Server's Traffic that i permitted getting limitted



  • Hi All,

    I made some rules for LAN network to access internet and my other server in my office.
    Rules for LAN to limit speed access to internet is worked
    Rules for LAN to pass or have full speed access to WAN is worked
    Rules for LAN to pass or have full speed access 10.1.1.x is not worked, i still have 300-400KB/s my normal speed is 7-8MB/s. But when i turn off all the rules i have, the speed is still 300-400KB/s

    i attached the network, and my rules list

    is there any wrong step that i did? or miss step?
    Thanks in advance.


    ![tab list.png](/public/imported_attachments/1/tab list.png)
    ![tab list.png_thumb](/public/imported_attachments/1/tab list.png_thumb)



  • I kinda got confused. Can you use screen-shots or more cleanly display your rules?



  • @Nullity:

    I kinda got confused. Can you use screen-shots or more cleanly display your rules?

    Hi Nullity,
    Sorry can't do screen shot because i'm not in the office right now.

    Shortly, back when i was not use pfsense i could transfer data into this server with 7-8MBPS speed, but now just 300-400KBPS.

    so i have 3 rules.
    first, rule for give a limit speed internet in LAN segment. I've created limiter 1MBPS for download and upload, then the rule is from LAN net to any (Worked!),

    second, rule for full speed connection in LAN segment to access WAN segment, from LAN net to WAN net (Worked,i have got 7-8MBPS while access the WAN segment),

    Third, rule for LAN segment to have full Access speed to my Server, lets say server A. I've created alias contains Server A's IP address segment. then the rules become, from LAN net to Alias.

    The problem is, The third rules is maybe working but when i test to transfer data into server A, i just got 300-400KBPS speed, When i change the default gateway of my computer or i was bypassed this pfsense, i got 7-8MBPS speed.

    Hopefully you can help me, but if this is not clear enough, i will post some screenshot tomorrow.

    Thanks in advance



  • Here i attach .zip file's contain screenshot of my rules and the environment of my system

    Hope you can help it.

    [Rules problem.zip](/public/imported_attachments/1/Rules problem.zip)


  • LAYER 8 Netgate

    Just attach screenshots when you post.

    Rules are evaluated top down, first match stops processing. Post your Firewall, Rules, LAN tab list

    So if you have a host on LAN net that you want to be treated differently, that rule has to be above more general rules.

    Pass IPv4 any source specific server dest any in/out none
    Pass IPv4 any source LAN net dest any in/out limiters

    Not sure why WAN net is an internal network. That's pretty confusing.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting



  • @Derelict:

    Just attach screenshots when you post.

    Rules are evaluated top down, first match stops processing. Post your Firewall, Rules, LAN tab list

    So if you have a host on LAN net that you want to be treated differently, that rule has to be above more general rules.

    Pass IPv4 any source specific server dest any in/out none
    Pass IPv4 any source LAN net dest any in/out limiters

    Not sure why WAN net is an internal network. That's pretty confusing.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Sorry my bad, so i've created pfsense server in VM and this vm located in my server, and in my office, The address segment of all server is 192.168.0.x And for all of users who use internet is 192.168.200.x. So i created pfsense with 2 NIC, first NIC is wan segment(192.168.0.254) and the second is LAN segment(192.168.200.254).
    I make a rule for limit the internet usage, and unlimit access to WAN and access to our another server(i make an alias and give name "intranetalias"), So here is my rule
    Here i Attach the tab list

    ![tab list.png](/public/imported_attachments/1/tab list.png)
    ![tab list.png_thumb](/public/imported_attachments/1/tab list.png_thumb)


  • LAYER 8 Netgate

    Why are all your rules TCP-only?



  • Also, WAN Net is not the Internet in general, it's just the network your WAN is on.  Rules 2 & 3 are useless since the same access is handled by rule 5.  You could delete them and get the same results.


  • LAYER 8 Netgate

    Look at the diagram again. WAN is not WAN but is another LAN/OPT. Nice and confusing.



  • Look at the diagram again.

    I didn't look at it the first time  ;D

    OK, disregard what I said about that.


  • LAYER 8 Netgate

    Probably still has a gateway set on it.



  • @Derelict:

    Why are all your rules TCP-only?

    i just want to make rules for 192.168.200.x
    what did i do wrong? can you give me some example for create pfsense correctly? because if i deleted all of that rules and transfer data to my another server i just have 300-400KB/s but without pfSense i can have 7-8MB/s speed.


  • LAYER 8 Netgate

    TCP is just one protocol. You probably also want UDP and ICMP. Change the TCPs to any unless you know you are dealing with TCP ports.


  • LAYER 8 Netgate

    @Arief:

    @Derelict:

    Why are all your rules TCP-only?

    i just want to make rules for 192.168.200.x
    what did i do wrong? can you give me some example for create pfsense correctly? because if i deleted all of that rules and transfer data to my another server i just have 300-400KB/s but without pfSense i can have 7-8MB/s speed.

    I suggest you blow out the config and start over. Make WAN to interface going to your upstream, and make LAN for your LAN.  Get everything routing how you want THEN add OPT1 for the other segment.  Get everything routing how you want THEN worry about the limiters.



  • @Derelict:

    I suggest you blow out the config and start over. Make WAN to interface going to your upstream, and make LAN for your LAN.  Get everything routing how you want THEN add OPT1 for the other segment.  Get everything routing how you want THEN worry about the limiters.

    Wait, i got a little confused. So i need to provide 3 NIC and the wan ip is 192.168.0.1?


  • LAYER 8 Netgate

    According to your diagram the WAN IP should be 192.168.0.x and the gateway should be 192.168.0.1 but we only know what you have posted.



  • @Derelict:

    According to your diagram the WAN IP should be 192.168.0.x and the gateway should be 192.168.0.1 but we only know what you have posted.

    Oh yes, i fill in the upstream gateway for wan is 192.168.0.1 but the WAN IP is 192.168.0.254



  • So i should build configuration like this?



  • LAYER 8 Netgate

    Yes that makes a lot more sense.



  • @Derelict:

    Yes that makes a lot more sense.

    Wait, 192.168.0.1 is my gateway. will it conflict if i put WAN ip address 192.168.0.1?


  • LAYER 8 Netgate

    Of course. You said WAN IP was .254



  • @Derelict:

    Of course. You said WAN IP was .254

    Sorry i don't understand, so when i set interface(s) ip address, i should put 192.168.0.1 in WAN IPv4 Address?
    will it affect my current gateway?


  • LAYER 8 Netgate

    Your WAN IP address should be something other than your gateway IP address.

    IP addresses on a subnet must be unique.



  • @Derelict:

    Your WAN IP address should be something other than your gateway IP address.

    IP addresses on a subnet must be unique.

    oh i just got it, the reason i build that confusing configuration because the upstream gateway(192.168.0.1) is internet gateway in my office.
    and if i want to built configuration like u suggested, how do i can connect to internet, should i put the upstream gateway anyway?



  • Sorry, how about this? i think my pfsense right now is more like this




  • @Derelict:

    Your WAN IP address should be something other than your gateway IP address.

    IP addresses on a subnet must be unique.

    i have edited my first post, perhaps its clearer than before.


Log in to reply