How to limit specific IP's bandwidth with shaper

plazasigua · Mar 2, 2010, 3:38 AM

I found a way to limit bandwidth per ip, using the shaper and imitating the behavior of the penalty box.
I was using pfsense for mi local wisp business, here in Honduras, and the bandwidth limiting per ip was a major concern for me, and i don't want to change from pfsense to another solution (i tried clarkconnect, monowall, smoothwall, mikrotik etc…)
It was a great feeling to find a way that seems so easy, and it works perfectly tested in a production environment!
i'm not a code expert, but this can help you to achieve this.

I don put the explanation here because i dont know if anybody is still interested because the last posts are too old.
if i see interested people i detail the process, is easy, and i'm be very happy to help!

tommyboy180 · Mar 2, 2010, 3:59 AM

By all means Deatail the process of your findings.

That's what the forums are all about.

CheeseE · Mar 4, 2010, 5:10 PM

Hello!

It will be great, if you explain it, because I has the same problem, without solution, yet…I have to limit some guys p2p traffic in the hostel...

Thx

Alan87i · Mar 5, 2010, 10:28 AM

Yes please post your findings , Sharing useful information is what a forum is designed for. I have 1 user that seems to be hogging a lot. I would also like to limit the traffic to an xbox 360 say 1 or 2 hours a day then throttle it to dial up speed.

plazasigua · Mar 9, 2010, 8:17 PM

The process is to use the penalty box as a template for additional ip's,
1- run the wizard for the traffic shaper, and select the penalty ip box , put any ip in there, select p2p control if you wish, and defaul protocols for averything.
2- you are going to see the queues created in firewall/traffic shaper/queues, almost all of them with 1% of bandwidht, just lanacks and wanacks with 25%
this make me realize that is no critical that the sum of all the percentajes are 100%
3- there are two queues, qpenaltydown and qpenaltyup, anter there like editing, and write down the bandwidht, priority, and scheduler options, is like this:
1%, priority 2, Random Early Detection REC,Explicit Congestion Notification ECN, and the important part..Upperlimit XXXKb.
4- go back to the queues page and add a new queue for each ip you want to restrict bandwidth, copying the data from the qpenaltydown queue only (if you only wish to control download speeds) otherwise you need to create two queues for each ip, and put a descriptive name in there Ex, ip35_256kb…
each queue has the specified speed you want to give to certain ip, 1024kb, 256Kb, 4096Kb etc.
5- the order in the queue list is not important.
go then to the rules page and add after the qpenaltydown rule a new rule (the order is important in here, the rules are procesed in order) beside if you click the add button right after the rule you want to copy, its only a matter of change the name and the speed, and the ip wanted to be restricted, you can also specify an initial speed, and final speed after ceartain a mount of seconds.
this is useful, beacuse give you the chance of give different bandwidht for browsing and downloading, ex:
Upperlimit m1- 4096Kb, d-30000 , m2-256Kb this means that the bandwidth start at 4mb, and after 30 seconds (because the number is in milliseconds) drop to 256k, if you are browsing the web are very unlikely to wait more than 30 seconds to load a page, so the speeds is maintained at 4096Kb, because you never reach the 30 seconds continuous traffic limit, but if you download a huge file from rapidshare by example, after 30 second of continuous activity rapidly drops to 256Kb

plazasigua · Mar 9, 2010, 8:31 PM

this is the rest of the scrrens of my system, it works great, you can test it downloadin something in the ip address you want to restrict and enabling and disabling the traffic shaper with a check .

the real finding is to see that you can have more than one penalty queue and rule, literally a lot of them, just make sure to put the rules after the deafult created by the wizard on queue and rule per ip

tommyboy180 · Mar 9, 2010, 11:57 PM

Awesome.

rt_rex · Mar 28, 2010, 2:43 PM

Just a hint .
If you creat an alias and add all your limited host there is no need to creat all these rules you create it once.
I have not tested but it should work.

plazasigua · Apr 13, 2010, 4:28 PM

the problem with using alias, is that you are going to use a same penalty queue for several ip´s, sharing the bandwidth asigned for that penalty queue between all of them.
i tried that, and if i have 6mb total, and create a 1mb penalty queue, all the ips asigned to that queue share only 1mb between them, but i want 1 mb cap for each, therefore i need to do it the hard way, one penalty for each ip…

Alan87i · May 12, 2010, 1:30 AM

So Can I make multiple queues All the same just give each one a different name ?
IE 5Mb for 2 minutes and 1Mb after for down /name ip1down
and 400Kb for 2 minutes and 100 Kb after for Up /name ip1up

same as above name ip2down – ip2up

plazasigua · May 13, 2010, 6:59 AM

here the examples

plazasigua · May 13, 2010, 7:07 AM

yes, you only need to make sure and use each queue for a single IP/rule, single host or alias, and select the correct penalty queue,
the images are from one of my working boxes..

Alan87i · May 13, 2010, 9:45 AM

One question .
On the second Image from your last post is that A Down rule/ Queue ?
I see you have the IP as the source! and the IN Interface is LAN out is WAN.

After Pondering this till my nose bled I figured for Inbound , In interface is set to WAN Out is set to LAN , Protocol (any) The Source is left blank ,, Destination is set IP address .

I'm setting for up loads as well and my outbound page looks like your second image.

The way I have set it up works for downloads on my laptop , Haven't tested Uploads yet.

What I really want to know is Can I use the same down queue and UP queue for more than 1 IP address/ user?
For kicks I set a second user up on the same Queue's as my laptop , didn't get and filter errors on the reload. I'll wait and see if the phone starts ringing.

Alan87i · May 13, 2010, 9:49 AM

1 rule I made seems to work

jhabers · May 13, 2010, 4:52 PM

I just tried to set this up and it doesnt seem to be working. I have an alix board with wan, lan and opt1. I have set the opt1 interface to be the penaly box. Is this possible with 1.2.3?

Alan87i · May 14, 2010, 12:41 PM

No idea I would use a lan IP
I also figured out that this don't work at all if you have squid running and proxy set on the browser. Too bad

eri-- · May 14, 2010, 2:49 PM

Go to 2.0?!

jhabers · May 14, 2010, 2:51 PM

@ermal:

Go to 2.0?!

thanks, so is it a fact that 1.2.3 cant shape both lan and opt at the same time?

plazasigua · May 14, 2010, 5:15 PM

Because the importance to limit downloads in my network is priority, i dont use upload limits, but i tested both ways several months ago and it worked really fine, and is so simple like the swap of the source and destination in the individual queue, to create an upload queue ,and in the rules CHANGE THE TARGET from WANDEF (the default for upload) to your particular created queue, this way both queues work simultaneously for one IP, so you have upload and download limited to a single user.

I´ll post images from a rule with upload and download limits for one ip.

greeting from Honduras

jhabers · May 14, 2010, 5:24 PM

@plazasigua:

Because the importance to limit downloads in my network is priority, i dont use upload limits, but i tested both ways several months ago and it worked really fine, and is so simple like the swap of the source and destination in the individual queue, to create an upload queue ,and in the rules CHANGE THE TARGET from WANDEF (the default for upload) to your particular created queue, this way both queues work simultaneously for one IP, so you have upload and download limited to a single user.

I´ll post images from a rule with upload and download limits for one ip.

greeting from Honduras

yes please do, would like to see screenshots