Works! Limiting multiple LAN users, thru single external proxy
No question here, just documenting that I got something working.
I work for a school, and I am testing out limiting each classroom computer to a fixed max capacity. We also have an external proxy filter through which all traffic must flow for CIPA compliance, with direct web access firewalled off for LAN users.
Firewall: Traffic Shaper: Limiter

Name: InLimitLAN
Bandwidth: 1500 Kb/s
Mask: Destination addresses

Name: OutLimitLAN
Bandwidth: 1500 Kb/s
Mask: Source addresses

Firewall: Rules: LAN
I already had created a Pass rule to allow all LAN users to use the outgoing proxy:
- Pass Any protocol / Any Addr / Any Port to [External proxy address]
I simply modified this existing Pass rule, to add the In/Out queues for the limiter:
- Advanced Features, In/Out: OutLimitLAN / InLimitLAN
It can be a bit hard wrapping yer head around the Limiter mask, but my initial selections were backwards. When testing this initially with http://www.speedtest.net, rather than each machine having 1.5 meg, pfSense was instead creating the limiter queues based on the number of proxy addresses.
There's only one proxy address we use for all computers, so there was only 1 limiter queue for everything, and running multiple SpeedTest runs would show only a fraction of 1.5 meg per computer.
The correct mask choices are shown above. With this selection, the limiter is making a queue for each individual desktop, so every machine can hit 1.5 meg in speedtest.net at the same time, up to the combined limit for our Internet connection.
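A small model of the mask behaviour described in the post, added here as an illustration (not the poster's code and not pfSense's own logic). The proxy and desktop addresses are constructed placeholders, and the model assumes desktops sharing one queue split its bandwidth evenly and ignores the overall Internet connection limit.

```python
from collections import defaultdict

LIMIT_KBPS = 1500                                   # per-queue bandwidth from the post
PROXY = "203.0.113.10"                              # constructed placeholder proxy address
DESKTOPS = [f"10.0.0.{n}" for n in range(11, 15)]   # constructed classroom desktops


def flows():
    """Yield (direction, src, dst) for every desktop talking to the single proxy."""
    for host in DESKTOPS:
        yield ("upload", host, PROXY)     # traffic entering the LAN interface
        yield ("download", PROXY, host)   # replies going back out to the desktop


def build_queues(direction, mask):
    """Return {queue key: desktops sharing that queue} for one limiter.

    A masked limiter creates one dynamic queue per distinct address in the
    field selected by the mask ("source" or "destination").
    """
    queues = defaultdict(set)
    for flow_dir, src, dst in flows():
        if flow_dir != direction:
            continue
        key = src if mask == "source" else dst
        desktop = src if flow_dir == "upload" else dst
        queues[key].add(desktop)
    return dict(queues)


def per_desktop_kbps(direction, mask):
    """Bandwidth each desktop can reach when all desktops are busy at once."""
    rates = {}
    for members in build_queues(direction, mask).values():
        for host in members:
            rates[host] = LIMIT_KBPS / len(members)
    return rates


if __name__ == "__main__":
    # Backwards masks: every flow keys on the one proxy address -> one shared queue.
    print("backwards upload  :", per_desktop_kbps("upload", "destination"))
    print("backwards download:", per_desktop_kbps("download", "source"))
    # Masks from the post: one queue per desktop.
    print("correct upload    :", per_desktop_kbps("upload", "source"))
    print("correct download  :", per_desktop_kbps("download", "destination"))
```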