Traffic limiter not effective



  • Dear all,

    I applied a traffic limiter through aliases but it is not effective; even after the limiter, clients get more bandwidth than specified in the limiter. For more info I attached the images. I did the following:

    1. First I created inlanlimit and outlanlimit: Firewall -> Traffic Limiter -> Limiter
    2. Second, created an alias named alias1: Firewall -> Aliases
    3. Created a floating rule on LAN and in source selected single host or alias, then down below in In/Out put the inlanlimit and outlanlimit; both have the same value.

    Please guide me.










  • LAYER 8 Netgate

    Get rid of the burst settings until you understand what they do.

    Also, it should work as a floating rule but it might be more straightforward as a rule on LAN.

    Everything else looks good.  Note that it will only affect new states (connections) generated by the clients.



  • As Derelict says, put it on LAN Firewall Rules tab to be sure, and up near the top as the first pass rule (after any block rules that you want to apply).
    I would put protocol any, you might as well limit all their traffic, including ICMP…, then you know you have caught it all.
    And hopefully you have destination any.
    The limiter like that will limit all those IPs to a single combined pipe of 256Kbps. That happens to be exactly what I do with the private mobile phones on my network, and it works just like that - I check my settings and they are the same stuff as yours, even feeding the traffic into a gateway (group) and limiter in the 1 rule. So it should be just a matter of getting the rule to be effective.



  • @phil.davis:

    As Derelict says, put it on LAN Firewall Rules tab to be sure, and up near the top as the first pass rule (after any block rules that you want to apply).
    I would put protocol any, you might as well limit all their traffic, including ICMP…, then you know you have caught it all.
    And hopefully you have destination any.
    The limiter like that will limit all those IPs to a single combined pipe of 256Kbps. That happens to be exactly what I do with the private mobile phones on my network, and it works just like that - I check my settings and they are the same stuff as yours, even feeding the traffic into a gateway (group) and limiter in the 1 rule. So it should be just a matter of getting the rule to be effective.

    @Derelict:

    Get rid of the burst settings until you understand what they do.

    Also, it should work as a floating rule but it might be more straightforward as a rule on LAN.

    Everything else looks good.  Note that it will only affect new states (connections) generated by the clients.

    Thanks Phil.Davis and Derelict.

    I am still trying to get these rules to be effective… but sometimes it seems to be working and sometimes not.


  • LAYER 8 Netgate

    Do you have port forwards for your bittorrent ports?  UPnP opening ports for bittorrent clients?



  • @Derelict:

    Do you have port forwards for your bittorrent ports?  UPnP opening ports for bittorrent clients?

    Please explain a little bit.

    I tried to limit the bandwidth for a single IP and it works, but not for aliases, and if I add single IPs one by one then the CPU usage goes to 70 percent.

    I need to limit bandwidth for a group of clients who are creating problems for the valid traffic.


  • LAYER 8 Netgate

    Are you trying to limit bittorrent?  If so, do you have port forwards for specific bittorrent ports OR are you allowing bittorrent clients to use UPnP to open ports for themselves?

    It matters because incoming connections won't be caught by the shaper rules if either of those conditions are true.

    Actually, it's true for any time ports are forwarded from WAN to LAN regardless of protocol.

    It looks like I might be confusing this with another thread that explicitly mentioned bittorrent.  If so and I'm unnecessarily complicating things, my apologies.

    There is no way the limiter is using 70% CPU.  What else are you doing?



  • @Derelict:

    Are you trying to limit bittorrent?  If so, do you have port forwards for specific bittorrent ports OR are you allowing bittorrent clients to use UPnP to open ports for themselves?

    It matters because incoming connections won't be caught by the shaper rules if either of those conditions are true.

    Actually, it's true for any time ports are forwarded from WAN to LAN regardless of protocol.

    It looks like I might be confusing this with another thread that explicitly mentioned bittorrent.  If so and I'm unnecessarily complicating things, my apologies.

    There is no way the limiter is using 70% CPU.  What else are you doing?

    Dear, I don't care about bittorrent; I just want to limit their bandwidth so the others are never disturbed.


  • LAYER 8 Netgate

    What you've done will do that.



  • @Derelict:

    What you've done will do that.

    Dear Derelict,

    Sorry for the late reply; pfSense is helping me a lot. On LAN I fixed the speed for all users and then gave some managers full access. It works for me.

    Now I have two problems:

    1. First, torrent is still a problem. When I test on a client, they are fine with the limited speed, but when I look at the traffic graphs, users are exceeding the given limits: I fixed 512 Kb but the client is showing 1.12 mbps. Image attached.

    2. I want to monitor the live traffic; say a user goes to some site, is there any monitor that shows the live traffic with website names? I have ntop or bandwidthd but they only show IPs….

    Regarding #1, I have attached images.




  • Professionals, please help.


  • LAYER 8 Netgate

    do you have port forwards for specific bittorrent ports OR are you allowing bittorrent clients to use UPnP to open ports for themselves?



  • @Derelict:

    do you have port forwards for specific bittorrent ports OR are you allowing bittorrent clients to use UPnP to open ports for themselves?

    Please explain a little bit; I don't understand, or just tell me.


  • LAYER 8 Netgate

    The issue is if you have bittorrent configured to accept incoming connections you need to shape those differently.

    This is usually accomplished by establishing a port in your client and putting a port forward in your firewall.  Sometimes the port is opened automatically using UPnP - possibly without your knowledge (though with pfSense I'm pretty sure UPnP is off by default.)

    All that said, traffic shaping is not perfect.  It cannot control how much data is sent to you over the internet.  It can only control how much of that received data is sent out your LAN port.

    ![Screen Shot 2014-12-03 at 10.50.53 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-03 at 10.50.53 PM.png)



  • @Derelict:

    The issue is if you have bittorrent configured to accept incoming connections you need to shape those differently.

    This is usually accomplished by establishing a port in your client and putting a port forward in your firewall.  Sometimes the port is opened automatically using UPnP - possibly without your knowledge (though with pfSense I'm pretty sure UPnP is off by default.)

    All that said, traffic shaping is not perfect.  It cannot control how much data is sent to you over the internet.  It can only control how much of that received data is sent out your LAN port.

    But we cannot go to the clients one by one and enable or disable the port.
    Even though I applied the layer 7 shaper, it has no effect. I limited speed per IP; that also has no effect.

    I want to give each IP 512kbps no matter whether he downloads or browses.


  • LAYER 8 Netgate

    If you didn't enable UPnP or set port forwards in pfsense there's nothing to do at the client.  I'm just telling you my experience with rate-limiting bittorrent clients.  Only you know how your network is configured.

