Limiter not working with transparent firewall [RESOLVED]



  • Does anyone know if the limiter works with a transparent firewall? For some reason the limiter does not function for me. Not sure if it's because NAT is not being used. The only other thing I can think of is the LAN clients are using the Cisco router IP as the gateway vs. the IP of the firewall. Thanks for the help.



  • Limiter not working on inbound or outbound with the transparent firewall. I will post thoughts or solutions as I research this one.

    If anyone has anything to add, please post away :-) Thank you all!

    Update:

    According to the pfSense documentation:

    Limiters on Bridges
    When using limiters on bridges, you need to assign the bridge interface and put the IP address for the bridge there, and place the limiters on the member interfaces.

    Can anyone clarify this?



  • Ok, this one has been resolved after a bit of research and testing.

    1. Advanced -> System Tunables
      Set net.link.bridge.pfil_member = 1
      Set net.link.bridge.pfil_bridge = 0 (If set to 1, you will see routing issues and problems with passive FTP)

    2. Create your limiters (up/down) and apply them to the LAN or WAN rules. no need to use floating rules.

    If you will be using both WAN/LAN rules create 2 parent limiters and 2 childs for each such as:

    limiter1_downstream
    -> limiter1_downstream_wan
    -> limiter1_downstream_lan

    limiter1_upstream
    -> limiter1_upstream_wan
    -> limiter1_upstream_lan

    now, here is an example of how it's applied to the rules.

    WAN Rules
    wan -> lan  IN/OUT = limiter1_downstream_wan/limiter1_upstream_wan

    LAN Rules
    lan -> wan IN/OUT= limiter1_upstream_lan/limiter1_downstream_lan

    Notice 2 things:

    1. The limiters are using childs so they do not conflict with each others traffic but they still share the same total bandwidth for the parent.
    2. The direction is reverse on wan/lan, otherwise the wans upstream will share the lans downstream and vice versa, not very symmetrical.

    From my own testing, some FTP traffic on a NAT pfsense will not get limited. However, on the transparent firewall with the above setup FTP is being limited properly for both pasv/active (no FTP proxy in use).

    If some of your traffic is not being limited, make sure to check the wan/lan rule order.

    I can't tell you how much time, research, confusion and frustration went in to this but you get the idea… :-)

    Hope this helps.


Log in to reply