Limiter rules not working
-
So I created 2 limiter rules, created a fw rule and assigned the limiter rules to it, and when I go to Diagnostic - Limiter info I see the following:
- only 1 rule instead of 2
- the only rule that I see has the wrong values for limits
How can I see where it pulls these values from (file name)?
Thanks!
-
The script that loads limiter rules is broken, since I found the rule inside config.xml and it should load. Which script is doing that?
-
Same problem here and it's driving me nuts.
-
Managed to get everything to work, but some IPs are avoiding the limiter, or only a few packets go through it and then the rest of the packets go without limiting.
For example I want to limit outgoing traffic for a range of IPs to 3Mbit
- I defined an IP alias with all those IPs (ip/32) that I want to limit.
- Created limiting rules 3mbit_in, 3mbit_out
- Created an outgoing rule on the firewall (LAN rule) where the source is IP_alias, use 3_mbit limiter
Under Diagnostic - Limiter info the IP shows only sometimes, even though it's sending traffic all the time, and only a few packets appear there.
If I do iftop -i eth1 (LAN INT) and then l with the source IP, I see that the IP is sending 5Mbits.
Limiters:
00001:   2.000 Mbit/s    0 ms burst 2097152
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
00002:   2.000 Mbit/s    0 ms burst 2097152
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
00003:   3.000 Mbit/s    0 ms burst 3145728
q131075  50 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0 droptail
 sched 65539 type FIFO flags 0x1 256 buckets 8 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
126 ip  192.168.255.107/0  0.0.0.0/0  5 809  0 0 0
160 ip  192.168.255.132/0  0.0.0.0/0  132 155152  0 0 0
176 ip  192.168.255.140/0  0.0.0.0/0  1 52  0 0 0
180 ip  192.168.255.142/0  0.0.0.0/0  5 809  0 0 0
182 ip  192.168.255.143/0  0.0.0.0/0  1444 1702492  0 0 0
184 ip  192.168.255.136/0  0.0.0.0/0  5 809  0 0 0
186 ip  192.168.255.137/0  0.0.0.0/0  5 809  0 0 0
190 ip  192.168.255.139/0  0.0.0.0/0  5 809  0 0 0
00004:   3.000 Mbit/s    0 ms burst 3145728
q131076  50 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0 droptail
 sched 65540 type FIFO flags 0x1 256 buckets 4 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
132 ip  67.148.153.136/0  0.0.0.0/0  1 52  0 0 0
162 ip  67.148.153.27/0  0.0.0.0/0  19 988  0 0 0
164 ip  67.148.153.24/0  0.0.0.0/0  44 2296  0 0 0
170 ip  192.168.0.1/0  0.0.0.0/0  40 6435  0 0 0
00005:   4.000 Mbit/s    0 ms burst 4194304
q131077  50 sl. 0 flows (1 buckets) sched 65541 weight 0 lmax 0 pri 0 droptail
 sched 65541 type FIFO flags 0x1 256 buckets 3 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
60 ip  192.168.0.202/0  0.0.0.0/0  3 132  0 0 0
142 ip  192.168.255.147/0  0.0.0.0/0  2177 2630678  0 0 0
174 ip  192.168.2.3/0  0.0.0.0/0  1 41  0 0 0
00006:   4.000 Mbit/s    0 ms burst 4194304
q131078  50 sl. 0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail
 sched 65542 type FIFO flags 0x1 256 buckets 2 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
132 ip  67.148.153.136/0  0.0.0.0/0  1 52  0 0 0
188 ip  67.148.153.20/0  0.0.0.0/0  1032 55979  0 0 0
So 192.168.255.140 should not use more than 3Mbit but the live display says it is using 5Mbit, and you see in limiter info only a few packets are displayed. I've rebooted pfSense so I am sure it's not related to an ongoing connection that was active while I created the limiter rules.
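Added example, not part of the original post: a small parser for the Limiter Info output shown above that labels each alias member as missing from a limiter's bucket table, barely counted there, or seen, which is the symptom this post describes. The sample text is constructed from rows in the post; the function names and the `min_bytes` threshold are assumptions.

```python
import re

# Constructed sample in the layout of Diagnostic - Limiter info
# (rows copied from the post above, trimmed to one limiter).
SAMPLE = """\
00003:   3.000 Mbit/s    0 ms burst 3145728
q131075  50 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0 droptail
 sched 65539 type FIFO flags 0x1 256 buckets 8 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
160 ip  192.168.255.132/0  0.0.0.0/0  132 155152  0 0 0
176 ip  192.168.255.140/0  0.0.0.0/0  1 52  0 0 0
182 ip  192.168.255.143/0  0.0.0.0/0  1444 1702492  0 0 0
"""

PIPE_RE = re.compile(r"^(\d{5}):\s+([\d.]+)\s+([KMG]?bit/s)")
# bucket, proto, src/port, dst/port, tot_pkt, tot_bytes, queued pkt, queued bytes, drops
BUCKET_RE = re.compile(
    r"^\s*\d+\s+ip\s+(\S+)/\d+\s+(\S+)/\d+\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)")

def parse_limiter_info(text):
    """Return {limiter_id: {"rate": str, "hosts": {ip: counters}}}."""
    pipes, cur = {}, None
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            cur = pipes.setdefault(
                m.group(1), {"rate": f"{m.group(2)} {m.group(3)}", "hosts": {}})
            continue
        m = BUCKET_RE.match(line)
        if m and cur is not None:
            # A source mask fills the source column, a destination mask the other.
            ip = m.group(1) if m.group(1) != "0.0.0.0" else m.group(2)
            cur["hosts"][ip] = {"pkts": int(m.group(3)),
                                "bytes": int(m.group(4)),
                                "drops": int(m.group(5))}
    return pipes

def audit(pipes, limiter_id, expected_ips, min_bytes=10_000):
    """Label each alias member 'missing', 'low' or 'seen' for one limiter.
    min_bytes is an assumed threshold for a host known to send steadily."""
    hosts = pipes[limiter_id]["hosts"]
    return {ip: "missing" if ip not in hosts
            else "low" if hosts[ip]["bytes"] < min_bytes else "seen"
            for ip in expected_ips}
```

A host that iftop shows at several Mbit/s but that comes back `low` or `missing` is not having its traffic counted by that limiter, so the next thing to check is which firewall rule that traffic actually matches.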
-
I'm having issues as well, and finally out of sheer frustration, giving up and registering an account to chime in. I am now fully convinced that there is some obscure bug with limiter. :'(
On an individual limiter and per these YouTube instructions (pfSense 2.0 - Limit Download & Upload bandwidth per IP - https://www.youtube.com/watch?v=Usi195rK35I) I followed step-by-step, it works fine; and this is how I keep a server in check that likes to fly off the handle and suck down as much bandwidth as it possibly can. On this particular server, I knock its common bandwidth down to 50KB/s download, 15KB/s upload, and have a separate rule for SSH (above its default rule on LAN) that gives its SSH 4Mb/s download while retaining same upload so that when it pulls backups from other servers through rsync across SSH, then it finishes within a few minutes while keeping everything else throttled. Based upon my understanding of pfSense this is combined 15KB/s upload not two separate; so if rsync and default traffic were pushing maximum throughput upload, it would be 15KB/s not 30KB/s.
Now when I want to make use of dynamic pipes feature from limiter with "Source addresses" and "Destination addresses" so that other machines on the network (including my wife and I; and reciprocal phones, etc.) want to make use of bandwidth, I try and aim for 4MB/s download, 50KB/s upload. If I make entry for "Source addresses" and "Destination addresses" and model it like I have for the server and use "Source" as "LAN Subnet" then it works fine for download, and when both of us are using network on top of server, we never quite max out the pipe (8-9MB/s and 1MB/s) so this is as expected and even leaves some wiggle-room for our VoIP phones throughout the studio, desks, etc.
But where it gets weird is if I have all of this and it works, what doesn't work is the upload throttling, and whoever decides to upload media to server, synchronize a backup, or whatever is that device occupying all bandwidth and ruining the experience for everyone else (example: earlier, the iPad doing its updates just killed everything and made it unbearable for all other devices.)
If I take out the limiter for the dynamic pipe of "Destination addresses" limiter, EVEN IF IT'S NOT USED is when the functionality of upload throttling starts working again. So basically, I have to pick which I want:
Throttling of Uploads working? "Source addresses" entry. If I add in "Destination addresses" even if it's not used in any ruleset anywhere, it knocks this down, and it stops working. I even have to go re-create the limiter since something goes awry on the back end.
Throttling of Downloads working? "Source addresses" entry and "Destination addresses" limiter filled out, and rules entered identically same as I have for server which is on Static DHCP IP; with the difference being "LAN Subnet" instead of a particular IP.
Very peculiar, glad I'm not the only one noticing problems, and I've followed A LOT of examples all day long and thought it was me.
-
Sadly, the traffic shaping/limiting part of pfSense is plain unusable by ordinary users. Lot of effort required into producing working wizards for common scenarios, or even a simple checkbox. People should not have to deal with manual configuration of this thing normally, since they usually end up with completely broken setup, or a setup that has no effect at all. Way too many features, way too complicated and very hard to understand. No amount of convoluted, techblurb docs is going to change this.