Traffic Limiting with PfSense 2.0 RC3

August 17th, 2011

PfSense is a FreeBSD-based firewall distribution that is extremely flexible for both businesses and individuals. The platform can be installed on anything from a small ALIX board with flash memory as its storage all the way up to a full server deployment. To give you an idea of speed, the small ALIX box (I have a few) can easily push 20Mbps. I have a slightly larger box with spinning disks and an Atom processor, which can push 60Mbps (the maximum on my WAN). The larger box also has room to run additional packages on top of PfSense, such as Squid and many more.

One of the things I set out to do was limit part of my Internet connection to ensure that my customers don’t experience any sort of slow down based on less important usage.

Set Up the Limiting Pipe

With the Advanced Rule options we are able to limit the upload, the download, or both. First we need to set up the Limiter "Pipes", one for upload and one for download. In this example I am limiting to 1Mbps download and 0.5Mbps upload.

Figure 1 – pfSense 2.0 RC3 Traffic Shaping – Limiter Setup for Upload Stream

Figure 2 – pfSense 2.0 RC3 Traffic Shaping – Limiter Setup for Download Stream

Apply the Limitations to the Firewall Rule

Now that we have the limiter pipes set up it is time to apply the pipes to individual rules.

Figure 3 – pfSense 2.0 RC3 Firewall Rule Setup – Advanced Setup – Applying Filter

Figure 4 – pfSense 2.0 RC3 Rule Setup Overview

There you have it.  We now have firewall rule sets which will prevent a certain type of traffic from overtaking your entire connection.

  1. Roli Pete Armenia
    February 8th, 2012 at 06:11
#1

    bro, how to limit specific ip addresses only.. or specific ip range

    • matthew.mattoon
      February 8th, 2012 at 07:40
#2

      The way you setup any sort of traffic shaping in pfsense 2.0 is by configuring a pipe, then configuring a rule to use the pipe. So if your rule is for specific IP addresses only or even an IP range then the pipe will enforce the traffic restrictions on that firewall ruleset.

      -matt

  2. Devryguy81
    February 9th, 2012 at 14:35
#3

    Why can pfSense not just tell us this? Their forums are loaded with traffic shaper questions and this is the ONLY site I’ve seen to list out exactly what I need!

I’m running 2.0.1-RELEASE. It was super-easy. I wanted to limit traffic on two VLANs that were being used for non-organization related traffic. ALL I wanted to do was limit their upload/download speeds so that they could not saturate our connection.

    - I blew away my existing shaping Wizard config in Firewall –> Traffic Shaper
    - Go to “Limiter” tab
    - Create a new limiter
    - Enable it and call it something meaningful, like “upload-limiter”
    - Input the Bandwidth limit and give it a description
    - Change nothing else and press Save

    - Create a new limiter (again)
    - Enable it again and this one will be the “download-limiter”
    - Input the Bandwidth limit and description
    - Press Save

    - Now go to Firewall –> Rules, and select the appropriate interface tab
    - Create a new rule AT THE TOP
    - For the selected interface, for TCP protocol, for the same source, select “In/Out” from the Advanced Features below the rule information
    - If the limiter speeds are set the same, it doesn’t matter where the upload and download limiters go. Upload should go to the “In” and download should go to the “Out”. Remember it’s all from the viewpoint of the INTERFACE, not the user!

    Good luck! It worked instantly for me and I’m VERY happy now!

    • Devryguy81
      February 9th, 2012 at 14:42
#4

      Of course, also remember to reset your State table or you will wonder why it’s not working!

    • matthew.mattoon
      February 9th, 2012 at 14:51
#5

      To be fair to the guys who work on pfSense, they do have it documented…

      http://doc.pfsense.org/index.php/Traffic_Shaping_Guide

However, they are quite difficult to understand, which is why I wrote up an article on it. In this case I suspect that this is due to the complex nature of traffic shaping and its many use cases. Additionally this is a fairly new release in which a load of changes were made, and like any other open source project, documentation is generally much slower to get updated than the actual code.

      Good note about making sure that the rule is in the top of the ruleset. In case folks don’t know you want to ensure that it is the first matching rule that is applied. So if you have 2 rules…

      rule one allows TCP 80 to everything and is unlimited.
      rule two allows TCP 80 to youtube.com and is limited to 1Gbps (or whatever).

      The effective rule would be rule one and the youtube.com traffic would _not_ be limited as you intended. If you reverse the rule order then the youtube.com rule matches first and that traffic is limited while the wider internet is matched later with an unlimited pipe. This is of course a massive oversimplification, but as Devryguy pointed out rule order is very important.

      -matt
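The post applies limiter pipes through firewall rules, and the reply above explains why the limited rule must sit above the broader one: pfSense evaluates an interface's rules first-match, so the first matching rule decides which In/Out pipes (if any) apply. The following is an added example, not code from the original post or from the pfSense project. It models that evaluation in Python; the pipe names, the `lan` interface, the 192.168.1.0/24 LAN and the 203.0.113.0/24 "video service" range are constructed for illustration.

```python
"""Added example: first-match firewall rule evaluation with limiter pipes.

Models how a pfSense interface rule set selects the In/Out limiter pipes for a
packet: rules are checked top to bottom and the first match wins, so a limited
rule placed below a broader unlimited rule never takes effect.
All names, addresses and rates are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Pipe:
    name: str
    bandwidth_kbit: int  # 1000 = 1 Mbit/s, 500 = 0.5 Mbit/s


@dataclass(frozen=True)
class Rule:
    interface: str
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int]          # None = any port
    # Viewpoint of the interface: "in" is traffic entering the firewall from a
    # LAN host (its upload), "out" is traffic leaving towards the host (download).
    in_pipe: Optional[Pipe] = None
    out_pipe: Optional[Pipe] = None


@dataclass(frozen=True)
class Packet:
    interface: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface == pkt.interface
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Rules on a pfSense interface tab are first-match: the first rule that
    matches decides, and later rules are never consulted for that packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def effective_pipes(rules, pkt: Packet):
    """Return (verdict, in_pipe, out_pipe) for a packet under a rule order."""
    rule = first_match(rules, pkt)
    if rule is None:
        return ("drop", None, None)  # pfSense denies anything no rule passes
    return ("pass", rule.in_pipe, rule.out_pipe)


# Constructed pipes and rules (hypothetical names and addresses).
UPLOAD = Pipe("upload-limiter", 500)
DOWNLOAD = Pipe("download-limiter", 1000)
LAN = "192.168.1.0/24"
VIDEO_NET = "203.0.113.0/24"   # stand-in for the address range to be limited

limited_video = Rule("lan", "tcp", LAN, VIDEO_NET, 80,
                     in_pipe=UPLOAD, out_pipe=DOWNLOAD)
general_web = Rule("lan", "tcp", LAN, "0.0.0.0/0", 80)

video_pkt = Packet("lan", "tcp", "192.168.1.20", "203.0.113.10", 80)
other_pkt = Packet("lan", "tcp", "192.168.1.20", "198.51.100.7", 80)


def correct_order():
    """Limited rule on top: video traffic gets the pipes, other web is unlimited."""
    rules = [limited_video, general_web]
    return effective_pipes(rules, video_pkt), effective_pipes(rules, other_pkt)


def wrong_order():
    """Broad rule on top: it matches first, so the limiter is never applied."""
    rules = [general_web, limited_video]
    return effective_pipes(rules, video_pkt), effective_pipes(rules, other_pkt)


if __name__ == "__main__":
    print("limited rule first:", correct_order())
    print("broad rule first:  ", wrong_order())
```

A quick check when reasoning about rule order: for a sample packet, walk the rule list from the top and stop at the first match; whatever pipes that rule carries are the only ones applied. Also keep in mind the reply below about resetting the state table: existing states were created before the rule change and keep their original treatment.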

  3. ahmadj
    April 4th, 2012 at 02:13
#6

    many thanks Devryguy81, it works fine for me.

  4. Roy
    April 24th, 2012 at 04:21
#7

Excellent and useful info… There are a couple of other questions I have:

    * Could you please explain the use of the “Mask” option? I think that is what I’m looking for, but not sure how to use it.

    * When do you think “children” limiters could be necessary or useful?

    Thanks again.
    Roy

  5. matthew.mattoon
    April 24th, 2012 at 07:18
#8

The mask option allows us, instead of creating a single static pipe, to create multiple dynamic pipes based on the source or destination IP address. So if the goal is to limit the total aggregate traffic to 1Mbps then mask is unnecessary. However if the goal is to limit any particular user to 1Mbps then mask is what you are looking for.

    As for child limiters, I have not used them, so I do not fully understand them.

    -matt
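The distinction drawn in the reply above, aggregate limit versus per-user limit, is easiest to see with numbers. The following added example (not code from the original post or from pfSense) models one limiter pipe as a per-second bandwidth budget. Without a mask every flow shares one queue; with a mask on the source or destination address, each masked address gets its own dynamic queue with the full configured bandwidth. It goes slightly beyond the reply by also modelling a shorter mask (/24), which groups a whole subnet into one queue. The hosts, the server address and the offered loads are constructed.

```python
"""Added example: a limiter pipe with and without the Mask option.

Each queue may pass at most bandwidth_kbit per one-second tick; flows that
land in the same queue split it max-min fairly (a simplified model of the
underlying scheduler). mask=None is one shared queue for all flows;
mask=("src", 32) or ("dst", 24) creates one queue per masked address.
All hosts and loads below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_network


class Limiter:
    def __init__(self, bandwidth_kbit, mask=None):
        self.bandwidth_kbit = bandwidth_kbit
        self.mask = mask  # None, or (side, prefixlen) with side in {"src", "dst"}

    def queue_key(self, flow):
        """flow is (src_ip, dst_ip). Pick the queue this flow belongs to."""
        if self.mask is None:
            return "shared"
        side, prefixlen = self.mask
        addr = flow[0] if side == "src" else flow[1]
        return str(ip_network(f"{addr}/{prefixlen}", strict=False))


def pass_one_second(limiter, offered_kbit):
    """offered_kbit maps (src, dst) flows to kbit offered in one second.
    Returns kbit actually passed per flow for that second."""
    queues = defaultdict(list)
    for flow in offered_kbit:
        queues[limiter.queue_key(flow)].append(flow)

    passed = {}
    for flows in queues.values():
        remaining = limiter.bandwidth_kbit
        # Max-min fair share: serve the smallest demand first, then split what
        # is left equally among the flows still waiting.
        pending = sorted(flows, key=lambda f: offered_kbit[f])
        for i, flow in enumerate(pending):
            fair_share = remaining / (len(pending) - i)
            given = min(offered_kbit[flow], fair_share)
            passed[flow] = given
            remaining -= given
    return passed


# Constructed load: four LAN hosts uploading to one server (203.0.113.5).
SERVER = "203.0.113.5"
OFFERED = {
    ("192.168.1.10", SERVER): 100,    # a light user
    ("192.168.1.11", SERVER): 1000,
    ("192.168.2.10", SERVER): 1000,
    ("192.168.2.11", SERVER): 1000,
}


def aggregate_limit():
    """No mask: the 1Mbps pipe is shared by everyone."""
    return pass_one_second(Limiter(1000), OFFERED)


def per_host_limit():
    """Mask on source /32: every host gets its own 1Mbps queue."""
    return pass_one_second(Limiter(1000, ("src", 32)), OFFERED)


def per_subnet_limit():
    """Mask on source /24: each subnet shares one 1Mbps queue."""
    return pass_one_second(Limiter(1000, ("src", 24)), OFFERED)


if __name__ == "__main__":
    for name, fn in (("aggregate", aggregate_limit),
                     ("per host", per_host_limit),
                     ("per subnet", per_subnet_limit)):
        print(name, {src: kbit for (src, _), kbit in fn().items()})
```

Choose the masked side by direction: for the "In" pipe on a LAN interface the LAN host is the source, for the "Out" pipe it is the destination, so a per-user limit on downloads needs a destination mask. Note that the per-host result is the one the reply calls "limit any particular user to 1Mbps": the pipe's total throughput is no longer bounded by 1Mbps, which is the intended trade-off.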

  6. John
    June 21st, 2012 at 22:57
#9

    This is by far the best How to…Traffic Limiting with PfSense v2.x. Thank you for the post.
