Netgate Discussion Forum
    PfSense - 2.0 – traffic shaping

    2.0-RC Snapshot Feedback and Problems - RETIRED
    • stefanero

      Hi,

      well what I need would be traffic shaping to work for a network which gets routed to the pfSense box. pfSense is the snapshot download from Aug. 31

      Let me describe the setup a little

      GW<--->pfSense<--->Router<---> Network1
                                              <---> Network2
                                              <---> Network3

      pfSense LanSide 172.10.11.0/24
      Network1 172.31.0.0/26
      Network2 172.31.0.64/26

      and so on
      So each network ends at the Router and gets routed to the pfSense box. Of course each network has its own Subnet Range, but is not in the same Range as the Lan side.

      Each Network 1/2/3 has its own limited Bandwidth to the pfSense Box, and this is the traffic I would like to limit. So say Network1 has a bandwidth of 1mbit, I would like to only give 512kbit to it, and so on. I don't need any other qos.

      What I have tried so far, but was not really successful, is to create 3 Shaper Rules. One for Lan interface, one for Wan interface and a qInternet attached to each of them. All 3 rules have 512kbit set as bandwidth limit.

      Next step was to create a firewall rule with

      
      Protocol any
      Source any
      Port any
      Destination Network1
      Port any
      gateway any
      Queue qInternet/lan
      
      

      and the same thing with source "Network1" and destination any. So both directions are covered.

      Well thing is I can still up/download at full speed from a client in Network1.

      I also tried the option "Limiter" and set up 2 rules, one with mask "destination address" and one with mask "source address". This did not seem to work either for me.

      Can anybody help me out here?

      WE ARE THE MICROSOFT! YOU'LL BE ASSIMILATED! RESISTANCE IS FUTILE!

      • jimp Rebel Alliance Developer Netgate

        Limiters are what you want, to impose hard bandwidth limits.

        If they didn't work, then perhaps either the limiter creation or the firewall rules set to use the limiters were not correct.

        • ttlinna

          @jimp:

          Limiters are what you want, to impose hard bandwidth limits.

          If they didn't work, then perhaps either the limiter creation or the firewall rules set to use the limiters were not correct.

          I've tried with limiters and they work fine to some extent. Be very precise with the directions!

          I use Alix boards and the max download speed with limiter is 1400 Kb. If I enter a bigger value into the limiter, the speed is capped to that limit. Is this a feature or a bug? I've tested with multiple snapshots from January to August.

          • eri--

            Can you provide ipfw pipe show when this happens?

            • cmb

              @ttlinna:

              I use Alix boards and the max download speed with limiter is 1400 Kb. If I enter a bigger value into the limiter, the speed is capped to that limit. Is this a feature or a bug? I've tested with multiple snapshots from January to August.

              Neither that I've seen. We've deployed several ALIX systems in production on ISP networks with various limiters ranging from 256 Kb to 10 Mb and they all work as configured. It is possible to configure things such that you're limiting all traffic through with a limiter, or possibly the limiter isn't getting updated correctly somehow, though that's been extensively tested. Post what Ermal requested.

              • xbipin

                I use limiters, never faced any such limit.

                • stefanero

                  well thanks for the replies, so I will try with the limiters.

                  -do I have to create a limiter for each separate Network?
                  Or can I create one limiter and have that assigned to each network separately in the firewall rules?

                  -How do I create the limiter correctly? Say I want to limit up and download separately like an a-dsl connection.

                  I would create one rule with bandwidth for upload, and as mask select source addresses right?
                  and then one rule with bandwidth for download, and as mask select destination addresses.

                  
                  delay-upload
                  bandwidth 500
                  mask source-address
                  delay-download
                  bandwidth 500
                  mask destination-address
                  
                  

                  as next step I go to firewall rules, now I guess here comes the tricky part.

                  On the Wan Interface rules I did not change anything.

                  On Lan I created 2 rules

                  
                  Rule1
                  proto *
                  source Network1
                  Port *
                  Destination *
                  Port *
                  Gateway *
                  In-Queue delay-upload
                  Out-Queue nothing

                  Rule2
                  proto *
                  source *
                  Port *
                  Destination Network1
                  Port *
                  Gateway *
                  In-Queue delay-download
                  Out-Queue nothing
                  
                  

                  Well if I am wrong please correct me here :)

                  *edit: well upload limit works, but download not :( so there is some little config mistake then I guess…

                  • eri--

                    You just need one rule with both upload/download limits specified together!

                    Please next time ask if you do not know how to configure one thing rather than report something non working.

                    • stefanero

                      thnx for the help,

                      I never said pfsense was not working, all I said was that I can't get it to work.
                      that's why I initially posted it in the traffic shaping section, because I simply needed help with this.

                      I will try what you suggested and post back here I guess ;-)

                      • stefanero

                        well

                        this is tricky.

                        I guess new rules don't get applied to already established connections.

                        closing WinSCP, reopen and start upload, this now works. also download now working

                        thnx a lot

                        • eri--

                          this is tricky.

                          That is normal for a stateful firewall.

                          1 Reply Last reply Reply Quote 0
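
The two points the thread ends on (one LAN rule carrying both limiters, and new limiter settings not reaching connections that already have a state), as an added Python model that is not part of any post and is not pfSense code. It is a deliberately simplified state table: the limiter names and Network1 come from the posts, while the host addresses and the class and function names are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

NETWORK1 = ip_network("172.31.0.0/26")  # Network1 from the thread

@dataclass
class Rule:
    src: IPv4Network          # matched against the first packet of a connection
    in_pipe: Optional[str]    # limiter for packets in the rule's direction (upload)
    out_pipe: Optional[str]   # limiter for reply packets of the same state (download)

class Firewall:
    """Simplified model: state lookup first, rule evaluation only on a miss."""
    def __init__(self, rule):
        self.rule = rule
        self.states = {}  # (client, server) -> (in_pipe, out_pipe) copied at creation

    def packet(self, src, dst):
        """Return the limiter applied to this packet, or None if unlimited."""
        src, dst = ip_address(src), ip_address(dst)
        if (src, dst) in self.states:        # forward direction of a known state
            return self.states[(src, dst)][0]
        if (dst, src) in self.states:        # reply direction of a known state
            return self.states[(dst, src)][1]
        if src in self.rule.src:             # no state: the rule decides once
            self.states[(src, dst)] = (self.rule.in_pipe, self.rule.out_pipe)
            return self.rule.in_pipe
        return None

    def reload(self, rule, kill_states=False):
        """Install a new rule; existing states survive unless explicitly killed."""
        self.rule = rule
        if kill_states:
            self.states.clear()

def demo():
    client, server = "172.31.0.10", "198.51.100.7"  # constructed addresses
    fw = Firewall(Rule(NETWORK1, None, None))        # transfer starts unlimited
    before = (fw.packet(client, server), fw.packet(server, client))
    fw.reload(Rule(NETWORK1, "delay-upload", "delay-download"))
    stale = (fw.packet(client, server), fw.packet(server, client))
    fw.reload(fw.rule, kill_states=True)             # like reopening the session
    fresh = (fw.packet(client, server), fw.packet(server, client))
    return before, stale, fresh
```

The `stale` result is the running transfer that kept its old treatment after the rule change; `fresh` is the reconnected session, limited in both directions by the single rule.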
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.