Limit bandwidth per IP
-
Hi,
Is it possible to limit the bandwidth per local IP address to, say, 0.5Mbit/S with pfsense? If yes, how do I do that?
Thanks for comments on this.
regards Tor
-
Yes. You can do that with the traffic shaper and a penalty box or multiple penalty boxes.
-
Great, however I'm really stuck to where to start. Do I use the limiter tab?
Does it exist a white paper or something explaining the required config to set the bandwidth for each client IP on a certain interface to x kbit/s?
Thanks for help on this
regards Tor
-
I guess you could use the limiter, but I am not familiar with that setup. I use the traffic shaper, there is a wizard tab that will start you off. I seem to recall that if you search the forum and/or google, you will find what you are looking for. To me, it was relatively simple to setup.
-
Limiter would be an easy way to go.
Go to the Firewall>>>Traffic Shaper option
Create a limiter, name it "in", type in the connection speed. Save it and enable it.
Create another limiter, name it "out", type in the connection speed. Save it and enable it.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Go to firewall>>>Rules>>>Floating
Create a new rule. Traffic type ANY, select the interface you'd like to limit, Set the alias as the source, scroll down click advanced next to in/out, set the first to in, the second to out.
That should work if I didn't forget something.
-
You would need to create a limiter for each ip source if want to split it up. Course this is the same you would have to do in the traffic shaper. The difference is you create floating rules and queues without having to change your firewall rules. Either way, it works about the same way. Personally, I would use shaper, then add them all up and create a queue for it. This way if all connections in there are active, you get limited to 0.50Mbits/s, but if no other connections are going, you can get higher speeds. This cannot be done in the limiters (course, you might want it that way for this situation).
-
Thanks for all your comments and replies.
However do I really need to specify a limiter each IP I want to restrict? Can't I use a subnet mask? I normally have a couple of hundred clients, and the problem is that a few of them grabs almost all bandwidth and leaves almost nothing to the rest of them. Almost all traffic is on port 80, so I don't think it is torrents…
I have a wan bandwidth of around 60Mbps and by trying to impose that no client would get above 0.5Mbps I hope that everybody is more likely get their fair share.
Tor
-
Limiter would be an easy way to go.
Go to the Firewall>>>Traffic Shaper option
Create a limiter, name it "in", type in the connection speed. Save it and enable it.
Create another limiter, name it "out", type in the connection speed. Save it and enable it.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Go to firewall>>>Rules>>>Floating
Create a new rule. Traffic type ANY, select the interface you'd like to limit, Set the alias as the source, scroll down click advanced next to in/out, set the first to in, the second to out.
That should work if I didn't forget something.
Will those limiters apply to each user or to each open connection?
-
I would think it works like a queue and it would be an overall limit and you would need multiple to attain what you are looking for, but since I don't use it, I am not sure.
-
Could someone from pfsense pop in a give a qualified answer on if it is possible to limit bandwidth per local user (ip). As I mentioned beofre I can have up to 200 users and I cannot create rules manually for each of them .-)
regards Tor
-
I normally have a couple of hundred clients…
Well, that changes things. I thought you had maybe a few ip's that you wanted to restrict bandwidth to. A limiter is a virtual pipe, if you group ip's, they ALL share the setting of the limiter. This will work for you, but you'd have to make a few hundred limiters and rules, far from optimal. The same thing goes for penalty box queues.
…and the problem is that a few of them grabs almost all bandwidth and leaves almost nothing to the rest of them.
This is exactly what the traffic sharper was made for. You need to identify the traffic that is stealing all the bandwidth, limit it, and deprioritize it with queues.
-
The shaper is good for that, even if you wanted to have them all in a queue. If you want to limit them to 0.5Mbits/s then you really don't have enough bandwidth for every one if you setup limiters. With the shaper, you limit that queue to a max bandwidth, say 20Mbtis/s and put all the http/https traffic in there. This will force them to share that bandwidth equally since they will have the same priority. So if all 200 are active at the same time, the shaper will limit the connections to 0.1Mbits/s and this will not take up all the bandwidth. If only 1 is active, that one computer can use up to 20Mbits/s for what every they are doing. I am guessing that the limiter can also do this equally?
-
I'm pretty sure what you're wanting to do is covered with the use of Limiter Masks. This will be similar to what awesomo said (and partly copied from it)
Go to the Firewall>>>Traffic Shaper option
Create a new limiter, make sure Enable is checked, name it "500dest", set bandwidth to 500Kbit/s, set mask to destination. Save it.
Create another limiter, make sure Enable is checked, name it "500src", set bandwidth to 500Kbit/s, set mask to source. Save it.
Make sure to apply changes.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Apply changes.
Go to firewall>>>Rules>>>LAN
Create a new rule. Protocol type ANY, Set the alias as the source, scroll down click advanced next to in/out, set the first to 500src, the second to 500dest.
Make sure your new rule is higher than any default allow out.Apply changes and test it out.
Alternatively you could edit the LAN default allow out and add the In/Out option there and it would apply to every host on the LAN individually (each host individually limited to 500Kbps/500Kbps).
-
Wouldnt those limiters apply to the total bandwidth instead of just per user?
-
Why not just use Captive Portal. Assign your users under pass thru mac addresses and enter their assigned bandwidth.
Additionally, you could also utilize Squid to minimize bandwidth usage with repetitive internet http requests.
Also, you should consider setting up Traffic shaping to smooth things out for you.
You can get some very good insight here –> https://calomel.org/pf_hfsc.html
Hope this helps…
Jits
-
Limiters are best to put a hard limit on bandwidth per IP. You just need one limiter with the appropriate source/destination mask to automatically create a pipe of the specified limit for each IP.
http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter
-
In Pfsense, I'm using Lusca cache (modified squid proxy server) to cache big files. From what I read here so far using limiters, it is possible to limit the bandwidth of individual PCs passing through the proxy. In conjunction with bandwidth limiting for each PC, is it possible to configure pfsense so that a PC downloading a big file in the internet that is already in the proxy server, will be allowed to access that file in the proxy server without bandwidth limit?
I mean if the PC is downloading a file in the internet that is not yet in the proxy server, it will have a bandwidth limit during the download. But if the file being downloaded is already in the proxy server (already cached), the PC will be allowed to download the file from the proxy server at full speed without the bandwidth limit.
Can anyone has any idea how this can be done using port 3128 in the browser or the default port 80? Thank you.
-
nydron: are you using transparent proxy?
-
nydron: are you using transparent proxy?
Hi Podilarius, no, I'm not using transparent proxy at the moment. I configured the PCs' browsers to point to the pfsense sever's ip LAN address using port 3128. In the future, I plan to use transparent proxy when I figure out how to separate different data traffic.
I already tested limiting the PCs bandwidth using Pfsense's limiter and it worked pretty well. I'm still studying and researching how to allow the PCs access the lusca/squid cache without bandwidth limit.
-
Then it would seem like you could limit traffic on wan with destination of port 80 and leave port 3128 on LAN without any limiters or just prioritization.