Limiter source mask now after NAT when using gateway groups - 2.8 change?
-
Basic overview of setup:
Multiple WAN connections in a load balance gateway group
LAN with private address range
Limiter with source mask (e.g. /32 for per device) configured for upload
LAN rule to apply limiter to upload
Old behavior - I would see limiter per /32 private address range
New behavior - I'm getting a limiter for each WAN IP
If I remove the gateway group from the LAN rule and use default routing, it works as I'd expect.
So I think the source mask for the limiter is now determined after outbound NAT has been applied. Which means I can't have a limiter per device/subnet at the moment.
Download works fine (direction 'out' of the interface the rule is on)
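As an added illustration of the behaviour described above (this is my own model, not pfSense or dummynet code): a small simulation of a source-mask limiter keyed on the pre-NAT versus the post-NAT source address. The LAN hosts, the two WAN addresses and the round-robin gateway-group NAT are constructed assumptions.

```python
# Model of a dummynet-style limiter with a source mask, keyed either on the
# LAN (pre-NAT) source or on the WAN (post-NAT) source. Illustrative only.
from collections import defaultdict
from ipaddress import IPv4Network

# Constructed sample: three LAN hosts, two WANs in a load-balance gateway group
LAN_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
WAN_IPS = ["203.0.113.5", "198.51.100.7"]  # documentation ranges, assumed


def outbound_nat(flow_id: int) -> str:
    """Assumed round-robin gateway group: flow i leaves via WAN i mod n,
    and outbound NAT rewrites the source to that WAN address."""
    return WAN_IPS[flow_id % len(WAN_IPS)]


def bucket_key(src: str, mask_bits: int) -> str:
    """Source-mask bucket: src AND mask (/32 gives one bucket per host)."""
    return str(IPv4Network(f"{src}/{mask_bits}", strict=False).network_address)


def limiter_buckets(flows, mask_bits: int, key_post_nat: bool) -> dict:
    """Map each limiter bucket to the sorted list of LAN hosts sharing it."""
    buckets = defaultdict(set)
    for fid, lan_src in flows:
        key_src = outbound_nat(fid) if key_post_nat else lan_src
        buckets[bucket_key(key_src, mask_bits)].add(lan_src)
    return {k: sorted(v) for k, v in buckets.items()}


def demo(mask_bits: int = 32):
    """Two flows per host; returns (pre-NAT buckets, post-NAT buckets)."""
    flows = [(i, LAN_HOSTS[i // 2]) for i in range(2 * len(LAN_HOSTS))]
    pre = limiter_buckets(flows, mask_bits, key_post_nat=False)
    post = limiter_buckets(flows, mask_bits, key_post_nat=True)
    return pre, post


if __name__ == "__main__":
    pre, post = demo()
    print("keyed pre-NAT :", pre)   # one bucket per LAN host
    print("keyed post-NAT:", post)  # one bucket per WAN IP, hosts share it
```

With a /32 mask the pre-NAT keying yields one bucket per LAN host, while post-NAT keying collapses all hosts into one bucket per WAN address, which is the "limiter for each WAN IP" symptom.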
-
Think I found someone reporting the same in a bug, so I've appended my description there.
-
@Konan-0, hi friend, I have the same problem. When I use WAN 2, the input limiter does not use the private IP; it uses the public IP as the source. This confirms that the limiter is applied post-NAT. The limiter used on the default gateway does work correctly.
Do you have any new information? I'm going to test with versions prior to 2.8, which I'm currently using.
-
I was testing versions 2.6.0, 2.7.0, 2.7.1, 2.7.2, and 2.8.0 on a new virtual machine with the same network configuration as in the image.
In version 2.6.0, the limiters worked fine when applied to any WAN. In versions 2.7.0, 2.7.1, 2.7.2, and 2.8.0, the limiters use the post-NAT IP address. This divides the bandwidth and doesn't limit each connection from the LAN to upload.
The rules were never modified between versions.
limiter on 2.6.0 not default gateway
limiter on 2.7.x to 2.8.0 not default gateway
It is not clear to me if the problem is the version of pfSense or FreeBSD and the pf package.
-
-
@gemg83 Hi,
I'm afraid I'm no further with it. Honestly, I'm starting to wonder about the state of pfSense. That, or I've massively misunderstood how they deal with feedback and bugs (or the right place to go).
I added a description to this bug as it sounds to be the same thing:
https://redmine.pfsense.org/issues/15770
I've had a bug that's similar open (although much more niche, it's how the limiters apply when going through an OpenVPN based interface) for a year with no response.
If you look in the limiters section of their issue tracker, there's confirmed bugs 11 years old there and 'new' issues that are now 7 years old.
-
@gemg83 I see what you're saying - it could be the jump from 12.3 to 14 on the BSD side.
It really hampers the use of limiters in multi-WAN setups, so it feels like an important bug (I call it a bug as it doesn't behave at all how the UI or documentation suggests; it's more like using them on a floating rule).