How to apply traffic limiters to IPSEC tunnel?
-
Dear Users,
An IPSEC tunnel is successfully running thanks to 2 pfSense v.2.6 endpoints.
Let's say that all the hosts on 192.168.118.0/24 (LAN1 located in Site A) can reach hosts on 192.168.120.0/24 (LAN2 located in Site B).
Now it is time to limit the bandwidth between the endpoints mentioned above.
I know that I can do it using pfsense limiters.
So, I created IPsecOutLImit (bw=300Mbit/s, mask=none) and IPsecInLimit (bw=300Mbit/s, mask=none) limits on one of the available endpoints.
Now I need to assign the limits to the right interface and create a firewall rule.
But I have some doubts:
- where should I create the firewall rule? On the LAN1 and LAN2 interfaces or on the IPSEC interface?
- how should I compose the firewall rule in order to set a bandwidth limit in both directions (IN/OUT)?
In a few words, I would like to set something like that:
"limit the bandwidth for the traffic between LAN1 and LAN2"
Thank you in advance,
Mauro
-
@mauro-tridici You will find this thread useful here
-
@nollipfsense thank you for your reply.
Unfortunately, I didn't find the answers to my questions...
- where should I create the firewall rule? On the LAN1 and LAN2 interfaces or on the IPSEC interface?
- how should I compose the firewall rule in order to set a bandwidth limit in both directions (IN/OUT)?
A new question added to the existing ones:
Can limiters help me to reduce the bandwidth on the IPSEC tunnel, or should I use HFSC only?
Thank you in advance,
Mauro
-
Hello @stephenw10 :)
I hope you are doing well.
I'm sorry to disturb you again, but I know that you are a pfSense guru and I would like to hear your opinion about my questions.
I read the content of this link https://docs.netgate.com/pfsense/en/latest/trafficshaper/vpns.html#ipsec, but I didn't understand if traffic shaping on IPSEC can be done in some way or not at all.
Thank you,
Mauro
-
You need to apply the Limiters where the firewall state is opened.
So if the traffic is hosts on LAN1 downloading files from LAN2 you would apply them to a rule on the LAN1 interface or on the IPSec interface at Site-B. Both interfaces have inbound states created in that situation.
If you want to limit traffic from connections in both directions you would apply Limiters at both ends.
Steve
-
Thank you Steve, your explanation helped me to solve my issue.
Now, everything is working as expected.
Have a great day,
Mauro