Control Users Bandwidth in CP

mohkhalifa · Dec 14, 2019, 5:26 PM

Dear All,
Really I'm in-love with pfSense so much but there is some missing options making my crazy. one of my problems, that I have CP in for zone (x) and in this zone there are some types of users and devices. for example: employees, Managers, Printers ..... etc
So, the problem I need to limit the download and upload for all mentioned above, the only option I found that I can user bandwidth for the ALL zone members without exceptions. I will be more than happy if someone here try to find a solution for me to manage internet bandwidth for the users as a groups or as individuals. on my old firewall there is an option to choose the username from the firewall rule to add a QoS for specific user or device ... etc but in pfSense the filewall rules sources are very limited to Alias, Network, Address and no more options. Also if there is an idea to use any external user or device authentication Server please help.
Thanks

free4 · Dec 14, 2019, 6:18 PM

well,

there is two options that could fulfill your needs:

you could use limiters (codel), which are firewall QOS rules
you could use a radius server to define per-user bandwidth control. this is an avanced feature..please see the documentation for details : https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-configuration.html#authenticating-captive-portal-users-using-a-radius-server

mohkhalifa · Dec 14, 2019, 6:42 PM

Dear @free4
Thanks for your reply. What do u mean by "Codel'and for the freeradius, the documentation not covered it totally in details. if you have a better documentation or videos it will be better. also I need to integrate it with LDAP windows AD

Gertjan · Dec 16, 2019, 7:39 AM

@mohkhalifa said in Control Users Bandwidth in CP:

What do u mean by "Codel'

It starts here Firewall > Traffic Shaper > By Interface

Read https://forum.netgate.com/category/26/traffic-shaping and related Netgate videos. he subject is huge.

Btw : I use myself the captive portal and combination with FreeRadius, so I can attribute speeds for each user.

mohkhalifa · Dec 16, 2019, 10:48 AM

Dear @Gertjan,
Thanks for your reply. How can I integrate my Active Directory "LDAP"with FreeRadius to control user bandwidth ?
it will be appreciated if you send me some detailed documentation.
Thanks

Gertjan · Dec 16, 2019, 11:12 AM

I don't know what this is :

@mohkhalifa said in Control Users Bandwidth in CP:

Active Directory "LDAP"

Some Microsoft functionality ?

I'm using FreeRadius with some sort of MySQL (MariaDB) database back end.

free4 · Dec 16, 2019, 3:22 PM

@mohkhalifa https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

mohkhalifa · Dec 16, 2019, 8:36 PM

@free4 thanks but it's not for pfSense, it's general

free4 · Dec 16, 2019, 10:54 PM

@mohkhalifa yeah...im not talking About pfsense here

if you are looking for having per-user bandwidth, then you will have to use a Radius server. pfsense does not allow you to perform per-user bandwidth control when using LDAP authentication method

my recommendation : install a freeradius on a separate server/virtual machine. this radius server would use your LDAP server as source, and would define other rules for per user bandwidth

this Radius server would then be used by your pfsense for authenticating users

for information, It is technically possible to install freeradius directly on pfsense(using freeradius3 package)...but I would not recommend it to you: this package is mostly unmaintained, and suffers from bugs. if you are still interested, you should have a look to this forum post

mohkhalifa · Dec 17, 2019, 12:57 AM

@Gertjan "I don't know what this is :" I want to authenticate using the Windows Server Active Directory users. also, to add bandwidth limit for each one. that's it

Gertjan · Dec 17, 2019, 10:32 AM

@mohkhalifa said in Control Users Bandwidth in CP:

"I don't know what this is :"

I was kidding ^^

What I know is : pfSense can interface with the package FreeRadius, and for that matter with any Radius server.
You'll be needing the latter.

mohkhalifa · Dec 17, 2019, 11:29 AM

@free4 said in Control Users Bandwidth in CP:

my recommendation : install a freeradius on a separate server/virtual machine. this radius server would use your LDAP server as source, and would define other rules for per user bandwidth

Dear @free4 really Thanks for your kind help. If you please can you send me a links for a documentation or video tutorials to do that task.

alpax8 · Sep 11, 2020, 7:40 AM

@Gertjan can you point me to a video tutorial or any tutorial on how to this. i have CP and also using SQUID proxy transparent, the only lacking is to connect freeradius so i could also limit bandwidth per user in a single lan. thanks.

mohkhalifa · Sep 12, 2020, 1:58 PM

@alpax8 said in Control Users Bandwidth in CP:

@Gertjan can you point me to a video tutorial or any tutorial on how to this. i have CP and also using SQUID proxy transparent, the only lacking is to connect freeradius so i could also limit bandwidth per user in a single lan. thanks.

Dear @alpax8,
Please note that I'm NOT using FreeRADIUS, I'm using pfSense with Windows RADIUS Server and everything is working amazing.

alpax8 · Sep 17, 2020, 8:19 AM

@mohkhalifa oh ok. thanks.

yanqian · Sep 26, 2020, 2:28 PM

@mohkhalifa
Well, I found 2 threads about Microsoft NPS posted by you in CaptivePortal category, and I am glad that you figured out how to use Microsoft NPS as radius server for pfSense authentication.

It's better that you can take some time to share your experience in your own thread, It will help me and others who may got the same issue.