1.2.3, I should add floating rule on WAN, destination 85.1.2.3, and select the limiter in "In"? Or am I getting it wrong?
-
I've not used a limiter on a floating rule, and it's been a long time, since we changed our usage (rsync can limit its own bandwidth). Assuming there's a NAT rule I would have set the limiter for that NAT rule's firewall rule. Per https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html#assigning-and-using-limiters, Out would be leaving the LAN interface towards the web server.
-
@teamits I tried that, 1Mbp/s filter on Outbound, for a rule in LAN as follows:
I went into that machine and did a speed test, and got
Download: 617.32 Mbit/s
Which means that the limiter is not being applied. How should I do it? Thanks.
-
@adrianx For a NAT rule to apply (the original question of this thread...?) you'd have to be uploading from outside your network. Are you trying to get all traffic to/from that IP to be limited?
I'd also expect a speed test to be TCP not UDP...? If the rule is showing 0/0B after your test then it's not matching any traffic, so the limiter setting on the rule isn't being applied.
I dug up a location where we do have limiters set, not using NAT. We have them on a LAN rule...as I recall there used to be a problem with limiters on WAN rules not applying but it's been a while. The LAN rule has the limiter/queue set:
...therefore any requests going out are allowed by the rule and the response is handled by the state on the way back in. The LAN rule is set to allow from source [IP] to destination [any]. -
@teamits So that would limit the traffic going into that internal machine to 15Mbp/s, and the amount of traffic it can send to the outside world to 3Mbp/s, right?
-
correct
-
@teamits Thanks! And do you have any pointers on which algorithm to use, like Random Early Detection, etc... for a more fair share of the bandwith for incoming packets?
-
I do not. :) The docs don't mention that setting. Tail Drop is the default so that's what ours is using.
Limiters don't do anything about "fair" they just create a hard upper limit. Traffic shaping can handle prioritization.
-
@teamits But they try to fit new packets in the queue by dropping new ones (tail drop) or randomly (Random Early Detection), right? Or I got it wrong?