Firewall with limiter problem



  • action  proto         source   port  dest         port   gateway  queue  description
    pass    *             *        *     LAN Address  80/22  *        none   Anti-Lockout Rule
    block   IPv6 *        *        *     *            *      *        none   Block IPV6 traffic
    pass    IPv4 *        LAN net  *     *            *      *        none   IMPORTANT: DEFAULT RULE
    pass    IPv4 TCP/UDP  alias_A  *     *            *      *        none   limiter 500Kbit/50Kbit
    pass    IPv4 TCP/UDP  alias_B  *     *            *      *        none   limiter 100Kbit/100Kbit
    pass    IPv4 TCP/UDP  alias_A  *     *            *      *        none   layer7-games
    pass    IPv4 TCP/UDP  alias_B  *     *            *      *        none   layer7-p2p

    I have the above firewall rules.  My problem is that when I place the firewall rule with the limiter above the DEFAULT RULE, I have no internet connection, but the limiter works.  If I put the rule below the DEFAULT RULE, I have an internet connection, but the limiter does not work, so users' traffic exceeds their limits.

    What should I do here?



  • Does this mean that I cannot create another pass rule for the same alias?  Does that mean that if I have to create one pass rule per alias, it should include the limiter and the applicable layer7 setting?



  • Is this thread not getting any reply from the forum members?



  • 1.  Your firewall rules are not easy to read.  Either post an image of them, or use a non-proportional font (like Courier or Teletype) to keep the alignment

    2.  Most of the regulars are from North America.  You posted at 4am with a follow-up at 5am and 8am.  We're barely out of bed by then!

    Firewall rule order is important.  Since you're showing rules that control the LAN interface, you can set your source to * instead of LAN net.  While both should work, I've seen weird things sometimes when not using the wildcard.  Also, the layer-7 stuff doesn't work very well and consumes a lot of CPU in the process, so I would avoid using it.

    You didn't mention which version of pfSense you are using.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Example_basic_configuration

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
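The reply above says rule order is important; the following is an added example, not code from the thread or from pfSense, that makes the ordering half of the question concrete. It is a small first-match evaluator for pfSense-style interface rules, loaded with the LAN rules posted above, and it reports which rule (and therefore which limiter) a packet hits when the limiter rules sit below versus above the DEFAULT RULE. The LAN subnet, the LAN address, the alias members and the packet addresses are constructed for illustration; the evaluator models only which rule matches, not what the limiter's own queue does with the traffic once matched, so it does not reproduce the "no internet with limiter above" symptom.

```python
# Added example, not code from the thread or from pfSense: a first-match
# evaluator for pfSense-style interface rules, used to show which rule (and so
# which limiter) a packet hits under the two orderings discussed in the thread.
# LAN_NET, LAN_ADDRESS and the alias membership below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN subnet
LAN_ADDRESS = "192.168.1.1"              # assumed LAN interface address
ALIASES = {                              # constructed alias membership
    "alias_A": {"192.168.1.10", "192.168.1.11"},
    "alias_B": {"192.168.1.20"},
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    family: str                    # "IPv4", "IPv6" or "*"
    proto: str                     # "TCP/UDP", "TCP", "UDP", "ICMP" or "*"
    source: str                    # alias name, "LAN net" or "*"
    description: str
    dest: str = "*"                # "*" or "LAN Address"
    dports: tuple = ()             # () means any destination port
    limiter: Optional[str] = None  # limiter attached to the rule, if any

    def matches(self, pkt: dict) -> bool:
        if self.family != "*" and self.family != pkt["family"]:
            return False
        if self.proto != "*" and pkt["proto"] not in self.proto.split("/"):
            return False
        if self.dest == "LAN Address" and pkt["dst"] != LAN_ADDRESS:
            return False
        if self.dports and pkt["dport"] not in self.dports:
            return False
        if self.source == "*":
            return True
        if self.source == "LAN net":
            return ip_address(pkt["src"]) in LAN_NET
        return pkt["src"] in ALIASES.get(self.source, set())


# The LAN rules from the thread. The layer7 rows are omitted: for alias traffic
# an earlier rule for the same alias has already matched, so they are not reached.
ANTI_LOCKOUT = Rule("pass", "*", "*", "*", "Anti-Lockout Rule",
                    dest="LAN Address", dports=(80, 22))
BLOCK_V6 = Rule("block", "IPv6", "*", "*", "Block IPV6 traffic")
DEFAULT = Rule("pass", "IPv4", "*", "LAN net", "IMPORTANT: DEFAULT RULE")
LIMIT_A = Rule("pass", "IPv4", "TCP/UDP", "alias_A", "limiter 500Kbit/50Kbit",
               limiter="500Kbit/50Kbit")
LIMIT_B = Rule("pass", "IPv4", "TCP/UDP", "alias_B", "limiter 100Kbit/100Kbit",
               limiter="100Kbit/100Kbit")

LIMITER_BELOW = [ANTI_LOCKOUT, BLOCK_V6, DEFAULT, LIMIT_A, LIMIT_B]  # as posted
LIMITER_ABOVE = [ANTI_LOCKOUT, BLOCK_V6, LIMIT_A, LIMIT_B, DEFAULT]  # limiters moved up

IMPLICIT_DENY = Rule("block", "*", "*", "*", "implicit default deny")


def first_match(rules, pkt):
    """pfSense evaluates interface rules top-down and the first match wins;
    a packet that matches nothing hits the implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return IMPLICIT_DENY


def decide(rules, src, proto, family="IPv4", dst="203.0.113.10", dport=443):
    """Return (action, description, limiter) for one outbound packet."""
    pkt = {"family": family, "proto": proto, "src": src, "dst": dst, "dport": dport}
    rule = first_match(rules, pkt)
    return rule.action, rule.description, rule.limiter


if __name__ == "__main__":
    for name, order in (("limiter below default", LIMITER_BELOW),
                        ("limiter above default", LIMITER_ABOVE)):
        print(name)
        print("  alias_A TCP :", decide(order, "192.168.1.10", "TCP"))
        print("  alias_A ICMP:", decide(order, "192.168.1.10", "ICMP"))
        print("  other host  :", decide(order, "192.168.1.99", "TCP"))
        print("  v6 host     :", decide(order, "fe80::1", "TCP", family="IPv6"))
```

With the limiters below the default rule, alias_A's TCP traffic is answered by "IMPORTANT: DEFAULT RULE" and the limiter rule is never consulted; with them above, the same traffic hits "limiter 500Kbit/50Kbit". The evaluator also shows the gaps a practitioner should expect: ICMP from alias_A falls through to the default rule in either order because the limiter rule only covers TCP/UDP, and a host outside every alias always lands on the default rule.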



  • This is the image of my firewall rules, aligned.

    I need to use the limiter to apply per alias (group of users).




  • Then, for testing purposes, I created a new rule.

    The last rule only includes the limiter.  But with the limiter included, said IP address has no internet connection.  If I remove the limiter from the firewall rule, then there is an internet connection.  The browser says: "This site can't be reached 'website_name' took too long to respond. ERR_CONNECTION_TIMED_OUT"

    Well, I am pursuing this limiter because I need it to limit the traffic rate per alias, and I have seen it done successfully on YouTube: https://www.youtube.com/watch?v=j4CiWvFjMBk




  • I don't have a lot of experience with limiters.  You might get more eyeballs if you post this issue in the Traffic Shaping forum, and post the details of your defined limiter, which are not shown here.  If your rule is the same with only the limiter added, and only then does it not work, there must be a problem with the limiter you defined.

