Firewall with limiter problem
-
action proto source port dest port gateway queue description
pass * * * LAN Address 80/22 * none Anti-Lockout Rule
block IPv6 * * * * * * none Block IPV6 traffic
pass IPv4 * LAN net * * * * none IMPORTANT: DEFAULT RULE
pass IPv4 TCP/UDP alias_A * * * * none limiter 500Kbit/50Kbit
pass IPv4 TCP/UDP alias_B * * * * none limiter 100Kbit/100Kbit
pass IPv4 TCP/UDP alias_A * * * * none layer7-games
pass IPv4 TCP/UDP alias_B * * * * none layer7-p2pI have the above firewall rule. My problem is that when I placed the firewall rule with limiter above the DEFAULT RULE, then I have no internet connection but the limiter works. If I put the rule below the DEFAULT RULE, then I have internet connection but the limiter does not work thus
users traffic will over pass their limits.What should I do here?
-
does this mean that I cannot create another pass rule for the same alias ? does that mean if I have to create one pass rule for one alias, it should have include the limiter and layer7 applicable ?
-
Is this thread getting no any reply from the forum members ?
-
1. Your firewall rules are not easy to read. Either post an image of them, or use a non-proportional font (like Courier or Teletype) to keep the alignment
2. Most of the regulars are from North America. You posted at 4am with a follow-up at 5am and 8am. We're barely out of bed by then!
Firewall rule order is important. Since you're showing rules that control the LAN interface, you can set your source to ***** instead of LAN net. While both should work, I've seen weird things sometimes when not using the wildcard. Also, the layer-7 stuff doesn't work very well and consumes a lot of CPU in the process so I would avoid using it.
You didn't mention which version of pfSense you are using.
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Example_basic_configuration
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
This is the image of my firewall rule, aligned.
I need to use the limiter to apply per alias (group of users).
-
Then for testing purposes, I created new rule.
The last rule only includes the limiter. But with limiter included, said IP address will have no internet connection. But if I remove the limiter from the firewall rule, then there will be internet connection. It is saying "This site can’t be reached 'website_name' took too long to respond. ERR_CONNECTION_TIMED_OUT"
Well I am pursuing this limiter because I need it to limit traffic rate per alias and I have seen in youtube https://www.youtube.com/watch?v=j4CiWvFjMBk successfully done this.
-
I don't have a lot of experience with limiters. You might get more eyeballs if you post this issue in the Traffic Shaping forum, and post details of your defined limiter which is not shown here. If your rule is the same but only the limiter is added and only then it doesn't work means there must be a problem with the limiter you defined.
