Bandwidth Control (Limiters) on Port-Forwarded Traffic

  • I have a situation where I need to control the bandwidth of devices on the internet connecting to my server behind my pfSense firewall.

    Basically, I need to limit the bandwidth of EACH client on the internet connecting to an internal server on my LAN network. If anyone knows how this could be implemented or has a working solution, please help me :D


    I thought it would not be that hard and tried to implement it using limiters, but that did not work.

    Right now I have a server on my LAN side listening on a specific port. I have a NAT port-forward rule to redirect traffic with that specific port from the WAN interface to the server on the LAN interface. Everything works perfectly fine except that I have a home internet package whose upload speed is a lot lower than the download speed, and just a few clients connecting to the server could easily fill up the upload bandwidth. Ideally I want to limit connections to 500 kbps (both download and upload) PER CLIENT connecting to the server.

    I went ahead with using limiters because I am also using limiters to control bandwidth for LAN to internet traffic, and they work without any problem. For the LAN to internet bandwidth control, I have an UploadPipe (mask the source address) and a DownloadPipe (mask the destination address). The firewall rule that allows traffic from LAN to the internet has the advanced In/Out queue option set to UploadPipe/DownloadPipe. This allows each device on the LAN network to have its own bandwidth control.

    I thought the same effect, where each client connecting from the internet to the local server has its own bandwidth control, could be achieved easily using the same idea, but applying it on the WAN interface. I set up 2 pipes: ServerInbound (mask source address) and ServerOutbound (mask destination address). On the auto-generated NAT port-forward rule, I set the In/Out queue to ServerInbound/ServerOutbound. It did not work. I tried to connect to the server from outside and there was no response.

    I set the In/Out back to none/none, and I was able to connect to the server successfully like before. Setting the In/Out to ServerInbound/none also worked, but this only limited the server’s download speed (client’s upload), which would not solve my initial problem.

    I set the In/Out back to ServerInbound/ServerOutbound and did a packet dump on the server. When I tried to connect to the server from my computer on the internet, SYN packets from the computer appeared in the dump, and SYN ACK packets from the server to the computer also appeared. I checked the firewall log: the traffic was passed to the server, but the packets going back out were dropped. What I don't understand is that for the incoming traffic, the source and destination are shown as:

    Source                               Destination
    [Internet-Device-IP]:[Random-Port]   [Server-LAN-Address]:[Server-Port]

    However, the dropped traffic shows

    Source                               Destination
    [pfSense-WAN-Address]:[Server-Port]  [Internet-Device-IP]:[Random-Port]

    I don't know if this is normal or has anything to do with it being dropped, but I was expecting the source to be [Server-LAN-Address]:[Server-Port], so I thought that was strange and could be something to consider.

    Also, according to pfSense, the rules that triggered the drop were:

    @4 scrub on pppoe0 all fragment reassemble
    @4 block drop out log inet all label "Default deny rule IPv4"

    If I understand how the pfSense firewall works correctly, the second line means that the traffic did not match any rule, so it got denied by the default policy. But this did not happen without the limiters set, so why would having limiters change how rules are applied? I checked the state table and there were 2 states with status CLOSED:SYN_SENT and ESTABLISHED:SYN_SENT for the internet device to the server on that port, so there could not have been a problem with states either. Does it have anything to do with the nature of the limiters, a limitation of the limiter maybe? Or am I doing something wrong? Basically I couldn't connect to the server because the request was sent but the reply got dropped by pfSense. What is going on? If anyone knows an answer to this and could clear up my understanding of how this whole thing works, I would appreciate it very much.

    If my initial problem of limiting clients' connections to the server could be implemented in any other way (a more correct way perhaps?), please tell me! The --- LONGER VERSION --- section is just me being curious why my method did not work and trying to understand how pfSense works.

    Thank you in advance!

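The post above describes two things that are easy to conflate: what a masked limiter pipe keys on, and what address the WAN-side "out" direction sees on a port-forwarded reply. The following is an added illustration, not code from the post or from pfSense/dummynet. It is a toy model of a NATed port forward with one masked token-bucket pipe per direction, the way the poster configured ServerInbound (mask source) and ServerOutbound (mask destination). All addresses, ports and the 1500-byte packet size are constructed (RFC 5737 documentation ranges on the public side); the 500 kbit/s figure is the one from the post. It shows that a reply leaving WAN carries the pfSense WAN address as its source after reverse NAT, exactly as in the quoted log line, and that a destination-masked pipe still keys on the client address in that form. It does not model, and makes no claim about, why the poster's replies were dropped.

```python
"""
Toy model of per-client limiting on a NATed port forward.

Constructed example, not pfSense or dummynet source code. Addresses,
ports and sizes are assumptions chosen to mirror the scenario in the post.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

WAN_ADDR = "203.0.113.2"          # assumed pfSense WAN (pppoe0) address
SERVER_LAN_ADDR = "192.168.1.10"  # assumed LAN server address
SERVER_PORT = 8080                # assumed forwarded port
LIMIT_KBPS = 500                  # per-client limit from the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    size: int = 1500  # bytes on the wire (assumed full-size frames)


def nat_inbound(pkt: Packet) -> Packet:
    """Port forward: a packet arriving on WAN for WAN_ADDR:SERVER_PORT has its
    destination rewritten to the LAN server before delivery."""
    if pkt.dst == WAN_ADDR and pkt.dport == SERVER_PORT:
        return replace(pkt, dst=SERVER_LAN_ADDR)
    return pkt


def nat_outbound(pkt: Packet) -> Packet:
    """Reverse translation: the server's reply leaves WAN with its source
    rewritten to WAN_ADDR:SERVER_PORT. This is the form a WAN 'out' rule
    (and the firewall log) sees, which is why the logged source is the
    WAN address rather than the server's LAN address."""
    if pkt.src == SERVER_LAN_ADDR and pkt.sport == SERVER_PORT:
        return replace(pkt, src=WAN_ADDR)
    return pkt


def pipe_key(pkt: Packet, mask: str) -> str:
    """Masked pipe: one dynamic queue per distinct value of the masked field.
    A full /32 mask on source or destination keys on that single host."""
    if mask == "src":
        return pkt.src
    if mask == "dst":
        return pkt.dst
    raise ValueError("mask must be 'src' or 'dst'")


class Pipe:
    """Per-key token bucket approximating a masked limiter pipe. Each key
    refills at the configured rate and may burst one second's worth."""

    def __init__(self, kbps: int, mask: str) -> None:
        self.rate = kbps * 1000 / 8  # bytes per second
        self.mask = mask
        self.tokens: dict[str, float] = defaultdict(lambda: self.rate)  # start full
        self.last: dict[str, float] = defaultdict(float)

    def offer(self, pkt: Packet, now: float) -> bool:
        key = pipe_key(pkt, self.mask)
        elapsed = now - self.last[key]
        self.last[key] = now
        self.tokens[key] = min(self.rate, self.tokens[key] + elapsed * self.rate)
        if self.tokens[key] >= pkt.size:
            self.tokens[key] -= pkt.size
            return True
        return False  # over this client's budget; a real pipe would queue, then drop


def simulate_burst(clients: list[str], packets_per_client: int) -> dict[str, int]:
    """Every client fires `packets_per_client` requests at t=0 and the server
    answers each one. Returns replies that made it out per client. Because both
    pipes key on the client address, each client gets its own 500 kbit/s budget
    instead of all clients sharing one."""
    inbound = Pipe(LIMIT_KBPS, mask="src")   # ServerInbound: WAN->LAN, client is the source
    outbound = Pipe(LIMIT_KBPS, mask="dst")  # ServerOutbound: LAN->WAN, client is the destination
    accepted: dict[str, int] = defaultdict(int)
    for client in clients:
        for i in range(packets_per_client):
            req = Packet(client, 40000 + i, WAN_ADDR, SERVER_PORT)
            if not inbound.offer(nat_inbound(req), now=0.0):
                continue
            reply = Packet(SERVER_LAN_ADDR, SERVER_PORT, client, 40000 + i)
            if outbound.offer(nat_outbound(reply), now=0.0):
                accepted[client] += 1
    return dict(accepted)


if __name__ == "__main__":
    client = "198.51.100.7"
    reply = Packet(SERVER_LAN_ADDR, SERVER_PORT, client, 40000)
    print("reply as seen on WAN out:", nat_outbound(reply))
    print("dst-masked key on that reply:", pipe_key(nat_outbound(reply), "dst"))
    print(simulate_burst([client, "198.51.100.8"], 100))
```

With a 500 kbit/s pipe (62,500 bytes/s) and a one-second burst, each client gets 41 full-size replies through at t=0 regardless of how many other clients are hammering the server, which is the per-client behaviour the post is after. Note also that `pipe_key(..., "dst")` returns the client address whether it is handed the reply before or after reverse NAT: NAT on a port forward rewrites the server side of the reply, not the client side.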