Netgate Discussion Forum
    Limiters do not work with NAT

    Category: Traffic Shaping
    3 Posts, 3 Posters, 2.6k Views
    erode (original post):

      Dear friends of the community:

      I have implemented the bandwidth limiter on my wifi network for upload / download and it works well. I have created the limiter as a "source address" with mask /32. Then I limit the bandwidth per host to 2 Mb.

      My problem arises when I have a web server. It has an IP alias on pfSense, 201.217.xxx.xxx, and I have a NAT rule that redirects everything that comes to 201.217.xxx.xxx port 80 to 192.168.0.17.

      Then when someone downloads a file from the web server, all the bandwidth is consumed. I am applying limiters, but they do not work. I have them on the LAN interface, created in this way:

      Destination: 192.168.0.17 (webserver)
      TCP
      And limiters in / out.

      The strange thing is that if I do a speed test on the server, the upload and download speed is limited by the limiter I apply.

      In short, when I do NAT, the limiter stops working.

      Would you know why that is?

      I appreciate in advance any information about it.

      Greetings to the community.

      PS: I'm using pfSense 2.3.2

    MMapplebeck:

        Have you set the limiter on the associated firewall rule that is created when a NAT entry is made?

    Derelict (LAYER 8, Netgate):

          That is because limiters are applied when a state is created, which is done on WAN, not on LAN. But due to a long-standing limitation, you cannot place limiters on the same interface as NAT rules.

          Try making a floating rule.

          Action: Match
          Interface: LAN
          Direction: Out
          Source: any
          Destination: 192.168.0.17
          Destination port: 80
          In/Out pipes: Your limiters
          Note that on a rule on an outbound interface the direction is reversed, so In will be to the web server and Out will be from the web server. I think. It's confusing. If you get it backwards, flip them.

          Note that that will catch traffic in both directions on inbound connections to your port forwards. You do not need the rules on LAN. If you want connections made BY the web server, not TO the web server, to not be limited, just remove the limiters on LAN.

          I do not know for sure if this will escape the NAT+Limiters bugs but I think so. Be sure to use interface LAN (or your web server's interface) direction out.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

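The two rule sets discussed in this thread, written out as an added pf/dummynet example (hand-written in FreeBSD pf.conf and dnctl syntax, not the ruleset pfSense generates and not the posters' own configuration): the LAN pass rule from the first post beside the floating match rule the reply describes. The interface name em1, the pipe numbers 1 and 2, the dst-ip mask on the second pipe and the in/out pipe ordering are assumptions.

```pf
# Added example, not from the thread: pf/dummynet rendering of the two rule
# sets. Assumptions: em1 is the LAN interface; pipes 1 and 2 are the limiters.
#
# The limiters themselves (dnctl shell commands, run before loading the rules):
# 2 Mbit/s per host, keyed on a /32 address mask as in the first post. Pipe 2
# keyed on dst-ip so the per-host bucket follows the LAN client in the
# download direction (assumption; the poster keyed both on source address).
#   dnctl pipe 1 config bw 2Mbit/s mask src-ip 0xffffffff
#   dnctl pipe 2 config bw 2Mbit/s mask dst-ip 0xffffffff

# --- What the first post had: a LAN-interface rule carrying the limiters ---
# For a port-forwarded connection the state is created on WAN (rdr + pass),
# so this LAN rule is not the one that creates the state and the pipes never
# get attached to the port-80 flow. Per the reply, the WAN pass rule cannot
# carry the limiters either, because limiters and NAT on the same interface
# do not mix.
pass in on em1 inet proto tcp from any to 192.168.0.17 port 80 \
    keep state dnpipe(1, 2)

# --- What the reply suggests: floating "match" rule, interface LAN, out ---
# Action Match, Interface LAN, Direction Out, Source any,
# Destination 192.168.0.17, Destination port 80, In/Out pipes = the limiters.
# "match" tags the traffic with the pipes without being the pass rule itself.
# On an outbound-interface rule the reply warns the In/Out sense is reversed
# (In = towards the web server, Out = from it); the order below is an
# assumption, and if the measured limits look swapped, swap the two numbers.
match out on em1 inet proto tcp from any to 192.168.0.17 port 80 \
    dnpipe(2, 1)
```

With the floating rule in place the per-interface LAN rule above is not needed; keeping limiters on the LAN rule only matters for connections the web server opens itself.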
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.