Limit all workstations to max download\upload rate, per machine



  • I want to limit each user (computer) to 3mb upload and 1mb,
    Using Firewall: Traffic Shaper: Limiter, I can create a "3mb" limiter and "1mb" limiter and assign that to in\out of the lan firewall rules.
    The question is, will it limit each user to those limitations, or all lan users will share this limitations (lets say 10 users using the same program, every one of them will get 0.3mb or 3mb?).

    Many thanks!



  • depends on whether you're using dynamic queue creation. info here
    http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter



  • By using the source or destination masks, you can limit either globally (all users), per-user or both.

    Source mask would be used for upload limits and destination for download limits.  You can further limit by using the in/ out sections to pass the traffic through a global limiter (without masks) in addition to a masked limiter (per user limit).

    e.g.

    You want to limit all traffic downloads to 10mbps for all users and 3 mbps per user.
    You would then setup 2 limiters - "globaldown" without mask at 10mbps and "peruserdown" with destination mask at 3mbps.

    You can then setup a firewall rule for any source host and protocol with destination host as your LAN subnet.  Setup direction as In on WAN interface.  Under limiters, setup In/ Out as "globaldown" and "peruserdown" respectively.

    This basically passes all the traffic inbound to LAN subnet from the WAN (that is download) into the global limiter first.  So all download traffic is limited to 10mbps regardless of user.  It then passes out the remaining traffic to the per user limiter which restricts data to 3mbps per LAN host (by IP).

    For outbound, you would repeat the process but reverse the source/ dest. accordingly and with separate limiters.



  • I am trying to do just this and could use a little more clarification…

    @dreamslacker:

    You can then setup a firewall rule for any source host and protocol with destination host as your LAN subnet.  Setup direction as In on WAN interface.  Under limiters, setup In/ Out as "globaldown" and "peruserdown" respectively.

    Ok, I have multiple LAN segments which must share the same 3mbps WAN link. I'm getting wicked ping times once I saturate the connection, even though I use local limits to put the traffic into separate queues.

    I presume I can add a rule for all traffic anywhere instead of to the LAN?

    Wouldn't this rule allow any traffic into my network, though?

    Puzzlement 1 - I'm having trouble understanding how to apply limits independently of firewall security rules. How do I apply the limits to everything without addling a line that says "pass everything though the firewall, and apply this limit." If I don't do that, how do I get the various firewall rules to share the same limit bandwidth?

    Puzzlement 2 - When I did have both my masked LAN rules and global WAN rules in place, the limiter info page showed a line per IP address on my LAN segments, but nothing at all on the WAN segment.

    Any thoughts?

    - Tim.



  • @FishOuttaWater:

    I presume I can add a rule for all traffic anywhere instead of to the LAN?

    On the floating interface.

    Wouldn't this rule allow any traffic into my network, though?

    Only if you use the Quick option.

    Puzzlement 1 - I'm having trouble understanding how to apply limits independently of firewall security rules. How do I apply the limits to everything without addling a line that says "pass everything though the firewall, and apply this limit." If I don't do that, how do I get the various firewall rules to share the same limit bandwidth?

    When you create a shaper rule on the floating interface without the quick option, the rule will apply to any matched packet and the packet will continue to be compared to your firewall rules for a match. Rules on the non-floating interface are implicitly quick, so if your packet matches a floating rule and some other firewall rule, both rules will normally apply.



  • @clarknova:

    When you create a shaper rule on the floating interface without the quick option, the rule will apply to any matched packet and the packet will continue to be compared to your firewall rules for a match. Rules on the non-floating interface are implicitly quick, so if your packet matches a floating rule and some other firewall rule, both rules will normally apply.

    Thanks for your advice here. I keep trying to make the floating interface rules work, but it's just not showing up for me.

    I create limited with no mask so they will apply to all traffic rather than create one queue per address, then I create a floating rule with pass or queue policy (doesn't seem to matter), setting an interface (WAN or one of the LANs), a direction, and selecting limiters in in/out in the advanced section. I reset the states to wipe out any existing connections, and look in the limiter info page. I don't see buckets getting filled in as I do for the rules on a fixed interface with a source or dest mask in the limiter.

    Any ideas what I'm doing wrong?

    Thanks,
        - Tim.


Log in to reply