Limiters in PFSENSE
The limiter feature allows you to setup Dummynet pipes. Dummynet was designed to be able to simulate any kind of network connection. You can simulate a dialup connection, a T1, a T1 run through a microwave oven, or a satellite connection to the Moon. A side effect of being able to simulate any type of network connection is that you can use them to limit the amount of bandwidth a host or group of hosts have access to. Both the packet shaper and limiters can be used at the same time so you can shape your traffic as a whole, and also limit certain traffic to a certain amount of bandwidth. There are 2 basic steps to setting up a limiter to control bandwidth. Setup the limiters you will be using. Assign traffic to those limiters.
Setup Limiters
Limiters are setup by creating them under Firewall > Traffic Shaper, on the Limiters tab. You can use just one pipe for both inbound and outbound traffic, but that would mean you are simulating a half-duplex connection. The recommended method is to create 2 pipes, one for inbound traffic and one for outbound traffic. The direction is from the perspective of the interface. If using limiters on LAN, the inbound queue is your upload and the outbound queue is your download. You should name the pipes so that you will easily remember which one is which, such as InLimitLan and OutLimitLan.
Dynamic queue creation
Dummynet pipes have a feature called dynamic queue creation which allows you to have a unique queue based on the uniqueness of a connections source protocol, ip, source port, destination ip or destination port. They can also be used in combination. pfSense currently only allows setting the source address or the destination address as the mask, meaning that you can give each host behind your firewall its own set of pipes so that each node is restricted to using a certain amount of bandwidth. To do this you would give your In pipe a Source Address mask, so that each host sending packets gets it's own dynamic pipe for uploading. You would give your Out pipe a destination address mask, so that each host receiving packets gets it's own dynamic pipe for downloading.
Assign Traffic
Once you setup a limiter pipe, the next step is to assign traffic to it by setting the "in/out" option in a firewall rule. Remember that in and out are from the perspective of that interface on the firewall. If you're choosing limiters on the LAN interface, "out" is download speed (traffic from the LAN NIC into the LAN) and "in" is upload speed (traffic from the LAN into the LAN NIC). Simply creating the limiters does not do anything, you must assign them on a firewall rule for them to be used.
Limiter status
The bandwidth usage and other limiter information is available under Diagnostics>Limiter Info.
Captive Portal Notes
Captive portal can automatically setup its own pipes for each logged in user, no need to set this up manually. Take a look at the captive portal setup page to set this up.
Using Limiters for Bandwidth Guarantees
If you want to use limiters to guarantee a certain amount of bandwidth instead of limit, you can do so by making four limiters:
- Bandwidth to guarantee upload
- Bandwidth to guarantee download
- Total bandwidth upload (less guaranteed above)
- Total bandwidth download (less guaranteed above)
Ensure that you do not set the Mask to anything other than "none". It must be "none" for these to work properly. So if you have 8Mb down and 2Mb up, and you want to guarantee 512Kb/s for service X, you'd have queues sized like so:
- 512 Kb/s
- 512 Kb/s
- 1536 Kb/s
- 7680 Kb/s
Then direct the guaranteed service traffic into the first two limiters, and everything else into the "total" limiters.
UnOfficial Directions:
Go to the Firewall>>>Traffic Shaper option
Create a new limiter, make sure Enable is checked, name it "500dest", set bandwidth to 500Kbit/s, set mask to destination. Save it.
Create another limiter, make sure Enable is checked, name it "500src", set bandwidth to 500Kbit/s, set mask to source. Save it.
Make sure to apply changes.
Create an alias with all the ip's you want in Firewall>>> Aliases
Name it, save it.
Apply changes.
Go to firewall>>>Rules>>>LAN
Create a new rule. Protocol type ANY, Set the alias(or ipaddress) as the source, scroll down click advanced next to in/out, set the first to 500src, the second to 500dest. Make sure your new rule is higher than any default allow out.
Apply changes and test it out.
Alternatively you could edit the LAN default allow out and add the In/Out option there and it would apply to every host on the LAN individually (each host individually limited to 500Kbps/500Kbps).