Can PFSense 2 do this?



  • Hi All
    I've been looking around but can't find much traffic shaping docs so here goes. I want to configure pfsense so that if anyone downloads say 10MB in 5 mins, they automatically go to a penalty box for a specified period of time. Is this possible with Pf-2.0?



  • @petros:

    Hi All
    I've been looking around but can't find much traffic shaping docs so here goes. I want to configure pfsense so that if anyone downloads say 10MB in 5 mins, they automatically go to a penalty box for a specified period of time. Is this possible with Pf-2.0?

    This is called traffic quota in some other firewalls. As far as I know it is not possible in pfsense 2.0.



  • You can make an hfsc queue for each user and put an upperlimit service curve on it, for example, 100%, 300000(5min), 20%, which will let each user download at full speed for 5 min, then get limited to 20% for as long as they continue downloading. If they stop and wait 5 min, then they will get the full 100% for 5 min again. If they stop for 5 seconds, then they will only get 5 seconds of full speed. At least that is how it seems to work from my experiments.

    I know this isn't the same as a traffic quota, but I would say it is better in some ways. You could even make schedules so that this is only in effect at certain times. You might look at a recent post of mine to see an example of how to set up the queues and rules.

    This seems to work well because normal bursty web browsing should never hit the penalty, but continuous downloading will get limited.



  • Hi,

    I am interested in slowing down power users over the captive portal. Is there a chance to get a screenshot of your settings?

    Regards, Valle



  • Actually, I am realizing that this doesn't work quite the way it seemed to; it's a bit more complicated. Take my example above: upperlimit m1=100%, d=5min, m2=20%… Well, the 5 min seems to depend on how much of the 100% the user is actually getting: it will be longer than 5 min if the user is only able to use, say, 50% of the bandwidth because he is sharing with another user. I am not really understanding exactly how the timer works, in fact. Maybe someone will explain it, but it seems like very few people really understand hfsc queues. Anyway, in this scenario, the users may never get throttled when there are lots of users "fighting" over the available bandwidth; instead they get throttled when no one is using it, which is the opposite of what I would hope for. Looks like it's back to studying and experimenting for me, rather than posting in the forum!
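
The effect described in the last post, as an added example that is not part of the thread: a simplified Python model of the upperlimit curve m1=100%, d=5 min, m2=20%. It assumes the curve caps the cumulative data a queue may have received since it became busy; rates are percent of link bandwidth and all function names are hypothetical.

```python
# Added illustration (not from the thread). Simplified model, stated assumption:
# while a queue stays busy, the data it has received so far may not exceed the
# upperlimit curve (slope m1 for the first d seconds, then slope m2).
# Rates are integers in percent of link bandwidth; names are hypothetical.

def curve(t, m1, d, m2):
    """Cumulative service (percent-seconds) allowed t seconds after the queue became busy."""
    return m1 * t if t <= d else m1 * d + m2 * (t - d)

def throttle_start(rate, m1, d, m2):
    """Closed form: seconds until a user receiving a constant `rate` (<= m1) meets the curve."""
    if rate <= m2:
        return None          # never rises to the curve, so never limited
    if rate >= m1:
        return d             # consumes the full burst; limited when the m1 segment ends
    # rate*t = m1*d + m2*(t - d)  =>  t = d*(m1 - m2)/(rate - m2)
    return d * (m1 - m2) / (rate - m2)

def simulate(rate, m1, d, m2, horizon=3600):
    """Step second by second; return the first second in which the user gets less than `rate`."""
    served = 0
    for t in range(horizon):
        allowed = curve(t + 1, m1, d, m2) - served   # headroom left under the curve
        sent = min(rate, allowed)
        if sent < rate:
            return t
        served += sent
    return None

if __name__ == "__main__":
    M1, D, M2 = 100, 300, 20   # the thread's example: 100%, 5 min, 20%
    for rate in (100, 50, 25, 20):
        print(rate, throttle_start(rate, M1, D, M2),
              simulate(rate, M1, D, M2, horizon=10000))
```

Under this model a user held to 50% by competing traffic is first limited after 800 s rather than 300 s, and a user held to 20% or less is never limited.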

