Limiters do not work with NAT



  • Dear friends of the community:

    I have implemented the bandwidth limiter on my wifi network for upload / download and it works well. I have created the limiter, as a "source address" and mask / 32. Then I limit the bandwidth per host 2 mb.

    My problem arises when I have a web server. It has an ip alias pfsense is 201.217.xxx.xxx and I have a NAT rule that everything that comes to 201.217.xxx.xxx port 80, it redirects to 192.168.0.17.

    Then when someone down a file from the webserver, I consume all the bandwidth. I am applying limiters, but do not work. I have them on the LAN interface created in this way:

    Destination: 192.168.0.17 (webserver)
    TCP
    And limiters in / out.

    The strange thing is that if I do a speed test on the server, speed up and down is limited by the limiter to apply.

    In short, when I make a NAT limiter stops working.

    They would know that is?

    From now I appreciate any information about it.

    Greetings to the community.

    pd: im using pfsense 2.3.2



  • Have you set the limiter on the associated firewall rule that is created when a NAT entry is made?

    • M

  • LAYER 8 Netgate

    That is because limiters are applied when a state is created, which is done on WAN, not on LAN. But due to a long-standing limitation, you cannot place limiters on the same interface as NAT rules.

    Try making a floating rule.

    Action: Match
    Interface: LAN
    Direction: Out
    Source: any
    Destination: 192.168.0.17
    Destination port: 80
    In/Out pipes: Your limiters
    Note than on a rule on an outbound interface the direction is reversed so In will be to the webserver and out will be from the web server. I think. It's confusing. If you get it backwards, flip them.

    Note that that will catch traffic in both directions on inbound connections to your port forwards. You do not need the rules on LAN. If you want connections made BY the web server, not TO the web server to not be limited, just remove the limiters on LAN.

    I do not know for sure if this will escape the NAT+Limiters bugs but I think so. Be sure to use interface LAN (or your web server's interface) direction out.


Log in to reply