How do I create bandwidth caps?

fbiryujin · Sep 8, 2011, 6:06 PM

I have an IPSec site-to-site setup, and I'd like to create a monthly hard limit on the amount of GB a single LAN IP can transfer over the IPSec connection in order to prevent transfer abuse. How can I set this up?

Thanks

Metu69salemi · Sep 8, 2011, 6:08 PM

if i remember right there is no straight forward mean to do monthly restrictions. but i can remember it wrongly

jimp · Sep 12, 2011, 1:28 PM

There isn't a way to set long-term limits in that way built into the system.

If you use something like Captive Portal and tie that back to a RADIUS server, you could do such a limit via RADIUS accounting if the RADIUS server software supports limits like that.

fbiryujin · Sep 12, 2011, 7:15 PM

That could work. Do you know if Windows Server 2008 R2 RADIUS supports that feature?

jimp · Sep 12, 2011, 7:24 PM

I don't know. I know it does support accounting if you turn that on, but I'm not sure if it can act on the data there. It's probably something you can do in NPS one way or another. I know there are a lot of different policies you can set in there. I haven't done much with it first-hand but I've helped several people get it talking to pfSense for use with things like OpenVPN.

fbiryujin · Sep 12, 2011, 7:42 PM

Ah ok. Right now I'm trying to figure that out. Also gotta figure out how to have RADIUS for PPTP and Captive Portal, without users having access to both or neither. So far I can only get it to authenticate both, or neither :/ (That's probably too off topic, and in need of another thread though)

jimp · Sep 12, 2011, 7:44 PM

Not sure if that is possible the way things are done, but yeah that's probably a topic for another thread. I'm not sure if NPS can distinguish between pfSense requests for those two systems. You might be able to find a radius attribute that is only present in one or the other and limit based on that, make groups that can only get access based on the presence of a certain attribute.

Probably need to sniff the requests with tcpdump/wireshark and insepct them.

fbiryujin · Sep 13, 2011, 3:03 PM

That might work. I think that if RADIUS auth's any of the parameters in the list, it is considered a success though, so I think I'd need to either have 2 separate RADIUS servers, or contact a Windows expert.

rafaelmagu · Oct 16, 2011, 9:56 PM

I have that with daloRADIUS. Each user has 1GB free per month (it's a hostel) and they can buy additional data packs. It does require a manual reset of the free plans, though. I suppose a clever cron job could run that every 1st of the month.

Bear in mind that traffic accounting seems to be broken in pfSense 2.0-RELEASE. I'm seeing a big increase in traffic usage reports from RADIUS even though the ISP saw no difference on the monthly usage. It seems pfSense is incorrectly multiplying the real traffic used (sometimes by 6 times).

Pretty much the same as here: http://forum.pfsense.org/index.php/topic,39555.0.html