Traffic Shaper Limiter for a Specific Interface - Load Balancing Multi-Wan Setup

  • Greetings everyone! Sorry to bother, I've been struggling with a problem I'm having with setting up a limiter for a specific WAN interface for over a week now. I've been back-reading the previous topics that might be related but I still haven't found the solution.


    - I currently have a multi-wan setup with two WANs and one LAN. Everything is working perfectly except for this issue I've been having.
      - The two WAN interfaces are grouped into one gateway with both being Tier 1 for load balancing. I named the gateway: "LoadBalancer".
      - No problems with port forwarding to a specific interface.
      - Traffic shaper limiters work for traffic I route to a specific WAN interface's gateway. ("WAN_DHCP" or "WAN2_DHCP" gateway, not the "LoadBalancer" gateway)
      - There is a big disparity between the upload speeds of my two WAN connections, one has 1 Mbps upload speed while the other one has 11 Mbps.
      - I direct all http and https traffic through the primary WAN connection.

    My issue arises with torrent traffic. I'd like to specifically set an upload limit on the primary WAN connection because the torrent client saturates too much of its upload bandwidth.
    I could just set an upload limit on the torrent client itself but that would limit the total upload for both connections and there would still be a possibility of my primary WAN connection getting saturated.
    Also, I'd like to keep things dead simple and not mess with the other queues anymore. I just want to be able to set an In/Out limiter for traffic on a specific interface on a load balancing gateway group.
    I've tried adding limiter rules for the WAN interface only but it wasn't enough. I'm having trouble figuring out how to set the rule for the LAN interface. With the LAN as the source, if I set the limiter for a specific gateway group then I would effectively be limiting both interfaces. With the LAN still being the source, if I instead set the gateway to be WAN_DHCP, I would be able to limit the traffic on the primary interface only but then all of the traffic would just pass through the primary WAN interface since I effectively set it as the destination.

    Am I missing something very trivial? Any help with this would be greatly appreciated!

    Thanks everyone!

  • Make sure under the General Setup you specify DNS for each gateway or your load balancing gateway will not work. Put in 4 DNS servers and split 2 to one WAN GW and 2 to another. The load balancer gateway should be used under the Interface rules, not floating rules.

    So make the last rule, the any/any rule, use the load balancer gateway. To test this, open a webpage in Chrome and then open another one in IE to the same webpage and you should get different IPs as it should balance.

    That being said, since you have a difference in speeds, I would make the faster one Tier 1 and the slower one Tier 2 and set for high latency / congestion for failover.

  • Thanks for the quick reply! Like I mentioned, I don't have any issues with the load balancing itself, everything is working perfectly. The only thing I want to do is add an upload speed limiter to one specific interface that's part of a gateway group. I want to be able to fully utilize both connections for downloading but limit one interface on uploading. I forgot to mention that the reason why I prefer to use the connection with the slower upload speed as my primary one is because it is more stable than the other connection. The other connection is an LTE modem that I sometimes bring with me. My primary connection also has a lower ping for stuff I use it for. There's got to be a way to set this up easily, I just don't know what I'm overlooking. It's dead simple to do with just one WAN connection/gateway.

    Thanks again!

  • Then make a limiter under the traffic shaper like this:

    1. Download - XMbps here
        Download LAN - Destination Address

    2. Upload - XMbps here
        Upload LAN - Destination Address

    Under the firewall rules under LAN before the last rule do:

    TCP - Source - LAN Net - Destination !LAN Net - Ports - any - In - Upload LAN / Out - Download LAN - Gateway - WAN GW you want it to go out.

    This will catch all TCP connections not going local to use the limiter and send it out the gateway you want.

    See the forum here for exactly how it is done as there are multiple posts on it.

  • Greetings sideout! Yes, I have already tried that and I've mentioned it also in my original post.
    The problem with doing it that way is that all of the traffic will go to just the primary WAN gateway and never the other one because only the first rule the traffic matches will take effect.
    I want the traffic to go out my "LoadBalancer" gateway that includes both WANs but have one of the WAN interfaces limited. With your example, this is how I want it to look:

    TCP - Source - LAN Net
    Destination !LAN Net
    Ports - any
    In - Upload LAN / Out - Download LAN
    Gateway - LoadBalancer
    Out Interface - WAN

    but I have no idea how to add that additional constraint on the rule.

    Again, if I set the gateway to be WAN_DHCP, then all the traffic will just go to that gateway. I've already tried this.

    Thanks again for the replies. Greatly appreciated!

  • I don't think there is a way to just limit the upload speed on an interface that is a part of a gateway group and have it load balance.

    You could try making a floating rule and do something like:
    Direction - Out
    Interface - LAN
    TCP - Source - LAN Net
    Destination !LAN Net
    Ports - any
    In - Upload LAN / Out - Download LAN
    Gateway - WAN1

    So then any traffic from the LAN going out on TCP on any port to a non-LAN address would be limited on WAN1, and then WAN2 would not have a limit.

    Maybe try that?

  • Greetings again! Sorry for the late reply. Sadly, I've also tried using floating rules matching what you've said and a lot of other test rules but have still not been able to limit upload traffic of a specific interface in a gateway group. This issue has been bugging me so bad, I awoke from my sleep thinking about it. lol

  • Did you ever figure out how to do this?

    Having trouble with the same config.

  • +1

    I also have a similar setup and would like to do a per-IP limiter to better distribute the available bandwidth.

    Also using squid and squidguard.

  • You all do realize that when there is disparity in speeds like that you can set the gateway weights to give the load balancer more information in its decision making?

    For 1Mbps vs 11Mbps you have 12Mbps available and want the 1Mbps link to shoulder about 8% of the load so I would start with a weight of 12 on the 11Mbps GW and a weight of 1 on the 1Mbps GW. That should try to put 1 / 12 = 8.33% of the load on the slower link.

    This is in the book under Unequal Cost Load Balancing.

    It probably won't be perfect but should help some and is the proper way to set your equal-tier (load balancing) gateway group in this situation.

  • If I understood correctly (sorry, TL;DR), your problem is that you are applying the rules on the LAN interface.

    In this case, it is best to create floating rules with direction OUT, on each of the WANs. It does not matter how the gateway groups or the routing are configured.

    Whatever gets OUT of the specified WAN will go into the specified queue, period. Of course you will need two "trees" within the shaper, to accommodate each of the WANs.

    My general advice is to always tag traffic with floating rules, direction out, on the proper WAN interface.