Limit bandwidth from websites using Limiter and CIDR?



  • I would like to be able to limit the amount of bandwidth streamed into my network by setting up limiters and applying firewall rules for a set of identified CIDR values.

    How would I go about doing this correctly? I've created the limiters in Traffic Shaper for bandwidth and burst in Kbps (one for each IN/OUT), then applied the two to the In/Out settings in Advanced Properties of the rule, with the CIDR value of the Source as type Network and Address for their class range (199.9.248.0/21). This is applied to the WAN interface; however, I am seeing no change in either burst or sustained traffic control from this video streaming website.

    I also tried just creating floating rules this way as a general "catch all" for all interfaces, but this did not seem to work either (which I would have preferred to do this way like other traffic shaper rules).

    I can confirm that Traffic Shaper does work… quite well for general HTTP, games, P2P, but I just cannot seem to get this to work for specific CIDR sources.

    Is there a better way to do this?



  • I have not done it with a CIDR, but what I did is this:

    1. Create a limiter under the Traffic Shaper LANIN and LANOUT
    2. Create an Alias called LAN LIMIT - that alias is for my DHCP scope addresses
    3. Make a rule on the LAN firewall rule page that says - any TCP source LAN LIMIT destination NOT LAN Subnet then apply the Limiters I set.

    What this did for me is any traffic from the DHCP scope that was TCP was subjected to a limit of 500Kbits download and 250Kbits upload.

    So you could create an ALIAS called, say, CIDERLIMIT. Use the IP Range and then make a rule on the LAN that says:

    TCP / source LAN Subnet destination CIDERLIMIT then apply the Limiters.

    I put it on the LAN side as I have floating rules with the quick option to shape other traffic. My understanding is that Floating rules are done first before interface rules and if you select quick, no other rule processing will apply.

    I tested it by setting a machine to static IP outside DHCP and setting a machine to DHCP and did a speedtest. The machine from the DHCP scope was limited while the other was not.
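
Added example (not part of either post): a simplified model of why a rule on the LAN tab with the streaming CIDR as destination picks up the limiter, while a WAN-tab rule with that CIDR as source does not match a connection opened from the LAN. The `Rule` type, `limiter_for`, the LAN subnet and the host addresses are hypothetical; only 199.9.248.0/21 comes from the thread.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    interface: str    # tab the rule lives on ("LAN" or "WAN")
    source: str       # source network, CIDR
    destination: str  # destination network, CIDR
    limiter: str      # label for the In/Out limiter pair on the rule

def _within(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def limiter_for(rules, ingress_if, src, dst) -> Optional[str]:
    """Limiter of the first rule matching a connection's first packet.

    Simplifying assumption: interface-tab rules are checked only against the
    packet that opens a connection, on the interface it enters; replies
    follow the state that packet created. Floating rules are not modelled.
    """
    for rule in rules:
        if (rule.interface == ingress_if
                and _within(src, rule.source)
                and _within(dst, rule.destination)):
            return rule.limiter
    return None

ANY = "0.0.0.0/0"
LAN_NET = "192.168.1.0/24"     # constructed LAN subnet
STREAM_NET = "199.9.248.0/21"  # CIDR from the question (199.9.248.0 - 199.9.255.255)

WAN_RULE = Rule("WAN", STREAM_NET, ANY, "stream-limit")      # the question's attempt
LAN_RULE = Rule("LAN", LAN_NET, STREAM_NET, "stream-limit")  # the answer's suggestion

CLIENT, SERVER = "192.168.1.50", "199.9.250.10"  # constructed addresses

if __name__ == "__main__":
    # A LAN viewer opens the stream, so the first packet enters on LAN.
    print("WAN rule only:", limiter_for([WAN_RULE], "LAN", CLIENT, SERVER))
    print("LAN rule only:", limiter_for([LAN_RULE], "LAN", CLIENT, SERVER))
    print("Other site   :", limiter_for([LAN_RULE], "LAN", CLIENT, "198.51.100.7"))
```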



  • This works like a charm! Thanks so much. The tip for Alias makes it even easier to do!



  • You're welcome!! Yes, using aliases makes it easier when setting up rules and things using IPs and ports. Just don't forget to back them up to your local machine so you have a copy of them and your whole pfSense config as well.

