Dual Wan / 13VLan Bandwidth Limit



  • I'm going round and round in circles here and losing my mind a little bit.

    I'm setting up a pfSense firewall which is providing internet for 13 x studio apartments. Will be using two Fibre Lines for incoming, so will be assigning each studio a 10 Mbps download and 4 Mbps upload limit each.

    My firewall rules are set up like this on each VLAN -

    Individual on each vlan - Allow VLANX sub to VLANX sub (so members of one vlan can see each other)
    Individual on each vlan - NAT port forward (to force them to use DynDNS internet guide, even if they use their own DNS servers)

    Interface group with every VLAN as a member -

    destination not = RFC1918 subnets with Gateway set to LoadBalance group.

    This all works great, I can see members of the same VLAN, it forces the use of DynDNS internet guide DNS, and it blocks access to all other VLANs and the management VLAN.

    I now need to set the limits on each VLAN, and this is where I'm getting confused.

    If I set up an In Limit, and an Out Limit and apply it to the interface group rule, it SHARES the limit between the VLANs (Checked by doing a speedtest from both VLANs)

    So I tried to replicate the interface rule separately on two VLANs to check, and disabled the Interface Group Rule and added the limit in/out, but it still shared the one limit.

    Do I have to have a separate rule for each vlan, with a separate set in/out limit?

    I'm not particularly interested in allowing more bandwidth if available etc, a hard limit of 10/4 per VLAN group is fine.



  • Just tried separate limits and separate rules per VLAN and it works.

    However, before I do this 13 x times, is there an easier way?


  • Netgate

    If you were consistent in your subnetting you can create a mask so every interface (VLAN) gets its own pipe.

    For instance, if all VLANs are a /29 out of the same network you can just mask on source for the in queue and dest for the out queue with a mask of /29.

    Or if all VLANs are a /24, use /24 as the mask.

    I've never actually tried this but that's how I understand it works.



  • I'm a little stuck on the masks :(

    My management VLAN is on 192.168.200.1/24

    This can be unrestricted, as it won't really be used (except for when I connect through OpenVPN to check the firewall)

    The VLANs are -

    192.168.201.1/24 through to 192.168.214.1/24


  • Netgate

    @The:

    I'm a little stuck on the masks :(

    My management VLAN is on 192.168.200.1/24

    This can be unrestricted, as it won't really be used (except for when I connect through OpenVPN to check the firewall)

    Then don't put the limiters in the rules on your Management interface. (Take it out of the interface group if it's in there since you want to treat it differently.)

    The VLANs are -

    192.168.201.1/24 through to 192.168.214.1/24

    I think simply setting a limiter for what you want each VLAN to be able to use then setting the mask to /24 will accomplish what you want.  I think you can use the interface group for this.  With only 13 VLANs I'm not sure I wouldn't just put the rules on the individual interfaces.  Or maybe a floating match rule on all the VLAN interfaces inbound that sets the limiters.  Interface groups are pretty niche.

    Now I want to go back to this:

    I'm setting up a pfSense firewall which is providing internet for 13 x studio apartments. …

    Individual on each vlan - Allow VLANX sub to VLANX sub (so members of one vlan can see each other)

    Are you sure that's what you want to do? I certainly wouldn't want some yahoo in another apartment on my LAN.

    A layer 3 switch and a routed /64 would allow you to give each unit a /30 and let them do their own firewall.  Trunk it into pfSense and limit it there with a /30 mask or just set the policing on the switch ports.



  • @Derelict:

    Then don't put the limiters in the rules on your Management interface. (Take it out of the interface group if it's in there since you want to treat it differently.)

    Apologies, I was being a bit dense in my earlier reply, you're quite right, the Management VLAN isn't in the interface group, thus won't go through the Limiter.

    @Derelict:

    I think simply setting a limiter for what you want each VLAN to be able to use then setting the mask to /24 will accomplish what you want.  I think you can use the interface group for this.  With only 13 VLANs I'm not sure I wouldn't just put the rules on the individual interfaces.  Or maybe a floating match rule on all the VLAN interfaces inbound that sets the limiters.  Interface groups are pretty niche.

    I'll try the mask first, if it doesn't work as expected, it's not the end of the world to have to put a separate rule/limiter for each VLAN.

    @Derelict:

    Are you sure that's what you want to do? I certainly wouldn't want some yahoo in another apartment on my LAN.

    Apologies, should have been a bit clearer on the rules -

    The first rule on each VLAN interface ruleset is -

    Allow VLANx sub to VLANx sub.

    This allows traffic from one host to another on the SAME Vlan only.

    The next rule, which blocks RFC1918 networks by doing an allow to everything except the RFC1918 alias group, blocks the VLANs from each other and allows internet access.

    Each Studio has 1 x RJ45 network point, and an SSID on 4 x Ubiquiti UAP-LRs, so whatever they have on their SSID and plugged into the wall will talk to each other, but not the other VLANs and not the Management VLAN, but the VLAN as a whole has 10 Mbps internet bandwidth.

    Hope that makes a bit more sense and thanks for your help so far :)


  • Netgate

    @The:

    Apologies, should have been a bit clearer on the rules -

    The first rule on each VLAN interface ruleset is -

    Allow VLANx sub to VLANx sub.

    This allows traffic from one host to another on the SAME Vlan only.

    Completely unnecessary.  You will not see same-subnet traffic on an interface.  The hosts on a subnet communicate directly with each other and don't go through the router/firewall at all.

    The next rule, which blocks RFC1918 networks by doing an allow to everything except the RFC1918 alias group, blocks the VLANs from each other and allows internet access.

    I'd use reject source VLANx dest RFC1918 followed by a Pass any any but others probably disagree.



  • @Derelict:

    Completely unnecessary.  You will not see same-subnet traffic on an interface.  The hosts on a subnet communicate directly with each other and don't go through the router/firewall at all.

    I've found the same as the poster in this thread, without that rule, I can't ping from my laptop to my iPhone and vice versa on the same VLAN, but when I enable the rule, I can! So there seems to be some argument if it's needed or not, but in my case, I've found I need the rule!

    https://forum.pfsense.org/index.php?topic=89598.0



  • Thank you for your help :)

    I've just set up an in and out limit, and set the mask to 24, applied it to the one rule under interface group. Tested over two different VLANs (Laptop doing a speedtest and iPhone doing a speedtest) and was getting 10 Mbps each.

    Then put them on the same VLAN and still got 10 Mbps each… swapped the "sources and destinations" options over on the Limiters and now sharing 10 Mbps over the VLAN.

    Great :D
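
    Why the mask has to sit on the source for the upload queue and on the destination for the download queue (Derelict's /24 mask suggestion above, and the "swapped the sources and destinations" result in this post): the following is an added Python model of how dummynet keys its dynamic pipes by masked address. It is not pfSense code; the flows and speedtest server addresses are constructed samples in the poster's 192.168.201.0/24 and 192.168.202.0/24 ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows in the poster's addressing plan: two hosts on VLAN 201
# (laptop and phone) and one host on VLAN 202, each uploading to a speedtest
# server (documentation address ranges, not real servers).
UPLOADS = [
    {"src": "192.168.201.10", "dst": "203.0.113.5"},
    {"src": "192.168.201.11", "dst": "198.51.100.9"},
    {"src": "192.168.202.10", "dst": "203.0.113.5"},
]


def mirror(packets):
    """Reply direction of the same flows (download: server -> client)."""
    return [{"src": p["dst"], "dst": p["src"]} for p in packets]


def pipe_key(packet, mask_on, mask_bits):
    """Key under which dummynet would create a dynamic pipe for this packet:
    the chosen address field (source or destination) reduced to mask_bits."""
    addr = packet["src"] if mask_on == "source" else packet["dst"]
    return str(ipaddress.ip_network(f"{addr}/{mask_bits}", strict=False))


def assign_pipes(packets, mask_on, mask_bits):
    """Group flows by dynamic pipe; all flows under one key share one limit."""
    pipes = defaultdict(list)
    for p in packets:
        pipes[pipe_key(p, mask_on, mask_bits)].append(f"{p['src']}->{p['dst']}")
    return dict(pipes)


if __name__ == "__main__":
    # Upload queue keyed on the client (source) /24: one pipe per VLAN.
    print(assign_pipes(UPLOADS, "source", 24))
    # Same queue keyed on destination: the two VLAN-201 hosts land in different
    # pipes (each sees the full limit) while hosts on different VLANs share one.
    print(assign_pipes(UPLOADS, "destination", 24))
    # Download queue must therefore be keyed on the client as destination.
    print(assign_pipes(mirror(UPLOADS), "destination", 24))
```

    A /32 mask gives one pipe per host and a /16 mask one pipe for all the VLANs, which is the sharing behaviour seen before the mask was set.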


  • Netgate

    @The:

    @Derelict:

    Completely unnecessary.  You will not see same-subnet traffic on an interface.  The hosts on a subnet communicate directly with each other and don't go through the router/firewall at all.

    I've found the same as the poster in this thread, without that rule, I can't ping from my laptop to my iPhone and vice versa on the same VLAN, but when I enable the rule, I can! So there seems to be some argument if it's needed or not, but in my case, I've found I need the rule!

    https://forum.pfsense.org/index.php?topic=89598.0

    Then you have something misconfigured at a basic level.

    IP networking is not whack-a-mole.  The rules are clear and defined.

    Host 1: 192.168.1.100/24
    Host 2: 192.168.1.101/24

    Both have a default gateway of 192.168.1.1

    All three devices are plugged into the same unmanaged switch.

    Traffic from 192.168.1.100 to 192.168.1.101 will NOT be sent to 192.168.1.1.  No rules on that interface will make any difference.

    192.168.1.100 will ask, using ARP, for the MAC address (who has 192.168.1.101)

    192.168.1.101 adds the MAC address of 192.168.1.100 to its ARP table then will respond with its MAC address (I have 192.168.1.101)

    192.168.1.100 will add that MAC address to its ARP table.

    The two hosts will then communicate directly on the ethernet segment.  The router at 192.168.1.1 could be unplugged and they'd still communicate at the basic level just fine.

    If you need firewall rules for that communication to happen, your network is broken.
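
    The host-side decision walked through above, as an added Python model (not from the post or from pfSense): the IPs are the post's, the MAC addresses are constructed from the IANA documentation range, and 203.0.113.5 is a constructed off-subnet destination. The firewall's ARP cache stays empty for same-subnet traffic because neither host ever sends it a frame.

```python
import ipaddress

# Constructed sample segment from the post: two hosts and the firewall at .1,
# all on one unmanaged switch. MACs are from the IANA documentation range.
MACS = {
    "192.168.1.1": "00:00:5e:00:53:01",    # pfSense / default gateway
    "192.168.1.100": "00:00:5e:00:53:64",  # host 1
    "192.168.1.101": "00:00:5e:00:53:65",  # host 2
}
GATEWAY = "192.168.1.1"


def next_hop(host_ip, prefix_len, dst, gateway=GATEWAY):
    """Address a host resolves with ARP for a packet to dst: the destination
    itself when it is in the host's own subnet, otherwise the default gateway."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    return dst if ipaddress.ip_address(dst) in local_net else gateway


def send(arp_tables, src, dst, prefix_len=24):
    """Deliver one packet and return the device that receives the frame.
    arp_tables maps each device IP to its own {ip: mac} cache and is updated
    the way the who-has / is-at exchange updates both ends."""
    hop = next_hop(src, prefix_len, dst)
    if hop not in arp_tables[src]:
        arp_tables[hop][src] = MACS[src]  # target learns the sender from who-has
        arp_tables[src][hop] = MACS[hop]  # sender learns the target from is-at
    return hop


def fresh_tables():
    """Empty ARP cache for every device on the segment."""
    return {ip: {} for ip in MACS}


if __name__ == "__main__":
    tables = fresh_tables()
    print(send(tables, "192.168.1.100", "192.168.1.101"))  # 192.168.1.101
    print(tables[GATEWAY])  # {} : the firewall never saw the exchange
    print(send(tables, "192.168.1.100", "203.0.113.5"))    # 192.168.1.1
```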



  • It's the next rule blocking dhcp to the firewall. I'm sure if I disabled the rule after they got IPs they'd still ping as you say.


  • Netgate

    What? Why would you block DHCP on the interface doing DHCP?  There are hidden, automatic rules that pass DHCP traffic on interfaces with a DHCP server enabled.

    And, regardless, you will still not see traffic on interface VLANx with both source and destination of VLANx.



  • It's a block everything RFC1918 rule next. So will block everything on the firewall side.

    Anyway, it works. So thanks for that.


  • Netgate

    The DHCP pass rules are hidden and are above that.

    Good luck.