Netgate Discussion Forum

    Per IP traffic Shaping

      jpalacio

      Hi all:

      I'm happily running an ISP with pfSense as core router ;D ;D. My next challenge is to set up a per-IP bandwidth limit for each client. The scenario goes like this:

                           +----------------+
      Client pool IPs ---> | PfSense Router | --> WAN link (80 Mbps)
                           +----------------+
      For example: if client A contracts 2 Mbps (symmetric), my plan is to configure 4 limiters:

      • InLimitLan (upload from client perspective) 2 Mbps
      • OutLimitLan (download from client perspective) 2 Mbps
      • InLimitWan (download from client perspective) 2 Mbps
      • OutLimitWan (upload from client perspective) 2 Mbps

      After that, and according to the available guides (http://doc.pfsense.org/index.php/Traffic_Shaping_Guide), the next step is to apply the limiters using in/out parameters on the firewall rules.

      Here is where the doubts ??? (and hopefully your help) begin:

      • Is it necessary to configure 4 limiters?
      • Can the rules be configured on only 1 interface, let's say LAN?
      • Have you ever thought of a different approach?
      • Assuming that my approach is valid, should I configure the IP in the Source / Destination field on the firewall rule?

      Any further comments are welcome!

      Thanks in advance!

        ptt Rebel Alliance

        You need to create just 2 limiters:

        Copy & paste from the guide at pfSense Docs

        Setup Limiters
        Limiters are set up by creating them under Firewall > Traffic Shaper, on the Limiters tab.

        You can use just one pipe for both inbound and outbound traffic, but that would mean you are simulating a half-duplex connection.

        The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your upload and the outbound queue is your download. You should name the pipes so that you will easily remember which one is which, such as InLimitLan and OutLimitLan.

          jpalacio

          @ptt:

          You need to create just 2 limiters:

          Copy & paste from the guide at pfSense Docs

          Setup Limiters
          Limiters are set up by creating them under Firewall > Traffic Shaper, on the Limiters tab.

          You can use just one pipe for both inbound and outbound traffic, but that would mean you are simulating a half-duplex connection.

          The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your upload and the outbound queue is your download. You should name the pipes so that you will easily remember which one is which, such as InLimitLan and OutLimitLan.

          Hi Ptt

          I already read that portion of the guide. My concern: is there any difference in applying the limiters on the WAN or LAN interface?

          Thanks for your quick response!

            ptt Rebel Alliance

            Some time ago I did some tests with limiters and used them on LAN, and it works fine for me.

            Actually I don't use it, because I do the "Traffic Shaping" on each client CPE. All the CPEs (Ubiquiti) on the network (wireless) have that feature….

              jpalacio

              @ptt:

              Some time ago I did some tests with limiters and used them on LAN, and it works fine for me.

              Actually I don't use it, because I do the "Traffic Shaping" on each client CPE. All the CPEs (Ubiquiti) on the network (wireless) have that feature….

              Well, I will try to do it on the LAN. I have a mixture of Ubiquiti and other brands (without traffic shaping support), so I have to support the feature on the core routers.

              Thanks for your help!
              :D

                Tomax

                Hi there. I managed to implement a similar system, and now users on my LAN are limited by the limit I implemented, and it works very fine. However, they can't reach any more bandwidth if there is more available. So my question: is this possible with pfSense? Not that users have a limited bandwidth but a guaranteed one?

                  Tomax

                  @jpalacio:

                  @ptt:

                  Some time ago I did some tests with limiters and used them on LAN, and it works fine for me.

                  Actually I don't use it, because I do the "Traffic Shaping" on each client CPE. All the CPEs (Ubiquiti) on the network (wireless) have that feature….

                  Well, I will try to do it on the LAN. I have a mixture of Ubiquiti and other brands (without traffic shaping support), so I have to support the feature on the core routers.

                  Thanks for your help!
                  :D

                  Btw I think I can clear up your idea. When you limit the WAN you are limiting the connection itself because all LAN connections access WAN to communicate, so if you have more than 1 WAN and want to limit their usage, you have to place the limiters on the WAN interface. But if you want to limit the users of the network, you have to apply the limiters on the LAN interface.

                    jpalacio

                    Well, I managed to do this by defining 4 traffic shaping limiters per client (or IP, or group of IPs). The scenario goes like this:

                    Always from the point of view of the router

                    Create 4 Limiters per client:
                    IncomingWan --->> Download (select Mask "Destination addresses" when creating the limiter; also select the desired bandwidth here)
                    OutgoingLan --->> Download (select Mask "Source addresses" when creating the limiter; also select the desired bandwidth here)
                    IncomingLan --->> Upload (select Mask "Source addresses" when creating the limiter; also select the desired bandwidth here)
                    OutgoingWan --->> Upload (select Mask "Destination addresses" when creating the limiter; also select the desired bandwidth here)

                    After creating the limiters you need to apply them on Firewall >> Rules (I did it on my LAN interface)

                    Create 2 rules per IP

                    You need to specify the IP or IP group as source in one rule and as destination in the other.

                    On each rule, go to advanced and select the IN/OUT limiters.
                    Example: IncomingWan --- OutgoingLAN (when the IP is the destination) download
                             IncomingLAN --- OutgoingWAN (when the IP is the source) upload

                    This works for me. Hope I made myself clear.

                    Regards

                      Tomax

                      Your approach works very well to limit the users. Although now I would like to know how to guarantee instead of limit. I'll start a new thread, ty for these tips :)

                        Tomax

                        I'll bring this up for 1 question: is it possible to allow bandwidth borrowing on limiters? Or do I have to implement a queue to allow this?

                          Cino

                          @Tomax:

                          I'll bring this up for 1 question: is it possible to allow bandwidth borrowing on limiters? Or do I have to implement a queue to allow this?

                          I could be wrong but I believe you would have to set up queues for this….

                            eri--

                            You can, with children that can be created on limiters.
                            You create one limiter.
                            After that you have an "add new queue/child" in the form if you click/select the limiter.
                            So you can imagine the limiter as the link speed you have, and you can create children/queues containing various weights per the priority you want them to have.

                            The important thing here is that a limiter's child will use full bandwidth when available; otherwise it will split it according to the mask and weight.

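A simplified steady-state model of the borrowing behaviour described in the post above (a child queue takes the whole limiter when the others are idle and is held to its weighted share under contention), added here as an example; it is not part of the thread and not pfSense or dummynet code. The function name, link speed, weights and client addresses are assumptions, and the code models the resulting rates, not the packet scheduler itself.

```python
"""Steady-state model of weighted child queues under one limiter (added example)."""


def weighted_share(link_kbps, demands, weights):
    """Weighted max-min (water-filling) split of one limiter among child queues.

    demands: offered load per client IP in kbit/s (0 means the client is idle)
    weights: child-queue weight per client IP
    Returns the rate each client ends up with, in kbit/s.
    """
    alloc = {ip: 0.0 for ip in demands}
    active = {ip for ip, d in demands.items() if d > 0}
    remaining = float(link_kbps)
    while active and remaining > 0:
        total_w = sum(weights[ip] for ip in active)
        share = {ip: remaining * weights[ip] / total_w for ip in active}
        # Queues asking for no more than their weighted share are fully served;
        # whatever they leave unused is handed to the rest in the next round.
        done = {ip for ip in active if demands[ip] <= share[ip]}
        if not done:
            # Everyone left is backlogged: split strictly by weight.
            alloc.update(share)
            break
        for ip in done:
            alloc[ip] = float(demands[ip])
            remaining -= demands[ip]
        active -= done
    return alloc


# Constructed sample: a 10 Mbit/s limiter with three per-IP child queues.
LINK = 10_000
WEIGHTS = {"192.168.10.8": 1, "192.168.10.9": 1, "192.168.10.10": 2}

if __name__ == "__main__":
    scenarios = {
        "only .8 active": {"192.168.10.8": 20_000, "192.168.10.9": 0, "192.168.10.10": 0},
        "all saturated": dict.fromkeys(WEIGHTS, 20_000),
        ".8 light, rest heavy": {"192.168.10.8": 1_000, "192.168.10.9": 20_000,
                                 "192.168.10.10": 20_000},
    }
    for name, demands in scenarios.items():
        print(name, weighted_share(LINK, demands, WEIGHTS))
```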
                              Tomax

                              Thank you ermal, your answer enlightened me on the bit that I need to understand limiters a little better :) I'll try it tonight at home and post if I succeed or not with the implementation.

                                Tomax

                                Works like a charm ;) thank you again ermal.

                                  rodolfosevero007

                                  @jpalacio:

                                  Well, I managed to do this by defining 4 traffic shaping limiters per client (or IP, or group of IPs). The scenario goes like this:

                                  Always from the point of view of the router

                                  Create 4 Limiters per client:
                                  IncomingWan --->> Download (select Mask "Destination addresses" when creating the limiter; also select the desired bandwidth here)
                                  OutgoingLan --->> Download (select Mask "Source addresses" when creating the limiter; also select the desired bandwidth here)
                                  IncomingLan --->> Upload (select Mask "Source addresses" when creating the limiter; also select the desired bandwidth here)
                                  OutgoingWan --->> Upload (select Mask "Destination addresses" when creating the limiter; also select the desired bandwidth here)

                                  After creating the limiters you need to apply them on Firewall >> Rules (I did it on my LAN interface)

                                  Create 2 rules per IP

                                  You need to specify the IP or IP group as source in one rule and as destination in the other.

                                  On each rule, go to advanced and select the IN/OUT limiters.
                                  Example: IncomingWan --- OutgoingLAN (when the IP is the destination) download
                                           IncomingLAN --- OutgoingWAN (when the IP is the source) upload

                                  This works for me. Hope I made myself clear.

                                  Regards

                                  Guys, I'm using pfSense 2.01 RC3 64bits. I did EXACTLY this but the only thing that seems to work is the download limiter; the upload is still not limiting to the speed I need. I really need some help, this thing is killing me, I need to get this up and running soon =X

                                    rodolfosevero007

                                    Guys, I'm using pfSense 2.01 RC3 64bits. I did EXACTLY this but the only thing that seems to work is the download limiter; the upload is still not limiting to the speed I need. I really need some help, this thing is killing me, I need to get this up and running soon =X

                                    Anyone?

                                      ptt Rebel Alliance

                                      Post a screenshot of your Limiters & your Rules

                                        rodolfosevero007

                                        @ptt:

                                        Post a screenshot of your Limiters & your Rules

                                        Thanks a lot for the reply…

                                        Link of the SS Image is way too large to use img bbcode

                                        VPS003 is a VPS running behind NAT; its internal IP address is 192.168.10.8. It is supposed to be getting 10mbps of Download and 1mbps of Upload; as of now it's getting all the upload speed the link has and, for some reason that I can't understand, now I'm getting 1mbps of DOWNLOAD.

                                        I know something is wrong, I just can't figure out what it is..

                                        I was using ClearOS before I switched to pfSense because pfSense is WAY better as a firewall. All the issues I had with ClearOS I don't have with pfSense and there's a lot more I can do with pfSense now, but if there's something I could never complain about with ClearOS it is that I can set up a bandwidth rule in 15 seconds and hell, it works.. I really don't wanna go back.

                                          ptt Rebel Alliance

                                          Check this: http://forum.pfsense.org/index.php/topic,46071.0.html

                                            rodolfosevero007

                                            @ptt:

                                            Check this: http://forum.pfsense.org/index.php/topic,46071.0.html

                                            I've seen that thread before but it doesn't explain anything. First, there's source address and destination address; it doesn't say anything about that. And now it's only 2 limiters instead of 4; they say 2 work but nobody there said how to do it. The guy in this thread said 4 would work as well, but as far as I can see nothing seems to work the way it's supposed to. I think pfSense should make things more clear for the people that are implementing their software. It's simple: all someone has to do is say "if you want to limit the traffic for IP address X you go there, do this, apply that, reset tables and you're set", but in a way that there's no way someone can get it wrong, and before posting that he should test and see if it really works. I just don't get why they make it so hard to set up something that should be so simple…

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.