
    Limiting a single LAN IP's WAN traffic [Solved]

      JacktheSmack last edited by

      I am trying to limit one IP address on the network to 1 Mbit/s inbound, but the setup I have made after reading some guides doesn't work. I test using www.speedtest.net, and the results always say 3.8Mbit/s.


      ![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)

        Derelict LAYER 8 Netgate last edited by

        Get rid of all the rules for this that you've put on WAN.

        Put a rule above your normal pass rule on LAN with a source address of Upstairs and your limiter as the out queue and it'll work.  You'll also need an In queue. I think in this circumstance you can just set In/Out to Upstairs/Upstairs if you want 1Mbit in each direction.  Might be better and more straightforward to make an UpstairsIn and UpstairsOut.

        The limiter is applied to the firewall state when it is created.  I know it's counter-intuitive to put a rule on LAN input to limit LAN output but that's the way it works.

        By the time your WAN port is receiving traffic for the Upstairs destination, the state is already created.

        Another way to do it would be to set the limiters in a floating match rule on WAN out with a source address of Upstairs.  In this case you would put UpstairsOut as the In queue and UpstairsIn as the out queue (Actually since we're changing from In to Out and changing interfaces too, it might be In/Out as UpstairsIn/UpstairsOut on WAN out.  I'd have to test it).  This has the benefit of ONLY setting the limiters and not passing traffic from Upstairs on LAN in a security context.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          JacktheSmack last edited by

          I tried to set a floating rule but it's still not working. I followed your instructions as exactly as I could:

            Derelict LAYER 8 Netgate last edited by

            Change the type to Match, leave the interface on WAN and set the direction to Out.

            The rule will only apply to new connections.

              JacktheSmack last edited by

              @Derelict:

              > Change the type to Match, leave the interface on WAN and set the direction to Out.
              >
              > The rule will only apply to new connections.

              OK So I applied this rule, then I reloaded speedtest.net and still got a 3.8Mbit/s download. I checked the IP address and it is correct. BTW: Thanks for your help so far.

                Derelict LAYER 8 Netgate last edited by

                I just put this on mine and it didn't work for me on WAN out so I might have misled you.

                Change the interface to LAN, the direction to In, and the gateway to None.

                  JacktheSmack last edited by

                  @Derelict:

                  > I just put this on mine and it didn't work for me on WAN out so I might have misled you.
                  >
                  > Change the interface to LAN, the direction to In, and the gateway to None.

                  Awesome! This worked.

                    Derelict LAYER 8 Netgate last edited by

                    Sorry for the error.  Glad it's working.

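A simplified model of the behaviour described in the thread: the limiter is attached to the firewall state when the first packet of a connection creates it, so reply packets arriving on WAN never reach the WAN rules, and a new rule affects only new connections. This is an added example, not pfSense code and not something posted by either participant; the addresses, the limiter names `limit_up`/`limit_down` and the `Rule`/`Firewall` classes are constructed for illustration.

```python
from dataclasses import dataclass, field

UPSTAIRS = "192.168.1.50"   # constructed LAN address standing in for the "Upstairs" alias

@dataclass
class Rule:
    iface: str              # interface the connection's first packet arrives on
    src: str = "any"
    dst: str = "any"
    in_pipe: str = None     # limiter for packets entering iface (originator's direction)
    out_pipe: str = None    # limiter for packets leaving iface (reply direction)

@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    states: dict = field(default_factory=dict)  # {endpoints: (originator, in_pipe, out_pipe)}

    def packet(self, iface, src, dst):
        """Return the limiter applied to one packet (None = unlimited, 'BLOCK' = dropped)."""
        key = frozenset((src, dst))
        if key in self.states:                  # state hit: the ruleset is not consulted again
            originator, in_pipe, out_pipe = self.states[key]
            return in_pipe if src == originator else out_pipe
        for r in self.rules:                    # first packet only: first matching rule wins
            if r.iface == iface and r.src in ("any", src) and r.dst in ("any", dst):
                self.states[key] = (src, r.in_pipe, r.out_pipe)  # limiters stored in the state
                return r.in_pipe
        return "BLOCK"                          # default deny when nothing matches

def download_limiter(fw, server="203.0.113.10"):
    """Upstairs opens a connection from LAN; return the limiter its WAN reply packets get."""
    fw.packet("LAN", UPSTAIRS, server)
    return fw.packet("WAN", server, UPSTAIRS)

lan_pass = Rule("LAN")                                        # the normal LAN pass rule
wan_limit = Rule("WAN", dst=UPSTAIRS, in_pipe="limit_down")   # limiter placed on WAN
lan_limit = Rule("LAN", src=UPSTAIRS, in_pipe="limit_up", out_pipe="limit_down")

def rule_added_after_state():
    """A connection opened before the limiter rule existed keeps its unlimited state."""
    fw = Firewall([lan_pass])
    fw.packet("LAN", UPSTAIRS, "203.0.113.10")
    fw.rules.insert(0, lan_limit)               # limiter rule goes above the pass rule
    old = fw.packet("WAN", "203.0.113.10", UPSTAIRS)
    new = download_limiter(fw, server="198.51.100.7")
    return old, new

if __name__ == "__main__":
    print(download_limiter(Firewall([wan_limit, lan_pass])),
          download_limiter(Firewall([lan_limit, lan_pass])), rule_added_after_state())
```

The model covers only the state-creation ordering discussed in the thread; it does not model NAT, floating-rule evaluation or bandwidth accounting.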