Aliases and limiters
I have a host on the network with 5 IPs. I want to limit that host to a maximum of 50mbit up/down. Regardless of how many megabits each IP on the host is consuming, the total should not exceed 50mbit in each direction.
Would this solution work:
- Create Alias with the 5 IPs.
- Create a limiter named 50mbit_up with a limit of 50mbit and mask the source address, 32 bits
- Create a limiter named 50mbit_down with a limit of 50mbit and mask the destination address, 32 bits.
- Create a new firewall rule on the LAN interface, Action: Pass, IPv4, Protocol: Any, Source address: the created earlier alias. In the advanced section set the limiters: 50mbit_up on "in" and 50mbit_down on "out".
- Apply the rule and reset the states of the associated IPs.
Would the above work? If not, what should I change?
@someusername If you have a mask it will create the limit per IP. I think you want that setup but without the mask applied. See https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html#creating-limiters
"When [mask is] set to none, the limiter does not perform any masking. The pipe bandwidth will be applied to all traffic as a whole."
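To make the mask point concrete, here is an added example that is not part of the thread and not pfSense code: a small Python model of a dummynet pipe. The assumption it encodes (taken from the doc quote above) is that with mask "none" all traffic shares one pipe, while a source or destination mask of N bits gives every distinct masked address its own copy of the pipe with the full bandwidth. The IPs, the 50 Mbit figure and the per-IP offered load are constructed for the example; the water-filling share is a textbook approximation of how a saturated pipe divides bandwidth, not pfSense's scheduler.

```python
"""Model of a dummynet pipe's "mask" setting (added example, not pfSense code).
Assumption: mask none -> one shared pipe; mask src/dst with N bits -> one pipe
per distinct masked address, each with the full configured bandwidth.
Rates are Mbit/s."""
import ipaddress
from collections import defaultdict


def masked_key(flow, mask, bits=32):
    """Queue key a flow lands in. mask: "none", "src" or "dst"; bits: mask length."""
    if mask == "none":
        return "all"
    addr = flow["src"] if mask == "src" else flow["dst"]
    # strict=False so a host address is reduced to its /bits network
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def max_min_share(demands, capacity):
    """Water-filling: flows that want less than the fair share get exactly what
    they want; the rest split whatever capacity is left evenly."""
    alloc = {}
    pending = dict(demands)
    remaining = capacity
    while pending:
        share = remaining / len(pending)
        satisfied = {k: v for k, v in pending.items() if v <= share}
        if not satisfied:
            for k in pending:
                alloc[k] = share
            break
        for k, v in satisfied.items():
            alloc[k] = v
            remaining -= v
            del pending[k]
    return alloc


def pipe_rates(flows, bandwidth, mask, bits=32):
    """Throughput each flow gets from one pipe configured with the given mask."""
    groups = defaultdict(dict)
    for i, f in enumerate(flows):
        groups[masked_key(f, mask, bits)][i] = f["mbit"]
    rates = {}
    for demands in groups.values():  # every masked key is its own pipe
        rates.update(max_min_share(demands, bandwidth))
    return {i: round(r, 3) for i, r in rates.items()}


def total(rates):
    return round(sum(rates.values()), 3)


# Constructed traffic: five IPs on one host (documentation range, assumed),
# each trying to push 20 Mbit/s to the same remote address.
HOST_IPS = ["203.0.113.11", "203.0.113.12", "203.0.113.13",
            "203.0.113.14", "203.0.113.15"]
FLOWS = [{"src": ip, "dst": "198.51.100.9", "mbit": 20.0} for ip in HOST_IPS]

if __name__ == "__main__":
    for mask, bits in (("none", 32), ("src", 32), ("src", 24), ("dst", 32)):
        r = pipe_rates(FLOWS, 50.0, mask, bits)
        print(f"mask={mask}/{bits}: per-flow {r}, total {total(r)} Mbit/s")
```

With mask none the five IPs share 50 Mbit/s (10 each); with a 32-bit source mask each IP gets its own 50 Mbit/s pipe, so the host as a whole can push 100 Mbit/s, which is the per-IP behaviour the post above warns about. A 24-bit source mask puts all five addresses under one key and limits them as a group again, and a 32-bit destination mask behaves the same here only because every flow goes to the same remote address.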
@steveits Thank you so much! It works nicely!
I ran into a slight problem. My environment is fully open. The firewall basically denies/filters some traffic, mostly to itself, for security purposes. Then on the WAN interface I have an allow-everything rule with destination "VLANxxx net" - the hosts' network. VLANxxx has a rule allowing everything everywhere. No NAT is used. All IPs are public.
From my experiments, the rule in my first post works for connections/traffic initiated from the targeted host.
But if the connection is initiated from a 3rd party the rule does not come into effect. For example if I initiate a file copy from my pc, which is on another network in another location.
If I run on my pc "scp username@hostIP:/FileName /home/" I effectively initiate a file transfer which is Upload for the host and download for me. If I reverse the command I initiate Download for the host and upload for me.
The solution I found is to create two rules. I have only two limiters in order to control the total download and upload of the host/alias (multiple IPs). This time I went with floating rules.
They look like this:
Rule: Floating, match
Source: Testy1 (alias with one IP currently)
In pipe: Upload-Testy1 (Upload)
Out Pipe: Download-Testy1 (Download)
Limiters mask: none
Rule: Floating, match
In pipe: Download-Testy1 (Download)
Out Pipe: Upload-Testy1 (Upload)
Limiters mask: none
My rudimentary testing shows that this works. I haven't tested yet with realistic workload.
Can this be done in a more elegant way, possibly with a single rule? - not really important, I am simply curious
Is there something that I can do to improve the above rules? Or, is there something that looks wrong?
@someusername It can depend on which side initiates the transaction because the initial state matches (or doesn't match) the rule and then the reply is against the same state. So both directions may be needed. I've found it helpful to review Diagnostics/States and search by IP when trying to set up limiters/shaping and things aren't working as expected.
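The direction issue above is easiest to see with a small model, so here is an added example that is not from the thread and not pf code. It assumes the behaviour the two posts describe: a state is created from a connection's first packet by the first matching limiter rule, that rule's "in" pipe then carries every packet in the initial packet's direction and its "out" pipe carries the replies, and a connection whose first packet matches no limiter rule is never limited. The alias members, the remote address and the rule and pipe names are constructed to mirror the Testy1 rules posted earlier; ports and the match/pass distinction are ignored.

```python
"""Why a limiter rule is needed for both initiating directions (added example,
a simplified model of state-based pipe assignment, not pf's implementation).
Assumption: first matching rule at state creation decides the pipes; "in" pipe
= initial direction, "out" pipe = replies; no match = never limited."""
from dataclasses import dataclass
from typing import Optional, FrozenSet, Dict, List


@dataclass
class Rule:
    name: str
    src: Optional[FrozenSet[str]]   # alias members; None = any
    dst: Optional[FrozenSet[str]]
    in_pipe: str
    out_pipe: str

    def matches(self, pkt):
        return ((self.src is None or pkt["src"] in self.src) and
                (self.dst is None or pkt["dst"] in self.dst))


@dataclass
class State:
    fwd_pipe: Optional[str]   # pipe for packets in the initial direction
    rev_pipe: Optional[str]   # pipe for replies


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Dict[tuple, State] = {}   # keyed by (src, dst) of first packet

    def pipe_for(self, pkt):
        """Pipe this packet goes through; creates the state on the first packet."""
        key, rkey = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        if key in self.states:
            return self.states[key].fwd_pipe
        if rkey in self.states:
            return self.states[rkey].rev_pipe
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        st = State(rule.in_pipe if rule else None, rule.out_pipe if rule else None)
        self.states[key] = st
        return st.fwd_pipe


# Constructed names: the Testy1 alias and a remote pc (documentation ranges).
HOST = frozenset({"203.0.113.11", "203.0.113.12"})
HOST_IP, PC_IP = "203.0.113.11", "198.51.100.9"

RULE_SRC = Rule("host-initiated", HOST, None, "Upload-Testy1", "Download-Testy1")
RULE_DST = Rule("third-party-initiated", None, HOST, "Download-Testy1", "Upload-Testy1")


def connection_initiated_by_host(rules):
    """Host opens the connection, remote side replies."""
    fw = Firewall(rules)
    first = {"src": HOST_IP, "dst": PC_IP}
    reply = {"src": PC_IP, "dst": HOST_IP}
    return {"host->pc": fw.pipe_for(first), "pc->host": fw.pipe_for(reply)}


def connection_initiated_by_third_party(rules):
    """Remote pc opens the connection (e.g. scp pulling a file), host replies."""
    fw = Firewall(rules)
    first = {"src": PC_IP, "dst": HOST_IP}
    reply = {"src": HOST_IP, "dst": PC_IP}
    return {"pc->host": fw.pipe_for(first), "host->pc": fw.pipe_for(reply)}


if __name__ == "__main__":
    print("source-only rule, host initiates:", connection_initiated_by_host([RULE_SRC]))
    print("source-only rule, pc initiates:  ", connection_initiated_by_third_party([RULE_SRC]))
    print("both rules, pc initiates:        ", connection_initiated_by_third_party([RULE_SRC, RULE_DST]))
```

With only the source-address rule, a connection opened by the remote pc matches nothing at state creation, so neither direction is limited even though the host ends up uploading the whole file. The second rule, keyed on the destination with the pipes swapped, catches that first packet and still sends the host's data through the upload pipe, which is why the two floating rules posted earlier work in both cases.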
@steveits thank you,
From my testing, if I establish a connection with the rules disabled and then enable the rules, the existing connection is not affected. If I establish a connection with the rules enabled and disable them during the file transfer, the transfer remains limited. This seems like expected behavior.
I tried the two limiters on a host with two IPs - I created an alias for them. Both rules are "quick", if that matters; the rest is as I wrote in my previous post. I do not have access to the host, so I do not know what kind of traffic it has and how it generates it. I am monitoring the limited host on Cacti in real time.
The host had traffic of about 18mbps in each direction. Once I applied the two rules with limiters at 18mbps, the traffic dropped to about 2mbps, then went up for a bit and dropped to a maximum of 2mbps for several minutes and did not go up. I disabled the two rules afterwards.
Do you have any idea what may cause this? Should I enable the rules and kill the states of the affected IPs? Or just power-cycle the switch port?