Netgate Discussion Forum

    'Default' Traffic Limiter with Overrides?

      calebh

      We provide internet for multiple tenants in our building, and we use Traffic Limiters to throttle their connections. Each tenant has their own interface on our pfSense firewall, and all of the tenant interfaces are part of a "Tenant" Interface Group. I've created two traffic limiters (for the uplink and downlink), both using the "Mask" option in the limiter config to make the throttle apply per-host.

      I'm trying to create a setup that would allow for an 'override' of the default throttle, should a tenant negotiate for higher speeds. My thought is to have a floating-type pass rule with the limiters and apply it to the Tenant Interface Group, and then create separate Traffic Limiters for a higher-speed tenant with firewall rules in their specific interface (which would theoretically override the floating rule as long as it's not a "quick" rule).

      I've run into some interesting issues while trying this setup...

      First, I tried to set the floating rule to match all IPv4 traffic that's not private (using an alias for RFC 1918). This didn't seem to catch any traffic destined for the internet, and I couldn't find any other rules that would match that traffic. Right now the rule matches all IPv4 traffic, with a reject rule in the Tenant Interface Group that applies to all RFC 1918 traffic (preventing access to other tenants, or our own network).

      With that in place, I tried adding the additional traffic limiters and firewall rule as described above, but the stability of the connection was terrible! I could hardly get any web site to completely load in a web browser (I was hoping to go to a speed test site to verify the correct throttle speed), and successful pings or traceroutes were hit-and-miss.

      I ran out of time testing this after-hours yesterday, so I didn't get the chance to test and document it a whole bunch, but I figured I'd see if anyone here has any ideas why the results were so erratic, and how we might alter our setup to achieve the desired results?

      Thanks!
