Enable limiter mask on Source/Destination PORT

  • We are planning to use pfsense to protect an IM/Voip application using sip over udp. We want to throttle the traffic coming from IM/Voip clients from the Internet to the app servers. Maybe this can only be effective on a per source port traffic limiter. Is there any way to enable this?

    If not, any suggestion on how to do this without changing the app servers?


  • Rebel Alliance Developer Netgate

    There isn't currently a way to mask by port, only by source or destination address.

    Are multiple users behind the same NAT router really enough of a problem that throttling by source address wouldn't be sufficient?

  • Thanks for the reply Jimp!
    Throttling based on source/destination IP can work but may not be very effective.

    Here's a rough overview diagram:

    [voip client/s]-->[NAT Router]-->[INTERNET]-->[PFSENSE]-->[VOIP Application]

    It's tricky to set a good bandwidth value on the limiter that controls abuse for extreme scenarios:
    1. one client behind a NAT (home)
    2. 10 or more clients behind a NAT (small office)
    3. 50 or more clients behind a NAT (medium office or MALL)

    We may end up with a bandwidth that is either too big for one user on one IP, or too small for many users on a shared IP.

    We can have better control by limiting bandwidth per source port. We're OK with one user getting a crappy connection if he's sending above the throttle limit of his port, as long as it's not affecting the rest of the users.

    I hope this makes more sense.
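    The shared-NAT problem described above, as an added simulation that is not part of this thread or of pfSense: a token-bucket limiter keyed per source IP versus per (source IP, source port), run over a constructed 1-second UDP trace in which a well-behaved client and a misbehaving client sit behind the same NAT address. The address, ports, rates and bucket size are assumptions chosen for the illustration.

```python
# Added example (not from the thread or pfSense): a token-bucket limiter keyed
# either per source IP or per (source IP, source port), run over constructed
# UDP traffic from two clients that share one NAT address.
from collections import defaultdict

NAT_IP = "203.0.113.10"          # constructed: the shared public address of a NAT
RATE_BYTES_PER_MS = 16           # 128 kbit/s per limiter bucket (assumed)
BURST_BYTES = 3000               # bucket depth (assumed)

def build_packets():
    """Constructed trace of (time_ms, src_ip, src_port, size_bytes), 1 s long."""
    pkts = []
    # well-behaved client behind the NAT: 200-byte datagram every 20 ms (80 kbit/s)
    pkts += [(20 * i, NAT_IP, 40000, 200) for i in range(50)]
    # misbehaving client behind the same NAT: 200-byte datagram every 1 ms (1.6 Mbit/s)
    pkts += [(i, NAT_IP, 40001, 200) for i in range(1000)]
    return sorted(pkts)

def by_src_ip(ip, port):
    return ip

def by_src_ip_and_port(ip, port):
    return (ip, port)

def run_limiter(packets, key_fn):
    """Token bucket per key_fn(ip, port). Returns bytes delivered per (ip, port)."""
    tokens, last_seen = {}, {}
    delivered = defaultdict(int)
    for t, ip, port, size in packets:
        k = key_fn(ip, port)
        if k not in tokens:
            tokens[k], last_seen[k] = BURST_BYTES, t
        # refill in proportion to elapsed time, capped at the bucket depth
        tokens[k] = min(BURST_BYTES, tokens[k] + (t - last_seen[k]) * RATE_BYTES_PER_MS)
        last_seen[k] = t
        if tokens[k] >= size:          # enough credit: forward the datagram
            tokens[k] -= size
            delivered[(ip, port)] += size
        # otherwise the datagram is dropped (policing, no queueing)
    return dict(delivered)

def compare():
    """Run the same trace through both keyings and return (per_ip, per_ip_and_port)."""
    pkts = build_packets()
    return run_limiter(pkts, by_src_ip), run_limiter(pkts, by_src_ip_and_port)

if __name__ == "__main__":
    per_ip, per_port = compare()
    for name, res in (("per source IP", per_ip), ("per source IP+port", per_port)):
        print(name, {f"{ip}:{p}": b for (ip, p), b in sorted(res.items())})
```

With the per-IP key the well-behaved client loses datagrams because the misbehaving one drains the shared bucket; with the per-port key it keeps all 10000 bytes while the other port alone is policed. The key is the NAT's translated source port, so a host that spreads its traffic over many ports still gets a bucket per port, which is why this only bounds the damage per flow rather than per user.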

  • Can this feature be available from commercial support?
