Limiter rules not working



  • So I created 2 limiter rules, created a firewall rule and assigned the limiter rules to it, and when I go to Diagnostics - Limiter Info I see the following:

    1. only 1 rule instead of 2
    2. the only rule that I do see has the wrong value for the limits

    How can I see where it pulls these values from (file name)?

    Thanks!



  • The script that loads the limiter rules is broken, since I found the rule inside config.xml and it should load. Which script is doing that?



  • Same problem here and it's driving me nuts.



  • Managed to get everything working, but some IPs are avoiding the limiter, or only a few packets go through it and then the rest of the packets go without limiting.

    For example, I want to limit outgoing traffic for a range of IPs to 3 Mbit.

    1. I defined an IP alias with all those IPs (ip/32) that I want to limit.
    2. Created the limiter rules 3mbit_in, 3mbit_out
    3. Created an outgoing rule on the firewall (LAN rule) where the source is IP_alias, using the 3_mbit limiter

    Under Diagnostics - Limiter Info the IP only sometimes shows up, even though it's sending traffic all the time, and only a few packets appear there.

    If I do iftop -i eth1 (LAN interface) and then filter (l) on the source IP, I see that the IP is sending 5 Mbit/s.

    
    Limiters:
    00001:   2.000 Mbit/s    0 ms burst 2097152 
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
     sched 65537 type FIFO flags 0x1 256 buckets 0 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    00002:   2.000 Mbit/s    0 ms burst 2097152 
    q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
     sched 65538 type FIFO flags 0x1 256 buckets 0 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    00003:   3.000 Mbit/s    0 ms burst 3145728 
    q131075  50 sl. 0 flows (1 buckets) sched 65539 weight 0 lmax 0 pri 0 droptail
     sched 65539 type FIFO flags 0x1 256 buckets 8 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    126 ip   192.168.255.107/0             0.0.0.0/0        5      809  0    0   0
    160 ip   192.168.255.132/0             0.0.0.0/0      132   155152  0    0   0
    176 ip   192.168.255.140/0             0.0.0.0/0        1       52  0    0   0
    180 ip   192.168.255.142/0             0.0.0.0/0        5      809  0    0   0
    182 ip   192.168.255.143/0             0.0.0.0/0     1444  1702492  0    0   0
    184 ip   192.168.255.136/0             0.0.0.0/0        5      809  0    0   0
    186 ip   192.168.255.137/0             0.0.0.0/0        5      809  0    0   0
    190 ip   192.168.255.139/0             0.0.0.0/0        5      809  0    0   0
    00004:   3.000 Mbit/s    0 ms burst 3145728 
    q131076  50 sl. 0 flows (1 buckets) sched 65540 weight 0 lmax 0 pri 0 droptail
     sched 65540 type FIFO flags 0x1 256 buckets 4 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    132 ip    67.148.153.136/0             0.0.0.0/0        1       52  0    0   0
    162 ip     67.148.153.27/0             0.0.0.0/0       19      988  0    0   0
    164 ip     67.148.153.24/0             0.0.0.0/0       44     2296  0    0   0
    170 ip       192.168.0.1/0             0.0.0.0/0       40     6435  0    0   0
    00005:   4.000 Mbit/s    0 ms burst 4194304 
    q131077  50 sl. 0 flows (1 buckets) sched 65541 weight 0 lmax 0 pri 0 droptail
     sched 65541 type FIFO flags 0x1 256 buckets 3 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
     60 ip     192.168.0.202/0             0.0.0.0/0        3      132  0    0   0
    142 ip   192.168.255.147/0             0.0.0.0/0     2177  2630678  0    0   0
    174 ip       192.168.2.3/0             0.0.0.0/0        1       41  0    0   0
    00006:   4.000 Mbit/s    0 ms burst 4194304 
    q131078  50 sl. 0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail
     sched 65542 type FIFO flags 0x1 256 buckets 2 active
        mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    132 ip    67.148.153.136/0             0.0.0.0/0        1       52  0    0   0
    188 ip     67.148.153.20/0             0.0.0.0/0     1032    55979  0    0   0
    
    

    So 192.168.255.140 should not use more than 3 Mbit, but the live display says it is using 5 Mbit, and you can see that in Limiter Info only a few packets are displayed. I've rebooted pfSense, so I am sure it is not related to an ongoing connection that was active while I created the limiter rules.


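The Limiter Info page shows dummynet's `ipfw pipe show` output, so the question of whether a host's traffic is actually going through a limiter can be answered from that text rather than by eye. The script below is an added example for this thread, not pfSense or FreeBSD code. It parses the pipe header (rate and burst), the `mask:` line (a non-zero source or destination mask means one queue per distinct address, which is what the limiter's "Source addresses" / "Destination addresses" options configure) and the per-bucket flow rows, then reports which pipe a given host appears in and how many packets it has put through it. `SAMPLE` is constructed from the output quoted in the post above, cut down to two pipes; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, cut down from the Limiter Info output quoted above:
# pipe 00001 with no active flows and pipe 00003 with eight per-source flows.
SAMPLE = """\
00001:   2.000 Mbit/s    0 ms burst 2097152
 sched 65537 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
00003:   3.000 Mbit/s    0 ms burst 3145728
 sched 65539 type FIFO flags 0x1 256 buckets 8 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
126 ip   192.168.255.107/0             0.0.0.0/0        5      809  0    0   0
160 ip   192.168.255.132/0             0.0.0.0/0      132   155152  0    0   0
176 ip   192.168.255.140/0             0.0.0.0/0        1       52  0    0   0
180 ip   192.168.255.142/0             0.0.0.0/0        5      809  0    0   0
182 ip   192.168.255.143/0             0.0.0.0/0     1444  1702492  0    0   0
184 ip   192.168.255.136/0             0.0.0.0/0        5      809  0    0   0
186 ip   192.168.255.137/0             0.0.0.0/0        5      809  0    0   0
190 ip   192.168.255.139/0             0.0.0.0/0        5      809  0    0   0
"""
UNITS = {"bit": 1, "Kbit": 1_000, "Mbit": 1_000_000, "Gbit": 1_000_000_000}

@dataclass
class Flow:
    bucket: int
    src: str
    dst: str
    tot_pkt: int
    tot_bytes: int
    drops: int

@dataclass
class Pipe:
    number: int
    rate_bps: int
    burst: int
    src_mask: int = 0      # dummynet flow mask on the source address
    dst_mask: int = 0      # ... and on the destination address
    active: int = 0        # "buckets N active" from the sched line
    flows: List[Flow] = field(default_factory=list)

PIPE_RE = re.compile(r"^(\d+):\s+([\d.]+)\s+(\w+)/s\s+\d+ ms burst (\d+)")
ACTIVE_RE = re.compile(r"buckets (\d+) active")
MASK_RE = re.compile(r"mask:\s+0x[0-9a-f]+\s+0x([0-9a-f]+)/0x[0-9a-f]+ -> 0x([0-9a-f]+)/0x[0-9a-f]+")
# Flow row columns: BKT Prot Source/port Dest/port Tot_pkt Tot_bytes Pkt Byte Drp
FLOW_RE = re.compile(r"^\s*(\d+)\s+\S+\s+([\d.]+)/\d+\s+([\d.]+)/\d+\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s*$")

def parse_pipe_show(text: str) -> List[Pipe]:
    """Turn `ipfw pipe show` text into Pipe objects carrying their flow rows."""
    pipes: List[Pipe] = []
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            pipes.append(Pipe(int(m.group(1)),
                              int(float(m.group(2)) * UNITS[m.group(3)]), int(m.group(4))))
            continue
        if not pipes:          # anything before the first pipe header
            continue
        cur = pipes[-1]
        if (m := ACTIVE_RE.search(line)):
            cur.active = int(m.group(1))
        elif (m := MASK_RE.search(line)):
            cur.src_mask, cur.dst_mask = int(m.group(1), 16), int(m.group(2), 16)
        elif (m := FLOW_RE.match(line)):
            cur.flows.append(Flow(int(m.group(1)), m.group(2), m.group(3),
                                  int(m.group(4)), int(m.group(5)), int(m.group(6))))
    return pipes

def mask_kind(p: Pipe) -> str:
    """How the rate is shared: a set mask gives every distinct address its own queue."""
    return {(True, True): "per-src/dst-pair", (True, False): "per-source-ip",
            (False, True): "per-destination-ip", (False, False): "shared"
            }[(bool(p.src_mask), bool(p.dst_mask))]

def find_host(pipes: List[Pipe], ip: str) -> List[Tuple[int, Flow]]:
    """Every (pipe number, flow) in which `ip` appears as source or destination."""
    return [(p.number, f) for p in pipes for f in p.flows if ip in (f.src, f.dst)]

def top_talkers(p: Pipe, n: int = 3) -> List[Tuple[str, int]]:
    """Sources with the most bytes through this pipe, largest first."""
    ranked = sorted(p.flows, key=lambda f: f.tot_bytes, reverse=True)
    return [(f.src, f.tot_bytes) for f in ranked[:n]]

def explain_host(pipes: List[Pipe], ip: str) -> str:
    """One-line verdict: is this host's traffic reaching a limiter at all?"""
    hits = find_host(pipes, ip)
    if not hits:
        return f"{ip}: not in any pipe; its packets match no rule that uses a limiter"
    return "; ".join(f"{ip}: pipe {n} ({mask_kind(p)} {p.rate_bps / 1e6:g} Mbit/s) "
                     f"{f.tot_pkt} pkt / {f.tot_bytes} bytes"
                     for n, f in hits for p in pipes if p.number == n)

if __name__ == "__main__":
    print(explain_host(parse_pipe_show(SAMPLE), "192.168.255.140"))
```

Feed it the real output with `ipfw pipe show | python3 limiter_check.py` style piping (the script name is hypothetical) and compare the packet counter for the host against what iftop reports: packets only enter a pipe when they match a firewall rule that references that limiter, so a host showing megabits on the wire but a single packet in its flow row is being matched by something that does not carry the limiter, and the rule ordering is the thing to inspect, not the pipe's bandwidth figure.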

  • I'm having issues as well, and finally, out of sheer frustration, I'm giving up and registering an account to chime in. I am now fully convinced that there is some obscure bug with the limiter. :'(

    On an individual limiter, and per these YouTube instructions (pfSense 2.0 - Limit Download & Upload bandwidth per IP - https://www.youtube.com/watch?v=Usi195rK35I) which I followed step-by-step, it works fine; and this is how I keep a server in check that likes to fly off the handle and suck down as much bandwidth as it possibly can. On this particular server, I knock its common bandwidth down to 50 KB/s download, 15 KB/s upload, and have a separate rule for SSH (above its default rule on LAN) that gives its SSH 4 Mb/s download while retaining the same upload, so that when it pulls backups from other servers through rsync across SSH, it finishes within a few minutes while keeping everything else throttled. Based upon my understanding of pfSense this is a combined 15 KB/s upload, not two separate ones; so if rsync and default traffic were pushing maximum upload throughput, it would be 15 KB/s, not 30 KB/s.

    Now when I want to make use of the dynamic pipes feature of the limiter with "Source addresses" and "Destination addresses", so that other machines on the network (including my wife and I, and our respective phones, etc.) can make use of bandwidth, I try and aim for 4 MB/s download, 50 KB/s upload. If I make an entry for "Source addresses" and "Destination addresses" and model it like I have for the server, using "Source" as "LAN Subnet", then it works fine for download, and when both of us are using the network on top of the server, we never quite max out the pipe (8-9 MB/s and 1 MB/s), so this is as expected and even leaves some wiggle room for our VoIP phones throughout the studio, desks, etc.

    But where it gets weird is this: if I have all of this and it works, what doesn't work is the upload throttling, and whoever decides to upload media to the server, synchronize a backup, or whatever, that device occupies all the bandwidth and ruins the experience for everyone else (example: earlier, the iPad doing its updates just killed everything and made it unbearable for all other devices).

    If I take out the limiter for the dynamic pipe of the "Destination addresses" limiter, EVEN IF IT'S NOT USED, that is when the functionality of upload throttling starts working again. So basically, I have to pick which I want:

    Throttling of uploads working? "Source addresses" entry. If I add in "Destination addresses", even if it's not used in any ruleset anywhere, it knocks this down and it stops working. I even have to go re-create the limiter, since something goes awry on the back end.

    Throttling of downloads working? "Source addresses" entry and "Destination addresses" limiter filled out, and rules entered identically to what I have for the server, which is on a static DHCP IP, with the difference being "LAN Subnet" instead of a particular IP.

    Very peculiar; glad I'm not the only one noticing problems. I've followed A LOT of examples all day long and thought it was me.


  • Sadly, the traffic shaping/limiting part of pfSense is plain unusable by ordinary users. A lot of effort is required to produce working wizards for common scenarios, or even a simple checkbox. People should not normally have to deal with manual configuration of this thing, since they usually end up with a completely broken setup, or a setup that has no effect at all. Way too many features, way too complicated and very hard to understand. No amount of convoluted, techblurb docs is going to change this.

