Netgate Discussion Forum

    Server's traffic that I permitted is getting limited

    Traffic Shaping
    26 Posts 4 Posters 5.2k Views
    • A
      Arief
      last edited by

      Hi All,

      I made some rules for the LAN network to access the internet and my other server in my office.
      The rule for LAN to limit speed access to the internet works.
      The rule for LAN to pass or have full-speed access to WAN works.
      The rule for LAN to pass or have full-speed access to 10.1.1.x does not work; I still get 300-400KB/s while my normal speed is 7-8MB/s. But when I turn off all the rules I have, the speed is still 300-400KB/s.

      I attached the network and my rules list.

      Is there any wrong step that I did, or did I miss a step?
      Thanks in advance.
      b.png
      ![tab list.png](/public/imported_attachments/1/tab list.png)

      • N
        Nullity
        last edited by

        I kinda got confused. Can you use screen-shots or more cleanly display your rules?

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

        • A
          Arief
          last edited by

          @Nullity:

          I kinda got confused. Can you use screen-shots or more cleanly display your rules?

          Hi Nullity,
          Sorry, I can't do a screenshot because I'm not in the office right now.

          In short, back when I was not using pfSense I could transfer data to this server at 7-8MBPS, but now just 300-400KBPS.

          So I have 3 rules.
          First, a rule to give limited internet speed to the LAN segment. I've created a limiter of 1MBPS for download and upload, then the rule is from LAN net to any (worked!).

          Second, a rule for a full-speed connection from the LAN segment to the WAN segment, from LAN net to WAN net (worked, I got 7-8MBPS while accessing the WAN segment).

          Third, a rule for the LAN segment to have full-speed access to my server, let's say server A. I've created an alias containing server A's IP address segment. Then the rule becomes from LAN net to Alias.

          The problem is, the third rule is maybe working, but when I test transferring data to server A, I just get 300-400KBPS. When I change the default gateway of my computer, or bypass this pfSense, I get 7-8MBPS.

          Hopefully you can help me, but if this is not clear enough, I will post some screenshots tomorrow.

          Thanks in advance.

          • A
            Arief
            last edited by

            Here I attach a .zip file containing screenshots of my rules and the environment of my system.

            Hope you can help with it.

            [Rules problem.zip](/public/imported_attachments/1/Rules problem.zip)

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Just attach screenshots when you post.

              Rules are evaluated top down, first match stops processing. Post your Firewall, Rules, LAN tab list

              So if you have a host on LAN net that you want to be treated differently, that rule has to be above more general rules.

              Pass IPv4 any source specific server dest any in/out none
              Pass IPv4 any source LAN net dest any in/out limiters

              Not sure why WAN net is an internal network. That's pretty confusing.

              https://doc.pfsense.org/index.php/Firewall_Rule_Basics

              https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

              https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • A
                Arief
                last edited by

                @Derelict:

                Just attach screenshots when you post.

                Rules are evaluated top down, first match stops processing. Post your Firewall, Rules, LAN tab list

                So if you have a host on LAN net that you want to be treated differently, that rule has to be above more general rules.

                Pass IPv4 any source specific server dest any in/out none
                Pass IPv4 any source LAN net dest any in/out limiters

                Not sure why WAN net is an internal network. That's pretty confusing.

                https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

                https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                Sorry, my bad. So I've created a pfSense server in a VM, and this VM is located in my server, in my office. The address segment of all servers is 192.168.0.x, and for all of the users who use the internet it is 192.168.200.x. So I created pfSense with 2 NICs: the first NIC is the WAN segment (192.168.0.254) and the second is the LAN segment (192.168.200.254).
                I made a rule to limit the internet usage, and unlimited access to WAN and to our other server (I made an alias and gave it the name "intranetalias"). So here is my rule.
                Here I attach the tab list.

                ![tab list.png](/public/imported_attachments/1/tab list.png)
                Environment.png

                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Why are all your rules TCP-only?


                  • KOMK
                    KOM
                    last edited by

                    Also, WAN Net is not the Internet in general, it's just the network your WAN is on.  Rules 2 & 3 are useless since the same access is handled by rule 5.  You could delete them and get the same results.

                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      Look at the diagram again. WAN is not WAN but is another LAN/OPT. Nice and confusing.


                      • KOMK
                        KOM
                        last edited by

                        Look at the diagram again.

                        I didn't look at it the first time  ;D

                        OK, disregard what I said about that.

                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          Probably still has a gateway set on it.


                          • A
                            Arief
                            last edited by

                            @Derelict:

                            Why are all your rules TCP-only?

                            I just want to make rules for 192.168.200.x.
                            What did I do wrong? Can you give me some example of how to set up pfSense correctly? Because if I delete all of those rules and transfer data to my other server I just get 300-400KB/s, but without pfSense I can get 7-8MB/s.

                            • DerelictD
                              Derelict LAYER 8 Netgate
                              last edited by

                              TCP is just one protocol. You probably also want UDP and ICMP. Change the TCPs to any unless you know you are dealing with TCP ports.

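Derelict's two points in this thread, top-down first-match ordering of the limiter rules and the TCP-only rules, as an added example that is not part of the thread: a small Python model of how the LAN tab is evaluated, first match wins and the matching rule's limiter is applied. The addresses follow the thread; the rule lists, the limiter name "1mbit" and the internet host 203.0.113.5 are constructed for the example.

```python
# Added example (not from the thread): a tiny model of pfSense evaluating the
# LAN tab top-down, first match wins, with the matching rule's limiter applied.
# It shows why the server exemption must sit ABOVE the general "LAN net -> any"
# limiter rule, and why a TCP-only exemption leaves UDP/ICMP in the limiter.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LAN_NET = ip_network("192.168.200.0/24")          # users (pfSense LAN side)
INTRANET_ALIAS = [ip_network("192.168.0.0/24")]   # servers ("intranetalias")
INTERNET_HOST = "203.0.113.5"                     # constructed (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: IPv4Network            # source network ("LAN net")
    dst: List[IPv4Network]      # destination alias; empty list means "any"
    limiter: Optional[str]      # In/Out pipe name; None means full speed


def matches(rule: Rule, proto: str, src, dst) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if src not in rule.src:
        return False
    return not rule.dst or any(dst in net for net in rule.dst)


def evaluate(rules: List[Rule], proto: str, src: str,
             dst: str) -> Optional[Tuple[int, Optional[str]]]:
    """Return (index, limiter) of the first matching pass rule, or None when
    nothing matches (pfSense's default deny on the interface)."""
    s, d = ip_address(src), ip_address(dst)
    for i, rule in enumerate(rules):
        if matches(rule, proto, s, d):
            return i, rule.limiter
    return None


# Poster's shape: TCP-only, and the general limiter rule is evaluated first.
BROKEN = [Rule("tcp", LAN_NET, [], "1mbit"),
          Rule("tcp", LAN_NET, INTRANET_ALIAS, None)]
# Exemption on top but still TCP-only: UDP/ICMP to the server stay limited.
TCP_ONLY_EXEMPT = [Rule("tcp", LAN_NET, INTRANET_ALIAS, None),
                   Rule("any", LAN_NET, [], "1mbit")]
# Derelict's shape: specific rule first, protocol any, general limiter last.
FIXED = [Rule("any", LAN_NET, INTRANET_ALIAS, None),
         Rule("any", LAN_NET, [], "1mbit")]
```

Note that this only models rule matching; the poster also saw the slow transfer with all rules removed, which is why the routing (the gateway on the interface) was questioned separately in the thread.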

                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                @Arief:

                                @Derelict:

                                Why are all your rules TCP-only?

                                I just want to make rules for 192.168.200.x.
                                What did I do wrong? Can you give me some example of how to set up pfSense correctly? Because if I delete all of those rules and transfer data to my other server I just get 300-400KB/s, but without pfSense I can get 7-8MB/s.

                                I suggest you blow out the config and start over. Make WAN the interface going to your upstream, and make LAN for your LAN. Get everything routing how you want THEN add OPT1 for the other segment. Get everything routing how you want THEN worry about the limiters.


                                • A
                                  Arief
                                  last edited by

                                  @Derelict:

                                  I suggest you blow out the config and start over. Make WAN the interface going to your upstream, and make LAN for your LAN. Get everything routing how you want THEN add OPT1 for the other segment. Get everything routing how you want THEN worry about the limiters.

                                  Wait, I got a little confused. So I need to provide 3 NICs, and the WAN IP is 192.168.0.1?

                                  • DerelictD
                                    Derelict LAYER 8 Netgate
                                    last edited by

                                    According to your diagram the WAN IP should be 192.168.0.x and the gateway should be 192.168.0.1 but we only know what you have posted.


                                    • A
                                      Arief
                                      last edited by

                                      @Derelict:

                                      According to your diagram the WAN IP should be 192.168.0.x and the gateway should be 192.168.0.1 but we only know what you have posted.

                                      Oh yes, I filled in the upstream gateway for WAN as 192.168.0.1, but the WAN IP is 192.168.0.254.

                                      • A
                                        Arief
                                        last edited by

                                        So I should build a configuration like this?

                                        should.png

                                        • DerelictD
                                          Derelict LAYER 8 Netgate
                                          last edited by

                                          Yes that makes a lot more sense.


                                          • A
                                            Arief
                                            last edited by

                                            @Derelict:

                                            Yes that makes a lot more sense.

                                            Wait, 192.168.0.1 is my gateway. Will it conflict if I put the WAN IP address as 192.168.0.1?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.