1. Home
  2. pfSense® Software
  3. Traffic Shaping
  4. Limiters do not work with NAT

Limiters do not work with NAT

  • E

    Dear friends of the community:

    I have implemented the bandwidth limiter on my wifi network for upload / download and it works well. I have created the limiter, as a "source address" and mask / 32. Then I limit the bandwidth per host 2 mb.

    My problem arises when I have a web server. It has an ip alias pfsense is 201.217.xxx.xxx and I have a NAT rule that everything that comes to 201.217.xxx.xxx port 80, it redirects to 192.168.0.17.

    Then when someone down a file from the webserver, I consume all the bandwidth. I am applying limiters, but do not work. I have them on the LAN interface created in this way:

    Destination: 192.168.0.17 (webserver)
    TCP
    And limiters in / out.

    The strange thing is that if I do a speed test on the server, speed up and down is limited by the limiter to apply.

    In short, when I make a NAT limiter stops working.

    They would know that is?

    From now I appreciate any information about it.

    Greetings to the community.

    pd: im using pfsense 2.3.2

    0
  • MMapplebeck

    Have you set the limiter on the associated firewall rule that is created when a NAT entry is made?

    • M
    0
  • Derelict
    LAYER 8 Netgate

    That is because limiters are applied when a state is created, which is done on WAN, not on LAN. But due to a long-standing limitation, you cannot place limiters on the same interface as NAT rules.

    Try making a floating rule.

    Action: Match
    Interface: LAN
    Direction: Out
    Source: any
    Destination: 192.168.0.17
    Destination port: 80
    In/Out pipes: Your limiters
    Note than on a rule on an outbound interface the direction is reversed so In will be to the webserver and out will be from the web server. I think. It's confusing. If you get it backwards, flip them.

    Note that that will catch traffic in both directions on inbound connections to your port forwards. You do not need the rules on LAN. If you want connections made BY the web server, not TO the web server to not be limited, just remove the limiters on LAN.

    I do not know for sure if this will escape the NAT+Limiters bugs but I think so. Be sure to use interface LAN (or your web server's interface) direction out.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy