Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traffic Shaping on NATed Servers?

    Scheduled Pinned Locked Moved Traffic Shaping
    15 Posts 3 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      netsysad @SteveITS
      last edited by

      @teamits hi mate, apologies if my question is confusing, what I meant is I have a servers that are port-forwarded/NAT and being access by users from the internet. I am looking to limit using Limiters the inbound traffic of these servers accessed by clients and eventually not saturate my bandwidth.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @netsysad
        last edited by

        You can use a limiter (https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html) for this. Note it can only throttle after the traffic arrives at the pfSense though...if traffic from the Internet maxes out your Internet connection, the only way to throttle that is have your ISP do it before they send the packets to you, and that's normally not feasible.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        A 1 Reply Last reply Reply Quote 0
        • A
          AdrianX @SteveITS
          last edited by

          @teamits @netsysad For this, do you use the limiter in a Floating rule on the WAN with destination as the public IP? Or do you put it in the LAN with destination the private IP?

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @AdrianX
            last edited by

            I've only used them occasionally, and on LAN or WAN rules. The docs do say "Limiters may be applied on normal interface rules, or on floating rules. On floating in the out direction, the In/Out selections are flipped conceptually."

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            A 1 Reply Last reply Reply Quote 0
            • A
              AdrianX @SteveITS
              last edited by

              @teamits So if I want to limit traffic coming from the outside to my pfsense using public IP 85.1.2.3, I should add floating rule on WAN, destination 85.1.2.3, and select the limiter in "In"? Or am I getting it wrong?

              S 1 Reply Last reply Reply Quote 0
              • S
                SteveITS Galactic Empire @AdrianX
                last edited by

                I've not used a limiter on a floating rule, and it's been a long time, since we changed our usage (rsync can limit its own bandwidth). Assuming there's a NAT rule I would have set the limiter for that NAT rule's firewall rule. Per https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html#assigning-and-using-limiters, Out would be leaving the LAN interface towards the web server.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote ๐Ÿ‘ helpful posts!

                A 1 Reply Last reply Reply Quote 0
                • A
                  AdrianX @SteveITS
                  last edited by

                  @teamits I tried that, 1Mbp/s filter on Outbound, for a rule in LAN as follows:

                  d7785c987e072e8e86b9962396584a07.png

                  I went into that machine and did a speed test, and got

                  Download: 617.32 Mbit/s

                  Which means that the limiter is not being applied. How should I do it? Thanks.

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    SteveITS Galactic Empire @AdrianX
                    last edited by

                    @adrianx For a NAT rule to apply (the original question of this thread...?) you'd have to be uploading from outside your network. Are you trying to get all traffic to/from that IP to be limited?

                    I'd also expect a speed test to be TCP not UDP...? If the rule is showing 0/0B after your test then it's not matching any traffic, so the limiter setting on the rule isn't being applied.

                    I dug up a location where we do have limiters set, not using NAT. We have them on a LAN rule...as I recall there used to be a problem with limiters on WAN rules not applying but it's been a while. The LAN rule has the limiter/queue set:

                    8d68a037-e787-4045-b954-31a888966878-image.png
                    ...therefore any requests going out are allowed by the rule and the response is handled by the state on the way back in. The LAN rule is set to allow from source [IP] to destination [any].

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote ๐Ÿ‘ helpful posts!

                    A 1 Reply Last reply Reply Quote 0
                    • A
                      AdrianX @SteveITS
                      last edited by

                      @teamits So that would limit the traffic going into that internal machine to 15Mbp/s, and the amount of traffic it can send to the outside world to 3Mbp/s, right?

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        SteveITS Galactic Empire @AdrianX
                        last edited by

                        correct

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote ๐Ÿ‘ helpful posts!

                        A 1 Reply Last reply Reply Quote 1
                        • A
                          AdrianX @SteveITS
                          last edited by

                          @teamits Thanks! And do you have any pointers on which algorithm to use, like Random Early Detection, etc... for a more fair share of the bandwith for incoming packets?

                          S 1 Reply Last reply Reply Quote 0
                          • S
                            SteveITS Galactic Empire @AdrianX
                            last edited by

                            I do not. :) The docs don't mention that setting. Tail Drop is the default so that's what ours is using.

                            Limiters don't do anything about "fair" they just create a hard upper limit. Traffic shaping can handle prioritization.

                            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                            Upvote ๐Ÿ‘ helpful posts!

                            A 1 Reply Last reply Reply Quote 0
                            • A
                              AdrianX @SteveITS
                              last edited by

                              @teamits But they try to fit new packets in the queue by dropping new ones (tail drop) or randomly (Random Early Detection), right? Or I got it wrong?

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.