Traffic Shaping using limiters…torrent unaffected



  • I have a WISP with about 100 clients.  Decided to go with pfSense 2.0 to run it.  I cannot figure out traffic shaping, other than by limiters.  I just don't get the rest of it.  I am trying to learn more but frying my brain right now... so I need a little help.

    I have everyone's speeds limited by IP address.  This seems to work fine...except I have noticed that if someone is using a torrent program, they get all the bandwidth they want.  The limiter does nothing.  I have tried creating other rules or using the wizard but it just ends up confusing me and not helping.

    I have limiters set for 768k down and 128k up.  I have created rules for every IP address that use the In/Out Advanced options to control bandwidth.  The protocol is set to any, the source is set to single host or alias, and the address is the IP address of the client.  This seems to limit speeds just fine, except when someone is using a torrent app.  Any ideas?  Remember, speak slowly, I just can't quite wrap my head around this shaping thing.

    Thank you.



  • There were some changes made to the traffic shaper wizard and you need to implement rules to catch traffic both ways now.  I believe that the torrent uploads are being shaped properly.  It is just the downstream that is the issue.

    To resolve this, add another set of matching rules under WAN or Floating tab with each client IP as the destination mask and set the limiter.



  • While that may have been perfectly clear to you, that did not make much sense to me.  Can you give me an example or instructions on that, please?



  • Also, I still don't understand how anything is getting around the IP limits.  I have people limited by IP.  I was just out at a client's house who was using a torrent on Saturday and getting 6.5 Mbps, and I don't get over 2 Mbps on a speed test.  How are the torrent programs getting past the hard IP limits?



  • What radios are you using?  If they have built-in QoS, I would look into shaping traffic at the client's end, in the radio itself.



  • I am using a combination of Tranzeo and moving everyone to Ubiquiti.  The Ubiquiti have QoS built in and we are using it... but the Tranzeos do not... so my question still stands: how is anything getting past the limiter?  It works for web traffic.  When I do a speed test it tests at the right speed (speakeasy.net or speedtest.net).  But I know some people are using torrents and those are wreaking havoc.  Any ideas?



  • The way I understand the limiters, you just need two limiters: an upload one, say "limitUsersUP", with the mask set to "source addresses", then one for download, for example "limitUsersDOWN", with the mask set to "destination addresses", and of course the limits that you want.  Then you just need one firewall rule, on the LAN tab, saying to pass any protocol, any destination, and the source address set to whatever users you want to limit.  If you don't want to do the whole LAN subnet, then you could make an alias for all the individual IPs of your users and use that alias for the source address.  Then in Advanced In/Out, In would be limitUsersUP and Out would be limitUsersDOWN.  Just one rule.  This works for me trying to limit UDP traffic for users; it seems to make sense and I think it should work for your situation.  If not, maybe it is a bug or something we are not understanding.

    This setup should automatically create a queue for each source IP it sees coming in the LAN, and also for each destination it sees going out, as long as they match the IPs in the firewall rule.  Remember these connections are initiated from inside the LAN, so the firewall should take care of allowing the traffic coming back in from the internet, and direct it according to that one rule that allowed the traffic out.

    But also, now that I think of it, I believe the limiter does not actually make a queue for each address; instead it just makes a bunch of queues and then hashes the address to determine, sort of randomly, which queue it should go in.  It seems to me that for it to work properly there needs to be an individual queue for each address, and I'm not sure how it decides how many queues to make, because maybe it is a tradeoff between accurate limiting and processing power, or some reason not to make too many queues.  I think by default it makes 64, so you might want to set the "bucket size" of the limiters to 128 to make sure there are enough for all the users.  Of course I could be wrong about how the bucket size works, or any of what I wrote, so anyone please correct me if I am wrong!

    If the limiters don't work, because they are broken or we just don't understand them, you could just manually create HFSC queues, one for each user, and set hard limits for them.  You need two queues for each user, one on WAN and one on LAN, named the same, and then one firewall rule on the LAN tab for each IP, with the queue set to the user's queue.  This would take a while to make, but it isn't too bad if you just make a few, then download the traffic shaper or rules config and edit the XML file it makes.  Also, with 200 queues it's probably better to use pfTop to watch what they are doing rather than the webGUI!
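The two answers above describe the same coverage requirement from different angles: every client IP needs a limiter applied to its uploads (a LAN rule with the client as source and an "In" pipe) and to its downloads (either the "Out" pipe on that same LAN rule, or a WAN/floating rule with the client as destination and an "In" pipe). The script below is an added example, not code from the thread or from the pfSense project, that audits a config.xml-style rule set for exactly that and lists the clients that would be left unshaped in either direction. The XML layout (`filter/rule`, `dnpipe` for the In pipe, `pdnpipe` for the Out pipe, alias names stored in `address`) is an assumption about the export format; check it against your own backup before relying on the field names. The sample configuration is constructed for the example.

```python
"""Audit per-client limiter coverage in a pfSense-style config export.

Added example (not from the forum thread or the pfSense project).  The
element names below mirror what a pfSense 2.x config.xml looks like as far
as the author recalls; treat them as an assumption and verify them against
your own export.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one alias-based LAN rule that shapes both directions,
# one client shaped via a LAN rule (upload) plus a WAN rule (download), and
# one client whose LAN rule has no limiter at all.
SAMPLE_CONFIG = """
<pfsense>
  <aliases>
    <alias><name>wisp_clients</name><type>host</type>
      <address>10.0.0.10 10.0.0.11 10.0.0.12</address></alias>
  </aliases>
  <filter>
    <rule><interface>lan</interface><type>pass</type>
      <source><address>wisp_clients</address></source>
      <destination><any/></destination>
      <dnpipe>limitUsersUP</dnpipe><pdnpipe>limitUsersDOWN</pdnpipe></rule>
    <rule><interface>lan</interface><type>pass</type>
      <source><address>10.0.0.20</address></source>
      <destination><any/></destination>
      <dnpipe>limitUsersUP</dnpipe></rule>
    <rule><interface>wan</interface><type>pass</type>
      <source><any/></source>
      <destination><address>10.0.0.20</address></destination>
      <dnpipe>limitUsersDOWN</dnpipe></rule>
    <rule><interface>lan</interface><type>pass</type>
      <source><address>10.0.0.30</address></source>
      <destination><any/></destination></rule>
  </filter>
</pfsense>
"""


def _parse_aliases(root):
    """Map alias name -> set of networks (host entries become /32)."""
    aliases = {}
    for alias in root.iter("alias"):
        addrs = (alias.findtext("address") or "").split()
        aliases[alias.findtext("name")] = {
            ipaddress.ip_network(a, strict=False) for a in addrs}
    return aliases


def _endpoint_matches(endpoint, ip, aliases):
    """True if a <source>/<destination> element covers the given address."""
    if endpoint is None or endpoint.find("any") is not None:
        return True
    addr = endpoint.findtext("address")
    if addr is None:
        return False
    if addr in aliases:
        return any(ip in net for net in aliases[addr])
    try:
        return ip in ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # interface macros such as "lan" are not expanded here


def audit_limiters(config_xml, client_ips):
    """Return {ip: {"upload_limited": bool, "download_limited": bool}}."""
    root = ET.fromstring(config_xml.strip())
    aliases = _parse_aliases(root)
    rules = root.findall("./filter/rule")
    report = {}
    for ip_str in client_ips:
        ip = ipaddress.ip_address(ip_str)
        up = down = False
        for rule in rules:
            if rule.findtext("type", "pass") != "pass":
                continue
            iface = rule.findtext("interface", "")
            floating = rule.find("floating") is not None
            src_ok = _endpoint_matches(rule.find("source"), ip, aliases)
            dst_ok = _endpoint_matches(rule.find("destination"), ip, aliases)
            has_in = bool(rule.findtext("dnpipe"))    # Advanced "In" pipe
            has_out = bool(rule.findtext("pdnpipe"))  # Advanced "Out" pipe
            if iface == "lan" and src_ok:
                # LAN rule: In shapes the client's uploads, Out shapes the
                # replies to connections the client opened.
                up = up or has_in
                down = down or has_out
            if (iface == "wan" or floating) and dst_ok:
                # WAN/floating rule with the client as destination: In is
                # applied to traffic arriving from the Internet.
                down = down or has_in
        report[str(ip)] = {"upload_limited": up, "download_limited": down}
    return report


def missing_limits(report):
    """Sorted list of client IPs that are unshaped in at least one direction."""
    return sorted(ip for ip, r in report.items()
                  if not (r["upload_limited"] and r["download_limited"]))


if __name__ == "__main__":
    clients = ["10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.40"]
    result = audit_limiters(SAMPLE_CONFIG, clients)
    for ip, r in result.items():
        print(ip, r)
    print("needs attention:", missing_limits(result))
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the contents of your config backup and `clients` with the member list of your client alias; anything reported by `missing_limits` is a host whose traffic can bypass the limiter in at least one direction, which is the symptom the thread describes.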



  • Hi ukiahwireless, can you please upload some screenshots of how you created the limiters and firewall rules?

    I did try to limit my office users several times without success, and your answer may help me a lot.

    Thanks in advance.

    Regards



  • Thanks!!  I did a test with my system and it works very well.

    Regards and thanks again

