Best strategy for limiting in public library setting



  • Folks -

What would be the best strategy, limiter/rules-wise, to limit the bandwidth of each public machine in the library I work at? We are using 2.0.1-RELEASE, and I am able to limit people one at a time - currently I have one alias called the "slammer" and I can put a given IP in that spot and slow down that one seat (the guy that sits there likes to open 10 youtubes at a time!), but what I would like to do is limit all 78 of my public machines. Is there a way to create a blanket alias of all the machine IPs and limit each one to a certain bandwidth, but not the entire group? We have a 50Mbs pipe and I would like to give each patron no more than 1mb or so at a time. Do I have to set up a rule for each seat?



  • My recent post covers the basics of this:
    Works! Limiting multiple LAN users, thru single external proxy
    http://forum.pfsense.org/index.php/topic,60861.0.html

    In general, to create different speed groups, you need to do some coordination of your network addresses, and you can't just use automatic address assignment by DHCP for the entire building LAN.

You'll probably want to inventory all the MAC addresses of the public machines so that they can be assigned addresses within the same common block, via DHCP MAC reservations. (You can also manually assign addresses directly to each machine without DHCP reservations, though this can be a maintenance hassle if the machines are wiped and reimaged occasionally.)

    The collective address range is then restricted by the limiter. Anything outside the range would be permitted full speed.

A more thorough option is to group all the wired public machines into a single network switch or a VLAN, and then apply a subnet and automatic DHCP to that entire group through an optional interface on your pfSense router.

This requires lots of fiddly crawling around under tables, locating ports on walls and who is on what port number, and then moving cables around in closets to put all the wires into a common group on a single switch or to make a VLAN range of ports.

    (You can also create a freeform VLAN for scattered ports across the switch without moving cables on the switches, but this is more management hassle later if there's a problem, IMO.)

    This would allow the computers to all be limited without needing to do DHCP reservations, and also allows for an open public wifi service for patron laptops and mobile devices to join the subnet and be limited also.
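As an added example (not the poster's code and not part of pfSense), a small Python script that carries out the address-coordination step described above: it hands each inventoried MAC a sequential address inside one contiguous block, computes the smallest single CIDR that covers that block (the range to put in the limiter's alias), reports which addresses in that CIDR are *not* public machines so they are not handed out to staff, and renders DHCP static-mapping entries. The inventory is constructed, and the `<staticmap>` XML layout is assumed from memory rather than taken from this thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inventory (hostname -> MAC); not real library machines.
INVENTORY = {
    "public-01": "00:11:22:33:44:01",
    "public-02": "00:11:22:33:44:02",
    "public-03": "00:11:22:33:44:03",
    "public-04": "00:11:22:33:44:04",
}

def assign_block(inventory, first_ip):
    """Give each MAC the next address after first_ip, in hostname order."""
    start = ipaddress.ip_address(first_ip)
    return {host: (mac, start + i)
            for i, (host, mac) in enumerate(sorted(inventory.items()))}

def covering_cidr(addrs):
    """Smallest single network containing every assigned address."""
    lo, hi = min(addrs), max(addrs)
    for prefix in range(32, -1, -1):          # widen until hi fits
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net

def extra_addresses(assignments, net):
    """Addresses the limiter range would catch that are NOT public machines.
    Keep these out of the staff/other DHCP pools, or they get limited too."""
    assigned = {ip for _, ip in assignments.values()}
    return sorted(set(net) - assigned)

def staticmap_xml(assignments):
    """Render DHCP reservations as <staticmap> entries (layout assumed)."""
    root = ET.Element("lan")
    for host, (mac, ip) in assignments.items():
        m = ET.SubElement(root, "staticmap")
        ET.SubElement(m, "mac").text = mac
        ET.SubElement(m, "ipaddr").text = str(ip)
        ET.SubElement(m, "hostname").text = host
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    plan = assign_block(INVENTORY, "192.168.10.10")
    net = covering_cidr([ip for _, ip in plan.values()])
    print("limiter alias range:", net)
    print("non-public addresses inside it:", extra_addresses(plan, net))
    print(staticmap_xml(plan))
```

With four machines starting at .10 the covering range is 192.168.10.8/29, so .8, .9, .14 and .15 would also be limited if anything else were put there; with 78 machines a /25 sized block leaves similar spare addresses to account for.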

