Need help setting up a simple limiter



  • I've got a problem with my 14 yr old grandson: he's addicted to online games and streaming, but can't seem to find time to do his homework.  My wife and I work late.  From the time he gets home after school until we get home, our grandson typically manages to download 5 or 6 GB.  I'd like to limit his bandwidth to the point of degrading his realtime streaming while still allowing a reasonable response time for normal web browsing.  To that end, I've been trying to set up a simple limiter.  I have not been able to get it to work, and would appreciate any advice.  Here's my setup:

    Limiter 1:
    Name:  Download
    Bandwidth:  56 Kbits (for testing)
    Mask:  Destination addresses
    Mask bits IPv4 & IPv6:  Blank
    No queues

    Limiter 2:
    Name:  Upload
    Bandwidth:  56 Kbits
    Mask:  Destination addresses
    Mask bits IPv4 & IPv6:  Blank
    No queues

    I have defined an alias with 3 static IPs defining my grandson's devices:  Maxs_devices

    I added the following firewall rule to the LAN interface, and moved it ahead of the default rule to allow LAN to any:
    Action:  Pass
    Interface:  LAN
    TCP/IP:  IPv4
    Protocol:  TCP/UDP
    Source: Maxs_devices
    Source Ports: any
    Destination: LAN_net
    Destination Ports:  any
    Advanced features:
    In/Out:
      Upload/Download

    Any advice would be greatly appreciated.  Thanks!

    shull



  • Are you trying to limit bandwidth usage or are you trying to discourage access?

    Personally, I would just use queues, since they are easier to understand.

    Regarding the firewall rule, I think you have the "Destination" wrong. I use NOT LAN as a destination.



  • "Are you trying to limit bandwidth usage or are you trying to discourage access?"

    • Not sure I understand what you're asking.  I want to limit bandwidth on 3 devices to 56K (I'll tweak the final value), in order to degrade his online gaming and streaming activities to the point where he gives up out of frustration.  I want to be able to schedule the times when the network is throttled, and I want to limit that throttling to just 3 devices.

    "Personally, I would just use queues, since they are easier to understand."

    • I tried this setup using queues, but thought they added complexity.  I couldn't get them to work, either.  But, I wasn't using ! LAN_net as the destination.  If queueing allows control over response time (i.e., gaming feels more sluggish), that's a plus.

    "Regarding the firewall rule, I think you have the "Destination" wrong. I use NOT LAN as a destination."
• I wanted to clarify that you meant NOT LAN_net, but that didn't work.  I even disabled all my other firewall rules to make sure I hadn't inadvertently left something in place that bypassed the limiter rule.

    Thanks!



  • @shull:

    "Are you trying to limit bandwidth usage or are you trying to discourage access?"

    • Not sure I understand what you're asking.  I want to limit bandwidth on 3 devices to 56K (I'll tweak the final value), in order to degrade his online gaming and streaming activities to the point where he gives up out of frustration.  I want to be able to schedule the times when the network is throttled, and I want to limit that throttling to just 3 devices.

    What I meant was do you want to block him (an arbitrary parental limit), or are you trying to save bandwidth (perhaps you use 3/4G or satellite internet and have a per month/day gigabyte limit)?



  • If you want to block access, block it. (firewall rules)
    If you want to limit bandwidth, limit bandwidth. (traffic-shaping)

    You can block many services, depending on the client's skills. Maybe snort can help.

    The best QoS does not compare to physically asking/demanding that the user stop their inconsiderate activities. :)



  • Thanks, but we already tried blocking.  From a technical standpoint, everything worked perfectly:  we could set a schedule and allow/not allow access accordingly.  What we didn't anticipate was my grandson's violent temper tantrum when he realized we had shut off his internet access.  I wasn't at home at the time, but he got physically abusive toward my wife.  My wife and I decided totally blocking access, even for short periods of time, wasn't worth the risk.  As you can see, we're way beyond asking/demanding that he cut back on his online activities.  He's demonstrated that he's willing to take his defiance further than we're willing to go.  Which leads us to bandwidth control.  I think we can explain that we don't know why the internet runs slow at times- maybe our neighbors just installed wifi and it's interfering with ours?  Maybe solar flares have disrupted the internet near Atlanta, or who knows?  I can randomize the time and bandwidth to make it look like an arbitrary event.

    I'm running snort.  It's a great tool for detecting and preventing unauthorized or malicious attempts to access your network, but it's not really designed for bandwidth control.

    I read somewhere that the limiters were originally developed to facilitate testing networks to see how well they handled impaired conditions.  Well, I need to generate some impairments.  Thanks,

    shull



  • @shull:

    Thanks, but we already tried blocking.  From a technical standpoint, everything worked perfectly:  we could set a schedule and allow/not allow access accordingly.  What we didn't anticipate was my grandson's violent temper tantrum when he realized we had shut off his internet access.  I wasn't at home at the time, but he got physically abusive toward my wife.  My wife and I decided totally blocking access, even for short periods of time, wasn't worth the risk.  As you can see, we're way beyond asking/demanding that he cut back on his online activities.  He's demonstrated that he's willing to take his defiance further than we're willing to go.  Which leads us to bandwidth control.  I think we can explain that we don't know why the internet runs slow at times- maybe our neighbors just installed wifi and it's interfering with ours?  Maybe solar flares have disrupted the internet near Atlanta, or who knows?  I can randomize the time and bandwidth to make it look like an arbitrary event.

    I'm running snort.  It's a great tool for detecting and preventing unauthorized or malicious attempts to access your network, but it's not really designed for bandwidth control.

    I read somewhere that the limiters were originally developed to facilitate testing networks to see how well they handled impaired conditions.  Well, I need to generate some impairments.  Thanks,

    shull

    You could just as easily create a queue with a limit of 56k. You can use pftop to assure traffic is passing through the proper queue.

    I wish I could help with the limiters, but I don't use them.

    I would enable logging on the firewall rule to confirm it is seeing the proper traffic, then use pftop to confirm that the firewall rule is assigning that traffic to the proper queue. Done.



  • Dude my 2 cents here - he gets abusive like that - call the cops and report an unruly child. Let him get hauled away in cuffs and enjoy some time on the other side.  You are seriously in the wrong place if you are trying to appease him and "limit" his access.  I had my ex do that on my kid when he got like that once and no problems ever since.

I have 17 and 16 year old boys and trust me, they pull that crap, a beat down is going to happen.

Put a lock on the breaker box and shut off his breaker, sell his stuff, whatever - nip that in the bud fast.  You are not way beyond asking/demanding he cut back. You're the freaking parent here. This is what is wrong with this country today - people let their kids decide - screw that - man up and handle it.

    I recognize it is your kid and you have the right to parent the way you choose.  I wish you good luck in dealing with that situation.



  • @sideout:

    Dude my 2 cents here - he gets abusive like that - call the cops and report an unruly child. Let him get hauled away in cuffs and enjoy some time on the other side.  You are seriously in the wrong place if you are trying to appease him and "limit" his access.  I had my ex do that on my kid when he got like that once and no problems ever since.

I have 17 and 16 year old boys and trust me, they pull that crap, a beat down is going to happen.

Put a lock on the breaker box and shut off his breaker, sell his stuff, whatever - nip that in the bud fast.  You are not way beyond asking/demanding he cut back. You're the freaking parent here. This is what is wrong with this country today - people let their kids decide - screw that - man up and handle it.

    I recognize it is your kid and you have the right to parent the way you choose.  I wish you good luck in dealing with that situation.

    THIS ^….



  • I would like to throw in a preemptive "stay on topic"…



  • I agree, we need to shift this thread back on topic.  The pfSense book has a good overview of limiters in the section on traffic shaping.  Based on what I read, I think they are exactly the solution I'm looking for.  I haven't seen any good examples here in the forums.  I'm really just looking for specific advice on how to set them up.  Thanks!



  • @shull:

    I agree, we need to shift this thread back on topic.  The pfSense book has a good overview of limiters in the section on traffic shaping.  Based on what I read, I think they are exactly the solution I'm looking for.  I haven't seen any good examples here in the forums.  I'm really just looking for specific advice on how to set them up.  Thanks!

    Limiters & queues are very similar, but the thing they both rely on is a firewall that catches the proper traffic.
For your purposes, queues & limiters function the same since you are only using the simplest of features.

    Like I outlined, verify the firewall rule then verify the queue/limiter.

    PS - If you have seen no good examples on the forums, then you have not searched. There are thousands of examples.



  • Unbelievable (see attached msg from Comcast).

    ![Comcast Overage.jpg](/public/imported_attachments/1/Comcast Overage.jpg)



  • From the pfSense book:
    "Enforce Bandwidth Limits
    Using limiters you can apply a bandwidth limit to a group of people, such as all traffic on an interface, or you can set masking on the limiters to apply them on a per-IP basis. This way you can ensure that no one person can consume all available bandwidth.

    Limiters
    Limiters are a new method of traffic shaping, introduced in pfSense 2.0 under Firewall Traffic Shaper on the Limiters tab. Limiters use dummynet(4) to enact bandwidth limits and perform other prioritization tasks, among other things. Limiters are currently the only way to achieve per-IP bandwidth limiting in pfSense.
    Limiters have actually been in use for a lot longer on pfSense as part of the Captive Portal’s per-user bandwidth limits, but in 2.0 they have been hooked into pf so that they may be used on their own with normal firewall rules, outside of Captive Portal.

    Like HFSC and CBQ, Limiters may be nested with queues inside other queues. Root-level limiters (Also called Pipes), may have bandwidth limits and delays, while child limiters (Also called queues), may have priorities (Also called weights). Bandwidth limits can be optionally masked by either the source IP or the destination IP, so that the limits can be applied per-IP instead of as a group."


    I don't quite know how to interpret that last paragraph.  It pretty much says limiters and queues have different sets of functionality.  If they were the same, we wouldn't need both would we?  And the fact that Limiters may be nested also implies that it's also possible they might not be nested.  Taking these together, I interpret this paragraph to mean:
    a) If you want to use bandwidth limits, you set it in the root level limiter
    b) Child limiters are also known as queues
    c) If you need to set priorities on different classes of service or for different groups of IPs, you need to use a queue, which is nested under a Limiter.

    From these, I conclude that Limiters should work with or without queues, and that queues are only needed to support  advanced features such as traffic prioritization.

    I'll be the first to admit that I have ZERO experience with Limiters.  I've done the research, used respectable sources, and applied my best deductive reasoning  to figure out how to make them work.  If I've made some invalid assumptions along the way or reached the wrong conclusion, I hope someone with more knowledge can steer me in the right direction.  But the way I see it right now, queues are an unnecessary complication.  If I'm wrong, don't just tell me I'm wrong, educate me so I can learn something.  Got a working example?  Show me.  Thanks!


  • LAYER 8 Netgate

    Your problem in your first post is Destination LAN net. That should be destination any. Everything else looks like it should work, though I would just use protocol any too. Oh and your Upload (LAN in) limiter should be masked on source address. Your Download (LAN out) limiter is fine with destination address. Note that this will create a separate pipe for each address. If you just want one limit shared by all devices, don't set a mask at all.

    With limiters (dummynet) you can also do nifty things like induce random packet loss and delay. That might also help discourage use.

    I'll leave whether this is wise policy to others. I have my own 16-year-old problem to deal with.



  • EUREKA!!  I found the problem!

The short answer:  I had created an alias that contained the fully qualified device names of the 3 devices my grandson uses.  I've been using pfBlockerNG to block undesirable web sites.  Apparently there's a conflict between the DNS Resolver and pfBlockerNG, so you are advised to turn OFF the feature in the Resolver that registers static DHCP mappings.  Therefore… my firewall rules never recognized traffic to/from my grandson's devices, and all his traffic ended up hitting the default rule that allowed normal clients to send/receive traffic.  As soon as I changed the firewall rule from using an alias to using a hardwired IP address, the limiters started working.

    For future reference, in case somebody else needs to set up something similar, here are the settings that I ended up with:

    Under Firewall->Traffic Shaper->Limiter, create 2 Limiters:
    Name:  Limiter-A
    Bandwidth:  I used 1 Mbps
    Description:  Upload speed from the PC to WAN

    Name:  Limiter-B
    Bandwidth:  I set it to 512 Kbits
    Description:  Download speed from WAN to PC

    Added the following rule to the firewall:
    Interface:
      LAN
    Source:  IP address of device I want to limit
    Destination: ! IP address of device I want to limit any
    In/Out:  Limiter-A/Limiter-B

    This is about as simple a setup as possible.  I plan to subnet my grandson's static IPs so I can use 1 rule to limit all his devices.  I will also experiment with random packet loss and delay as Derelict suggested.  That will require queues, but now that I have a working foundation, it should be a lot easier to get these features working.

    Thanks to everyone who took the time to help!

    -shull


  • LAYER 8 Netgate

    Destination:  ! IP address of device I want to limit

    Just use any, amigo.



  • @Derelict:

    Destination:  ! IP address of device I want to limit

    Just use any, amigo.

    Thanks, good observation.



  • @shull:

    I will also experiment with random packet loss and delay as Derelict suggested.

    Just found this when reading about limiters in the pfSense book for another project I'm working on:

    The dummynet(4) system was originally designed, according to its man page, as a means to test TCP congestion control, and it grew up from there. Due to this purpose, a unique feature of limiters is that they can be used to induce artificial packet loss and delay into network traffic. That is primarily used in troubleshooting and testing (or being evil and playing a prank on someone), and not often found in production.


  • LAYER 8 Netgate

    Dialup PPP was about 48kbps with about 220ms delay at best. Toss in about 5% packet loss to mimic overbooked ISP T1 uplink for good measure. Next time some kid bitches about slow internet, show them what it was like in the good old days. Have fun. :) And get off my lawn.
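The working setup from the EUREKA post (Limiter-A/Limiter-B on one LAN rule, destination any as Derelict corrected) and the dial-up impairment numbers just above, written out as the dummynet pipe definitions and pf rule that pfSense builds from those GUI settings. This is an added illustration, not text from the thread or pfSense's own generated rules; the address 192.168.1.50 and interface em0 are placeholders for the limited device and the LAN NIC.

```pf
# Added example: the dummynet/pf equivalent of the GUI settings in this thread.
# Constructed illustration; placeholders: 192.168.1.50 = limited device, em0 = LAN.

# --- Limiters = dummynet pipes (ipfw/dnctl syntax) ---
# Pipe 1 = Limiter-A, upload from the PC to WAN. Packets ENTER the LAN
# interface, so the device is the source: mask on src-ip for a per-IP limit.
pipe 1 config bw 1Mbit/s mask src-ip 0xffffffff

# Pipe 2 = Limiter-B, download from WAN to the PC. Packets LEAVE the LAN
# interface, so the device is the destination: mask on dst-ip.
pipe 2 config bw 512Kbit/s mask dst-ip 0xffffffff

# Leave the "mask ..." part off if all matched devices should share one limit
# instead of each address getting its own pipe.

# --- Firewall rule (pf.conf), placed ABOVE the default "LAN net to any" pass ---
# dnpipe (in,out): first pipe for packets entering em0, second for packets leaving.
# Destination is "any", not LAN net and not "! device", so WAN-bound traffic matches.
pass in quick on em0 inet from 192.168.1.50 to any keep state dnpipe ( 1,2) label "Limit_Max"

# --- Impairment variant (the dial-up numbers above) ---
# 48 kbit/s, 220 ms added latency, 5% random packet loss (plr = packet loss rate).
# Swap these in for the two pipe lines above to test how an application behaves
# on a bad link; queues are not needed for this, the options sit on the pipe.
# pipe 1 config bw 48Kbit/s delay 220ms plr 0.05 mask src-ip 0xffffffff
# pipe 2 config bw 48Kbit/s delay 220ms plr 0.05 mask dst-ip 0xffffffff
```

On pfSense the pipes are created from the Limiter tab automatically; enable logging on the rule and check Diagnostics > Limiter Info (or pftop, as suggested earlier in the thread) to confirm the device's traffic is actually landing in the pipes.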

