    Need help setting up a simple limiter

    Traffic Shaping | 20 Posts, 6 Posters, 5.6k Views
    shull:

      I've got a problem with my 14 yr old grandson: he's addicted to online games and streaming, but can't seem to find time to do his homework.  My wife and I work late.  From the time he gets home after school until we get home, our grandson typically manages to download 5 or 6 GB.  I'd like to limit his bandwidth to the point of degrading his realtime streaming while still allowing a reasonable response time for normal web browsing.  To that end, I've been trying to set up a simple limiter.  I have not been able to get it to work, and would appreciate any advice.  Here's my setup:

      Limiter 1:
      Name:  Download
      Bandwidth:  56 Kbits (for testing)
      Mask:  Destination addresses
      Mask bits IPv4 & IPv6:  Blank
      No queues

      Limiter 2:
      Name:  Upload
      Bandwidth:  56 Kbits
      Mask:  Destination addresses
      Mask bits IPv4 & IPv6:  Blank
      No queues

      I have defined an alias with 3 static IPs defining my grandson's devices:  Maxs_devices

      I added the following firewall rule to the LAN interface, and moved it ahead of the default rule to allow LAN to any:
      Action:  Pass
      Interface:  LAN
      TCP/IP:  IPv4
      Protocol:  TCP/UDP
      Source: Maxs_devices
      Source Ports: any
      Destination: LAN_net
      Destination Ports:  any
      Advanced features:
      In/Out:
        Upload/Download

      Any advice would be greatly appreciated.  Thanks!

      shull

      Nullity:

        Are you trying to limit bandwidth usage or are you trying to discourage access?

        Personally, I would just use queues, since they are easier to understand.

        Regarding the firewall rule, I think you have the "Destination" wrong. I use NOT LAN as a destination.

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

        shull:

          "Are you trying to limit bandwidth usage or are you trying to discourage access?"

          • Not sure I understand what you're asking.  I want to limit bandwidth on 3 devices to 56K (I'll tweak the final value), in order to degrade his online gaming and streaming activities to the point where he gives up out of frustration.  I want to be able to schedule the times when the network is throttled, and I want to limit that throttling to just 3 devices.

          "Personally, I would just use queues, since they are easier to understand."

          • I tried this setup using queues, but thought they added complexity.  I couldn't get them to work, either.  But, I wasn't using ! LAN_net as the destination.  If queueing allows control over response time (i.e., gaming feels more sluggish), that's a plus.

          "Regarding the firewall rule, I think you have the "Destination" wrong. I use NOT LAN as a destination."
          • I wanted to clarify that you meant NOT LAN_net, but that didn't work.  I even disabled all my other firewall rules to make sure I hadn't inadvertently left something in place that bypassed the limiter rule.

          Thanks!

          Nullity:

            @shull:

            What I meant was do you want to block him (an arbitrary parental limit), or are you trying to save bandwidth (perhaps you use 3/4G or satellite internet and have a per month/day gigabyte limit)?


            Nullity:

              If you want to block access, block it. (firewall rules)
              If you want to limit bandwidth, limit bandwidth. (traffic-shaping)

              You can block many services, depending on the client's skills. Maybe snort can help.

              The best QoS does not compare to physically asking/demanding that the user stop their inconsiderate activities. :)


              shull:

                Thanks, but we already tried blocking.  From a technical standpoint, everything worked perfectly:  we could set a schedule and allow/not allow access accordingly.  What we didn't anticipate was my grandson's violent temper tantrum when he realized we had shut off his internet access.  I wasn't at home at the time, but he got physically abusive toward my wife.  My wife and I decided totally blocking access, even for short periods of time, wasn't worth the risk.  As you can see, we're way beyond asking/demanding that he cut back on his online activities.  He's demonstrated that he's willing to take his defiance further than we're willing to go.  Which leads us to bandwidth control.  I think we can explain that we don't know why the internet runs slow at times- maybe our neighbors just installed wifi and it's interfering with ours?  Maybe solar flares have disrupted the internet near Atlanta, or who knows?  I can randomize the time and bandwidth to make it look like an arbitrary event.

                I'm running snort.  It's a great tool for detecting and preventing unauthorized or malicious attempts to access your network, but it's not really designed for bandwidth control.

                I read somewhere that the limiters were originally developed to facilitate testing networks to see how well they handled impaired conditions.  Well, I need to generate some impairments.  Thanks,

                shull

                Nullity:

                  @shull:

                  You could just as easily create a queue with a limit of 56k. You can use pftop to assure traffic is passing through the proper queue.

                  I wish I could help with the limiters, but I don't use them.

                  I would enable logging on the firewall rule to confirm it is seeing the proper traffic, then use pftop to confirm that the firewall rule is assigning that traffic to the proper queue. Done.


                  sideout:

                    Dude my 2 cents here - he gets abusive like that - call the cops and report an unruly child. Let him get hauled away in cuffs and enjoy some time on the other side.  You are seriously in the wrong place if you are trying to appease him and "limit" his access.  I had my ex do that on my kid when he got like that once and no problems ever since.

                    I have 17 and 16 year old boys and trust me, they pull that crap, a beat down is going to happen.

                    Put a lock on the breaker box and shut off his breaker, sell his stuff, whatever - nip that in the bud fast.  You are not way beyond asking/demanding he cut back. You're the freaking parent here. This is what is wrong with this country today - people let their kids decide - screw that - man up and handle it.

                    I recognize it is your kid and you have the right to parent the way you choose.  I wish you good luck in dealing with that situation.

                    dabigoreo:

                      @sideout:

                      THIS ^….

                      fw: 2.3-RELEASE(amd64)
                      packages: Snort, Nmap

                      system: Dell Optiplex 745 desktop
                      cpu: Intel Pentium D 3.4GHz
                      ram: 4GB DDR2
                      wan nic: Broadcom Gbe
                      lan nic: Marvell Gbe

                      Nullity:

                        I would like to throw in a preemptive "stay on topic"…


                        shull:

                          I agree, we need to shift this thread back on topic.  The pfSense book has a good overview of limiters in the section on traffic shaping.  Based on what I read, I think they are exactly the solution I'm looking for.  I haven't seen any good examples here in the forums.  I'm really just looking for specific advice on how to set them up.  Thanks!

                          Nullity:

                            @shull:

                            Limiters & queues are very similar, but the thing they both rely on is a firewall that catches the proper traffic.
                            For your purposes, queues & limiters function the same since you are only using the simplest of features.

                            Like I outlined, verify the firewall rule then verify the queue/limiter.

                            PS - If you have seen no good examples on the forums, then you have not searched. There are thousands of examples.


                            shull:

                              Unbelievable (see attached msg from Comcast).

                              ![Comcast Overage.jpg](/public/imported_attachments/1/Comcast Overage.jpg)

                              shull:

                                From the pfSense book:
                                "Enforce Bandwidth Limits
                                Using limiters you can apply a bandwidth limit to a group of people, such as all traffic on an interface, or you can set masking on the limiters to apply them on a per-IP basis. This way you can ensure that no one person can consume all available bandwidth.

                                Limiters
                                Limiters are a new method of traffic shaping, introduced in pfSense 2.0 under Firewall > Traffic Shaper on the Limiters tab. Limiters use dummynet(4) to enact bandwidth limits and perform other prioritization tasks, among other things. Limiters are currently the only way to achieve per-IP bandwidth limiting in pfSense.
                                Limiters have actually been in use for a lot longer on pfSense as part of the Captive Portal’s per-user bandwidth limits, but in 2.0 they have been hooked into pf so that they may be used on their own with normal firewall rules, outside of Captive Portal.

                                Like HFSC and CBQ, Limiters may be nested with queues inside other queues. Root-level limiters (Also called Pipes), may have bandwidth limits and delays, while child limiters (Also called queues), may have priorities (Also called weights). Bandwidth limits can be optionally masked by either the source IP or the destination IP, so that the limits can be applied per-IP instead of as a group."


                                I don't quite know how to interpret that last paragraph.  It pretty much says limiters and queues have different sets of functionality.  If they were the same, we wouldn't need both would we?  And the fact that Limiters may be nested also implies that it's also possible they might not be nested.  Taking these together, I interpret this paragraph to mean:
                                a) If you want to use bandwidth limits, you set it in the root level limiter
                                b) Child limiters are also known as queues
                                c) If you need to set priorities on different classes of service or for different groups of IPs, you need to use a queue, which is nested under a Limiter.

                                From these, I conclude that Limiters should work with or without queues, and that queues are only needed to support  advanced features such as traffic prioritization.

                                I'll be the first to admit that I have ZERO experience with Limiters.  I've done the research, used respectable sources, and applied my best deductive reasoning  to figure out how to make them work.  If I've made some invalid assumptions along the way or reached the wrong conclusion, I hope someone with more knowledge can steer me in the right direction.  But the way I see it right now, queues are an unnecessary complication.  If I'm wrong, don't just tell me I'm wrong, educate me so I can learn something.  Got a working example?  Show me.  Thanks!

                                Derelict (Netgate):

                                  Your problem in your first post is Destination LAN net. That should be destination any. Everything else looks like it should work, though I would just use protocol any too. Oh and your Upload (LAN in) limiter should be masked on source address. Your Download (LAN out) limiter is fine with destination address. Note that this will create a separate pipe for each address. If you just want one limit shared by all devices, don't set a mask at all.

                                  With limiters (dummynet) you can also do nifty things like induce random packet loss and delay. That might also help discourage use.

                                  I'll leave whether this is wise policy to others. I have my own 16-year-old problem to deal with.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  shull:

                                    EUREKA!!  I found the problem!

                                    The short answer:  I had created an alias that contained the fully qualified device names of the 3 devices my grandson uses.  I've been using pfBlockerNG to block undesirable web sites.  Apparently there's a conflict between the DNS Resolver and pfBlockerNG, so you are advised to turn OFF the feature in the Resolver that registers static DHCP mappings.  Therefore… my firewall rules never recognized traffic to/from my grandson's devices, and all his traffic ended up hitting the default rule that allowed normal clients to send/receive traffic.  As soon as I changed the firewall rule from using an alias to using a hardwired IP address, the limiters started working.

                                    For future reference, in case somebody else needs to set up something similar, here are the settings that I ended up with:

                                    Under Firewall->Traffic Shaper->Limiter, create 2 Limiters:
                                    Name:  Limiter-A
                                    Bandwidth:  I used 1 Mbps
                                    Description:  Upload speed from the PC to WAN

                                    Name:  Limiter-B
                                    Bandwidth:  I set it to 512 Kbits
                                    Description:  Download speed from WAN to PC

                                    Added the following rule to the firewall:
                                    Interface:
                                      LAN
                                    Source:  IP address of device I want to limit
                                    Destination: ! IP address of device I want to limit
                                    In/Out:  Limiter-A/Limiter-B

                                    This is about as simple a setup as possible.  I plan to subnet my grandson's static IPs so I can use 1 rule to limit all his devices.  I will also experiment with random packet loss and delay as Derelict suggested.  That will require queues, but now that I have a working foundation, it should be a lot easier to get these features working.

                                    Thanks to everyone who took the time to help!

                                    -shull

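Derelict's correction of the original rule (destination any; upload limiter masked by source, download limiter masked by destination) and shull's finding that an alias of hostnames never matched any traffic both come down to the same two checks: does the LAN rule actually catch the device's packets, and does the mask key the pipe on the address that identifies the device in that direction. The following is an added example, not code from this thread or from pfSense, that models those two checks in Python. The LAN subnet 192.168.1.0/24, the device and remote addresses, and the `resolver` dict standing in for the firewall's hostname lookup are all assumptions made for the illustration.

```python
"""Added example (not pfSense code): why a LAN limiter rule silently misses.

1. The LAN pass rule must match the device's traffic. "Destination: LAN net"
   only matches packets addressed to the LAN subnet, so internet-bound
   traffic falls through to the default LAN-to-any rule and is never limited.
   An alias of hostnames the firewall cannot resolve behaves like an empty
   alias and fails the same way.
2. The limiter mask must key on the address that identifies the device in
   that direction: the upload (LAN "in") pipe sees src = device, the
   download (LAN "out") pipe sees dst = device.

The subnet, addresses and the resolver dict below are constructed.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet


def alias_hosts(entries, resolver):
    """Resolve alias entries to a set of IP addresses.

    Literal addresses are kept. Hostnames are looked up in `resolver`, a dict
    standing in for the firewall's DNS lookup; names it does not know are
    dropped silently, which is how a hostname-only alias ends up matching
    nothing.
    """
    hosts = set()
    for entry in entries:
        try:
            hosts.add(ipaddress.ip_address(entry))
        except ValueError:
            if entry in resolver:
                hosts.add(ipaddress.ip_address(resolver[entry]))
    return hosts


def rule_matches(src, dst, src_hosts, dst_spec):
    """LAN pass rule: source must be in src_hosts, destination per dst_spec."""
    if ipaddress.ip_address(src) not in src_hosts:
        return False
    dst_ip = ipaddress.ip_address(dst)
    if dst_spec == "any":
        return True
    if dst_spec == "LAN net":
        return dst_ip in LAN_NET
    if dst_spec == "!LAN net":
        return dst_ip not in LAN_NET
    raise ValueError(f"unknown destination spec {dst_spec!r}")


def pipe_key(src, dst, mask):
    """Address a masked limiter uses to pick the per-host pipe."""
    if mask == "source":
        return src
    if mask == "destination":
        return dst
    return "shared"  # no mask: a single pipe shared by every matching host


def classify(flows, alias_ips, dst_spec, in_mask="source", out_mask="destination"):
    """For each (device, remote) flow, return the upload and download pipe keys,
    or 'unlimited' when the rule misses and the default rule passes the flow."""
    result = {}
    for dev, remote in flows:
        # First packet: from the device, entering the LAN interface ("in" pipe).
        if not rule_matches(dev, remote, alias_ips, dst_spec):
            result[(dev, remote)] = "unlimited"
            continue
        # Replies leave the LAN interface toward the device ("out" pipe).
        result[(dev, remote)] = (
            "upload:" + pipe_key(dev, remote, in_mask),
            "download:" + pipe_key(remote, dev, out_mask),
        )
    return result


# Constructed sample: two of the limited devices, one internet host, one LAN host.
DEVICES = ["192.168.1.50", "192.168.1.51"]
FLOWS = [
    ("192.168.1.50", "198.51.100.10"),  # streaming host on the internet
    ("192.168.1.51", "198.51.100.10"),
    ("192.168.1.50", "192.168.1.20"),   # another host on the LAN
]

if __name__ == "__main__":
    ips = alias_hosts(DEVICES, {})
    print("dest LAN net:", classify(FLOWS, ips, "LAN net"))
    print("dest any    :", classify(FLOWS, ips, "any"))
    print("FQDN alias  :", classify(FLOWS, alias_hosts(["max-laptop.home.arpa"], {}), "any"))
```

With "LAN net" as the destination only the LAN-to-LAN flow is limited; with "any" every flow from a listed device lands in a per-device pipe; with an unresolved hostname alias nothing is limited at all. On a real pfSense box the equivalent check for the third case is `pfctl -t Maxs_devices -T show`, which lists the addresses the alias currently resolves to; an empty listing is the failure modelled here.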
                                      Derelict (Netgate):

                                      Destination:  ! IP address of device I want to limit

                                      Just use any, amigo.


                                        shull:

                                        @Derelict:

                                        Thanks, good observation.

                                          jahonix:

                                          @shull:

                                          I will also experiment with random packet loss and delay as Derelict suggested.

                                          Just found this when reading about limiters in the pfSense book for another project I'm working on:

                                          The dummynet(4) system was originally designed, according to its man page, as a means to test TCP congestion control, and it grew up from there. Due to this purpose, a unique feature of limiters is that they can be used to induce artificial packet loss and delay into network traffic. That is primarily used in troubleshooting and testing (or being evil and playing a prank on someone), and not often found in production.

                                            Derelict (Netgate):

                                            Dialup PPP was about 48kbps with about 220ms delay at best. Toss in about 5% packet loss to mimic overbooked ISP T1 uplink for good measure. Next time some kid bitches about slow internet, show them what it was like in the good old days. Have fun. :) And get off my lawn.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.