Limit bandwidth per IP
-
Limiter would be an easy way to go.
Go to the Firewall>>>Traffic Shaper option
Create a limiter, name it "in", type in the connection speed. Save it and enable it.
Create another limiter, name it "out", type in the connection speed. Save it and enable it.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Go to firewall>>>Rules>>>Floating
Create a new rule. Traffic type ANY, select the interface you'd like to limit, Set the alias as the source, scroll down click advanced next to in/out, set the first to in, the second to out.
That should work if I didn't forget something.
-
You would need to create a limiter for each ip source if want to split it up. Course this is the same you would have to do in the traffic shaper. The difference is you create floating rules and queues without having to change your firewall rules. Either way, it works about the same way. Personally, I would use shaper, then add them all up and create a queue for it. This way if all connections in there are active, you get limited to 0.50Mbits/s, but if no other connections are going, you can get higher speeds. This cannot be done in the limiters (course, you might want it that way for this situation).
-
Thanks for all your comments and replies.
However do I really need to specify a limiter each IP I want to restrict? Can't I use a subnet mask? I normally have a couple of hundred clients, and the problem is that a few of them grabs almost all bandwidth and leaves almost nothing to the rest of them. Almost all traffic is on port 80, so I don't think it is torrents…
I have a wan bandwidth of around 60Mbps and by trying to impose that no client would get above 0.5Mbps I hope that everybody is more likely get their fair share.
Tor
-
Limiter would be an easy way to go.
Go to the Firewall>>>Traffic Shaper option
Create a limiter, name it "in", type in the connection speed. Save it and enable it.
Create another limiter, name it "out", type in the connection speed. Save it and enable it.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Go to firewall>>>Rules>>>Floating
Create a new rule. Traffic type ANY, select the interface you'd like to limit, Set the alias as the source, scroll down click advanced next to in/out, set the first to in, the second to out.
That should work if I didn't forget something.
Will those limiters apply to each user or to each open connection?
-
I would think it works like a queue and it would be an overall limit and you would need multiple to attain what you are looking for, but since I don't use it, I am not sure.
-
Could someone from pfsense pop in a give a qualified answer on if it is possible to limit bandwidth per local user (ip). As I mentioned beofre I can have up to 200 users and I cannot create rules manually for each of them .-)
regards Tor
-
I normally have a couple of hundred clients…
Well, that changes things. I thought you had maybe a few ip's that you wanted to restrict bandwidth to. A limiter is a virtual pipe, if you group ip's, they ALL share the setting of the limiter. This will work for you, but you'd have to make a few hundred limiters and rules, far from optimal. The same thing goes for penalty box queues.
…and the problem is that a few of them grabs almost all bandwidth and leaves almost nothing to the rest of them.
This is exactly what the traffic sharper was made for. You need to identify the traffic that is stealing all the bandwidth, limit it, and deprioritize it with queues.
-
The shaper is good for that, even if you wanted to have them all in a queue. If you want to limit them to 0.5Mbits/s then you really don't have enough bandwidth for every one if you setup limiters. With the shaper, you limit that queue to a max bandwidth, say 20Mbtis/s and put all the http/https traffic in there. This will force them to share that bandwidth equally since they will have the same priority. So if all 200 are active at the same time, the shaper will limit the connections to 0.1Mbits/s and this will not take up all the bandwidth. If only 1 is active, that one computer can use up to 20Mbits/s for what every they are doing. I am guessing that the limiter can also do this equally?
-
I'm pretty sure what you're wanting to do is covered with the use of Limiter Masks. This will be similar to what awesomo said (and partly copied from it)
Go to the Firewall>>>Traffic Shaper option
Create a new limiter, make sure Enable is checked, name it "500dest", set bandwidth to 500Kbit/s, set mask to destination. Save it.
Create another limiter, make sure Enable is checked, name it "500src", set bandwidth to 500Kbit/s, set mask to source. Save it.
Make sure to apply changes.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Apply changes.
Go to firewall>>>Rules>>>LAN
Create a new rule. Protocol type ANY, Set the alias as the source, scroll down click advanced next to in/out, set the first to 500src, the second to 500dest.
Make sure your new rule is higher than any default allow out.Apply changes and test it out.
Alternatively you could edit the LAN default allow out and add the In/Out option there and it would apply to every host on the LAN individually (each host individually limited to 500Kbps/500Kbps).
-
Wouldnt those limiters apply to the total bandwidth instead of just per user?
-
Why not just use Captive Portal. Assign your users under pass thru mac addresses and enter their assigned bandwidth.
Additionally, you could also utilize Squid to minimize bandwidth usage with repetitive internet http requests.
Also, you should consider setting up Traffic shaping to smooth things out for you.
You can get some very good insight here –> https://calomel.org/pf_hfsc.html
Hope this helps…
Jits
-
Limiters are best to put a hard limit on bandwidth per IP. You just need one limiter with the appropriate source/destination mask to automatically create a pipe of the specified limit for each IP.
http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter
-
In Pfsense, I'm using Lusca cache (modified squid proxy server) to cache big files. From what I read here so far using limiters, it is possible to limit the bandwidth of individual PCs passing through the proxy. In conjunction with bandwidth limiting for each PC, is it possible to configure pfsense so that a PC downloading a big file in the internet that is already in the proxy server, will be allowed to access that file in the proxy server without bandwidth limit?
I mean if the PC is downloading a file in the internet that is not yet in the proxy server, it will have a bandwidth limit during the download. But if the file being downloaded is already in the proxy server (already cached), the PC will be allowed to download the file from the proxy server at full speed without the bandwidth limit.
Can anyone has any idea how this can be done using port 3128 in the browser or the default port 80? Thank you.
-
nydron: are you using transparent proxy?
-
nydron: are you using transparent proxy?
Hi Podilarius, no, I'm not using transparent proxy at the moment. I configured the PCs' browsers to point to the pfsense sever's ip LAN address using port 3128. In the future, I plan to use transparent proxy when I figure out how to separate different data traffic.
I already tested limiting the PCs bandwidth using Pfsense's limiter and it worked pretty well. I'm still studying and researching how to allow the PCs access the lusca/squid cache without bandwidth limit.
-
Then it would seem like you could limit traffic on wan with destination of port 80 and leave port 3128 on LAN without any limiters or just prioritization.
-
Thanks for the tip Podilarius. I actually tried that but it seems the limit I put on port 80 (http) on the WAN side was not taking an effect. I'll review my settings again to see if I missed something.
-
…
I mean if the PC is downloading a file in the internet that is not yet in the proxy server, it will have a bandwidth limit during the download. But if the file being downloaded is already in the proxy server (already cached), the PC will be allowed to download the file from the proxy server at full speed without the bandwidth limit.
...
I use transparant proxy and I want to do this also. Any sugestion?
-
If you set the limits on the lan interface of your firewall the limit will be applied nonetheless the file is being served by the cache or remote side.
-
@ermal:
If you set the limits on the lan interface of your firewall the limit will be applied nonetheless the file is being served by the cache or remote side.
Right now, I have two limiters (Firewall > Traffic Shapper > Limiter):
1. Name: In128
Bandwidth: 128Kbps
Mask: source address2. Name: Out128
Bandwidth: 128Kbps
Mask: destination addressI have one LAN rule for that limiter (Firewall > Rules > LAN):
Interface: LAN
Proto: any
Source: TEST (this is an alias for a group of IP that have limited bandwidth)
Destination: any
In/Out: In128/Out128Or should I add another rule in WAN? Could you give me one example?
-
Hi, is there a way to limit only for accessing the internet at not the cached files on squid? I use squid transparent enabled.thanks.
-
Alternatively you could edit the LAN default allow out and add the In/Out option there and it would apply to every host on the LAN individually (each host individually limited to 500Kbps/500Kbps).
I have created the limiter of 10Mbit out and 3Mbit in, followed the instruction as described and put the limiter in the LAN default rule. I tested with 3 PC simultaneously and the speed of each was 9Mbit/s, 8Mbit/s and 10Mbit/s. They were older PC so the speed probably was slower because of its CPU.
Therefore I can attest that by putting the limiter in/out into the LAN default rule. It creates dummypipes for EACH of the IP, not collectively as a whole.
-
Further more, I've been testing with different values and placing the limiters in the default LAN rules.
Sometimes, even after I've removed the option of limiter, the setting sticks! I've tried changing the limiter value to something higher (even though it's not being used) to no avail.
Finally I disabled it the limiter and the speed came back up. Odd problem.
-
Thanks for the tip Podilarius. I actually tried that but it seems the limit I put on port 80 (http) on the WAN side was not taking an effect. I'll review my settings again to see if I missed something.
try to create a rule in floating tab for http and https ports and set its limit in advance in/out
-
As I find this whole direction thing confusing to figure out at first glance, I have made some screen shots of the settings that are currently working for me. I verified by going to speedof.me and testing before and after rule is applied.
The firewall rule is a FLOATING PASS rule, which i never used before but seems to work great. I had no other floating rules.
Please see attached screen shots and duplicate to rate limit one single local IP to 5mbps. Sorry I thought the instructions, while eventually working in some way were somewhat unclear. A picture as an example of working settings is far better imho.
-
I have same problem like this. This will limit traffic on this interface, not per client :(
-
@ipfftw
this is old but is it still working for you? I do not see any screenshots, probably cause this is so old...