How to enable limiter rule after certain download limit has been reached
-
Hi all,
I'm setting up a network that will be used in a short-term rental holiday home. We have a limited Internet data allowance (400 GB/month), and because we are in a rural area, my only option is a 5G/4G modem (which is thankfully a great connection with very fast speeds). This modem will pump its connection into a dedicated pfSense box, switch and wireless access points.
My intent is to use Captive Portal to set an overarching Upload & Download bandwidth limit ( i.e. something like 10Mbit/s down / 5Mbit/s Up ) for all users. I'll probably not be authenticating users, just need Captive Portal for the bandwidth limiting.
I've also set up two limiters in Traffic Shaping to throttle further to 1.5Mbit/s down / 256Kbps Up, and have a FW rule with an alias for the entire network range which can be switched on / off manually and all works fine.
What I'd like to do is automate this somehow so I can monitor Downloads over a specified period (Daily, or an arbitrary amount - i.e. the length of a guest's tenancy), and if the Downloads on WAN exceed an amount, enable the throttle rule.
I know FreeRADIUS does allow you to set an overarching Up/Down MB quota, but it just boots users after this is hit, whereas I just want to throttle.
I've installed the Status Traffic Totals package, so I can see the Rx GB per day/hour etc.
My thinking (and what I'd like some feedback on, as to whether it's the best/only approach) is that I'd create a Bash script that resides on the pfSense machine and does the following every minute via a cron job:
- use vnstat (returning JSON) for the WAN interface and parse the output to get the current period's GB received number
- If it's exceeded the quota for the period, use sed to edit the config.xml file directly to remove the <disabled></disabled> line from the appropriate firewall rule ( the one that uses the limiters to throttle to 1.5Mbps )
- call /etc/rc.filter_configure to reload the firewall rules
- check if we have entered a new period ( day, week etc ) and if so, reverse the above to disable the throttle and restore the Captive Portal set bandwidth ( 10Mbps ).
Would this approach work or is there a better/more correct way to get the same outcome?
i.e. instead of a Bash script using sed to edit config.xml, is there another PHP script I can call to flip a firewall rule from Disabled to Enabled if I supply the tracker ID? This would probably be neater.
Open to feedback or suggestions.
Cheers, Seb.
-
I've partially discovered a solution more elegant than using Bash & sed to edit config.xml directly.
Instead, I created files in /etc/phpshellsessions called 'throttleon' and 'throttleoff'. Contents:

```php
// /etc/phpshellsessions/throttleon (playback files carry no <?php tag)
require_once("config.inc");
require_once("filter.inc");
global $config;
parse_config(true);
// pfSense treats a rule as disabled whenever the 'disabled' key is present (isset()),
// so assigning false would leave it disabled; the key has to be removed to enable the rule.
unset($config['filter']['rule'][0]['disabled']);
write_config("throttleon");
```
throttleoff is exactly the same, but 'disabled' = true; instead.
I checked in the shell first to get the index of the rule I wanted to enable (and it's rule '0', so that is why it's referenced in the code above).
These can now be called via `pfSsh.php playback throttleon` (or `throttleoff`).
Interestingly, I tried to use the pfSense PHP shell record feature to do this, but it just created 0-byte files for some reason (even though the commands in the session worked fine).
It seems I don't need to call rc.filter_configure either, as playing back these files updates the rule enable/disable status ( maybe a feature of the shell? )
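The cron-driven half of the plan from the first post (poll vnstat every minute, compare the period's WAN receive total with a quota, flip the throttle rule, and let a new period lift it again), as an added example that is not part of either post. It reuses the 'throttleon' / 'throttleoff' playback files from the second post and calls them through pfSsh.php rather than editing config.xml. Assumptions not stated in the thread: python3 is available on the pfSense box, vnstat 1.x or 2.x is installed (vnstat 1.x reports KiB in a `days` list keyed by `id`, vnstat 2.x reports bytes in a `day` list keyed by `name`, and both are handled), `WAN_IFACE` is the OS name of the WAN NIC, `QUOTA_BYTES` is a daily share of the 400 GB allowance, and `STATE_FILE` is a writable path. The embedded `SAMPLE_VNSTAT_V2` is a constructed vnstat 2.x document used only for the `--sample` dry run.

```python
#!/usr/local/bin/python3
"""Cron-driven quota throttle for pfSense (added example, not from the forum thread).

Run every minute from cron, e.g.:
    * * * * * /usr/local/bin/python3 /root/quota_throttle.py
Add --dry-run to print the decision without touching the firewall, and
--sample to use the constructed vnstat output below instead of calling vnstat.
"""
import json
import os
import subprocess
import sys

WAN_IFACE = "vtnet0"                       # assumed: OS name of the WAN interface
QUOTA_BYTES = 13 * 1024 ** 3               # assumed: ~400 GB/month spread over 30 days
STATE_FILE = "/var/db/quota_throttle.json"  # assumed path, must be writable by cron's user
VNSTAT = "/usr/local/bin/vnstat"           # path used by the Status Traffic Totals package
PFSSH = "/usr/local/sbin/pfSsh.php"        # pfSense's own PHP shell

# Constructed sample of vnstat 2.x JSON (jsonversion 2, values in bytes); day 2 is 14 GiB.
SAMPLE_VNSTAT_V2 = (
    '{"vnstatversion":"2.6","jsonversion":"2","interfaces":[{"name":"vtnet0","alias":"WAN",'
    '"traffic":{"total":{"rx":1,"tx":1},"day":['
    '{"id":1,"date":{"year":2021,"month":3,"day":1},"rx":5000000000,"tx":1},'
    '{"id":2,"date":{"year":2021,"month":3,"day":2},"rx":15032385536,"tx":2}]}}]}'
)


def latest_day_rx(vnstat_json, iface):
    """Return (YYYY-MM-DD, rx_bytes) for the newest daily entry of iface.

    jsonversion 1 (vnstat 1.x): KiB values, 'days' list, interface keyed by 'id'.
    jsonversion 2 (vnstat 2.x): byte values, 'day' list, interface keyed by 'name'.
    The newest entry is chosen by date rather than by list position.
    """
    doc = json.loads(vnstat_json)
    v1 = str(doc.get("jsonversion", "1")) == "1"
    name_key, list_key, scale = ("id", "days", 1024) if v1 else ("name", "day", 1)
    for entry in doc["interfaces"]:
        if entry.get(name_key) != iface:
            continue
        days = entry["traffic"].get(list_key, [])
        if not days:
            return None, 0
        newest = max(days, key=lambda d: (d["date"]["year"], d["date"]["month"], d["date"]["day"]))
        d = newest["date"]
        return "%04d-%02d-%02d" % (d["year"], d["month"], d["day"]), int(newest["rx"]) * scale
    raise KeyError("interface %s not present in vnstat output" % iface)


def decide(rx_bytes, quota_bytes, throttled):
    """Return 'throttleon', 'throttleoff' or None.

    vnstat's daily counter only grows within a day and starts again at zero on
    the next day, so comparing it with the quota both applies and lifts the throttle.
    """
    over = rx_bytes >= quota_bytes
    if over and not throttled:
        return "throttleon"
    if not over and throttled:
        return "throttleoff"
    return None


def load_state():
    try:
        with open(STATE_FILE) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {"throttled": False}


def save_state(state):
    tmp = STATE_FILE + ".tmp"           # write-then-rename so a half-written file is never read
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, STATE_FILE)


def main(dry_run=False, vnstat_json=None):
    if vnstat_json is None:
        vnstat_json = subprocess.run([VNSTAT, "--json", "d", "-i", WAN_IFACE],
                                     check=True, capture_output=True, text=True).stdout
    period, rx = latest_day_rx(vnstat_json, WAN_IFACE)
    state = load_state()
    action = decide(rx, QUOTA_BYTES, state["throttled"])
    print("%s rx=%d quota=%d throttled=%s -> %s" % (period, rx, QUOTA_BYTES, state["throttled"], action))
    if action and not dry_run:
        # Same playback files as in the post; unset/set of 'disabled' is idempotent.
        subprocess.run([PFSSH, "playback", action], check=True)
    if action:
        state["throttled"] = action == "throttleon"
    if not dry_run:
        save_state(state)
    return action


if __name__ == "__main__":
    main(dry_run="--dry-run" in sys.argv,
         vnstat_json=SAMPLE_VNSTAT_V2 if "--sample" in sys.argv else None)
```

Two caveats for anyone running this: vnstat only writes its database on its save interval (five minutes by default), so the figure the cron job reads can lag the real counter by that much, which is fine for a daily quota but means the throttle lands a few minutes late; and the script trusts its own state file, so a rule toggled by hand in the GUI is not noticed until the script next decides to flip it (reading the rule's `disabled` flag out of config.xml instead of the state file would remove that drift).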