Sharing limiters and child limiters between firewall rules



  • I understand how to create limiters and child limiters, but I have a question regarding sharing a limiter between different rules.

    My scenario:
    I have 3 tenants at my property, who during certain hours hammer my connection with VoIP and streaming usage. I currently have a number of pre-defined limiters set to work with, in granular increments; however, the two limiters I'm using are:

    • Up_3_Mbps (Source address)

      • qUp_3_Mbps (Source address)
    • Down_20_Mbps (Destination address)

      • qDown_20_Mbps (Destination address)

    Each limiter has a child limiter as described above.

    I've made 3 firewall pass rules, with the source being an alias for each tenant's devices. The rules have their In/Out pipes defined to the child limiters described above (qUp_3_Mbps / qDown_20_Mbps).

    The desired effect is to have all 3 tenants share a 20/3 connection, not to give each a separate 20/3 connection.  Am I setting up the rules correctly?

    Kindest regards for your advice!



  • I understand my question may have been answered before, but I'm unable to find a similar thread explaining this, thus the new post.  If someone can off-hand recall a post that answers my question, please kindly link it here.

    Thanks!


  • Netgate

    No, you would not mask on the parent limiters - just the children. Masking on the parent will create a separate pipe for every source/dest IP address.



  • Thanks for your reply Derelict.

    So if I'm understanding you correctly, I should remove the source/destination address mask from the parent limiter (e.g. Up_3_Mbps), and instead set the mask to source on the child limiter (e.g. qUp_3_Mbps).  So in my case, if I use the child limiter qUp_3_Mbps on multiple firewall rules, all those rules share that pipe?  If I let's say create multiple child limiters under the parent (e.g. qUp_3_Mbps_1, qUp_3_Mbps_2, qUp_3_Mbps_3, etc. etc.) then they would all share a single 3 Mbps pipe?


  • Netgate

    That is my understanding, yes. You can put multiple interfaces into the same limiter and they will all share that bandwidth as long as they are not masked.



  • Thank you very much, Derelict, for confirming. I've now adjusted my firewall rules per your suggestion.