Netgate Discussion Forum
    Firewall with limiter problem

    genesislubrigas:

      action  proto         source    port  dest         port   gateway  queue  description
      pass    *             *         *     LAN Address  80/22  *        none   Anti-Lockout Rule
      block   IPv6 *        *         *     *            *      *        none   Block IPV6 traffic
      pass    IPv4 *        LAN net   *     *            *      *        none   IMPORTANT: DEFAULT RULE
      pass    IPv4 TCP/UDP  alias_A   *     *            *      *        none   limiter 500Kbit/50Kbit
      pass    IPv4 TCP/UDP  alias_B   *     *            *      *        none   limiter 100Kbit/100Kbit
      pass    IPv4 TCP/UDP  alias_A   *     *            *      *        none   layer7-games
      pass    IPv4 TCP/UDP  alias_B   *     *            *      *        none   layer7-p2p

      I have the above firewall rules.  My problem is that when I place the firewall rule with the limiter above the DEFAULT RULE, I have no internet connection but the limiter works.  If I put the rule below the DEFAULT RULE, I have an internet connection but the limiter does not work, so users' traffic will exceed their limits.

      What should I do here?

      genesislubrigas:

        Does this mean that I cannot create another pass rule for the same alias?  Does that mean that if I have to create one pass rule per alias, it should include both the limiter and the applicable layer7 container?

        genesislubrigas:

          Is this thread not getting any reply from the forum members?

          KOM:

            1.  Your firewall rules are not easy to read.  Either post an image of them, or use a non-proportional font (like Courier or Teletype) to keep the alignment.

            2.  Most of the regulars are from North America.  You posted at 4am with a follow-up at 5am and 8am.  We're barely out of bed by then!

            Firewall rule order is important.  Since you're showing rules that control the LAN interface, you can set your source to * instead of LAN net.  While both should work, I've seen weird things sometimes when not using the wildcard.  Also, the layer-7 stuff doesn't work very well and consumes a lot of CPU in the process so I would avoid using it.

            You didn't mention which version of pfSense you are using.

            https://doc.pfsense.org/index.php/Firewall_Rule_Basics

            https://doc.pfsense.org/index.php/Example_basic_configuration

            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

              genesislubrigas:
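To make the rule-order point concrete, here is an added example (not from this thread and not pfSense code) that simulates pfSense's top-down, first-match evaluation over the LAN rules posted above. The alias contents, the LAN address and the test packet are constructed assumptions; the model only records which rule wins and which limiter it names, so it shows why the limiter rule is never reached below the default rule, not why connectivity is lost when the limiter is attached.

```python
import ipaddress

# Constructed alias contents (assumption: the thread does not show them).
ALIASES = {
    "alias_A": ["192.168.1.10", "192.168.1.11"],
    "alias_B": ["192.168.1.20"],
    "LAN net": ["192.168.1.0/24"],
    "LAN Address": ["192.168.1.1"],
}

def in_alias(name, ip):
    """'*' matches anything; otherwise ip must fall inside an alias member."""
    if name == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in ALIASES[name])

def rule_matches(rule, pkt):
    af_ok = rule["af"] in ("*", pkt["af"])
    proto_ok = rule["proto"] == "*" or pkt["proto"] in rule["proto"].split("/")
    port_ok = rule["dport"] == "*" or str(pkt["dport"]) in rule["dport"].split("/")
    return (af_ok and proto_ok and port_ok
            and in_alias(rule["src"], pkt["src"]) and in_alias(rule["dst"], pkt["dst"]))

def first_match(rules, pkt):
    """pfSense interface rules are evaluated top-down; the first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None  # nothing matched: implicit default deny

def rule(action, af, proto, src, dst, dport, desc, limiter=None):
    return dict(action=action, af=af, proto=proto, src=src, dst=dst,
                dport=dport, desc=desc, limiter=limiter)

# The rules from the opening post, as far as this model represents them.
ANTI_LOCKOUT = rule("pass", "*", "*", "*", "LAN Address", "80/22", "Anti-Lockout Rule")
BLOCK_V6 = rule("block", "IPv6", "*", "*", "*", "*", "Block IPV6 traffic")
DEFAULT = rule("pass", "IPv4", "*", "LAN net", "*", "*", "IMPORTANT: DEFAULT RULE")
LIMIT_A = rule("pass", "IPv4", "TCP/UDP", "alias_A", "*", "*",
               "limiter 500Kbit/50Kbit", limiter="500Kbit/50Kbit")

# Constructed packet: an alias_A host browsing a TEST-NET address over TCP/443.
PKT = {"af": "IPv4", "proto": "TCP", "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 443}

def decide(order, pkt=PKT):
    """Return (description, limiter) of the rule that wins for pkt."""
    hit = first_match(order, pkt)
    return (hit["desc"], hit["limiter"]) if hit else ("default deny", None)

if __name__ == "__main__":
    print("limiter below default:", decide([ANTI_LOCKOUT, BLOCK_V6, DEFAULT, LIMIT_A]))
    print("limiter above default:", decide([ANTI_LOCKOUT, BLOCK_V6, LIMIT_A, DEFAULT]))
```

With the limiter rule below the default rule the alias_A packet is consumed by "IMPORTANT: DEFAULT RULE" and no limiter is ever named; moved above it, the limiter rule wins, which is the ordering the thread is after.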

              This is the image of my firewall rule, aligned.

              I need to use the limiter to apply per alias (group of users).

              [attachment: Untitled.png]

                genesislubrigas:

                Then, for testing purposes, I created a new rule.

                The last rule only includes the limiter.  But with limiter included, said IP address will have no internet connection.  But if I remove the limiter from the firewall rule, then there will be internet connection.  It is saying "This site can’t be reached 'website_name' took too long to respond. ERR_CONNECTION_TIMED_OUT"

                Well, I am pursuing this limiter because I need it to limit the traffic rate per alias, and I have seen on YouTube (https://www.youtube.com/watch?v=j4CiWvFjMBk) that this has been done successfully.

                [attachment: Untitled.png]

                  KOM:

                  I don't have a lot of experience with limiters.  You might get more eyeballs if you post this issue in the Traffic Shaping forum, and post details of your defined limiter, which is not shown here.  If your rule is the same but only the limiter is added, and only then it doesn't work, that means there must be a problem with the limiter you defined.
