
    Limiter not working with transparent firewall [RESOLVED]

FJSchrankJr

      Does anyone know if the limiter works with a transparent firewall? For some reason the limiter does not function for me. Not sure if it's because NAT is not being used. The only other thing I can think of is the LAN clients are using the Cisco router IP as the gateway vs. the IP of the firewall. Thanks for the help.

      FJS - Embedded Systems Engineer
Pictures are worth a thousand words, but posting config.xml backups is worth 10,000. Alter the IPs, change anything revealing but leave subnets intact. Use find and replace. Please try to keep it brief on the description.
ALWAYS disable TSO & LRO EXCEPT CHKSUM IF SUPPORTED. TSO/LRO breaks traffic and pf scrub, and this goes for any passive device inline.

FJSchrankJr

        Limiter not working on inbound or outbound with the transparent firewall. I will post thoughts or solutions as I research this one.

        If anyone has anything to add, please post away :-) Thank you all!

        Update:

        According to the pfSense documentation:

        Limiters on Bridges
        When using limiters on bridges, you need to assign the bridge interface and put the IP address for the bridge there, and place the limiters on the member interfaces.

        Can anyone clarify this?


FJSchrankJr

          Ok, this one has been resolved after a bit of research and testing.

          1. Advanced -> System Tunables
            Set net.link.bridge.pfil_member = 1
            Set net.link.bridge.pfil_bridge = 0 (If set to 1, you will see routing issues and problems with passive FTP)

2. Create your limiters (up/down) and apply them to the LAN or WAN rules. No need to use floating rules.

If you will be using both WAN/LAN rules, create 2 parent limiters and 2 children for each, such as:

          limiter1_downstream
          -> limiter1_downstream_wan
          -> limiter1_downstream_lan

          limiter1_upstream
          -> limiter1_upstream_wan
          -> limiter1_upstream_lan

Now, here is an example of how it's applied to the rules.

          WAN Rules
          wan -> lan  IN/OUT = limiter1_downstream_wan/limiter1_upstream_wan

          LAN Rules
          lan -> wan IN/OUT= limiter1_upstream_lan/limiter1_downstream_lan

          Notice 2 things:

1. The limiters are using children so they do not conflict with each other's traffic, but they still share the same total bandwidth of the parent.
2. The direction is reversed on WAN/LAN; otherwise the WAN's upstream will share the LAN's downstream and vice versa, which is not very symmetrical.

From my own testing, some FTP traffic on a NAT pfSense will not get limited. However, on the transparent firewall with the above setup, FTP is being limited properly for both passive/active (no FTP proxy in use).

          If some of your traffic is not being limited, make sure to check the wan/lan rule order.

          I can't tell you how much time, research, confusion and frustration went in to this but you get the idea… :-)

          Hope this helps.


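As an added example (not the poster's own code or anything from pfSense itself), here is a small checker that encodes the three points of the resolution above: the two bridge tunables, child limiters used per interface rather than parents, and the reversed in/out pairing between the WAN and LAN rules. The tunable values, limiter tree and rules are plain Python data constructed to mirror the post.

```python
# Added example, not the forum poster's code: a sanity checker for the bridge
# limiter layout described in the post. All data below is constructed to mirror
# the post; the checks encode its two "notice" points and the tunable settings.

REQUIRED_TUNABLES = {"net.link.bridge.pfil_member": 1,
                     "net.link.bridge.pfil_bridge": 0}

# Parent limiter -> its per-interface child limiters.
LIMITERS = {
    "limiter1_downstream": ["limiter1_downstream_wan", "limiter1_downstream_lan"],
    "limiter1_upstream":   ["limiter1_upstream_wan",   "limiter1_upstream_lan"],
}

# Interface rules as (in-limiter, out-limiter), matching the post's layout.
RULES = {
    "wan": ("limiter1_downstream_wan", "limiter1_upstream_wan"),
    "lan": ("limiter1_upstream_lan",   "limiter1_downstream_lan"),
}

def parent_of(limiters, name):
    """Return the parent of a child limiter, or None if name is not a child."""
    for parent, children in limiters.items():
        if name in children:
            return parent
    return None

def check_tunables(tunables):
    """Report tunables that differ from the values the post settled on."""
    return [f"{k} should be {v}, got {tunables.get(k)}"
            for k, v in REQUIRED_TUNABLES.items() if tunables.get(k) != v]

def check_rules(limiters, rules):
    """Check child usage per interface and the reversed in/out direction."""
    problems = []
    for iface, pair in rules.items():
        for direction, name in zip(("in", "out"), pair):
            if parent_of(limiters, name) is None:
                problems.append(f"{iface} {direction}: {name} is not a child limiter")
            elif not name.endswith("_" + iface):
                problems.append(f"{iface} {direction}: {name} is another interface's child")
    if "wan" in rules and "lan" in rules:
        wan_in, wan_out = (parent_of(limiters, n) for n in rules["wan"])
        lan_in, lan_out = (parent_of(limiters, n) for n in rules["lan"])
        if wan_in != lan_out or wan_out != lan_in:
            problems.append("wan/lan in/out parents are not reversed")
    return problems

if __name__ == "__main__":
    print(check_tunables({"net.link.bridge.pfil_member": 1,
                          "net.link.bridge.pfil_bridge": 1}))
    print(check_rules(LIMITERS, RULES))
```

An empty list from both checks means the layout matches the post; the sample run at the bottom deliberately sets pfil_bridge to 1 so the tunable check reports it.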
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.