Bandwidth limit per IP



  • Hi all

    I am new to pfSense but I am trying to learn. I have a small network with an ADSL D-Link router and a bandwidth of 4 mb (0.5 mb upload). We share this among 9 people. Some of them are downloading using Limewire or other P2P clients and for this reason I need to limit their bandwidth.
    I tried to use pfSense before on this PC (Pentium 2, 350 MHz, 256 RAM, 10 GB HDD), but it didn't work properly, some websites didn't work, it was slow … anyway I guess I did something wrong.
    I am thinking to continue to use the D-Link router and to add the PC with pfSense only for these users that are downloading.
    So my question is kind of simple: is it possible? The router has the 192.168.0.1/24 subnet and has a dynamic public IP.
    I want to put the pfSense with a static IP on WAN, e.g. 192.168.1.100, and the LAN to give a different subnet ... Question is what subnet should I choose for the LAN to work properly?
    On this LAN I would connect a switch with the problematic users. I want to assign a bandwidth limit for the LAN interface, let's say 2000 Kbs down and 250 Kbs upload.
    And I was thinking to have a bandwidth limit per user/IP of 400 Kbs with 50 kbs upload using the penalty IP shaping rule.
    And for the LAN how can I make sure that they are not using manual IP addresses?
    I am thinking to use a static IP address for each user and create an alias from their range, and have the firewall pass the traffic with the bandwidth limit rules. And block everything else in case they are manually changing their IPs.

    Thank you all



  • No, you can't. If you want it badly, maybe you can try MikroTik RouterOS.



  • OK, if this is not working, maybe you can advise me on something related to this, MikroTik …. I don't think it will work on this PC. What about monowall, can I limit the downloaders' bandwidth with that?


  • No….



  • No, you can't.
    Maybe you can try ClarkConnect or MikroTik….



  • pfSense 2.0 or m0n0 can do this.



  • There has to be a way to do something. I tried to use the IP penalty and it is indeed limiting the bandwidth. I set it to 400 kbs and then I tested with speedtest.net and it worked perfectly.
    The problem for the LAN is that in the IP penalty you can put only 1 IP or a range of IPs with aliases. If I choose aliases (e.g. 10 IPs) and I put 400 kb, will it limit the bandwidth for each IP or for all at the same time?
    I also tried to make more queues and rules based on the qIPpenaltydown and qIPpenaltyup and change the IP address for each new rule.
    If I assign static IP addresses on LAN based on their MAC and limit these IPs from the firewall like I said above, is it going to work?
    Thanks



  • @ermal:

    pfSense 2.0 or m0n0 can do this.

    Where can I get pfSense 2.0?
    How will monowall do what I need? I didn't see any IP penalty like feature, or something that will allow me to limit the bandwidth per IP or user.
    I was thinking to add more NICs and limit the bandwidth for each of them, and then connect each PC to one NIC. Is this going to do the trick?

    Thanks



  • @nykollas:

    @ermal:

    pfSense 2.0 or m0n0 can do this.

    Where can I get pfSense 2.0?

    Get it here (assuming that you will use it for the x86 platform):

    http://snapshots.pfsense.org/FreeBSD_RELENG_8_0/pfSense_HEAD/livecd_installer/

    How will monowall do what I need? I didn't see any IP penalty like feature, or something that will allow me to limit the bandwidth per IP or user.

    1. Use the latest monowall beta; the current one is m0n0wall 1.3b18. Get it here:
    http://m0n0.ch/wall/beta.php
    After installation & basic setup, use the web interface to connect.
    2. In the Traffic Shaping section, create (some, if you need different speeds for different IPs) pipes for your bandwidth limitations, defining bandwidth, packet loss rate and mask (destination for the download limit & source for the upload limit). You don't need a queue size; put a description as the name of the pipe. You need a pair of pipes, for upload & download.
    3. Now in the rules section create some rules to limit bandwidth, defining:
    a. Target: your created pipe (speed class) for shaping.
    b. Interface: LAN in your case.
    c. Protocol: choose one if you want to limit according to services. If you want to limit for all services, choose "any".
    d. Source: to shape the download limit use any.
    e. Source port range: any for all ports.
    f. Destination: if you want to shape the whole network, use network & put the network IP & subnet; otherwise select "single ip" & the IP address.
    g. Destination port range: any for all ports.
    h. Direction: any.
    i. Leave the other fields at their defaults or set them as you wish.
    j. Give a name as the description & hit save. Don't forget to hit "apply changes".

    Note: remember you need another rule for upload, otherwise only the download limit will be shaped. For the upload limit, create another pipe with mask source & alter the "source" and "destination" settings above.

    Hope it may help you.

    I was thinking to add more NICs and limit the bandwidth for each of them, and then connect each PC to one NIC. Is this going to do the trick?

    Thanks

    Very bad & desperate idea. Don't even think about it.



  • 2.0 can do this.
    On 1.2.3 you can do this through CP if you can use it.



  • Put them in an alias, and then use the traffic shaper wizard to limit their available bandwidth accordingly. Why did nobody think of that solution for this person?

    That will allow them to share the X bandwidth between the entire alias group. Though I do not know of any way to cap people off at a certain MB count using pf.
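
The thread describes two behaviours: a pipe with a destination mask (the m0n0wall steps) limits each IP on its own, while one limit placed on an alias is shared by the whole group. The following is an added example, not part of the original posts and not m0n0wall or pfSense code: a simplified Python model of a fixed-rate pipe with a tail-drop queue, run on constructed traffic. The 50-slot queue, the packet size and the two hosts' traffic rates are assumptions.

```python
from collections import defaultdict, deque

PKT_BITS = 12_000  # one 1500-byte packet (assumed size)

def shape(packets, bw_kbit, mask=None, queue_slots=50, duration_ms=10_000):
    """Pass (t_ms, src, dst, bits) packets through a fixed-rate pipe.

    mask=None  : all packets share one pipe (one limit for the whole group)
    mask="dst" : a separate pipe per destination IP (download limit)
    mask="src" : a separate pipe per source IP (upload limit)
    Returns {dst: bits delivered within duration_ms}.
    """
    busy_until = defaultdict(float)  # per pipe: when the link is free again
    pending = defaultdict(deque)     # per pipe: departure times still queued
    delivered = defaultdict(int)
    for t, src, dst, bits in sorted(packets):
        key = {"dst": dst, "src": src}.get(mask, "shared")
        queue = pending[key]
        while queue and queue[0] <= t:   # packets that have already left
            queue.popleft()
        if len(queue) >= queue_slots:    # queue full: tail drop
            continue
        done = max(t, busy_until[key]) + bits / bw_kbit  # 1 kbit/s == 1 bit/ms
        busy_until[key] = done
        queue.append(done)
        if done <= duration_ms:
            delivered[dst] += bits
    return dict(delivered)

def constructed_traffic(duration_ms=10_000):
    """Constructed downloads: a P2P host at 2000 kbit/s, a light user at 300."""
    heavy = [(t, "wan", "192.168.1.2", PKT_BITS) for t in range(0, duration_ms, 6)]
    light = [(t, "wan", "192.168.1.6", PKT_BITS) for t in range(0, duration_ms, 40)]
    return heavy + light

def compare(bw_kbit=400):
    """Run the same traffic through a shared pipe and a per-destination pipe."""
    traffic = constructed_traffic()
    return shape(traffic, bw_kbit), shape(traffic, bw_kbit, mask="dst")

if __name__ == "__main__":
    for label, result in zip(("shared pipe", "mask=destination"), compare()):
        for ip, bits in sorted(result.items()):
            print(f"{label:17} {ip}: {bits / 10_000:.0f} kbit/s")
```

With the shared pipe the heavy host fills the queue and the light user's packets are mostly dropped; with the destination mask each host is held to 400 kbit/s independently.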



  • @nykollas:

    And for the LAN how can I make sure that they are not using manual IP addresses?
    I am thinking to use a static IP address for each user and create an alias from their range, and have the firewall pass the traffic with the bandwidth limit rules. And block everything else in case they are manually changing their IPs.

    I hate those people also  :D
    you can use ipguard
    http://ipguard.deep.perm.ru/
    By

    pkg_add -r ipguard
    

    It can bind an IP address to a MAC and prevent (as much as it can) others from changing their IPs, by adding MAC-IP pairs in a file like this:

    00:11:22:33:44:55 192.168.1.2
    00:44:55:66:77:88 192.168.1.6

    Actually I don't know why it hasn't been added to pfSense packages. If users can take any IP they want, then all firewall configuration and traffic shaping is in vain.
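
The MAC-IP pair file shown in the last post can also be used to audit what is actually on the LAN. The following is an added example, not part of the original post and not ipguard's code: it parses that file format and checks it against `arp -an` output. The ARP lines, the interface name `em1` and the reason labels are constructed for illustration.

```python
import re

# Matches FreeBSD-style `arp -an` lines: "? (IP) at MAC on IFACE ..."
ARP_LINE = re.compile(
    r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b")

def norm_mac(mac):
    """Lower-case and zero-pad each octet so 0:11:... equals 00:11:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_pairs(text):
    """Parse 'MAC IP' lines (the file format shown in the post) into {ip: mac}."""
    pairs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            pairs[fields[1]] = norm_mac(fields[0])
    return pairs

def audit(pairs, arp_output):
    """Return (ip, mac, reason) for every ARP entry that breaks the pair list."""
    ip_of = {mac: ip for ip, mac in pairs.items()}
    findings = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m:                      # e.g. "(incomplete)" entries
            continue
        ip, mac = m.group(1), norm_mac(m.group(2))
        if pairs.get(ip) == mac:
            continue                   # listed pair, nothing to report
        if ip in pairs:
            findings.append((ip, mac, "ip-claimed-by-other-mac"))
        elif mac in ip_of:
            findings.append((ip, mac, "known-mac-on-other-ip"))
        else:
            findings.append((ip, mac, "unlisted-pair"))
    return findings

# Pair list from the post; the ARP table below is constructed sample data.
PAIRS = "00:11:22:33:44:55 192.168.1.2\n00:44:55:66:77:88 192.168.1.6\n"
ARP_SAMPLE = """\
? (192.168.1.2) at 00:11:22:33:44:55 on em1 [ethernet]
? (192.168.1.6) at 00:aa:bb:cc:dd:ee on em1 [ethernet]
? (192.168.1.50) at 00:44:55:66:77:88 on em1 [ethernet]
? (192.168.1.9) at (incomplete) on em1 [ethernet]
"""

if __name__ == "__main__":
    print(*audit(parse_pairs(PAIRS), ARP_SAMPLE), sep="\n")
```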

