Limiting a single LAN IP's WAN traffic [Solved]

JacktheSmack

I am trying to limit one IP address on the network to 1 Mbit/s inbound, but the setup I have made after reading some guides doesn't work. I test using www.speedtest.net, and the results always say 3.8Mbit/s.

![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)
![firewall rule.PNG_thumb](/public/imported_attachments/1/firewall rule.PNG_thumb)

Derelict

Get rid of all the rules for this that you've put on WAN.

Put a rule above your normal pass rule on LAN with a source address of Upstairs and your limiter as the out queue and it'll work. You'll also need an In queue. I think in this circumstance you can just set In/Out to Upstairs/Upstairs if you want 1Mbit in each direction. Might be better and more straightforward to make an UpstairsIn and UpstairsOut.

The limiter is applied to the firewall state when it is created. I know it's counter-intuitive to put a rule on LAN input to limit LAN output but that's the way it works.

By the time your WAN port is receiving traffic for the Upstairs destination, the state is already created.

Another way to do it would be to set the limiters in a floating match rule on WAN out with a source address of Upstairs. In this case you would put UpstairsOut as the In queue and UpstairsIn as the out queue (Actually since we're changing from In to Out and changing interfaces too, it might be In/Out as UpstairsIn/UpstairsOut on WAN out. I'd have to test it). This has the benefit of ONLY setting the limiters and not passing traffic from Upstairs on LAN in a security context.

JacktheSmack

I tried to set a floating rule but it's still not working. I followed your instructions as exactly as I could:

Derelict

Change the type to Match, leave the interface on WAN and set the direction to Out.

The rule will only apply to new connections.

JacktheSmack

@Derelict:

Change the type to Match, leave the interface on WAN and set the direction to Out.

The rule will only apply to new connections.

OK So I applied this rule, then I reloaded speedtest.net and still got a 3.8Mbit/s download. I checked the IP address and it is correct. BTW: Thanks for your help so far.

Derelict

I just put this on mine and it didn't work for me on WAN out so I might have misled you.

Change the interface to LAN, the direction to In, and the gateway to None.

JacktheSmack

@Derelict:

I just put this on mine and it didn't work for me on WAN out so I might have misled you.

Change the interface to LAN, the direction to In, and the gateway to None.

Awesome! This worked.

Derelict

Sorry for the error. Glad it's working.