Netgate Discussion Forum

    Traffic shaping per users

    • simonreal

      Hello,

      We have a connection bandwidth of 2 Mbps and about 50 users.

      We want to limit the bandwidth per user to 50Kbps after the host has used the full bandwidth for about 5-10 minutes.

      How can we configure pfSense to do it?

      Best regards.

      • lovingHDTV

        I believe you want to look into Limiters under Firewall->Traffic Shapers->Limiters

        • simonreal

          Unfortunately (if I understood that section well), you cannot specify the parameter per user/host there, unless you afterwards create a rule for each IP address.

          Is that right?

          The second question is: how can I manage the burst parameter? I've made some tests, but the burst doesn't work.

          • simonreal

            OK, I found the solution to have a limit per host.

            With these settings, every host has a 500 kbps bandwidth limit.

            The problem remains the "burst" parameter, which seems to have no influence on the navigation.

            Could anyone explain how the burst works?

            limiter.png

            • Derelict

              The burst parameter is an amount of data (in bytes) that can be transferred at full speed (no limit).  As soon as that amount of data has been transferred in a steady manner, the limiter will kick in.

              A good way to think about it is a bucket that will hold burst amount of water with a hole in the bottom the size of your limiter.  Your client's perspective is pouring water into the bucket.  He can pour water into the bucket as fast as he wants.  As soon as it fills up, the overflow will be packets dropped by the limiter.  If he eases up on the transfer, the water drains and there's more room for full-speed transfers.

              So a casual user who is just browsing the web and checking email will likely never experience the limiter at all.  But the user that starts a download will be able to download burst amount of data then the limiter will kick in.

              The limit and the burst aren't really related.  In order to get a good amount for the burst (5-10 mins is a long time) you need to take the full, unlimited download speed and multiply it by the desired number of seconds of burst and use that amount of data, in bytes, in burst.

              The limiter takes multiple bandwidth settings.  I'd have to do some testing to see if you can tell it that the top-end for the user is 500k, then set a lower limit with a burst.  That'd probably be more what you're looking for.

              (EDIT: No, I don't see a way to nest two limiters each with a bandwidth setting.  Probably need HFSC for that.  The multiple limiter entries are so you can schedule different limiters at different times.)

              When you're using the limiter you're using ipfw so this is a good source of info:

              https://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • Derelict

                And you don't need that 32 in the mask.  Not sure if it will hurt.  Selecting destination address on LAN_DOWN is enough.


                • ssp

                  @Derelict - thank you for the excellent explanation about the limiter and burst!

                  Has anyone figured out how the burst works in the scenario described above? I'm attempting to do the same thing – If I set the burst at 1000000, will it allow ~1Mb (no limiting) PER DESTINATION? (or does that burst amount get divided among hosts like the bandwidth does??).

                  @Derelict:

                  The burst parameter is an amount of data (in bytes) that can be transferred at full speed (no limit).  As soon as that amount of data has been transferred in a steady manner, the limiter will kick in.

                  A good way to think about it is a bucket that will hold burst amount of water with a hole in the bottom the size of your limiter.  Your client's perspective is pouring water into the bucket.  He can pour water into the bucket as fast as he wants.  As soon as it fills up, the overflow will be packets dropped by the limiter.  If he eases up on the transfer, the water drains and there's more room for full-speed transfers.

                  So a casual user who is just browsing the web and checking email will likely never experience the limiter at all.  But the user that starts a download will be able to download burst amount of data then the limiter will kick in.

                  The limit and the burst aren't really related.  In order to get a good amount for the burst (5-10 mins is a long time) you need to take the full, unlimited download speed and multiply it by the desired number of seconds of burst and use that amount of data, in bytes, in burst.

                  The limiter takes multiple bandwidth settings.  I'd have to do some testing to see if you can tell it that the top-end for the user is 500k, then set a lower limit with a burst.  That'd probably be more what you're looking for.

                  (EDIT: No, I don't see a way to nest two limiters each with a bandwidth setting.  Probably need HFSC for that.  The multiple limiter entries are so you can schedule different limiters at different times.)

                  When you're using the limiter you're using ipfw so this is a good source of info:

                  https://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html

                  • Derelict

                    Has anyone figured out how the burst works in the scenario described above? I'm attempting to do the same thing – If I set the burst at 1000000, will it allow ~1Mb (no limiting) PER DESTINATION? (or does that burst amount get divided among hosts like the bandwidth does??).

                    Depends on whether you set the per-source/destination masks or not.  Without the mask, everyone is using one big pool.  With the mask the limiter attempts to balance everyone on their own pipe within the limit set by the parent limiter.  The burst is just a parameter on the pipe.  The host either gets its own pipe because the mask mandates it or it doesn't.

                    With netmasks shorter than /32 you could put different groups of hosts within shared limiter pipes, too.  You can also do it with the firewall rules that can steer traffic from different hosts to different in/out queues.

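The bucket analogy and burst sizing rule from Derelict's earlier reply, together with the mask behaviour described just above, as an added example that is not part of the thread or of pfSense. It is a simplified one-second-tick bucket model, not dummynet's scheduler; the 2 Mbps line and 50 Kbps limit come from the original question, while the host addresses, the 300-second burst and all function names are assumptions.

```python
import ipaddress

LINK_BPS = 2_000_000   # 2 Mbps line from the original question
LIMIT_BPS = 50_000     # 50 Kbps per-host limit from the original question

def burst_bytes(link_bps, seconds):
    """Sizing rule from the thread: unlimited speed x seconds of burst, in bytes."""
    return link_bps // 8 * seconds

def pipe_key(dst_ip, mask_bits):
    """Destinations that match after masking share a pipe (0 = one pool, 32 = per host)."""
    return ipaddress.ip_network(f"{dst_ip}/{mask_bits}", strict=False)

class Limiter:
    """Simplified bucket model of the analogy in the thread (assumption, not dummynet)."""
    def __init__(self, limit_bps, burst, mask_bits):
        self.drain = limit_bps / 8      # bytes per second leaving through the hole
        self.burst = burst              # bucket capacity in bytes
        self.mask_bits = mask_bits
        self.levels = {}                # pipe key -> bytes currently in that bucket

    def send(self, dst_ip, offered):
        """Offer bytes for one second; return how many fit (the rest is dropped)."""
        key = pipe_key(dst_ip, self.mask_bits)
        level = self.levels.get(key, 0.0)
        passed = min(offered, self.burst + self.drain - level)
        self.levels[key] = level + passed
        return passed

    def tick(self):
        """One second elapses: every bucket drains at the limit rate."""
        for key in self.levels:
            self.levels[key] = max(0.0, self.levels[key] - self.drain)

def full_speed_seconds(mask_bits, late_start=400, duration=800):
    """Host .10 downloads from t=0 and host .20 from t=late_start (constructed
    scenario); return the seconds each one ran at full line speed."""
    lim = Limiter(LIMIT_BPS, burst_bytes(LINK_BPS, 300), mask_bits)
    rate = LINK_BPS // 8
    full = {"192.168.1.10": 0, "192.168.1.20": 0}
    for t in range(duration):
        for host in full:
            if host.endswith(".20") and t < late_start:
                continue
            if lim.send(host, rate) == rate:
                full[host] += 1
        lim.tick()
    return full

if __name__ == "__main__":
    for bits in (32, 24, 0):
        print(f"mask /{bits}:", full_speed_seconds(bits))
```

With a /32 mask the late starter gets its own untouched bucket; with a /24 or no mask it lands in the bucket the first download has already filled.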

                    • ssp

                      For all my hosts, I want equal sharing of bandwidth when it gets maxed out. The max is 11Mbps. I have the Limiter set that way (DownLimiter). Then there is a single child queue, Down_LAN, with Mask set to Destination addresses slots. The relevant firewall rule on LAN has this in the "Out" for the In/Out section (I have a similar set for the up traffic with Source addresses). This works great - Traffic Graph shows equal sharing at peak times. I've now also added 1000000 to the burst (I'm assuming this is always set to BYTES no matter what the unit for the bandwidth is in BITS (Mbits, Kbits, etc.)). I'm finding it difficult to test whether this will actually do what I want (per host BURST of 1MB traffic). Would appreciate any advice!

                      @Derelict:

                      Depends on whether you set the per-source/destination masks or not.  Without the mask, everyone is using one big pool.  With the mask the limiter attempts to balance everyone on their own pipe within the limit set by the parent limiter.  The burst is just a parameter on the pipe.  The host either gets its own pipe because the mask mandates it or it doesn't.

                      With netmasks shorter than /32 you could put different groups of hosts within shared limiter pipes, too.  You can also do it with the firewall rules that can steer traffic from different hosts to different in/out queues.

                      Limiter1.PNG
                      Limiter1Queue.PNG

                      • Derelict

                        When you set the destination slots there's really no reason to set burst.  They get the full download speed unless someone else is in contention for it anyway.  Unless there's a reason you don't want someone to run free if the capacity is available, I'd just ditch it.

                        Actually, looking at it, it's really not going to do much for you, because the "Limit" that's going to be applied after the burst is exceeded will be the same as if no burst was applied at all.


                        • ssp

                          @Derelict:

                          When you set the destination slots there's really no reason to set burst.  They get the full download speed unless someone else is in contention for it anyway.  Unless there's a reason you don't want someone to run free if the capacity is available, I'd just ditch it.

                          Actually, looking at it, it's really not going to do much for you, because the "Limit" that's going to be applied after the burst is exceeded will be the same as if no burst was applied at all.

                          Thank you once again for the explanation - I see your point. I need to study up more on this. If bandwidth is available, I'd certainly want to allow any host to run free. However, when it's peak hours, I'd like to split evenly among hosts, which is what it does now and works great. The last thing I'd love to have happen is to actually have it not quite split evenly between hosts when certain hosts have been downloading steadily while others are just trying to pull up a website. I thought that was something that burst would help with but perhaps I need to configure it differently.
