Works! Limiting multiple LAN users, through single external proxy



  • No question here, just documenting that I got something working.

    I work for a school, and I am testing out limiting each classroom computer to a fixed max capacity. We also have an external proxy filter through which all traffic must flow for CIPA compliance, with direct web access firewalled off for LAN users.

    Firewall: Traffic Shaper: Limiter

    Name: InLimitLAN
    Bandwidth: 1500 Kb/s
    Mask: Destination addresses

    Name: OutLimitLAN
    Bandwidth: 1500 Kb/s
    Mask: Source addresses

    Firewall: Rules: LAN

    I had already created a Pass rule to allow all LAN users to use the outgoing proxy:

    • Pass Any protocol / Any Addr / Any Port to [External proxy address]

    I simply modified this existing Pass rule to add the In/Out queues for the limiter:

    • Advanced Features, In/Out: OutLimitLAN / InLimitLAN

    It can be a bit hard wrapping yer head around the Limiter mask, but my initial selections were backwards. When testing this initially with http://www.speedtest.net, rather than each machine having 1.5 meg, pfSense was instead creating the limiter queues based on the number of proxy addresses.

    There's only one proxy address we use for all computers, so there was only 1 limiter queue for everything, and running multiple SpeedTest runs would show only a fraction of 1.5 meg per computer.

    The correct mask choices are shown above. With this selection, the limiter is making a queue for each individual desktop, so every machine can hit 1.5 meg in speedtest.net at the same time, up to the combined limit for our Internet connection.


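The mask behaviour described in the post above can be modelled in a few lines. This is an added example, not part of the original post and not pfSense code; the addresses are constructed placeholders, and it assumes desktops sharing one queue split its bandwidth equally and that the Internet link is not the bottleneck.

```python
from collections import defaultdict

LIMIT_KBPS = 1500          # bandwidth set on both limiters in the post
PROXY = "203.0.113.10"     # constructed placeholder for the external proxy
DESKTOPS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]  # constructed

def queue_key(src, dst, mask):
    """Address the limiter uses to pick (or create) a dynamic queue."""
    if mask == "source":
        return src
    if mask == "destination":
        return dst
    raise ValueError(f"unknown mask: {mask}")

def rates(flows, mask):
    """Return (queue_count, {desktop: kbps}) for (src, dst) flows.

    Assumption: desktops whose traffic lands in one queue split that
    queue's bandwidth equally, and the Internet link is not the bottleneck.
    """
    members = defaultdict(set)
    for src, dst in flows:
        desktop = dst if src == PROXY else src
        members[queue_key(src, dst, mask)].add(desktop)
    per_host = {d: LIMIT_KBPS / len(hosts)
                for hosts in members.values() for d in hosts}
    return len(members), per_host

def simulate(upload_mask, download_mask):
    """Model every desktop running a speed test through the proxy at once."""
    upload = [(d, PROXY) for d in DESKTOPS]      # desktop -> proxy
    download = [(PROXY, d) for d in DESKTOPS]    # proxy -> desktop
    return {"upload": rates(upload, upload_mask),
            "download": rates(download, download_mask)}

if __name__ == "__main__":
    for label, up, down in [("backwards", "destination", "source"),
                            ("as posted", "source", "destination")]:
        for direction, (count, per_host) in simulate(up, down).items():
            print(label, direction, f"queues={count}", per_host)
```

With the backwards masks every flow keys on the single proxy address, so one 1500 Kb/s queue is shared by all desktops; with the masks as posted each desktop address gets its own queue.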