Traffic Shaping on NATed Servers?

SteveITS

I've only used them occasionally, and on LAN or WAN rules. The docs do say "Limiters may be applied on normal interface rules, or on floating rules. On floating in the out direction, the In/Out selections are flipped conceptually."

AdrianX

@teamits So if I want to limit traffic coming from the outside to my pfsense using public IP 85.1.2.3, I should add floating rule on WAN, destination 85.1.2.3, and select the limiter in "In"? Or am I getting it wrong?

SteveITS

I've not used a limiter on a floating rule, and it's been a long time, since we changed our usage (rsync can limit its own bandwidth). Assuming there's a NAT rule I would have set the limiter for that NAT rule's firewall rule. Per https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html#assigning-and-using-limiters, Out would be leaving the LAN interface towards the web server.

AdrianX

@teamits I tried that, 1Mbp/s filter on Outbound, for a rule in LAN as follows:

I went into that machine and did a speed test, and got

Download: 617.32 Mbit/s

Which means that the limiter is not being applied. How should I do it? Thanks.

SteveITS

@adrianx For a NAT rule to apply (the original question of this thread...?) you'd have to be uploading from outside your network. Are you trying to get all traffic to/from that IP to be limited?

I'd also expect a speed test to be TCP not UDP...? If the rule is showing 0/0B after your test then it's not matching any traffic, so the limiter setting on the rule isn't being applied.

I dug up a location where we do have limiters set, not using NAT. We have them on a LAN rule...as I recall there used to be a problem with limiters on WAN rules not applying but it's been a while. The LAN rule has the limiter/queue set:

...therefore any requests going out are allowed by the rule and the response is handled by the state on the way back in. The LAN rule is set to allow from source [IP] to destination [any].

AdrianX

@teamits So that would limit the traffic going into that internal machine to 15Mbp/s, and the amount of traffic it can send to the outside world to 3Mbp/s, right?

SteveITS

correct

AdrianX

@teamits Thanks! And do you have any pointers on which algorithm to use, like Random Early Detection, etc... for a more fair share of the bandwith for incoming packets?

SteveITS

I do not. :) The docs don't mention that setting. Tail Drop is the default so that's what ours is using.

Limiters don't do anything about "fair" they just create a hard upper limit. Traffic shaping can handle prioritization.

AdrianX

@teamits But they try to fit new packets in the queue by dropping new ones (tail drop) or randomly (Random Early Detection), right? Or I got it wrong?