How to limit total bandwidth per interface AND limit by individual IP ?



  • Hi,

    we have a client on an expensive and limited leased line product, with synchronous 5mb up and down.  We need to manage their bandwidth very carefully as they also use VoIP exclusively as their telecoms.

    So, currently we have LAN, WAN and VoIP interfaces set up.  The LAN has IN and OUT limiters set at 3mb each way, with 1mb limiters set for the VoIP interface and we then have 1mb to play with if we need to add bandwidth anywhere.

    These limiters work very well - VoIP quality is flawless, and the upload/download traffic from/to the LAN never, ever exceeds 3mb.

    However, we do have a couple of users who unwittingly forget that they are in a VERY low bandwidth situation, and will download a 3GB iso file from time to time, and saturate the entire download capability of the LAN for a day or so.

    So, we need to impose, say a 1mb limit per LAN IP, so that even if one of the idiots does this again, they won't saturate the entire download limiter.

    Unfortunately, I can't see how to do this with a mask in the limiter - a single download limiter with a 1mb limit and a /32 destination mask would in theory limit each computer to a max of 1mb, BUT with no limit on the number of people that can download at this maximum - is that right? If so, we could very easily exceed the 3mb that we have to play with, and could start affecting the VoIP traffic.

    I can't imagine that there's no way to do this, but I've searched off and on for weeks and looked at any number of traffic shaping howto's and nothing works as I want to.

    We can do this really easily with a Draytek - we just set an overall limit for the interface and then allocate a maximum of around 25% of that to any LAN client. Surely traffic shaping on a Draytek can't be better than pfSense, can it?



  • This is how I would do it:
    Bridge LAN and VoIP interfaces (or use a switch so you have just LAN) and use HFSC queues on WAN and BRIDGE|LAN interfaces to prioritize VoIP. Use a limiter on the BRIDGE|LAN to limit each IP to 1mbit.



  • Out of interest, why would you bridge the interfaces and then use priorities to QoS the VoIP out? By creating a dedicated interface and running it on a different subnet it's miles easier to segregate the traffic & guarantee bandwidth, plus I then just use a rule on that interface to dump all the traffic to / from our PBX into the VoIP queue, so it gets the highest priority through the firewall…

    I'm genuinely curious to know if I'm doing it wrong, as I've used variations on this VoIP setup with about 3 or 4 different clients.

    Also, a simple limiter isn't going to achieve what we need - it's going to either give everyone a max of 1mb EACH (in which case all we need is 3 people downloading anything to hit our bandwidth limit), or an AGGREGATE of 1mb, which doesn't fully use the bandwidth we have for the LAN clients of 3mb.

    What I want is to have a total limit for ALL LAN clients combined of 3mb up and down, with each INDIVIDUAL LAN user limited to 750k up and down. This must be possible?



  • I would combine the interfaces so that HFSC can efficiently manage all of the downstream. That way you can use all bandwidth for downloading if nobody is using VoIP for example.

    In HFSC have a high priority (1mbit realtime) queue for VoIP, and a lower priority (5mbit or 3mbit upperlimit) queue for the downloads. That assures that downloads have to wait for VoIP and never exceed 5/3mbit in total.

    To limit (maximum) individual download capacity to 1mbit or whatever, add a limiter on top.

    Personally I would use a 1mbit realtime queue for VoIP and a 5mbit upperlimited queue for the downloads and no limiters for individual IPs. That way, if just one guy wants to download something, he can use all the bandwidth available.
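    The two posts above boil down to one question: what happens when a per-IP limiter is used alone versus stacked under an aggregate cap? The following toy model is an added example, not code from the original thread or from pfSense; it models each shaping layer as a simple token bucket (a per-client bucket for the "/32 mask" limiter and one shared bucket standing in for the HFSC upperlimit on the LAN side) and reports the rate each host actually achieves. Host names, demands and all rates are constructed values. Real dummynet and HFSC behave differently in the details (queueing, burst handling, fairness), but the outcome the thread predicts is reproduced: a 1mbit per-IP limiter on its own lets five downloaders pull 5mbit, while the 750k-per-IP-plus-3mbit-aggregate combination never exceeds 3mbit in total and still stops one host from taking it all.

```python
"""Toy model of the two shaping layers discussed in this thread.

Each downloading host is modelled as a bottomless demand. Two optional
token buckets sit in the path: one bucket per client IP (the "mask /32"
limiter) and one shared bucket for the whole LAN (the aggregate cap,
which is the job HFSC's upperlimit does on pfSense). All arithmetic is
in integer bits per tick so the results are exact and reproducible.
Everything here is constructed for illustration, not pfSense code.
"""

KBIT = 1_000
MBIT = 1_000_000
TICK_MS = 10          # scheduler granularity
BURST_TICKS = 5       # bucket depth: 50 ms worth of traffic
QUANTUM = 1500 * 8    # bits handed to a host per round-robin turn


class TokenBucket:
    """Rate limiter: `rate` bits/s, depth of BURST_TICKS ticks of traffic."""

    def __init__(self, rate):
        self.per_tick = rate * TICK_MS // 1000
        self.depth = self.per_tick * BURST_TICKS
        self.tokens = self.depth          # starts full (allows a short burst)

    def refill(self):
        self.tokens = min(self.depth, self.tokens + self.per_tick)

    def take(self, bits):
        self.tokens -= bits


def simulate(demands, per_ip_rate=None, aggregate_rate=None, seconds=10):
    """Return the achieved download rate in bits/s for each host.

    demands         {host: offered load in bits/s}, every host busy all the time
    per_ip_rate     cap applied to each host separately (None = no cap)
    aggregate_rate  cap applied to all hosts together (None = no cap)
    """
    hosts = list(demands)
    per_ip = {h: TokenBucket(per_ip_rate) for h in hosts} if per_ip_rate else {}
    shared = TokenBucket(aggregate_rate) if aggregate_rate else None
    delivered = {h: 0 for h in hosts}
    ticks = seconds * 1000 // TICK_MS

    for tick in range(ticks):
        for bucket in per_ip.values():
            bucket.refill()
        if shared:
            shared.refill()
        # What each host may still send this tick: its offered load,
        # bounded by its own bucket if one exists.
        want = {h: demands[h] * TICK_MS // 1000 for h in hosts}
        for h, bucket in per_ip.items():
            want[h] = min(want[h], bucket.tokens)
        # Hand out the shared budget in packet-sized quanta, rotating the
        # starting host each tick so nobody is permanently at the back.
        k = tick % len(hosts)
        order = hosts[k:] + hosts[:k]
        progress = True
        while progress:
            progress = False
            for h in order:
                q = min(QUANTUM, want[h])
                if shared:
                    q = min(q, shared.tokens)
                if q <= 0:
                    continue
                want[h] -= q
                if h in per_ip:
                    per_ip[h].take(q)
                if shared:
                    shared.take(q)
                delivered[h] += q
                progress = True

    return {h: delivered[h] / seconds for h in hosts}


if __name__ == "__main__":
    five = {f"pc{i}": 3 * MBIT for i in range(5)}   # constructed: 5 greedy hosts
    one = {"pc0": 3 * MBIT}                          # constructed: 1 greedy host
    scenarios = [
        ("1mbit per IP, no aggregate cap, 5 hosts", five, 1 * MBIT, None),
        ("750k per IP + 3mbit aggregate, 5 hosts", five, 750 * KBIT, 3 * MBIT),
        ("750k per IP + 3mbit aggregate, 1 host", one, 750 * KBIT, 3 * MBIT),
        ("3mbit aggregate only, 1 host", one, None, 3 * MBIT),
    ]
    for label, demand, per_ip, agg in scenarios:
        rates = simulate(demand, per_ip_rate=per_ip, aggregate_rate=agg)
        total = sum(rates.values()) / MBIT
        print(f"{label}: total {total:.2f} Mbit/s, "
              f"max per host {max(rates.values()) / MBIT:.2f} Mbit/s")
```

The first scenario is the OP's worry in numbers: five hosts at 1mbit each add up to 5mbit, well past the 3mbit LAN budget, so a per-IP limiter alone cannot protect the VoIP reservation. The second shows the stacked design from the reply above holding the total at 3mbit while no host exceeds 750k; the last two show the trade-off senser mentions, where dropping the per-IP cap lets a lone downloader use the whole 3mbit.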


  • Why not use Squid and block the ISO files from downloading?



  • Senser is right: multi-LAN does not really work well with the traffic shaper. The reason is that you cannot have queues that apply to multiple interfaces at the same time, so you won't be able to properly shape download as well as VoIP traffic. Best is to either bridge the interfaces, or use VLANs connected to the same physical interface (if you want to get it to work this way).



  • Rather than start a new thread on the same topic, I thought I'd resurrect this semi-old thread from the dead.

    I've got my limiters configured very similarly to what the OP has described. The only difference is that I've got more VLANs and have chosen to use weighted child limiters, which works very well.

    In addition to creating the limiters, I have also enabled a captive portal on the vlan(s) in question, and then set the per-user bandwidth restriction under the captive portal configuration.

    Unless I am mistaken, this achieves what the OP and I are looking for. It limits the bandwidth per user while placing an upper limit on the sum total of all traffic from all VLANs.

    So if this is possible by using the captive portal (which appears to be setting up limiters behind the scene), then shouldn't it also be technically possible to accomplish without using the captive portal, even if it means configuring a limiter via the command line?

    Looking for feedback to confirm or deny logic.



  • @senser:

    I would combine the interfaces so that HFSC can efficiently manage all of the downstream. That way you can use all bandwidth for downloading if nobody is using VoIP for example.

    In HFSC have a high priority (1mbit realtime) queue for VoIP, and a lower priority (5mbit or 3mbit upperlimit) queue for the downloads. That assures that downloads have to wait for VoIP and never exceed 5/3mbit in total.

    To limit (maximum) individual download capacity to 1mbit or whatever, add a limiter on top.

    Personally I would use a 1mbit realtime queue for VoIP and a 5mbit upperlimited queue for the downloads and no limiters for individual IPs. That way, if just one guy wants to download something, he can use all the bandwidth available.

    For the individual download limit, where do I make the rules? In floating (LAN or WAN), or on the separate WAN or LAN interfaces?



  • Hello all. I want to ask you something.
    I have this scenario. I want to put a pfSense in only for QoS purposes, with 2 NICs, WAN & LAN, but these 2 are bridged in br0, so WAN & LAN don't have an IP, only br0 does.
    I'm trying to limit my hosts' download & upload speed with queues, and every host has a different speed limit.
    I make the first queue on br0 with my ISP speed limit, then 1 child for download and another 1 for upload, and under these 2 I make children for every host, down and up. But the rules, where do I have to create them, on br0 or where?

    Sorry for my English.
    Thanks

