How to limit specific IP's bandwidth with shaper



  • I found a way to limit bandwidth per ip, using the shaper and imitating the behavior of the penalty box.
    I was using pfsense for mi local wisp business, here in Honduras, and the bandwidth limiting per ip was a major concern for me, and i don't want to change from pfsense to another solution (i tried clarkconnect, monowall, smoothwall, mikrotik etc…)
    It was a great feeling to find a way that seems so easy, and it works perfectly tested in a production environment!
    i'm not a code expert, but this can help you to achieve this.

    I don put the explanation here because i dont know if anybody is still interested because the last posts are too old.
    if i see interested people i detail the process, is easy, and i'm be very happy to help!



  • By all means Deatail the process of your findings.

    That's what the forums are all about.



  • Hello!

    It will be great, if you explain it, because I has the same problem, without solution, yet…I have to limit some guys p2p traffic in the hostel...

    Thx



  • Yes please post your findings , Sharing useful information is what a forum is designed for. I have 1 user that seems to be hogging a lot. I would also like to limit the traffic to an xbox 360 say 1 or 2 hours a day then throttle it to dial up speed.



  • The process is to use the penalty box as a template for additional ip's,
    1- run the wizard for the traffic shaper, and select the penalty ip box , put any ip in there, select p2p control if you wish, and defaul protocols for averything.
    2-  you are going to see the queues created in firewall/traffic shaper/queues, almost all of them with 1% of bandwidht, just lanacks and wanacks with 25%
    this make me realize that is no critical that the sum of all the percentajes are 100%
    3- there are two queues, qpenaltydown and qpenaltyup, anter there like editing, and write down the bandwidht, priority, and scheduler options, is like this:
    1%, priority 2, Random Early Detection REC,Explicit Congestion Notification ECN, and the important part..Upperlimit XXXKb.
    4- go back to the queues page and add a new queue for each ip you want to restrict bandwidth, copying the data from the qpenaltydown queue only (if you only wish to control download speeds) otherwise you need to create two queues for each ip, and put a descriptive name in there Ex, ip35_256kb…
    each queue has the specified speed you want to give to certain ip, 1024kb, 256Kb, 4096Kb etc.
    5- the order in  the queue list is not important.
    go then to the rules page and add after the qpenaltydown rule a new rule (the order is important in here, the rules are procesed in order) beside if you click the add button right after the rule you want to copy, its only a matter of change the name and the speed, and the ip wanted to be restricted, you can also specify an initial speed, and final speed after ceartain a mount of seconds.
    this is useful, beacuse give you the chance of give different bandwidht for browsing and downloading, ex:
    Upperlimit m1- 4096Kb, d-30000 , m2-256Kb  this means that the bandwidth start at 4mb, and after 30 seconds (because the number is in milliseconds) drop to 256k, if you are browsing the web are very unlikely to wait more than 30 seconds to load a page, so the speeds is maintained at 4096Kb, because you never reach the 30 seconds continuous traffic limit, but if you download a huge file from rapidshare by example, after 30 second of continuous activity rapidly drops to 256Kb




  • this is the rest of the scrrens of my system, it works great, you can test it downloadin something in the ip address you want to restrict and enabling and disabling the traffic shaper with a check .

    the real finding is to see that you can have more than one penalty queue and rule, literally a lot of them, just make sure to put the rules after the deafult created by the wizard on queue and rule per ip








  • Awesome.



  • Just a hint .
    If you creat an alias and add all your limited host there is no need to creat all these rules you create it once.
    I have not tested but it should work.



  • the problem with using alias, is that you are going to use a same penalty queue for several ip´s, sharing the bandwidth asigned for that penalty queue between all of them.
    i tried that, and if i have 6mb total, and create a 1mb penalty queue, all the ips asigned to that queue share only 1mb between them, but i want 1 mb cap for each, therefore i need to do it the hard way, one penalty for each ip…



  • So Can  I make multiple queues  All the same just give each one a different name ?
    IE 5Mb for 2 minutes and 1Mb after for down  /name ip1down
    and 400Kb for 2 minutes and 100 Kb after  for Up  /name ip1up

    same as above name ip2down – ip2up



  • here the examples






  • yes, you only need to make sure and use each queue for a single IP/rule, single host or alias, and select the correct penalty queue,
    the images are from one of my working boxes..




  • One question .
    On the second Image from your last post is that A Down rule/ Queue ?
    I see you have the IP as the source! and the IN Interface is LAN out is WAN.

    After Pondering this till my nose bled I figured for Inbound , In interface is set to WAN Out is set to LAN , Protocol (any) The Source is left blank ,, Destination is set IP address .

    I'm setting for up loads as well and my outbound page looks like your second image.

    The way I have set it up works for downloads on my laptop , Haven't tested Uploads yet.

    What I really want to know is Can I use the same down queue and UP queue for more than 1 IP address/ user?
    For kicks I set a second user up on the same Queue's as my laptop , didn't get and filter errors on the reload. I'll wait and see if the phone starts ringing.



  • 1 rule I made seems to work




  • I just tried to set this up and it doesnt seem to be working. I have an alix board with wan, lan and opt1. I have set the opt1 interface to be the penaly box. Is this possible with 1.2.3?



  • No idea I would use a lan IP
    I also figured out that this don't work at all if you have squid running and proxy set on the browser. Too bad



  • Go to 2.0?!



  • @ermal:

    Go to 2.0?!

    thanks, so is it a fact that 1.2.3 cant shape both lan and opt at the same time?



  • Because the importance to limit downloads in my network is priority, i dont use upload limits, but i tested both ways several months ago and it worked really fine, and is so simple like the swap of the source and destination in the individual queue, to create  an upload queue ,and in the rules CHANGE THE TARGET from WANDEF (the default for upload) to your particular created queue, this way both queues work simultaneously for one IP, so you have upload and download limited to a single user.

    I´ll post images from a rule with upload and download limits for one ip.

    greeting from Honduras



  • @plazasigua:

    Because the importance to limit downloads in my network is priority, i dont use upload limits, but i tested both ways several months ago and it worked really fine, and is so simple like the swap of the source and destination in the individual queue, to create  an upload queue ,and in the rules CHANGE THE TARGET from WANDEF (the default for upload) to your particular created queue, this way both queues work simultaneously for one IP, so you have upload and download limited to a single user.

    I´ll post images from a rule with upload and download limits for one ip.

    greeting from Honduras

    yes please do, would like to see screenshots



  • @plazasigua:

    Because the importance to limit downloads in my network is priority, i dont use upload limits, but i tested both ways several months ago and it worked really fine, and is so simple like the swap of the source and destination in the individual queue, to create  an upload queue ,and in the rules CHANGE THE TARGET from WANDEF (the default for upload) to your particular created queue, this way both queues work simultaneously for one IP, so you have upload and download limited to a single user.

    I´ll post images from a rule with upload and download limits for one ip.

    greeting from Honduras

    I have messed with this for hours.
    I made a down queue and an UP load queue.
    The download queue Rule is attached . And works fine. And I also have Lusca cache running with Firefox set to AUTO detect and a video from live leak seemed to cache and played from the cache on my test machine I watched the queues page at the same time and saw the bar and Mb count rise for my test queue to 3.5 Mb down. While the traffic graph showed 0 to 3 Kb . Oh and the video loaded in 10 seconds on the Test machine and took  4 minutes on my desktop the first time. And it loaded from the cache at the speed set by the queue for download.  I have tried this test several times , I first watch /load a video on my desktop , Graph shows 1.x too 2.x Mb Inbound . Send the link Now to 2 other machines on the lan with a DL queue and a dl rule set to 5 Mb for 1 minute . When either test machine clicks the link traffic stays at next to 0 as normal , So it reads it from the cache , The queues page shows the queue speed tapping out at 5 mb then stops because the video loaded in under 1 minute.

    But I cannot make an UP load queue that the filter doesn't have a fit over or works if the filter reloads fine.

    Looking for any help at all . Thanks




  • Ahhh, I think i figured out my problem, the traffic I was trying to shape was on the OPT1 interface, I forgot to change it to OPT1>WAN, WAN>OPT1 instead of the default LAN>WAN, WAN>LAN in the traffic shaping rules



  • I followed this guideline and made 7 queues and 7 rules 1 for each. I can sit at the PC for the last rule I made and hog the net all I want while watching the queues page I see no traffic being passed. This system doesn't have squid running.
    While the first few queues are working and dropping the speed to the set Kbps after the set time limit.
    Any Ideas ?



  • Thanks for the info. Please keep us updated.


Locked