Using Limiters To Guarantee Per User Bandwidth Across Multiple Devices



  • My network consists of 1 WAN connection supplying 100 Mega Bits download and 12 Mega Bits upload.

    At any given time I can have up to 8 users each using up to 5 devices (desktops, laptops, tablets, phones, game consoles) connected.

    I would like to use Traffic Shaping Limiters to guarantee that each user across all their devices can use no more than 10 Mega Bits of download and no more than 1 Mega Bit of upload. This will ensure that during peak usage all users will have equal access to the internet. The limiters need only affect traffic coming from Wan->Lan or Lan->Wan; Lan->Lan traffic should be unrestricted.

    About my specific hardware configuration, I have 3 Opt interfaces for the Lan side of things, these interfaces have been bridged, the actual 'bridge interface' is attached to 'Lan' with net.link.bridge.pfil_bridge = 1 and net.link.bridge.pfil_member = 0

    I've gone ahead and grouped each user's devices using a unique Alias and created 2 limiters appropriately named LimitUp and LimitDown. They both use a mask of "Source Addresses" and have the correct bandwidth set.

    I'm confused as to how I'm supposed to set the firewall rules up to actually put the limiters in place..

    For example, I've created a floating rule for my alias as follows:
    Action: Match
    Interface: Lan
    Direction: In
    Protocol: Any
    Source: Single host or alias: Kyle_Devices
    In/Out Pipe: LimitDown/LimitUp

    I've copied this rule for each alias I have set up.

    My question: is this the best way to configure and enable the limiters? Do I need to have 2 rules for each alias since when creating a floating rule with limiters it requires you to select a direction? That makes me think I need 2 rules, 1 for each direction? What is the optimal way to set these limiters up?

    After applying the rules users are no longer able to access any webpages, I saw other posts regarding squid in transparent proxy mode doing this, which I am also using.

    Thank you so much for your time, I really appreciate any help, thank you.



  • I don't use limiters, so I can't speak for them, but HFSC would allow you to guarantee minimum bandwidths while also allowing users to fairly share free bandwidth above their minimums. You can still place upper limits. Say a single user will have at least 1Mb of upload, but can use up to 5Mb if there is that much free. And the other cool thing is that it's evenly divvied based on the ratio of their link-share (minimum).



  • I would love to use traffic shaping but my internet fluctuates too much for me to supply accurate upload and download speeds in the wizard.

    I know how much internet I'm guaranteed, but being cable, if my node is being relatively inactive I can get increased speeds out of nowhere. On top of that they do this boosting thing that increases speed for the first few seconds of a connection. With those two factors I range anywhere from 8-15mb. I want to use the 15mb when it's available! But I can't tell the wizard I've always got 15 'cause that's only 35% of the time. You know?



  • There is no way around that. Traffic shaping requires knowing how much bandwidth you have and bandwidth is not meant to be dynamic.

    I have heard of some Linux firewall distros with scripts that ping a target of your choice, and as the ping goes up, the script modifies your assigned bandwidth to be lower, and as your ping goes back down, it increases your bandwidth up to your set max. This approach can be slow to react, but at least it reacts. The idea is that as available bandwidth goes down, bufferbloat causes pings to increase, giving feedback about load. In theory, it may be possible to do this with pfSense. I'm not sure how much it would like the assigned bandwidth moving all over the place. You also need a reliable target to ping.
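
The latency-feedback idea in the post above, sketched as an added example (not from the thread and not any distro's actual script). It only computes the rate to assign; how that rate is pushed into the shaper is left out, and the thresholds, step sizes and the RTT trace are assumptions, with the 8-15 bounds taken from the range reported earlier in the thread.

```python
from statistics import median

MIN_MBIT, MAX_MBIT = 8.0, 15.0  # the 8-15 range reported in the thread
# Every tuning value below is an assumption for illustration.
BASELINE_WINDOW = 5    # first samples, taken on an idle link, give the baseline
BLOAT_MS = 15.0        # RTT rise over baseline treated as a filling queue
CLEAR_MS = 5.0         # RTT rise below which the link counts as uncongested
DECREASE = 0.8         # multiplicative cut when latency rises
INCREASE_MBIT = 0.5    # additive probe upward while latency stays clean
SMOOTH = 3             # median window, so one late reply does not cut the rate


def next_rate(rate, rtt_ms, baseline_ms):
    """One control step: return the shaper rate (Mbit/s) to apply next."""
    delta = rtt_ms - baseline_ms
    if delta > BLOAT_MS:
        rate *= DECREASE
    elif delta < CLEAR_MS:
        rate += INCREASE_MBIT
    # Between the two thresholds the rate is held to avoid oscillation.
    return round(min(MAX_MBIT, max(MIN_MBIT, rate)), 2)


def run(rtts_ms, start=MAX_MBIT):
    """Replay RTT samples (None = lost ping); return the rate after each."""
    baseline = min(r for r in rtts_ms[:BASELINE_WINDOW] if r is not None)
    rate, window, rates = start, [], []
    for rtt in rtts_ms:
        if rtt is not None:  # a lost ping carries no latency signal: hold
            window = (window + [rtt])[-SMOOTH:]
            rate = next_rate(rate, median(window), baseline)
        rates.append(rate)
    return rates


# Constructed RTT trace in ms: idle, one spike, sustained load, recovery.
SAMPLE = [20, 21, 20, 90, 21, 20, 60, 65, 70, 72, 40, 30, 22, 21, 20, 20]

if __name__ == "__main__":
    for rtt, rate in zip(SAMPLE, run(SAMPLE)):
        print(f"rtt={rtt:>3} ms -> shaper {rate:>5} Mbit/s")
```

The median window is what makes the reaction slow, as the post notes: the single 90 ms spike is ignored, and the rate only drops once two of the last three replies are late.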



  • I sure can feel the pain of variable bandwidth, and to make it more fun I have multiple sources of variable bandwidth, one that seems to have induced latency. I am 5-7ms from the first hop; the tech says from there their ping is 2ms to Google, yet my ping to Google is 27-29ms. I'd just try for 90% of 90%, but if it's a cable system and they power boost, then all bets are off till you figure the power boost curve out.



  • And powerboost only applies to free bandwidth on the node. There is no way for you to know that.

