Limit bandwidth per subnet and per IP simultaneously



  • hi all,

    I have a slightly complicated situation and am looking for the best available solution. I have deployed pfSense (2.2.6-RELEASE) for managing bandwidth in an enterprise environment. We have multiple subnets, let's say 30 different subnets, and I intend to assign a specific amount of bandwidth per subnet. Within those subnets, I want to specify a specific amount for each IP as well, e.g.:

    192.168.1.0/24  ->  12Mbps total for the subnet  ->  2Mbps per IP
    192.168.7.0/24  ->  20Mbps total for the subnet  ->  4Mbps per IP
    192.168.9.0/29  ->  10Mbps total for the subnet  ->  2Mbps per IP
    etc….

    Now, with the limiter (using a dynamic pipe) and firewall rules, I am able to effectively assign/limit per-IP bandwidth for each of the subnets. But I am a little confused about how I should approach capping or limiting the total allocated bandwidth per subnet. A quick solution was to rate-limit the subnets from my router interface, but that actually limits internal traffic as well.

    Hope I could express my situation clearly. Is there anyone who is running a similar kind of solution? Thanks in advance. Cheers...


  • LAYER 8 Netgate

    There is no third layer of limiters so I think you're going to be out of luck reaching that level of granularity. I think the best you're going to be able to do is to define a limiter for, say, a /29 then instruct it to try to evenly share that available bandwidth among the users at the second level.

    If each subnet is limited, do you really care about limiting it further if it's somewhat equally shared?

    Otherwise you might be looking at cascading limiters. One node limiting per subnet and another node limiting per IP address.



    Thanks Derelict. Appreciate your quick reply.

    @Derelict:

    Otherwise you might be looking at cascading limiters. One node limiting per subnet and another node limiting per IP address.

    Don't really want to add another hop and add some more latency.

    @Derelict:

    If each subnet is limited, do you really care about limiting it further if it's somewhat equally shared?

    That might be the way to go about it. But as you understand, we have different departments (in different subnets) that need to be treated differently. Within the departments there are people (e.g. directors) for whom I need to allocate guaranteed bandwidth.

    Just thinking aloud... what is going to happen if I put subnet limit rules in "floating" rules and per-IP dynamic pipe rules in "LAN" rules? Also, I can put all the directors' IPs in an alias and add a rule in "floating" rules with the quick option checked. Do you think it would work? To clarify:

    FLOATING:

    PASS  ->  Subnet_gp_1 (alias)  ->  In: Limiter_12Mbps_Up; Out: Limiter_12Mbps_Down
    PASS  ->  Subnet_gp_2 (alias)  ->  In: Limiter_20Mbps_Up; Out: Limiter_20Mbps_Down
    PASS  ->  Quick: checked  ->  Directors (alias)  ->  In: Limiter_4Mbps_Up; Out: Limiter_4Mbps_Down

    LAN:

    PASS  ->  Subnet_gp_1 (alias)  ->  In: Limiter_2Mbps_Up; Out: Limiter_2Mbps_Down (dynamic pipe)
    PASS  ->  Subnet_gp_2 (alias)  ->  In: Limiter_2Mbps_Up; Out: Limiter_2Mbps_Down (dynamic pipe)

    Wondering what is going to happen. Will the quick-checked floating rule be able to guarantee 4Mbps for Directors? Looks like it won't. Also, the floating rules will not be able to cap the subnets out at 12Mbps or 20Mbps, right?


  • LAYER 8 Netgate

    Please specify what interfaces and directions you are thinking about applying those floating rules on.


  • LAYER 8 Netgate

    Don't really want to add another hop and add some more latency.

    If you really need to do this, I don't think another .25ms is going to hurt you.



  • @Derelict:

    Please specify what interfaces and directions you are thinking about applying those floating rules on.

    I was thinking about the LAN interface, to be honest. But would it work if I put them on the WAN interface?


  • LAYER 8 Netgate

    You can't filter on WAN out based on LAN IP address if you NAT. You have to mark the traffic at LAN and treat it differently on WAN based on that mark.

    If you want to do what you have described, I think I have given you the easiest way to accomplish it.



  • @Derelict:

    If you really need to do this, I don't think another .25ms is going to hurt you.

    @Derelict:

    If you want to do what you have described, I think I have given you the easiest way to accomplish it.

    You are right, and I agree that would be the simplest way to go about it. But the idea of putting in another node is turning me off. I would really like to be able to do it on the same box, if possible.

    @Derelict:

    You can't filter on WAN out based on LAN IP address if you NAT. You have to mark the traffic at LAN and treat it differently on WAN based on that mark.

    I am not running NAT on this box.

    Anyway, thanks for your replies. I think I will do some more R&D and testing before I reach a solution. In the meantime, if something else comes to your mind, please let me know! Thanks again... cheers...



  • Hi Derelict,

    @Derelict:

    If each subnet is limited, do you really care about limiting it further if it's somewhat equally shared?

    Decided to go on with this option, at least till I reach any other suitable solution. Can you please point me in the direction of how I should implement this (configuration-wise)?

    I get the "limiting each subnet" part. I create limiters (without dynamic pipes) and apply them in LAN rules for the subnets. How am I going to configure it to "somewhat equally share" bandwidth among the users of that subnet?

    Thanks in advance.

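The two options Derelict outlines (one limiter per subnet whose bandwidth is shared among the hosts, or a per-IP limiter cascaded with a per-subnet limiter) and the last question in the thread can be reasoned about with a small model. This is an added example, not code from the thread or from pfSense. It models a dummynet pipe as a hard cap and a masked child queue as WF2Q+ weighted sharing, which under steady backlog converges to weighted max-min fairness (computed here by progressive filling). The host demands and weights are constructed numbers; the pipe/queue statements emitted at the end use ipfw(8) dummynet syntax, and the assumption that a pfSense limiter with a child queue ("Mask: Source addresses", "Weight") corresponds to that pipe/queue pair is mine, not something the thread states.

```python
"""Model of per-subnet vs. per-IP limiting with dummynet pipes and queues.

Added example with constructed numbers; rates are in Mbit/s throughout.
"""

from typing import Dict, List, Optional, Tuple

# Subnet plan quoted from the original post: subnet -> (subnet total, per-IP cap)
SUBNET_PLAN: Dict[str, Tuple[float, float]] = {
    "192.168.1.0/24": (12.0, 2.0),
    "192.168.7.0/24": (20.0, 4.0),
    "192.168.9.0/29": (10.0, 2.0),
}


def per_ip_cap_only(demands: Dict[str, float], per_ip: float) -> Dict[str, float]:
    """Dynamic-pipe limiter (pipe with a source/destination address mask).

    Every host gets its own pipe of `per_ip` with nothing above it, so the
    subnet total is the sum of the per-host caps: the problem in the post.
    """
    return {host: min(demand, per_ip) for host, demand in demands.items()}


def weighted_fair_share(demands: Dict[str, float], capacity: float,
                        weights: Optional[Dict[str, int]] = None) -> Dict[str, float]:
    """One pipe of `capacity` with a masked child queue (one queue per host).

    dummynet's WF2Q+ scheduler divides the pipe in proportion to queue
    weights; for hosts that stay backlogged this converges to weighted
    max-min fairness, computed here by progressive filling. Hosts missing
    from `weights` have weight 1.
    """
    weights = weights or {}
    alloc = {host: 0.0 for host in demands}
    active = [host for host, demand in demands.items() if demand > 0]
    remaining = float(capacity)
    while active and remaining > 0:
        total_weight = sum(weights.get(host, 1) for host in active)
        rate_per_weight = remaining / total_weight
        # A host whose leftover demand fits in its proportional share is
        # fully satisfied; its surplus is re-divided among the others.
        done = [host for host in active
                if demands[host] - alloc[host]
                <= rate_per_weight * weights.get(host, 1) + 1e-9]
        if not done:
            for host in active:
                alloc[host] += rate_per_weight * weights.get(host, 1)
            break
        for host in done:
            remaining -= demands[host] - alloc[host]
            alloc[host] = demands[host]
        active = [host for host in active if host not in done]
    return alloc


def cascaded(demands: Dict[str, float], capacity: float, per_ip: float,
             weights: Optional[Dict[str, int]] = None) -> Dict[str, float]:
    """Two limiters in series (per-IP pipe on one node, subnet pipe on the next):
    each host is clipped to `per_ip` first, then the clipped demands share the
    subnet pipe."""
    return weighted_fair_share(per_ip_cap_only(demands, per_ip), capacity, weights)


def dummynet_config(pipe_no: int, subnet_bw: float,
                    queues: List[Tuple[int, int, str]]) -> List[str]:
    """ipfw(8)/dummynet statements for a subnet pipe plus weighted child queues.

    `queues` holds (queue number, weight, label). Assumption: a pfSense limiter
    with a child queue using "Mask: Source addresses" emits the same objects.
    """
    lines = [f"pipe {pipe_no} config bw {subnet_bw:g}Mbit/s"]
    for queue_no, weight, label in queues:
        lines.append(f"queue {queue_no} config pipe {pipe_no} weight {weight} "
                     f"mask src-ip 0xffffffff  # {label}")
    return lines


if __name__ == "__main__":
    subnet_bw, per_ip = SUBNET_PLAN["192.168.1.0/24"]
    # Constructed load: ten hosts all wanting 5 Mbit/s
    busy = {f"192.168.1.{i}": 5.0 for i in range(10, 20)}
    print("per-IP pipes only, subnet total:", sum(per_ip_cap_only(busy, per_ip).values()))
    print("subnet pipe + masked queue:", weighted_fair_share(busy, subnet_bw))
    print("director weight 4:", weighted_fair_share(busy, subnet_bw, {"192.168.1.10": 4}))
    # Constructed load: two light users and one heavy user
    mixed = {"192.168.1.10": 0.5, "192.168.1.11": 0.5, "192.168.1.12": 10.0}
    print("fair share, mixed load:", weighted_fair_share(mixed, subnet_bw))
    print("cascade, mixed load:", cascaded(mixed, subnet_bw, per_ip))
    print("\n".join(dummynet_config(1, subnet_bw, [(1, 1, "all hosts"), (2, 4, "directors")])))
```

With equal weights the ten backlogged hosts each get 1.2 Mbit/s and the subnet stays at 12 Mbit/s, which the per-IP-only setup cannot enforce (it sums to 20 Mbit/s). Under the mixed load the shared pipe hands idle capacity to the heavy user, while the cascade leaves most of the subnet unused because of the 2 Mbit/s clip. Note that a queue weight is a proportional share, not an absolute floor: the director queue above gets four times a normal host's share, which is about 3.7 Mbit/s with nine other backlogged hosts, so a hard 4 Mbit/s guarantee needs the weights (or the pipe) sized for the worst-case number of active hosts.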
