Speed Limit not working using limiter



  • I have done the following steps for limiting the bandwidth per IP.

    1. Firewall ---> Traffic Shaper ---> limiter ---> create new limiter (I have created two new limiters; they are as follows).

    a) enabled the "Enable limiter and its children" ---> name "up lan" ---> bandwidth "2mb" ---> source address ---> mask IPV4 "8".
    b) enabled the "Enable limiter and its children" ---> name "down lan" ---> bandwidth "2mb" ---> source address ---> mask IPV4 "8".

    2. Firewall ---> rules ---> lan ---> + (Create new rule) ---> most of the settings are unchanged; only the following settings are changed.

    Protocol: TCP/UDP ---> source: single host or alias ---> put the client machine's IP ---> in/out: "down lan" "up lan" ---> then save

    But when I check the client speed using speedtest.net, the limiter is not working.

    Kindly guide on this.


  • Netgate

    Ok.  That's wrong.

    I assume you want a 2Mb download / 2Mb upload limit per host.

    a) enabled the "Enable limiter and its children" ---> name "up lan" ---> bandwidth "2mb" ---> source address ---> mask IPV4 "8".

    Should be:

    a) enabled the "Enable limiter and its children" ---> name "up lan" ---> bandwidth "2mb" ---> source address ---> Don't set a mask.  Leave it at the default (/32)

    b) enabled the "Enable limiter and its children" ---> name "down lan" ---> bandwidth "2mb" ---> source address ---> mask IPV4 "8".

    Should be:

    b) enabled the "Enable limiter and its children" ---> name "down lan" ---> bandwidth "2mb" ---> dest address ---> Don't set a mask.  Leave it at the default (/32)

    Protocol: TCP/UDP ---> source: single host or alias ---> put the client machine's IP ---> in/out: "down lan" "up lan" ---> then save

    Should be:

    Protocol: TCP/UDP ---> source: single host or alias ---> put the client machine's IP ---> in/out: "up lan" "down lan" ---> then save

    Make sure that rule is above anything else that matches.



  • Thank you Sir,

    But still it's not working. Is there any other mandatory setting?


  • Netgate

    Post screenshots:  Limiter configs, firewall rules.



  • Hello everyone.

    I too have the same problem. It is a pfSense 2.2 (no update, new installation).

    The traffic shaping works for a host, but doesn't work for a network.

    The rule in the firewall is:

    Proto          Source            Port    Destination    Port        Gateway    Queue
    IPv4 TCP/UDP   10.70.240.0/21    *       *              80 - 443    *          none

    Advanced features:
    IN/OUT --> IN LAN / OUT LAN (6MB for each)

    The Limiter in the Traffic Shaper:

    enabled the "Enable limiter and its children" --->name "in lan" ---->bandwidth "6mb"---->source address ---> Don't set a mask
    enabled the "Enable limiter and its children" --->name "out lan" ---->bandwidth "6mb"---->source address ---> Don't set a mask

    The configuration is a transparent proxy.

    I am sending the screenshots.


  • Netgate

    There are no queues defined for that rule so I don't know why you're showing that.  If that's the traffic you want to limit you have to set the in/out queues on that rule.

    You probably want to make an alias for ports 80 and 443 and use that instead of the range 80-443.  Or make one rule for each port.

    There is no need to include UDP for HTTP/HTTPS.  They are both TCP-only.



  • Hi Derelict.

    Is the queue necessary?

    Is the limiter not enough?


  • Netgate

    You create the limiters, but then you need to assign traffic to the limiter queues using firewall rules.  In the IN/OUT advanced section.



  • Effectively I have it configured that way; the configuration is in the screenshots I sent.


  • Netgate

    No idea what you need to do to make it work with a proxy.  Sorry.

    I do see one more error.  You have both limiters masked by source address.

    On LAN:
    your out queue will be your clients' download and should be masked by dest address
    your in queue will be your clients' upload and should be masked by source address.

    These should be applied to your lan rules with in as in and out as out.
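
An added illustration of the masking advice in this thread, not part of any post: a simplified Python model of how a limiter mask splits traffic into per-address pipes, each with its own bandwidth. The client and server addresses are constructed samples (clients inside the 10.70.240.0/21 network mentioned above), the 2 Mb rate is the one from the first post, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample traffic: two LAN clients, three remote servers.
CLIENTS = ["10.70.240.11", "10.70.241.12"]
SERVERS = ["198.51.100.5", "203.0.113.9", "192.0.2.20"]

# Upload: packets enter LAN with the client as source ("in" limiter).
upload = [{"src": c, "dst": s} for c in CLIENTS for s in SERVERS]
# Download: packets leave LAN with the client as destination ("out" limiter).
download = [{"src": s, "dst": c} for c in CLIENTS for s in SERVERS]


def bucket(packet, mask_field, bits=32):
    """Key of the pipe a packet lands in: the masked src or dst address."""
    net = ipaddress.ip_network(f"{packet[mask_field]}/{bits}", strict=False)
    return str(net)


def pipes(packets, mask_field, bits=32):
    """Packets per pipe; every distinct key gets the full limiter bandwidth."""
    return Counter(bucket(p, mask_field, bits) for p in packets)


def client_ceiling(packets, mask_field, bits, client_field, client, rate_mbit=2):
    """Upper bound for one client: number of pipes its traffic uses x rate."""
    keys = {bucket(p, mask_field, bits)
            for p in packets if p[client_field] == client}
    return len(keys) * rate_mbit


if __name__ == "__main__":
    # Correct setup: upload masked by source /32, download by destination /32.
    print("up, src/32  :", dict(pipes(upload, "src", 32)))
    print("down, dst/32:", dict(pipes(download, "dst", 32)))
    # Original setup: mask 8 puts every 10.x.x.x client in one shared pipe.
    print("up, src/8   :", dict(pipes(upload, "src", 8)))
    # Download masked by source: pipes follow the servers, not the clients.
    print("down, src/32:", dict(pipes(download, "src", 32)))
    print("ceiling Mb  :",
          client_ceiling(download, "src", 32, "dst", CLIENTS[0]))
```

With the download limiter masked by source address, the pipes are keyed by remote server, so one client pulling from three servers can reach three times the intended rate; masked by destination it stays at 2 Mb.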