Limit bandwidth per IP
-
I normally have a couple of hundred clients…
Well, that changes things. I thought you had maybe a few IPs that you wanted to restrict bandwidth to. A limiter is a virtual pipe; if you group IPs, they ALL share the setting of the limiter. This will work for you, but you'd have to make a few hundred limiters and rules, far from optimal. The same thing goes for penalty box queues.
…and the problem is that a few of them grab almost all the bandwidth and leave almost nothing to the rest of them.
This is exactly what the traffic shaper was made for. You need to identify the traffic that is stealing all the bandwidth, limit it, and deprioritize it with queues.
-
The shaper is good for that, even if you wanted to have them all in a queue. If you want to limit them to 0.5 Mbit/s then you really don't have enough bandwidth for everyone if you set up limiters. With the shaper, you limit that queue to a max bandwidth, say 20 Mbit/s, and put all the HTTP/HTTPS traffic in there. This will force them to share that bandwidth equally since they will have the same priority. So if all 200 are active at the same time, the shaper will limit the connections to 0.1 Mbit/s and this will not take up all the bandwidth. If only 1 is active, that one computer can use up to 20 Mbit/s for whatever they are doing. I am guessing that the limiter can also do this equally?
-
I'm pretty sure what you're wanting to do is covered with the use of Limiter Masks. This will be similar to what awesomo said (and partly copied from it).
Go to the Firewall>>>Traffic Shaper option
Create a new limiter, make sure Enable is checked, name it "500dest", set bandwidth to 500Kbit/s, set mask to destination. Save it.
Create another limiter, make sure Enable is checked, name it "500src", set bandwidth to 500Kbit/s, set mask to source. Save it.
Make sure to apply changes.
Create an alias with all the IPs you want in Firewall>>>Aliases.
Name it, save it.
Apply changes.
Go to Firewall>>>Rules>>>LAN.
Create a new rule. Protocol type ANY, set the alias as the source, scroll down, click Advanced next to In/Out, set the first to 500src, the second to 500dest.
Make sure your new rule is higher than any default allow out. Apply changes and test it out.
Alternatively you could edit the LAN default allow out and add the In/Out option there and it would apply to every host on the LAN individually (each host individually limited to 500Kbps/500Kbps).
-
Wouldn't those limiters apply to the total bandwidth instead of just per user?
-
Why not just use Captive Portal? Assign your users under pass-through MAC addresses and enter their assigned bandwidth.
Additionally, you could also utilize Squid to minimize bandwidth usage from repetitive HTTP requests.
Also, you should consider setting up traffic shaping to smooth things out for you.
You can get some very good insight here –> https://calomel.org/pf_hfsc.html
Hope this helps…
Jits
-
Limiters are best to put a hard limit on bandwidth per IP. You just need one limiter with the appropriate source/destination mask to automatically create a pipe of the specified limit for each IP.
http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter
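The masked-limiter behaviour described in the step-by-step post above and in this reply (one limiter, one dynamic pipe per IP) can be modelled. The following is an added example, not pfSense or FreeBSD code: it imitates how a dummynet limiter keys its dynamic pipes on the masked source or destination address, and goes slightly beyond the thread by also showing partial mask bits (per-/24 pipes) and what happens when the mask side does not match the traffic direction. The flows are constructed sample traffic.

```python
"""Model of a dummynet limiter mask: one configured limiter becomes one dynamic
pipe per masked address. Added example, not pfSense code; sample flows are constructed."""
from collections import defaultdict
import ipaddress

KBIT = 500  # bandwidth of the "500src"/"500dest" limiters from the thread

def pipe_key(flow, mask_side, mask_bits=32):
    """Key used to pick (or create) the dynamic pipe for a flow.
    mask_side: "source", "destination" or None (no mask: everyone shares one pipe).
    mask_bits: 32 = one pipe per host, 24 = one pipe per /24, 0 = shared."""
    if mask_side is None or mask_bits == 0:
        return "shared"
    mask = (0xFFFFFFFF << (32 - mask_bits)) & 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(flow[mask_side])) & mask
    return f"{mask_side}={ipaddress.IPv4Address(net)}/{mask_bits}"

def flow_rates(flows, kbit, mask_side, mask_bits=32):
    """Steady-state kbit/s per flow when every pipe is saturated and shares
    its bandwidth equally among the flows in it. Returns {(src, dst): kbit/s}."""
    members = defaultdict(list)
    for f in flows:
        members[pipe_key(f, mask_side, mask_bits)].append((f["source"], f["destination"]))
    return {flow: kbit / len(group) for group in members.values() for flow in group}

def host_rate(rates, host):
    """Total kbit/s a LAN host gets across all of its flows (keyed by source address)."""
    return sum(r for (src, _dst), r in rates.items() if src == host)

# Constructed sample: three LAN hosts uploading to two internet destinations;
# 10.0.0.3 runs two parallel connections.
FLOWS = [
    {"source": "10.0.0.1", "destination": "203.0.113.10"},
    {"source": "10.0.0.2", "destination": "203.0.113.10"},
    {"source": "10.0.0.3", "destination": "203.0.113.20"},
    {"source": "10.0.0.3", "destination": "203.0.113.10"},
]

if __name__ == "__main__":
    # No mask: all four flows share 500 kbit/s. Source/32: each host gets its own
    # 500 kbit/s pipe. Source/24: the whole subnet shares one pipe again.
    # Destination/32 on upload traffic: pipes are per remote server, not per client.
    for side, bits in ((None, 0), ("source", 32), ("source", 24), ("destination", 32)):
        rates = flow_rates(FLOWS, KBIT, side, bits)
        print(f"mask={side}/{bits}:",
              {h: round(host_rate(rates, h), 1) for h in ("10.0.0.1", "10.0.0.2", "10.0.0.3")})
```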
-
In pfSense, I'm using Lusca cache (a modified Squid proxy server) to cache big files. From what I have read here so far, using limiters it is possible to limit the bandwidth of individual PCs passing through the proxy. In conjunction with bandwidth limiting for each PC, is it possible to configure pfSense so that a PC downloading a big file from the internet that is already in the proxy server will be allowed to access that file in the proxy server without a bandwidth limit?
I mean if the PC is downloading a file from the internet that is not yet in the proxy server, it will have a bandwidth limit during the download. But if the file being downloaded is already in the proxy server (already cached), the PC will be allowed to download the file from the proxy server at full speed without the bandwidth limit.
Does anyone have any idea how this can be done using port 3128 in the browser or the default port 80? Thank you.
-
nydron: are you using transparent proxy?
-
nydron: are you using transparent proxy?
Hi Podilarius, no, I'm not using transparent proxy at the moment. I configured the PCs' browsers to point to the pfSense server's LAN IP address using port 3128. In the future, I plan to use transparent proxy when I figure out how to separate different data traffic.
I already tested limiting the PCs' bandwidth using pfSense's limiter and it worked pretty well. I'm still studying and researching how to allow the PCs to access the Lusca/Squid cache without a bandwidth limit.
-
Then it would seem like you could limit traffic on WAN with destination port 80 and leave port 3128 on LAN without any limiters, or with just prioritization.
-
Thanks for the tip Podilarius. I actually tried that, but it seems the limit I put on port 80 (HTTP) on the WAN side was not taking effect. I'll review my settings again to see if I missed something.
-
…
I mean if the PC is downloading a file from the internet that is not yet in the proxy server, it will have a bandwidth limit during the download. But if the file being downloaded is already in the proxy server (already cached), the PC will be allowed to download the file from the proxy server at full speed without the bandwidth limit.
...
I use transparent proxy and I want to do this also. Any suggestion?
-
If you set the limits on the LAN interface of your firewall, the limit will be applied regardless of whether the file is being served by the cache or the remote side.
-
@ermal:
If you set the limits on the LAN interface of your firewall, the limit will be applied regardless of whether the file is being served by the cache or the remote side.
Right now, I have two limiters (Firewall > Traffic Shaper > Limiter):
1. Name: In128
Bandwidth: 128Kbps
Mask: source address
2. Name: Out128
Bandwidth: 128Kbps
Mask: destination address
I have one LAN rule for that limiter (Firewall > Rules > LAN):
Interface: LAN
Proto: any
Source: TEST (this is an alias for a group of IPs that have limited bandwidth)
Destination: any
In/Out: In128/Out128
Or should I add another rule on WAN? Could you give me one example?
-
Hi, is there a way to limit only access to the internet and not the cached files on Squid? I have Squid transparent enabled. Thanks.
-
Alternatively you could edit the LAN default allow out and add the In/Out option there and it would apply to every host on the LAN individually (each host individually limited to 500Kbps/500Kbps).
I have created a limiter of 10 Mbit out and 3 Mbit in, followed the instructions as described and put the limiter in the LAN default rule. I tested with 3 PCs simultaneously and the speed of each was 9 Mbit/s, 8 Mbit/s and 10 Mbit/s. They were older PCs, so the speed was probably slower because of their CPUs.
Therefore I can attest that by putting the limiter In/Out into the LAN default rule, it creates dummynet pipes for EACH of the IPs, not collectively as a whole.
-
Furthermore, I've been testing with different values and placing the limiters in the default LAN rules.
Sometimes, even after I've removed the limiter option, the setting sticks! I've tried changing the limiter value to something higher (even though it's not being used) to no avail.
Finally I disabled the limiter and the speed came back up. Odd problem.
-
Thanks for the tip Podilarius. I actually tried that, but it seems the limit I put on port 80 (HTTP) on the WAN side was not taking effect. I'll review my settings again to see if I missed something.
Try creating a rule in the Floating tab for the HTTP and HTTPS ports and set its limit under Advanced In/Out.
-
As I find this whole direction thing confusing to figure out at first glance, I have made some screenshots of the settings that are currently working for me. I verified by going to speedof.me and testing before and after the rule is applied.
The firewall rule is a FLOATING PASS rule, which I never used before but seems to work great. I had no other floating rules.
Please see the attached screenshots and duplicate them to rate limit one single local IP to 5 Mbps. Sorry, I thought the instructions, while eventually working in some way, were somewhat unclear. A picture as an example of working settings is far better IMHO.
-
I have the same problem as this. This will limit traffic on this interface, not per client :(