Traffic shaping per users



  • Hello,

    we have a connection bandwidth of 2 Mbps and about 50 users.

    We want to limit the bandwidth per user to 50 Kbps after the host has used the full bandwidth for about 5-10 minutes.

    How can we configure pfSense to do it?

    Best regards.



  • I believe you want to look into Limiters under Firewall->Traffic Shapers->Limiters



  • Unfortunately (if I understood that section well) there you cannot specify the parameter per User/host, unless you then create a Rule for each IP Address.

    Is that right?

    The second question is: how can I manage the burst parameter? I've made some tests, but the burst doesn't work.



  • OK, I found the solution to have a limit per host.

    With these settings

    every host has a 500 kbps bandwidth limit.

    The problem remains the "burst" parameter, which seems to have no influence on navigation.

    Could anyone explain how the burst works?



  • Netgate

    The burst parameter is an amount of data (in bytes) that can be transferred at full speed (no limit).  As soon as that amount of data has been transferred in a steady manner, the limiter will kick in.

    A good way to think about it is a bucket that will hold burst amount of water with a hole in the bottom the size of your limiter.  Your client's perspective is pouring water into the bucket.  He can pour water into the bucket as fast as he wants.  As soon as it fills up, the overflow will be packets dropped by the limiter.  If he eases up on the transfer, the water drains and there's more room for full-speed transfers.

    So a casual user who is just browsing the web and checking email will likely never experience the limiter at all.  But the user that starts a download will be able to download burst amount of data then the limiter will kick in.

    The limit and the burst aren't really related.  In order to get a good amount for the burst (5-10 mins is a long time) you need to take the full, unlimited download speed and multiply it by the desired number of seconds of burst and use that amount of data, in bytes, in burst.

    The limiter takes multiple bandwidth settings.  I'd have to do some testing to see if you can tell it that the top-end for the user is 500k, then set a lower limit with a burst.  That'd probably be more what you're looking for.

    (EDIT: No, I don't see a way to nest two limiters each with a bandwidth setting.  Probably need HFSC for that.  The multiple limiter entries are so you can schedule different limiters at different times.)

    When you're using the limiter you're using ipfw so this is a good source of info:

    https://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html


  • Netgate

    And you don't need that 32 in the mask.  Not sure if it will hurt.  Selecting destination address on LAN_DOWN is enough.



  • @Derelict - thank you for the excellent explanation about the limiter and burst!

    Has anyone figured out how the burst works in the scenario described above? I'm attempting to do the same thing – If I set the burst at 1000000, will it allow ~1Mb (no limiting) PER DESTINATION? (or does that burst amount get divided among hosts like the bandwidth does?)

    @Derelict:

    The burst parameter is an amount of data (in bytes) that can be transferred at full speed (no limit).  As soon as that amount of data has been transferred in a steady manner, the limiter will kick in.

    A good way to think about it is a bucket that will hold burst amount of water with a hole in the bottom the size of your limiter.  Your client's perspective is pouring water into the bucket.  He can pour water into the bucket as fast as he wants.  As soon as it fills up, the overflow will be packets dropped by the limiter.  If he eases up on the transfer, the water drains and there's more room for full-speed transfers.

    So a casual user who is just browsing the web and checking email will likely never experience the limiter at all.  But the user that starts a download will be able to download burst amount of data then the limiter will kick in.

    The limit and the burst aren't really related.  In order to get a good amount for the burst (5-10 mins is a long time) you need to take the full, unlimited download speed and multiply it by the desired number of seconds of burst and use that amount of data, in bytes, in burst.

    The limiter takes multiple bandwidth settings.  I'd have to do some testing to see if you can tell it that the top-end for the user is 500k, then set a lower limit with a burst.  That'd probably be more what you're looking for.

    (EDIT: No, I don't see a way to nest two limiters each with a bandwidth setting.  Probably need HFSC for that.  The multiple limiter entries are so you can schedule different limiters at different times.)

    When you're using the limiter you're using ipfw so this is a good source of info:

    https://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html


  • Netgate

    Has anyone figured out how the burst works in the scenario described above? I'm attempting to do the same thing – If I set the burst at 1000000, will it allow ~1Mb (no limiting) PER DESTINATION? (or does that burst amount get divided among hosts like the bandwidth does??).

    Depends on whether you set the per-source/destination masks or not.  Without the mask, everyone is using one big pool.  With the mask the limiter attempts to balance everyone on their own pipe within the limit set by the parent limiter.  The burst is just a parameter on the pipe.  The host either gets its own pipe because the mask mandates it or it doesn't.

    With netmasks shorter than /32 you could put different groups of hosts within shared limiter pipes, too.  You can also do it with the firewall rules that can steer traffic from different hosts to different in/out queues.
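To make the bucket analogy and the mask behaviour from the two replies above concrete, here is a toy model of a dummynet-style pipe with a bandwidth limit, a burst allowance and an optional per-host mask. It is an added illustration written for this page, not pfSense or ipfw code, and dummynet's real scheduler is more elaborate than a one-second token bucket. The host addresses, the traffic pattern (a steady downloader next to a host that fetches 20 KB every 30 s) and the 5-minute burst sizing are constructed from the figures in the opening post; `burst_for` is the "full speed times seconds" rule from the reply, not an ipfw function.

```python
"""Toy token-bucket model of a limiter pipe with burst and per-host mask.
Added example, not pfSense/ipfw code. Rates in bit/s, data in bytes, 1 s ticks."""
from __future__ import annotations
from collections import defaultdict
from ipaddress import ip_network


def burst_for(full_speed_bps: int, seconds: float) -> int:
    """Burst sizing rule from the thread: unlimited speed x seconds, in bytes."""
    return int(full_speed_bps / 8 * seconds)


class Pipe:
    """'burst' bytes may pass at full speed; afterwards only the limit rate is
    added back each tick, so a steady sender sees the limit while an
    intermittent sender keeps finding room in the bucket."""

    def __init__(self, limit_bps: int, burst_bytes: int) -> None:
        self.per_tick = limit_bps // 8      # bytes the limit allows per second
        self.burst = burst_bytes
        self.tokens = burst_bytes           # bucket starts full

    def refill(self) -> None:
        self.tokens = min(self.burst + self.per_tick, self.tokens + self.per_tick)

    def take(self, wanted: int) -> int:
        got = min(wanted, self.tokens)
        self.tokens -= got
        return got


class Limiter:
    """mask_bits=None: every host shares one pipe (one big pool).
    mask_bits=32: one dynamic pipe per host; a shorter mask groups hosts."""

    def __init__(self, link_bps: int, limit_bps: int, burst_bytes: int,
                 mask_bits: int | None = None) -> None:
        self.link = link_bps // 8           # bytes the physical link carries per second
        self.limit_bps, self.burst, self.mask_bits = limit_bps, burst_bytes, mask_bits
        self.pipes: dict[str, Pipe] = {}

    def key(self, ip: str) -> str:
        if self.mask_bits is None:
            return "shared"
        return str(ip_network(f"{ip}/{self.mask_bits}", strict=False))

    def tick(self, demand: dict[str, int]) -> dict[str, int]:
        """One second. demand maps host -> bytes it would send at full speed;
        returns bytes actually delivered per host."""
        active = {ip: want for ip, want in demand.items() if want > 0}
        if not active:
            return {}
        share = self.link // len(active)    # link capacity balanced over active hosts
        groups: dict[str, list[str]] = defaultdict(list)
        for ip in active:
            groups[self.key(ip)].append(ip)
        out: dict[str, int] = {}
        for key, members in groups.items():
            pipe = self.pipes.setdefault(key, Pipe(self.limit_bps, self.burst))
            pipe.refill()
            each = pipe.tokens // len(members)   # a pipe's allowance is split among its hosts
            for ip in members:
                out[ip] = pipe.take(min(active[ip], share, each))
        return out


def simulate(limiter: Limiter, seconds: int, demand_fn) -> dict[str, int]:
    """Total bytes delivered per host over 'seconds' ticks."""
    total: dict[str, int] = defaultdict(int)
    for t in range(seconds):
        for ip, got in limiter.tick(demand_fn(t)).items():
            total[ip] += got
    return dict(total)


# Scenario from the opening post: 2 Mbps link, 50 kbps per-host limit, burst sized
# for 5 minutes of unlimited transfer. Hosts and traffic pattern are constructed.
LINK_BPS, LIMIT_BPS = 2_000_000, 50_000
BURST = burst_for(LINK_BPS, 300)            # 75,000,000 bytes
DOWNLOADER, CASUAL = "10.0.0.10", "10.0.0.20"


def demand(t: int) -> dict[str, int]:
    """Downloader always wants more than the link; casual host pulls 20 KB every 30 s."""
    return {DOWNLOADER: 10**6, CASUAL: 20_000 if t % 30 == 0 else 0}


def run(mask_bits: int | None, burst: int = BURST) -> dict[str, int]:
    return simulate(Limiter(LINK_BPS, LIMIT_BPS, burst, mask_bits), 600, demand)


if __name__ == "__main__":
    print("per-host pipes (/32 mask):", run(32))
    print("one shared pool (no mask):", run(None))
    print("per-host pipes, no burst: ", run(32, burst=0))
```

Over ten minutes the downloader on its own pipe moves the whole 75 MB burst plus 50 kbps worth of traffic for the rest of the run, while the casual host never notices the limiter. Without the mask the two share one bucket, and once the downloader has drained it the casual host's small fetches are rationed too. With burst set to 0 the downloader gets exactly the 50 kbps limit from the first second.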



  • For all my hosts, I want equal sharing of bandwidth when it gets maxed out. The max is 11Mbps. I have the Limiter set that way (DownLimiter). Then there is a single child queue, Down_LAN, with Mask set to Destination addresses slots. The relevant firewall rule on LAN has this in the "Out" for the In/Out section (I have a similar set for the up traffic with Source addresses). This works great - Traffic Graph shows equal sharing at peak times. I've now also added 1000000 to the burst (I'm assuming this is always set in BYTES no matter what the unit for the bandwidth is in BITS (Mbits, Kbits, etc.)). I'm finding it difficult to test whether this will actually do what I want (per host BURST of 1MB traffic). Would appreciate any advice!

    @Derelict:

    Depends on whether you set the per-source/destination masks or not.  Without the mask, everyone is using one big pool.  With the mask the limiter attempts to balance everyone on their own pipe within the limit set by the parent limiter.  The burst is just a parameter on the pipe.  The host either gets its own pipe because the mask mandates it or it doesn't.

    With netmasks shorter than /32 you could put different groups of hosts within shared limiter pipes, too.  You can also do it with the firewall rules that can steer traffic from different hosts to different in/out queues.





  • Netgate

    When you set the destination slots there's really no reason to set burst.  They get the full download speed unless someone else is in contention for it anyway.  Unless there's a reason you don't want someone to run free if the capacity is available, I'd just ditch it.

    Actually, looking at it, it's really not going to do much for you, because the "Limit" that's going to be applied after the burst is exceeded will be the same as if no burst was applied at all.



  • @Derelict:

    When you set the destination slots there's really no reason to set burst.  They get the full download speed unless someone else is in contention for it anyway.  Unless there's a reason you don't want someone to run free if the capacity is available, I'd just ditch it.

    Actually, looking at it, it's really not going to do much for you, because the "Limit" that's going to be applied after the burst is exceeded will be the same as if no burst was applied at all.

    Thank you once again for the explanation - I see your point. I need to study up more on this. If bandwidth is available, I'd certainly want to allow any host to run free. However, when it's peak hours, I'd like to split evenly among hosts, which is what it does now and works great. The last thing I'd love to have happen is to actually have it not quite split evenly between hosts when certain hosts have been downloading steadily while others are just trying to pull up a website. I thought that was something that burst would help with, but perhaps I need to configure it differently.