    Sharing limiters and child limiters between firewall rules

    • G
      grdk
      last edited by

      I understand how to create limiters and child limiters, but I have a question regarding sharing a limiter between different rules.

      My scenario:
      I have 3 tenants at my property, who during certain hours hammer my connection with VoIP and streaming usage. I currently have a number of pre-defined limiters set to work with, in granular increments, however the two limiters I'm using are –

      • Up_3_Mbps (Source address)

        • qUp_3_Mbps (Source address)
      • Down_20_Mbps (Destination address)

        • qDown_20_Mbps (Destination address)

      Each limiter has a child limiter as described above.

      I've made 3 firewall pass rules, with the source being an alias for each tenant's devices. The rules have their In/Out pipes defined to the child limiters described above (qUp_3_Mbps / qDown_20_Mbps).

      The desired effect is to have all 3 tenants share a 20/3 connection, not to give each a separate 20/3 connection. Am I setting up the rules correctly?

      Kindest regards for your advice!

      • G
        grdk
        last edited by

        I understand my question may have been answered before, but I'm unable to find a similar thread explaining this, thus the new post. If someone can off-hand recall a post that answers my question, please kindly link it here.

        Thanks!

        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          No, you would not mask on the parent limiters - just the children. Masking on the parent will create a separate pipe for every source/dest IP address.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • G
            grdk
            last edited by

            Thanks for your reply Derelict.

            So if I'm understanding you correctly, I should remove the source/destination address mask from the parent limiter (e.g. Up_3_Mbps), and instead set the mask to source on the child limiter (e.g. qUp_3_Mbps). So in my case, if I use the child limiter qUp_3_Mbps on multiple firewall rules, all those rules share that pipe? If I, let's say, create multiple child limiters under the parent (e.g. qUp_3_Mbps_1, qUp_3_Mbps_2, qUp_3_Mbps_3, etc. etc.) then they would all share a single 3 Mbps pipe?

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              That is my understanding, yes. You can put multiple interfaces into the same limiter and they will all share that bandwidth as long as they are not masked.

              • G
                grdk
                last edited by

                Thank you very much, Derelict, for confirming. I've now adjusted my firewall rules per your suggestion.

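A simplified model of the masking behaviour discussed in this thread, as an added example that is not part of the original posts: a mask on the parent limiter yields one full-rate pipe per address bucket, while a mask only on the child yields per-address queues inside one shared pipe. The function names, the sample addresses, IPv4-only handling, equal queue weights and the assumption that every host is saturating the link are all assumptions of this sketch.

```python
from collections import defaultdict
from ipaddress import ip_address


def bucket(ip, mask_bits):
    """Flow key in this model: the address ANDed with the mask (0 bits = unmasked)."""
    if mask_bits == 0:
        return 0
    mask = (0xFFFFFFFF << (32 - mask_bits)) & 0xFFFFFFFF
    return int(ip_address(ip)) & mask


def per_host_mbps(active_hosts, bw_mbps, pipe_mask_bits=0, queue_mask_bits=0):
    """Rate each saturating host can reach under the simplified limiter model.

    A mask on the parent limiter (pipe) creates one pipe of bw_mbps per bucket.
    A mask on the child limiter (queue) creates one queue per bucket inside its
    pipe; equal-weight queues split the pipe evenly, and hosts that land in the
    same queue split that queue's share evenly.
    """
    pipes = defaultdict(lambda: defaultdict(list))
    for host in active_hosts:
        pipe_key = bucket(host, pipe_mask_bits)
        queue_key = bucket(host, queue_mask_bits)
        pipes[pipe_key][queue_key].append(host)

    rates = {}
    for queues in pipes.values():
        queue_share = bw_mbps / len(queues)
        for hosts in queues.values():
            for host in hosts:
                rates[host] = queue_share / len(hosts)
    return rates


def aggregate_mbps(active_hosts, bw_mbps, **masks):
    """Total bandwidth the whole group can consume at once."""
    return sum(per_host_mbps(active_hosts, bw_mbps, **masks).values())


# Constructed sample: four tenant devices uploading through a 3 Mbps limiter.
TENANT_HOSTS = ["192.168.10.11", "192.168.10.12", "192.168.20.21", "192.168.30.31"]

if __name__ == "__main__":
    print("mask on parent:", aggregate_mbps(TENANT_HOSTS, 3, pipe_mask_bits=32))
    print("mask on child :", aggregate_mbps(TENANT_HOSTS, 3, queue_mask_bits=32))
```
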