pfSense Limiters
(More info at: https://superuser.com/a/1210164/257859 )
How to set a max B/W per client or max B/W per Interface
If you want each host on your LAN to be limited to a maximum amount of upload and/or download bandwidth, follow these steps:
Go to Firewall > Traffic Shaper > Limiters and create two limiters, one for traffic coming into the LAN interface (LanUploadLimit) and one for traffic going out of the LAN interface (LanDownloadLimit). The bandwidth limit you want to enforce is the only setting you need on each limiter.
Under each limiter create a child queue, named LanUploadQueue and LanDownloadQueue respectively. (A limiter is a dummynet pipe; the queue hangs off that pipe and is what the firewall rule will reference.)
To limit each client to X Mbps (each and every client using the line gets X Mbps, so N clients can use N * X Mbps in total): set the Mask on the LanUploadLimit limiter itself to Source Address, so that each host sending packets gets its own pipe with its own limit, and leave the mask on the child queue unset.
To limit the total bandwidth available to all clients (N clients using the line are limited to X Mbps in total, and each gets a fair share of roughly X/N Mbps while they all compete): leave the Mask on the limiter unset and set the Mask on LanUploadQueue to Source Address instead, so that all hosts share the one pipe and the per-host queues split it evenly.
Do the same for LanDownloadLimit / LanDownloadQueue, but with the Mask set to Destination Address, because on the outbound side the LAN host is the packet's destination.
Lastly, on Firewall > Rules > LAN create (or edit) a rule that matches the traffic you want to limit (usually everything) and scroll down to the In/Out pipe option under the advanced settings. Set In to LanUploadQueue (traffic from the LAN into the LAN NIC, i.e. WAN upload) and Out to LanDownloadQueue (traffic going out of the LAN NIC to the LAN, i.e. WAN download).
The limits you set only affect traffic that matches this firewall rule.
Quick reference
If you get used to these procedures and just want a quick reference so as not to mix up the settings, here it is:
Rule slot | Direction | Mask
----------+-----------+--------------------
In        | Upload    | Source Address
Out       | Download  | Destination Address
The mask goes on the limiter itself for a per-host limit (every host gets the full figure) and on the child queue for a shared limit (hosts split the figure fairly).
[OLDER NOTES] Using flexible limiters
Go to Firewall > Traffic Shaper > Limiters and create a New Limiter[8] for the download of WAN1, named like LimWan1Down. Just set its Bandwidth to a bit[5] below the download BW of your WAN[3] (preferably[1] in multiples of 64 kbps). Don't go below 256 kbps[6].
Save the limiter and click the option to Add a New Queue[7] to create a queue named like QueWan1Down, and just set its mask to "destination addresses".
Create another limiter for the upload of WAN1, named like LimWan1Up. Just set its Bandwidth to a bit below the upload BW of your WAN[3] (preferably in multiples of 64 kbps). Don't go below 256 kbps[6].
Save the limiter and click the option to Add a New Queue to create a queue named like QueWan1Up, and just set its mask to "source addresses".
Finally go to Firewall > Rules > LAN and find the rule[2] that passes traffic to WAN1. Click edit, go to Advanced settings > In / Out pipe and specify your Upload Queue in the first (In) slot and your Download Queue in the second (Out) slot[9].
Don't forget to click Apply Changes.
Now the limiters keep the total upload and download BW of all your clients below the line rate, so that queues don't build up on the ISP side, while the masked queues distribute that limited BW evenly between all the LAN clients (LAN IPs, to be precise).
To test immediately you must first go to Diagnostics > States > Reset States and click Reset, but beware that everybody's TCP connections will be reset (including your connection to the WebUI); existing states keep their old, unlimited path until they are re-created.
Now start some downloads/uploads and check Diagnostics > Limiter Info.
This method keeps your RTT low by limiting your total download and upload bandwidth (thus preventing buffering at the ISP) and shares that BW evenly between your LAN clients. You get a decent browsing/Skype/RDP/ssh experience when a lot of users have maxed out your WAN(s), yet it still allows one client to get the full BW when nobody else needs it.
Notes:
(1): not sure if this is important.
(2): not sure if it works the same when there are many rules because I've only tested with one rule.
(3): if you have multiple WANs you do the above for every WAN, but I believe that things get tricky because on your firewall each LAN rule that passes traffic should be dealing with a specific WAN(4). In my case, when I had 2 WANs, I split the LAN IPs into even and odd ones and each group was using a specific WAN (with failover, of course). A bit hacky, I know. Keep in mind that drakontas doesn't share my worries. He states that "The limiters described here work as expected when used in combination with Gateway Groups (i.e. Multi-WAN) without any additional modification as long as the firewall rules include the Gateway Group as the Gateway (under Advanced)."
(4): I'm 99% sure this is the case but have never tested.
(5): here's how to find how much "a bit" is: find a bad day/time for your line, where it downloads/uploads at its worst rate. Before enabling anything, begin a massive download/upload and look at your ping times going off the roof. Try a setting for the download/upload limit. If your ping times go off the roof you need to lower the limit.
(6) I haven't tested it but I've read this logic: the max size of an IPv4 packet is 64KBytes i.e. 256kbits. So if you go lower the limiter may have to cut packets apart, which results in higher latency, lower throughput, and a poor user experience.
(7) pfSense's UI is a little glitchy at this point. Finish your limiter, save it, click on its name again and then try to click Add New Queue.
(8) the terminology is a little confusing. In this text I've used the terms with caution, but you may see the terms limiter, pipe and queue used interchangeably.
(9) think of the packets flows from the perspective of the LAN interface. Packets flowing from the local network into the LAN interface will become WAN upload and vice versa.
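Both procedures above (the per-host or shared LAN limiter and the older WAN limiter) end up as a dummynet pipe, a child queue and a pf rule whose In/Out slots point at the queues. The POSIX shell script below is an added example, not code from the page, the superuser answer or pfSense itself: it emits those lines as text so the mask placement and the numbers can be inspected before anything is applied. It uses dummynet's ipfw/dnctl config grammar and pf's dnqueue(in, out) rule option; the pipe/queue numbers, the LAN interface em1 and the subnet 192.168.1.0/24 are assumptions, and the checks it enforces (256 kbit/s floor, 64 kbit/s granularity, queue size at most 100) are the page's own recommendations, including the queue-size cap from the advanced material further down.

```shell
#!/bin/sh
# Added example, not from the page or from pfSense: emit the dummynet and pf
# lines behind the GUI steps, so the mask placement can be checked first.
# Assumed for the illustration: pipe/queue numbers, interface em1, subnet
# 192.168.1.0/24. Output is text only; nothing is applied to a firewall.

# dummynet_rules MODE DIR BW_KBIT PIPE QUEUE [QSIZE]
#   MODE: per-host -> mask on the pipe, every host gets BW of its own
#         shared   -> mask on the child queue, all hosts share one pipe fairly
#   DIR : in  = traffic entering the LAN NIC from the LAN (WAN upload)
#         out = traffic leaving the LAN NIC to the LAN (WAN download)
dummynet_rules() {
    mode=$1
    dir=$2
    bw=$3
    pipe=$4
    queue=$5
    qsize=${6:-50}   # pfSense default slot count when left empty

    case "$dir" in
        in)  mask="mask src-ip 0xffffffff" ;;   # one slot per sending LAN host
        out) mask="mask dst-ip 0xffffffff" ;;   # one slot per receiving LAN host
        *)   echo "dir must be in or out" >&2; return 1 ;;
    esac

    case "$bw" in
        ''|*[!0-9]*) echo "bandwidth must be an integer in kbit/s" >&2; return 1 ;;
    esac
    # The page's recommendations: never below 256 kbit/s, multiples of 64 kbit/s.
    [ "$bw" -ge 256 ] || { echo "bandwidth below 256 kbit/s" >&2; return 1; }
    [ $((bw % 64)) -eq 0 ] || { echo "bandwidth not a multiple of 64 kbit/s" >&2; return 1; }

    case "$qsize" in
        ''|*[!0-9]*) echo "queue size must be an integer" >&2; return 1 ;;
    esac
    # Values above 100 are silently rejected by the limiter subsystem (advanced notes).
    [ "$qsize" -le 100 ] || { echo "queue size above 100 is not applied" >&2; return 1; }

    case "$mode" in
        per-host)
            # Mask on the pipe: a dynamic pipe with the full bandwidth per host.
            echo "pipe $pipe config bw ${bw}Kbit/s queue $qsize $mask"
            echo "queue $queue config pipe $pipe weight 1 queue $qsize"
            ;;
        shared)
            # Mask on the queue: one pipe, per-host queues scheduled fairly on it.
            echo "pipe $pipe config bw ${bw}Kbit/s queue $qsize"
            echo "queue $queue config pipe $pipe weight 1 queue $qsize $mask"
            ;;
        *) echo "mode must be per-host or shared" >&2; return 1 ;;
    esac
}

# lan_rule UPLOAD_QUEUE DOWNLOAD_QUEUE
# The pf rule that binds the queues to the LAN interface: the first dnqueue slot
# is the rule's own direction (in on em1, i.e. upload), the second the reply
# direction (download). Traffic that does not match this rule is not limited.
lan_rule() {
    echo "pass in quick on em1 inet from 192.168.1.0/24 to any keep state dnqueue($1, $2)"
}

# Example: 10 Mbit/s shared fairly on upload, 2 Mbit/s per host on download.
dummynet_rules shared in 10240 1 1
dummynet_rules per-host out 2048 2 2
lan_rule 1 2
```

Running it prints the three pieces that the GUI steps produce; swapping the mode argument shows exactly which object the mask moves to, which is the one setting the two procedures above differ on.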
Advanced material
These are some advanced notes copied directly from the drakontas reddit post (see credits):
- If using Floating firewall rules instead of per-interface rules, you must have two rules -- one applied to "In" traffic and one applied to "Out" traffic (direction is specified in the rule).
- If you have many users (for example, thousands of devices sharing a relatively small uplink), you will want to increase the advanced "Queue Size" option on each Pipe and Queue (default is 50 if no value is indicated). This allows cleaner handling of user traffic during high congestion periods.
- The advanced "Queue Size" option can be set to a maximum of 100. This is not documented or indicated on the GUI, but if you try to set this value >100, the limiters will throw an error and will not be correctly applied. This can slow down a reboot and also can be a totally hidden error when applied on a running system (the only indication that something is wrong is that the Diagnostics > Limiter Info page will not reflect the new settings, even after resetting states).
- Remember that for TCP flows where ACK responses are required for data integrity, upload is necessary even while downloading (and vice versa). In my tests, restricting upload to 512kbps results in a maximum real-world download speed of 50-60mbps; restricting upload to 256kbps results in a maximum download speed of 20-30mbps (and of course, YMMV). For UDP flows this is irrelevant.
Credits
This article is based on foxale08's series of posts with screenshots on the pfSense forum (you must log in to see the screenshots) and on the excellent drakontas reddit post.