WAN limiting?



  • I've found walkthroughs on YouTube for limiting single IPs on the LAN, but I don't want to set ~250 rules for a gaming LAN I'm helping host in a few weeks. Since this LAN is being hosted at a mate's work, and their internet connection is vital for their business, we are allowed only 10Mb/10Mb out of the possible 100Mb/100Mb connection to the ISP. Is there a guide I can follow step by step on how to set up this throttling of the connection?

    Edit: running 2.0.3-RELEASE and not 2.1 beta.



  • All you should need to do is run the traffic shaping wizard and plug in your numbers (10/10) and it will be limited. That will get you the basics. Beyond that you can fine-tune the traffic shaping by:

    Using floating rules and establishing aliases for gaming ports, then putting in rules and queues to limit traffic. So basically you would have:

    WAN - HFSC 9MB (this is your upload)
    - qNerf - Default - 5%
    - qWebSteam - 15%
    - qAck - 30%
    - qGaming - 50%

    LAN - HFSC
    - qInternet - 10MB (this is your download)
      - qAck - 20%
      - qNerf - Default - 5%
      - qWebSteam - 10%
      - qGaming - 65%

    qAck will be for TCP ACK packets.
    qWebSteam will be for 80, 53, and Steam ports for upload/download, etc.
    qNerf will be for any traffic not recognized.
    qGaming should be for all your gaming traffic.

    This will require you to know the ports for the games people are playing and either make rules for each port set per game, or make an alias called gaming ports, put all the ports in it, and use that in your floating firewall rule.

    Sometimes games can be tricky about what ports are being used, so the best way to figure this out is to put up pfSense, run a PC behind it, have it play the game, and run a port capture on it to see what ports the game is actually using. You can export the capture from pfSense to Wireshark. This will be the hardest part: getting the games qualified into proper port mappings and then having them hit the correct queues.

    Running a 10/10 Internet connection with anything over 50 people is going to be rough, as games like LoL (League of Legends) and others will tax it if you're doing a tourney. For 250 people I would see if you could get another 10MB on download and give up 5MB on upload. If you see someone uploading a lot, then typically they are running a file sharing app and you need to shut them down. I would also recommend using PRTG and making a port mirror on your switch so you can see the traffic and monitor it, and when you see someone hogging the bandwidth, I do the following:

    1. See what traffic/port they are passing and to what IP, if it resolves.
    2. Find the MAC of the PC. Make a static reservation in pfSense for that MAC to get a static IP.
    3. Delete their current lease to force them to renew and get your static IP.
    4. I make a LAN rule to block all traffic for that MAC to any connection on the network.
    5. Now you can wait for someone to come up and say they can't get to anything, and you can see what they were doing.
    Typically they will have something like Spotify running or some other file sharing application.

    If you have better switches and you can see which table switch port they are on, then you can just shut down the port, but a lot of LANs just run dumb gigabit switches at the tables and a Layer 2 at the core for the most part. The above way is effective in shutting them down.

    I would recommend thoroughly testing your configuration by doing the above with a couple of PCs so you can see how it is going to perform. You will need to use Intel NICs in the pfSense box for the best performance.

    Btw, I run the network/Internet for LANs that are about 120 people in size, and we usually have 2 or 3 50/5 cable modems for our Internet and use load balancing with a similar config. I run a PRTG box to monitor my stats, and I run a Dell PowerEdge 2950 server with ESXi 5 that holds all our gaming servers. We use an Intel dual-core 3GHz, 8G RAM, 80G SATA, 4 Intel Gigabit NIC PC running pfSense.

    Sorry for the long post, but the best advice I can give you is test, test, test before the event.
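Two steps in the answer above are manual work on a capture: qualifying which ports a game really uses (so they can go into the gaming-ports alias and hit qGaming) and, for the bandwidth-hog procedure, seeing what traffic/port a host is passing and to what IP. The script below is an added example, not from the original post or from pfSense; it assumes the capture was exported to a CSV with the columns src,sport,dst,dport,proto,bytes (the records here are constructed, not a real capture), that the LAN is 10.0.0.0/24, and that 53/80/443 belong to qWebSteam rather than qGaming. It collapses consecutive game ports into pfSense-style start:end alias entries and ranks LAN hosts by bytes sent to the Internet.

```python
"""Triage a LAN capture export: qualify a game's ports, find upload hogs.

Added example (not pfSense code). Input is assumed to be a CSV export of a
capture with columns src,sport,dst,dport,proto,bytes; the sample is constructed.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed capture export: one row per packet, bytes = frame length.
# 10.0.0.25 is the test PC playing the game; 10.0.0.77 is an upload hog.
SAMPLE_CSV = """\
src,sport,dst,dport,proto,bytes
10.0.0.25,51000,203.0.113.10,27015,udp,120
10.0.0.25,51000,203.0.113.10,27016,udp,118
10.0.0.25,51000,203.0.113.10,27017,udp,119
10.0.0.25,51002,203.0.113.11,27036,tcp,900
10.0.0.25,51003,203.0.113.11,443,tcp,1200
10.0.0.25,51004,10.0.0.1,53,udp,64
10.0.0.77,40000,198.51.100.5,6881,tcp,1500
10.0.0.77,40001,198.51.100.6,6882,tcp,1500
10.0.0.77,40002,198.51.100.7,6883,tcp,1500
10.0.0.77,40002,198.51.100.7,6883,tcp,1500
10.0.0.30,50000,203.0.113.10,27015,udp,110
"""

LAN = ip_network("10.0.0.0/24")   # assumed LAN range
NOT_GAME = {53, 80, 443}          # assumed to belong to qWebSteam, not qGaming


def parse_flows(text):
    """Read the CSV export into dicts with numeric port and byte fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["sport"], r["dport"], r["bytes"] = int(r["sport"]), int(r["dport"]), int(r["bytes"])
    return rows


def game_ports(flows, test_pc):
    """Remote ports the test PC talked to on the Internet, minus web/DNS, per protocol."""
    ports = defaultdict(set)
    for f in flows:
        if f["src"] == test_pc and ip_address(f["dst"]) not in LAN and f["dport"] not in NOT_GAME:
            ports[f["proto"]].add(f["dport"])
    return {proto: sorted(p) for proto, p in ports.items()}


def to_alias_ranges(ports):
    """Collapse a sorted port list into pfSense alias entries, e.g. 27015:27017."""
    out, start, prev = [], None, None
    for p in ports:
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{start}:{prev}" if start != prev else str(start))
            start = prev = p
    if start is not None:
        out.append(f"{start}:{prev}" if start != prev else str(start))
    return out


def upload_by_host(flows):
    """Bytes each LAN host sent to the Internet (LAN-to-LAN excluded), largest first."""
    total = defaultdict(int)
    for f in flows:
        if ip_address(f["src"]) in LAN and ip_address(f["dst"]) not in LAN:
            total[f["src"]] += f["bytes"]
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)


def peers_of(flows, host):
    """Step 1 of the hog procedure: which proto/IP/port is this host talking to, by bytes."""
    peers = defaultdict(int)
    for f in flows:
        if f["src"] == host:
            peers[(f["proto"], f["dst"], f["dport"])] += f["bytes"]
    return sorted(peers.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    for proto, ports in game_ports(flows, "10.0.0.25").items():
        print(f"{proto} alias entries for the gaming-ports alias: {to_alias_ranges(ports)}")
    hog, sent = upload_by_host(flows)[0]
    print(f"top uploader {hog} sent {sent} bytes")
    for (proto, dst, port), b in peers_of(flows, hog)[:3]:
        print(f"  {proto} {dst}:{port} {b} bytes")
```

Run it against the real export instead of SAMPLE_CSV once a PC behind pfSense has played each game; the alias entries it prints are what goes into the gaming-ports alias used by the floating rule, and the top-uploader output is the "what traffic/port and to what IP" check before the MAC is reserved and blocked.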