How to apply traffic limiters to IPSEC tunnel?

mauro.tridici

Dear Users,

an IPSEC tunnel is successfully running thanks to 2 pfsense v.2.6 endpoints.
Let's say that all the hosts on 192.168.118.0/24 (LAN1 located in Site A) can reach hosts on 192.168.120.0/24 (LAN2 located in Site B).

Now it is time to limit the bandwidth between the endpoints mentioned above.
I know that I can do it using pfsense limiters.
So, I created IPsecOutLImit (bw=300Mbit/s, mask=none) and IPsecInLimit (bw=300Mbit/s, mask=none) limits on one of the available endpoints.

Now I need to assign the limits to the right interface and create a firewall rule.
But I have some doubts:

• where should I create the firewall rule? on the LAN1 and LAN2 interfaces or on the IPSEC interface?
• how should I compose the firewall rule in order to set a bandwidth limit on both directions (IN/OUT) ?

In a few words, I would like to set something like that:

"limit the bandwidth for the traffic between LAN1 and LAN2"

Thank you in advance,
Mauro

NollipfSense

@mauro-tridici You will find this thread useful here

mauro.tridici

@nollipfsense thank you for your reply.

Unfortunately, I didn't find the answers to my questions...

where should I create the firewall rule? on the LAN1 and LAN2 interfaces or on the IPSEC interface?
how should I compose the firewall rule in order to set a bandwidth limit on both directions (IN/OUT) ?

A new question added to the existing ones:

Limiters can help me to reduce the bandwidth on IPSEC tunnel or I should use HFSC only?

Thank you in advance,
Mauro

mauro.tridici

Hello @stephenw10 :)

I hope you are doing well.
I'm sorry to disturb you again, but I know that you are a pfSense guru and I would like to hear your opinion about my questions.

I read the content of this link https://docs.netgate.com/pfsense/en/latest/trafficshaper/vpns.html#ipsec, but I didn't understand if traffic shaping on IPSEC can be done in some way or not at all.

Thank you,
Mauro

stephenw10

You need to apply the Limiters where the firewall state is opened.

So if the traffic is hosts on LAN1 downloading files from LAN2 you would apply them to a rule on the LAN1 interface or on the IPSec interface at Site-B. Both interfaces have inbound states created in that situation.

If you want to limit traffic from connections in both directions you would apply Limiters at both ends.

Steve

mauro.tridici

Thank you Steve, your explanation helped me to solve my issue.

Now, everything is working as expected.

Have a great day,
Mauro