Per IP traffic Shaping

jpalacio

Hi all:

I'm happily running a ISP with pfsense as core router ;D ;D. My next challenge is to setup per IP bandwidth limit to each client . The scenario goes as this :

–-----------------------
Client pool IP's --->| PfSense Router | --> Wan Link ( 80 Mbps)
-------------------------
For example: If the client A contracts 2 Mbps ( symmetric) my plan is to configure 4 limiters:

InLimitLan ( upload from client perspective) 2 Mbps
OutLimitLan (download from client perspective) 2 Mbps
InLimitWan (download from client perspective) 2 Mbps
OutLimitWan ( upload from client perspective) 2 Mbps

After that, and according to the available guides ( http://doc.pfsense.org/index.php/Traffic_Shaping_Guide) , the next step is to apply the limiters using in/out parameters on the firewall rules.

Here, it's where the doubts ??? ( and hopefully your help) begins:

Is it necessary to configure 4 limiters?
The rules can be configure in only 1 interface? let's say LAN
Have you ever think on a different approach?
Assuming that my approach is valid, should I configure the IP in the Source / Destination field over the firewall rule?

Any further comments are welcome!

Thanks in advance!

ptt

You need to create just 2 limiters:

Copy & paste from de guide at pfSense Docs

Setup Limiters
Limiters are setup by creating them under Firewall > Traffic Shaper, on the Limiters tab.

You can use just one pipe for both inbound and outbound traffic, but that would mean you are simulating a half-duplex connection.

The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your upload and the outbound queue is your download. You should name the pipes so that you will easily remember which one is which, such as InLimitLan and OutLimitLan.

jpalacio

@ptt:

You need to create just 2 limiters:

Copy & paste from de guide at pfSense Docs

Setup Limiters
Limiters are setup by creating them under Firewall > Traffic Shaper, on the Limiters tab.

You can use just one pipe for both inbound and outbound traffic, but that would mean you are simulating a half-duplex connection.

The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your upload and the outbound queue is your download. You should name the pipes so that you will easily remember which one is which, such as InLimitLan and OutLimitLan.

Hi Ptt

I already read that portion of the guide, my concern : Is there any difference in applying the limiters on the Wan or Lan Interface?

Thanks for your quick response!

ptt

Some time ago i done some tests with limiters and used on LAN, and works fine for me.

Actually i dont use it, because i do the "Traffic Shaping" on each client CPE. All the CPEs ( ubiquiti) on the network (wireless) have that feature….

jpalacio

@ptt:

Some time ago i done some tests with limiters and used on LAN, and works fine for me.

Actually i dont use it, because i do the "Traffic Shaping" on each client CPE. All the CPEs ( ubiquiti) on the network (wireless) have that feature….

Well , I will try to do it on the LAN . I have a mixture of ubiquiti and other brands ( without traffic shaping support), I have to support the feature on the core routers.

Thanks for your help!
:D

Tomax

Hi there. I manage to implement a similar system, and now users on my lan are limited by the limit i implement, and works very fine. Although they can't reach anymore bandwidth if there are more avaiable. So my question, is this possible with pfsense? not that users have a limited bandwidth but a guaranteed one?

Tomax

@jpalacio:

@ptt:

Some time ago i done some tests with limiters and used on LAN, and works fine for me.

Actually i dont use it, because i do the "Traffic Shaping" on each client CPE. All the CPEs ( ubiquiti) on the network (wireless) have that feature….

Well , I will try to do it on the LAN . I have a mixture of ubiquiti and other brands ( without traffic shaping support), I have to support the feature on the core routers.

Thanks for your help!
:D

Btw i think i can clear your ideia. when u limit the WAN you are limiting the connection it-self because all LAN connection access WAN to communicate, so if u have more then 1 WAN and want to limit there usage, you have to place the limiters on WAN interface. But if you want to limit the users of the network, you have to apply the limiters on the LAN interface.

jpalacio

Well, I managed to do this by defining 4 traffic shaping limiters per client ( or IP, group of IP's) . The scenario goes as this:

Always from the point of view of the router

Create 4 Limiters per client:
IncomingWan –->> Download (Select Mask "Destination addresses" when creating the limiter , select also desire bandwidth here)
OutgoingLan --- >> Download (Select Mask "Source addresses" when creating the limiter , select also desire bandwidth here)
IncomingLan ---->> Upload (Select Mask "Source addresses" when creating the limiter , select also desire bandwidth here)
OutgoingWan ---->>Upload ( (Select Mask "Destination addresses" when creating the limiter , select also desire bandwidth here)

After creating the limiters you need to apply them on Firewall>>Rules ( I did it over my LAN Interface)

Create 2 rules by IP

You need to specify the IP or IP group as source in one rule and the other as destination.

On each rule , go to advanced and select IN/OUT limiters .
Example : IncomingWan --- OutgoingLAN ( when the IP is the destination) download
IncomingLAN --- OutgoingWAN ( when the IP is the source) upload

This works for me . Hope I made myself clear.

Regards

Tomax

Your approx work very well to limit the users. Altho now i would like to know how to guarantee instead of limit. i'll start a new threat ty for this tips :)

Tomax

i'll bring this up for 1 question, it is possible to allow bandwith borrow on limiters? or do i have to implemente a queue to allow this?

Cino

@Tomax:

i'll bring this up for 1 question, it is possible to allow bandwith borrow on limiters? or do i have to implemente a queue to allow this?

I could be wrong but I believe you would have to setup queues for this….

eri--

You can with childs that can be created on limiters.
You create one limiter.
After that you have a add new queue/child in the form if you click/select the limiter.
So you can imagine the limiter as the link speed you have and you can create childs/queues containing various weights per the priority you want the to have.

The important thing here is that a limiters child will use full bandwidth when availble otherwise will split it according to the mask and weight.

Tomax

Thank you ermal, your answer enlighten me the bit that i need to understand limiters a little better :) I'll try it tonight at home and post if i succeed or not with the implementation.

Tomax

Work like a charm ;) thankyou again ermal.

rodolfosevero007

@jpalacio:

Well, I managed to do this by defining 4 traffic shaping limiters per client ( or IP, group of IP's) . The scenario goes as this:

Always from the point of view of the router

Create 4 Limiters per client:
IncomingWan –->> Download (Select Mask "Destination addresses" when creating the limiter , select also desire bandwidth here)
OutgoingLan --- >> Download (Select Mask "Source addresses" when creating the limiter , select also desire bandwidth here)
IncomingLan ---->> Upload (Select Mask "Source addresses" when creating the limiter , select also desire bandwidth here)
OutgoingWan ---->>Upload ( (Select Mask "Destination addresses" when creating the limiter , select also desire bandwidth here)

After creating the limiters you need to apply them on Firewall>>Rules ( I did it over my LAN Interface)

Create 2 rules by IP

You need to specify the IP or IP group as source in one rule and the other as destination.

On each rule , go to advanced and select IN/OUT limiters .
Example : IncomingWan --- OutgoingLAN ( when the IP is the destination) download
IncomingLAN --- OutgoingWAN ( when the IP is the source) upload

This works for me . Hope I made myself clear.

Regards

Guys i'm using pfsense 2.01 RC3 64bits i did EXACTLY this but the only thing that seems to work is the download limiter the upload still not limiting to the speed i need, i really need some help this thing is killing me i need to get this up and running soon =X

rodolfosevero007

Guys i'm using pfsense 2.01 RC3 64bits i did EXACTLY this but the only thing that seems to work is the download limiter the upload still not limiting to the speed i need, i really need some help this thing is killing me i need to get this up and running soon =X

Anyone?

ptt

Post a screenshot of your Limiters & your Rules

rodolfosevero007

@ptt:

Post a screenshot of your Limiters & your Rules

Thanks a lot for the reply…

Link of the SS Image is way too large to use img bbcode

VPS003 is a VPS running behind nat, it's internal ip adress is 192.168.10.8, it is supposted to be getting 10mbps of Download and 1mbps of Upload, as of now its getting all the upload speed the link has and for some reason that i can't understand now i'm getting 1mbps of DOWNLOAD.

I know something is wrong i just can't figure out what it is..

I was using clearOS before i switched to pfsense because pfsense if WAY better as a firewall, all the issues i had with ClearOS i don't have with pfsense and there's a lot more i can do with pfsense now, but if theres something i could never complain about clearos is that i can setup a bandwidth rule in 15 seconds and hell it works.. i really dont wanna go back.

ptt

Check this: http://forum.pfsense.org/index.php/topic,46071.0.html

rodolfosevero007

@ptt:

Check this: http://forum.pfsense.org/index.php/topic,46071.0.html

I've seen that thread before but it doesn't explain anything first theres source adress and destination adress it doesn't say anything about that, and now its only 2 limiters instead of 4 they say 2 work but nobody there said how to do it, the guy in this thread said 4 would work as well but as far as i can see nothing seems to work the way its supposed to, i think pfsense should make things more clear for the people that are implementing their software, it's simple all someone has to do is say if you want to limit the traffic for IP adress X you go there, do this apply that reset tables and your set but in a way that there's no way someone can get it wrong and before posting that he should test and see if it really works, i just don't get it why they make it so hard to setup something that should be so simple…