Traffic Shaper Limiter for specific ports
-
Greetings forum:
I am running 2.5.1-RELEASE (amd64) built on Mon Apr 12 07:50:14 EDT 2021 FreeBSD 12.2-STABLE.
I am attempting to implement a traffic shaper limiter for a set of specific ports. I have a traffic shaper limiter for an alias of IP addresses working perfectly, but cannot seem to apply a limiter to an alias of ports. Here is how I created my attempt to speed-limit ports:
Create a traffic shaper limiter for upload
Firewall>Traffic Shaper>Limiters
- New Limiter
Enable: CHECK
Name: port_limiter-ul
Bandwidth: 2 Mbit/s
Mask: Destination addresses
Save
Apply Changes
Create a traffic shaper limiter for download
Firewall>Traffic Shaper>Limiters
- New Limiter
Enable: CHECK
Name: port_limiter-dl
Bandwidth: 2 Mbit/s
Mask: Source addresses
Save
Apply Changes
Create a port alias
Firewall>Aliases>Ports
- Add
Name: ports_limited
Port: 1194
Description: OpenVPN port
+ Add Port
Port: 65000:65001
Description: IP camera
Save
Apply Changes
Create a firewall rule
Firewall>Rules>Floating
Add (Add rule to the top of the list)
Action: Pass
Quick: CHECK
Interface: none selected
Direction: in
Protocol: TCP/UDP
Source
Source: Any
Display Advanced
Source Port Range
From: other
Custom: ports_limited (alias selected)
To: other
Custom: ports_limited (alias selected)
Destination
Destination: Any
Display Advanced
Destination Port Range
From: other
Custom: ports_limited (alias selected)
To: other
Custom: ports_limited (alias selected)
Extra Options:
Description: port_limiter
Display Advanced
In/Out pipe
port_limiter-ul (in first selection box)
port_limiter-dl (in second selection box)
Save
Apply Changes
At this point, I was expecting any traffic to/from port 1194 or the range 65000:65001 from any IP/to any IP to be speed limited to 2 Mbit/s, but it does not appear to work. I used the same method to set up a traffic shaper limiter for an alias of IP addresses without issue.
Under Firewall>Rules>Floating>Interface I have tried none selected, all selected (including "OpenVPN"), just the LAN interfaces, and just the WAN interface with the same result - no speed limiting to ports 1194 or 65000:65001.
What am I doing wrong?
-
@psilospiral It's hard to understand a text description of what you've done compared to screenshots. I don't use limiters but instead use priq to shape traffic from a low-priority VM that is connected to Mullvad using OpenVPN. I have a ports alias for that like you do. There are a few differences between what I'm doing and what you have. I leave the Quick option disabled and just order my rules properly. I leave the direction set to Any. For Source I have it set to Any and the Destination is Any and my Destination Port Range is my alias. Works like a charm. All OpenVPN traffic from that VM goes into my qLow queue.
Also you must reset your states for any clients that have open connections that a rule change now blocks. That may be what you're seeing. Clear your states for all affected clients after a rule change.
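The state-reset point above is the one that bit the original poster: a floating rule with In/Out pipes only shapes traffic whose state was created after the rule was applied, so connections that were already open stay unshaped until their states are cleared. The following script is an added example for this thread, not pfSense code or anything the posters ran. It reads `pfctl -ss` style state lines (the constructed sample below stands in for a live listing), picks out the states that touch one of the limited ports, and emits the `pfctl -k` commands that would kill them. Assumptions: IPv4 addresses only, the `ports_limited` alias expands to 1194, 65000 and 65001, and the listing format is `<iface> <proto> <addr:port> [(nat addr:port)] -> or <- <addr:port> <state>`; the `--kill` switch and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread or from pfSense): find the pf states that
# involve the limited ports and build the pfctl commands to kill them, because
# states created before the limiter rule was applied keep running unshaped.

# Ports from the thread's ports_limited alias, expanded (assumption: 65000:65001
# means both 65000 and 65001).
LIMITED_PORTS="1194 65000 65001"

port_is_limited() {
    for p in $LIMITED_PORTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# stdin: pfctl -ss style lines (IPv4 only, assumption).
# stdout: "left_ip right_ip" for every state whose left or right endpoint uses
# a limited port, in input order.
limited_state_pairs() {
    while read -r line; do
        left=""; right=""; past_arrow=0
        for tok in $line; do
            case "$tok" in
                "->"|"<-") past_arrow=1 ;;
                "("*)      ;;             # NAT-translated endpoint in parentheses: skip it
                *:*)
                    if [ "$past_arrow" -eq 0 ]; then
                        left=$tok
                    elif [ -z "$right" ]; then
                        right=$tok        # first addr:port after the arrow; the
                    fi ;;                 # STATE:STATE token has a colon too but comes later
            esac
        done
        [ -n "$left" ] && [ -n "$right" ] || continue
        if port_is_limited "${left##*:}" || port_is_limited "${right##*:}"; then
            printf '%s %s\n' "${left%:*}" "${right%:*}"
        fi
    done
}

# Emit a kill command in both host orders so the result does not depend on which
# endpoint pf treats as the source: this clears every state between the two
# hosts, which is what "reset states for the affected clients" needs.
kill_commands() {
    limited_state_pairs | while read -r a b; do
        printf 'pfctl -k %s -k %s\n' "$a" "$b"
        printf 'pfctl -k %s -k %s\n' "$b" "$a"
    done | sort -u
}

# Constructed sample standing in for `pfctl -ss` output: an OpenVPN client
# connection (LAN side and its NAT'd WAN side), a DNS state, an inbound
# connection to the IP camera port, and an unrelated HTTPS state.
SAMPLE_STATES='lan   tcp 192.168.1.10:51234 -> 203.0.113.5:1194   ESTABLISHED:ESTABLISHED
lan   udp 192.168.1.20:40123 -> 203.0.113.9:53     MULTIPLE:SINGLE
wan   tcp 198.51.100.7:51234 (192.168.1.10:51234) -> 203.0.113.5:1194   ESTABLISHED:ESTABLISHED
lan   tcp 192.168.1.30:65000 <- 192.168.1.40:48111  ESTABLISHED:ESTABLISHED
lan   tcp 192.168.1.30:48200 -> 192.168.1.50:443    ESTABLISHED:ESTABLISHED'

# Dry run against the constructed sample: prints the commands, executes nothing.
printf '%s\n' "$SAMPLE_STATES" | kill_commands

# On the firewall itself, pass --kill to act on the live state table.
# Diagnostics > States > Reset States (pfctl -F states) is the blunt equivalent.
if [ "${1:-}" = "--kill" ]; then
    pfctl -ss | kill_commands | sh
fi
```

Run without arguments it only prints; the dry run is the useful part, since it shows exactly which client/server pairs still hold pre-limiter states. Killing by host pair is broader than killing by port (it also drops that pair's other states), but it avoids relying on pf's source/destination ordering in the listing, and on a home network the cost is one reconnect.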
-
@kom - You have got to be kidding me: "reset your states..." After resetting my states I'm crawling at 2 Mbit/s over both the OpenVPN and streaming on the IP cam. Thank you for the dose of humility today! Everything is working as intended now.
I'll have to experiment with PRIQ in the future. The queues seem to be an easy way to prioritize traffic. Thanks for the tips!
-
@psilospiral A shaper is better than a limiter because the low-prio stuff can use full bandwidth if the network isn't busy. You don't have to guess how much bandwidth might be needed. When other stuff starts happening, the low-prio traffic gets dropped. You can also try the fq_codel shaper as it's reportedly easy to set up. There are good YouTube videos on how to configure it from Netgate and Lawrence Systems.