'Default' Traffic Limiter with Overrides?
We provide internet for multiple tenants in our building, and we use Traffic Limiters to throttle their connections. Each tenant has their own interface on our pfSense firewall, and all of the tenant interfaces are part of a "Tenant" Interface Group. I've created two traffic limiters (for the uplink and downlink), both using the "Mask" option in the limiter config to make the throttle apply per-host.
I'm trying to create a setup that would allow for an 'override' of the default throttle, should a tenant negotiate for higher speeds. My thought is to have a floating-type pass rule with the limiters and apply it to the Tenant Interface Group, and then create separate Traffic Limiters for a higher-speed tenant with firewall rules in their specific interface (which would theoretically override the floating rule as long as it's not a "quick" rule).
I've run into some interesting issues while trying this setup...
First, I tried to set the floating rule to match all IPv4 traffic that's not private (using an alias for RFC 1918). This didn't seem to catch any traffic destined for the internet, and I couldn't find any other rules that would match that traffic. Right now the rule matches all IPv4 traffic, with a reject rule in the Tenant Interface Group that applies to all RFC 1918 traffic (preventing access to other tenants, or our own network).
With that in place, I tried adding the additional traffic limiters and firewall rule as described above, but the stability of the connection was terrible! I could hardly get any web site to completely load in a web browser (I was hoping to go to a speed test site to verify the correct throttle speed), and successful pings or traceroutes were hit-and-miss.
I ran out of time testing this after-hours yesterday, so I didn't get the chance to test and document it a whole bunch, but I figured I'd see if anyone here has any ideas why the results were so erratic, and how we might alter our setup to achieve the desired results.
Thanks!
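The override design in the post relies on how pfSense orders rule evaluation: floating rules are evaluated first, then interface-group rules, then per-interface rules, and a non-quick rule only wins if no later rule matches. The following is an added example (not code from the post or from pfSense) that models that ordering in Python so the expected winner for each tenant/destination pair can be checked. The interface names (`opt1`, `opt2`, `opt3`), limiter names (`pipe_default`, `pipe_premium`) and the rule set are constructed assumptions; the model covers rule precedence only, not the dummynet queue behaviour of the limiters themselves.

```python
"""Model of pf-style rule evaluation in pfSense's order (constructed example).

Assumptions (not taken from the post):
- Evaluation order: floating rules, then interface-group rules, then
  per-interface rules.
- quick=True stops evaluation at the first match; otherwise the last
  matching rule wins (pf semantics). pfSense marks interface and group
  rules quick by default and floating rules non-quick by default.
- Interface and limiter names are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# RFC 1918 ranges, standing in for the alias used in the post's reject rule.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    scope: str                # "floating", "group" or "interface"
    interfaces: Set[str]      # interfaces (or group members) the rule applies to
    action: str               # "pass" or "reject"
    quick: bool = False
    dst_private: Optional[bool] = None   # None = any destination
    limiter: Optional[str] = None        # limiter (dummynet pipe) name, if any


SCOPE_ORDER = {"floating": 0, "group": 1, "interface": 2}


def matches(rule: Rule, iface: str, dst: str) -> bool:
    """True if the rule applies to a packet entering `iface` toward `dst`."""
    if iface not in rule.interfaces:
        return False
    if rule.dst_private is not None:
        is_private = any(ip_address(dst) in net for net in RFC1918)
        if is_private != rule.dst_private:
            return False
    return True


def evaluate(rules, iface: str, dst: str) -> Optional[Rule]:
    """Return the winning rule: last match wins unless a quick rule matches."""
    winner = None
    # sorted() is stable, so rules keep their relative order within a scope.
    for rule in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if matches(rule, iface, dst):
            winner = rule
            if rule.quick:
                break
    return winner


# Constructed rule set mirroring the post's design: a non-quick floating
# pass rule with the default limiters on the tenant group, a quick reject
# for RFC 1918 destinations on the group, and a quick per-interface pass
# rule with faster limiters for one tenant (opt2).
TENANTS = {"opt1", "opt2", "opt3"}
RULESET = [
    Rule("default-limit", "floating", TENANTS, "pass", quick=False, limiter="pipe_default"),
    Rule("block-rfc1918", "group", TENANTS, "reject", quick=True, dst_private=True),
    Rule("opt2-premium", "interface", {"opt2"}, "pass", quick=True, limiter="pipe_premium"),
]


def winner_name(iface: str, dst: str):
    """Convenience wrapper returning (name, action, limiter) of the winning rule."""
    rule = evaluate(RULESET, iface, dst)
    return (rule.name, rule.action, rule.limiter) if rule else None


if __name__ == "__main__":
    for iface, dst in (("opt1", "8.8.8.8"), ("opt2", "8.8.8.8"),
                       ("opt2", "192.168.1.10"), ("wan", "8.8.8.8")):
        print(iface, dst, "->", winner_name(iface, dst))
```

Under this model a default tenant's internet-bound traffic lands on the floating limiter rule, the premium tenant's traffic lands on its own interface rule, and traffic toward private space is rejected for both. If the live firewall behaves differently, the ordering assumption or the quick flag on one of the rules is the first thing to check in the rule set.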