Netgate Discussion Forum

Can pfSense limit LAN users on a LAN port not to use all WAN internet speed, but not affecting LAN users?

  • J
    jason001
    last edited by Apr 6, 2019, 2:04 PM

    Good day. I've set up my pfSense firewall/traffic shaper to limit LAN 2 users from using all the internet speed; it's limited to 3mb dl / 1mb ul.

    (My hardware has 4 physical onboard LAN and 1 USB LAN.)

    lan port 1: Wan1
    lan port 2: Lan
    lan port 3: Lan2
    lan port 4: Lan for VPN traffic 1
    usb lan : Lan for VPN traffic 2

    So LAN1 and LAN2 are bridged to an AP for wireless.
    I've limited the wireless "Lan2" to 3mb/1mb and the limiter works, but it's limiting the internal network as well!? How can I limit "ONLY THE WAN NETWORK" and "NOT THE INTERNAL LAN"?

    Any ideas?

    Thanks.

    • D
      Derelict LAYER 8 Netgate
      last edited by Apr 6, 2019, 7:07 PM

      Pass the traffic from those hosts to the LAN network(s) without setting a limiter.

      Then pass traffic to any (the internet) and set the limiter.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • J
        jason001
        last edited by Apr 10, 2019, 5:38 PM

        Can you guide me?
        What I'm looking for is to pass all internal LAN traffic with no limiter,
        but only (Lan2 Wifi) to have a limit on the internet connection, not on the local LAN.

        What's happening now is there is a "traffic shaper" on (Lan2 Wifi) and any traffic on that port is limited, where I only want the connection to the internet to be limited, because the users use their phones to connect to the DVR, and if one or two users are on the DVR the connection for user 3 is slow because of the traffic shaper on that network port. So I want the port to be limited for internet but not for the local LAN connection.
        The (Lan 2 is bridged) with (Lan1 main port to network switch).

        Thanks.

        • D
          Derelict LAYER 8 Netgate
          last edited by Derelict Apr 10, 2019, 5:45 PM Apr 10, 2019, 5:40 PM

          So place a rule above the rule with the limiter on it that passes traffic from LAN2 net to the DVRs and don't set a limiter on it.

          Else I will need many more specifics. Can't operate with text descriptions of things (like "lan2 wifi" or "DVR") without knowing their addresses, where they are on the network, and what rules are in place.

          • J
            jason001
            last edited by Apr 10, 2019, 11:15 PM

            Hope this gives more detail. [Attached images: droplist.png, traffic shaper.png]

            My LAN rules: [Attached images: lan rules.png, lan detail.png]
            Lan 2, "the LAN port I use with an AP for WIFI": [Attached images: wifilan.png, wifilan detail.png]

            • D
              Derelict LAYER 8 Netgate
              last edited by Apr 10, 2019, 11:39 PM

              What matters are the firewall rules that are either putting the traffic through shaping or not.

              • J
                jason001
                last edited by Apr 10, 2019, 11:45 PM

                OK.
                I'm not very familiar with pfSense rules or the traffic shaper.
                So should there be a rule added?
                Because I've tried that and it didn't work... or maybe I did it wrong?
                I don't want the internal network to be affected, only traffic from the WAN router side to the wireless.

                • T
                  tman222
                  last edited by Apr 12, 2019, 9:20 PM

                  Hi @jason001 - Under your LAN2 firewall rules you need to add one or more traffic pass rules ABOVE the shaped traffic pass rule (i.e. that allows traffic out to the internet).

                  For instance, to allow traffic to flow at full line speed between LAN2 and LAN1, add a pass rule with source being LAN 2 Net and destination being LAN 1 Net and make sure this rule is placed above your current rule which is limiting LAN 2 traffic to the internet to 3Mbit/1Mbit. Remember, firewall rules are evaluated from the top down so any traffic bound from LAN 2 to LAN1 will hit your (unshaped) LAN2 to LAN1 pass rule first and can then flow at full speed.

                  Hope this helps.

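A simplified model of the top-down, first-match rule evaluation described in the replies above, as an added example (not pfSense code and not written by any poster in this thread). The subnets, host addresses and rule names are constructed placeholders, and it assumes LAN1 and LAN2 are separate IPv4 networks; it also flags an unshaped rule that sits below a broader limiter rule and therefore never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: the thread never gives the real subnets.
LAN1_NET, LAN2_NET, ANY = "192.168.1.0/24", "192.168.2.0/24", "0.0.0.0/0"

@dataclass
class Rule:
    name: str
    src: str                        # source network (CIDR)
    dst: str                        # destination network (CIDR)
    limiter: Optional[str] = None   # None means the rule passes traffic unshaped

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))

def first_match(rules, src_ip, dst_ip):
    """Evaluate top-down; the first matching rule decides the limiter."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule
    return None

def shadowed(rules):
    """(rule, earlier rule) pairs where the later rule can never be reached."""
    return [(r.name, e.name) for i, r in enumerate(rules)
            for e in rules[:i] if e.covers(r)]

local = Rule("LAN2 net -> LAN1 net (no limiter)", LAN2_NET, LAN1_NET)
internet = Rule("LAN2 net -> any (limiter)", LAN2_NET, ANY, "3Mbit/1Mbit")
WRONG_ORDER = [internet, local]   # limiter rule on top: local traffic is shaped too
RIGHT_ORDER = [local, internet]   # unshaped local rule above the limiter rule

if __name__ == "__main__":
    # Constructed hosts: a phone on LAN2, a DVR on LAN1, a host on the internet.
    phone, dvr, remote = "192.168.2.50", "192.168.1.10", "203.0.113.5"
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "phone->DVR limiter:", first_match(rules, phone, dvr).limiter)
        print(label, "phone->internet limiter:", first_match(rules, phone, remote).limiter)
        print(label, "unreachable rules:", shadowed(rules))
```
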
                  • C
                    chrcoluk
                    last edited by Apr 13, 2019, 8:16 AM

                    I think if you limit via ALTQ it's not possible, because if you omit the queue, it will use the default queue, which will still have a limit set. Everything on the interface is forced through the root queue.

                    But using the limiter (dummynet), you can choose to route per rule which is far more flexible as Derelict said.

                    pfSense CE 2.7.2
