Manage your Bandwidth
PFSense is by far one of the best gateway solutions out there in my opinion. I am going to show you one of the many reasons why I think this product is best of breed and that is the Bandwidth limiter. PFSense uses Free BSD as it base, it has included the DummyNet software project which allows you to simulate/enforce queues and bandwidth limitations, delays, packet losses, and multipath effects, it also implements a variant of Weighted Fair Queueing called WF2Q+. Now that may sound like a lot of reading to get up to speed with but I assure you it is quite easy to set up and maintain, let me show you how.
First off I will take a bandwidth test to see what I get as unregulated bandwidth. I have a cable service from Brighthouse that is 50Mb download and 5 Mb upload.
The image tells the tale, I am getting 50/5 as and result of my speed test using Brighthouse’s Speed test. Now let’s get started with our limiting, we will need to create a Upload and a Download limit we want to apply to each system on the LAN then create one Firewall rule to force the systems on the LAN to follow the limits.
Lets get started:
First we need to find our Limiter Web GUI area in PFSense. This is located under the Firewall Tab -> Traffic Shaper, the 3rd tab is called Limiter.
Next we are going to select Create new limiter , Let’s call it LimitUPLan
- Click Enable
- Set name to LimitUpLan
- Set Bandwidth allowed (1mb)
- Mask Source Address
- Give a description
- Save
- Click Enable
- Set name to LimitDownLan
- Set Bandwidth allowed (3Mb)
- Mask Source Addresses
- Add Description
- Save
- Action Pass
- Interface LAN
- Protocol Any
- Source LAN Subnet
- Destination Any
- Description
Select the Advance button under the In/Out feature, from the drop down menus select the 2 queues you created (In = Uploads) and (Out = Download). Save and apply the firewall rule and re-test your bandwidth usage.
Bandwidth Now Limited
That’s the whole process from start to finish. At this point you should have a rate limit of 3mb per LAN user downstream and 1 MB per LAN user upstream.
That is part of the power built-in to PFSense and the BSD platform. Now go off and limit someone today!
Cubert 😎
Nice write-up on the traffic limiter! I’ve been thinking about setting up a bandwidth limitation for my torrent box, mostly so it doesn’t saturate all of my upstream bandwidth.
We’ve just started using this software to portion out bandwidth for all our users at our Business Park. Problem is, users inside the LAN get limited fine, however if you commence an upload from outside – example access a site CCTV camera or connect to an onsite VPN and upload to yourself – you get the full bandwidth of the connection. I am still searching for a solution to this.
I am actually wondering if using this traffic shaping will raise the latency inside the LAN. I run an internet cafe, these gamers are militant little so and so’s 🙂 I have FTTN service 25/8 … 22 stations. I want it so that no one station will pull more than 2mb and push more than 800kb …Right now updates can and do pull all the bandwidth raising the otherwise stellar latency to 60 or 70 ms.
this is working! but it does not limit the torrents…
Thank you a lot, it was ver usefull for me.
I’m working in a school, trying to limit bandwith data comes from our Wifi accespoint.
Using the same way you describe it works, just by replacing in the firewall rule: source -> single host and enter IP of AP.
Thanks!
Hi Julien, does limiting the bandwidth of the WiFi AP distributes the bandwidth evenly? what i mean is, if you limit it to 2Mbps, then 2 users using it at the same time will share that 2Mbps, like 1Mbps per user? or both of them will have 2Mbps limit?
Each IP address on LAN get 2mb up or down based on in/out rule.
Doesn’t setting any destination also limits local LAN traffic speeds too?
I’d like to limit ISP bandwidth to specific users on my home LAN, but I don’t want to limit local traffic in any way, as they’ll be using a fileserver too.
How can i share bandwidth among users equally so that if i have 4mb/1mb with 4 users, each will have 1mb/256kbps. If i have 2 users, each will have 2mb/512kbps.
I guess that if i limit bandwidth according to this guide, say limiting each user to 1mb/256kbps, then even if i have only one user on the internet, the user will not be able to utilize the whole bandwidth rather will be limited to 1mb/256kbps.
Chuks,
Sounds like you need more advanced queuing. That is outside of this scope which is bandwidth limiters. Since you asked I will put together a basic Quality of Service How-to using PFSense that describes how to use queues and percentages to control the amount of bandwidth people and or services can use.
One of the nice things about using queues to manage traffic is that if the traffic is low then queuing does not happen. When using PFSense Traffic control queue the queues do not kick in until there is an actual shortage of bandwidth. When this shortage is seen the queues kick in and start to control how much bandwidth a user or service can use and how.
The process is different from the common limiter you see described here. The limiter here is not discriminate on who it limits, all IP addresses are limited to the same amount of bandwidth and if you have 10 IP addresses trying to access a 5MB line and a limit of 2MB for each IP, you will still saturate you ISP service and have users that can not reach their limits. Queuing can allow users of one services to exceed bandwidth limits while other users of other services get squashed.
Come back shortly and I will have an article up that walks you through the process.
Cubert
Orisai,
Bandwidth limiters on PFSense only effect traffic traveling from the LAN to the WAN interface. It does not effect LAN traffic staying on LAN.
Hi, nice tutorial. I would like to ask if its possible to apply this limiter but not affecting cached objects from squid? And how?
Well if you are running squid on pfsense, you could set a rule above the limit rules that all traffic from pfsense to ignore limiter or if squid is an internal system add an allow rule for its IP address above the limit rule. This will cause the proxy to bypass limiter.
I hope I understood your question correctly.
Cubert
Thanks for the reply Cubert,
I’ve been trying to do that before, but your answer gives me an idea. Will try it here. thanks!
Hi Cubert, squid is on pfsense as a package not on a separate machine, what IP address as a source should I put in the allow rule? I tried putting the loopback address as that is what I can see in the firewall states. But it’s not working.
This is what I can see in the firewall states when accessing a cached object: client -> some external address -> 127.0.0.1
Try anything to or from LAN interface IP address. See if that give you proxy speeds above limiter.
Hello Cubert, Just for update I did these steps:
1. Source pfSense LAN IP, destination lan subnet. – no good
2. Source lan subnet, destination pfSense LAN IP. – no good
3. Source 127.0.0.1, destination lan subnet – no good
4. opposite of #3. – no good
5. Made alias(combination of LAN IP and 127.0.0.1) and replaced it as values for the steps above – no good
6. Made all of the above specifying port 80. no good
I did all those steps above a limiter rule in the LAN interface tab resetting the firewall state each time I made the changes. Should I try in the Floating tab?
Im on a testing environment with pfsense on a vm and an xp client also on vm. Caching is working well. The limiter is also working well.
This is the limiter rule:
Proto: TCP
Source: Lan Net
Port: any
Destination: any
Port: any
IN/OUT: 128/512
I’m having fun testing these and trying to achieve something but it’s not just working. Any ideas? thanks!
Thanks, the guide was perfect
[…] PFSense 2.0 – Limiting users Upload and Download Speeds by Limiting Bandwidth at http://www.squidwork… […]
Cubert,
Great guide…. Did you ever make your more advanced guide on “how to use queues and percentages to control the amount of bandwidth people and or services can use.” I too am interested in dividing bandwidth evenly between all connected users, but only limiting them when there is contention for bandwidth.
Dean
Help with limiting torrent users please!
thanks for this
The described setup establishes a fixed limited bandwidth per user. My related question is how to set up a prioritized but not fixed bandwidth distribution (both up and down) based on local IP address. Traffic types are not relevant for prioritization. Computers 1& 2 have equal highest priority for ALL traffic if they are active. Computers 3 & 4 have next highest equal priority. Computers 5, 6, 7 & 8 have equal lowest priority. Assume 10 Mbit service. Computers 1 & 2 equally share 5 Mbit/s when they require it, leaving 5 Mbit/s for all other machines. Similarly, computers 3 & 4 equally share 50 % of the leftover 2.5 Mbit/s when they require it, leaving 2.5 Mbit/s to be equally shared amoung computers 5, 6, 7 & 8.
Addendum to my comment above: I didn’t state it clearly but the intention is if higher priority machines don’t need the available bandwidth, lower priority machines will make use of it in their assigned priority level.
how do i whitelist certain IPs from this limiter?
i have a half dozen IPs which need to be limited to 1.1mbit/112kbit and another 2 IPs which need to have no limits.
im on a 16/1 adsl2+ connection with no datacap.
Any rule placed above limiter rules will bypass limits. So if you want 1 ip to be wide open and without limits make a rule that allows either all ports or just the ports you want for host IP address to be a simple pass rule
Mati, you want a full CBQ setup then. That’s a whole different bear and not a process of limiting any or all users. Ins a CBQ queue by default all bandwidth is available to anyone until contention is met. Then queuing takes over and prioritizes the traffic.
I would suggest a solid read of docs before beginning
Cubert;
Thank you for your reply. So it sounds like no canned solution is available. I am new to all this. Could you suggest where I should start reading? Also, what does CBQ stand for?
The LimitDownLan mask needs to be set to destination not source. You are affectively limiting each unique source connection with source being set. Which in your testing would appear fine. But this is why people are saying it is not limiting torrent downloads and such, because that is more than one connection from a local computer. If you set that limter to destination that would resolve it, limiting all download connections on each computer to 3Mb.
Thanks for finally talking about >PFSense 2.0 – Limiting users Upload and Download Speeds by Limiting Bandwidth.
| Squid Works <Loved it!
Travis K wrote
“The LimitDownLan mask needs to be set to destination not source”
+1
If multiple people download from the same source website they will share the limit. Probably not what you want.
Thanks
Great article. worth more than a ton.
Thanks!!!
Great write up, can same be achieved if I make an alias and add multiple users so each user will be limited or the whole alias will be limited ??
In your example, you create a LAN rule above all others on which to apply the limits. Except for the rate limits, this rule would appear identical to the very last rule you have, which allows access to everything. This rule is above two rules which I am guessing by their descriptions block connections to Africa and Asia. By placing it above these two “blocking” rules, would it not override the “blocking” rules and make them ineffective?
How can i limit per User Upload/Download speed along with Captive portal ??
I tried and it did limit …. problem was I have to have the testing web page already open …. once it is done cannot open testing web page or cnn or msn…. I was able to open yahoo.com. If I create a rule above the limiting rule allow my computer or stop the rule every thing is ok …. if the speed testing web page was already open speed is limited.
Problem on the webpage said timed out ….
How can i divide 5.5mbps into 10 computer how to limit that help me pls Email me
hi.
i have a question that we have a connection 7/1.
the problem is that its data capped.
after using the data allowance which is 70gb it will be 2.1 mbps max.
i m using pfsense with limiter but sometimes cannot change the limiters on time, so, is there any other option like percentage in limiters so automatically it will reduce the bandwidth as it reaches to 2.1mbps automatically the limiters will reduce.
is there is any way to limit all rules at once using limiters. i am talking about setting bulk action to all rules for a specific limiter
Thanks for such a great solution
Finally !! After many tries, this tutorial ist the first working one on traffic shaping for me. A lot of thanks to the autor !!
In my situtaion i want to limit just some lan hosts. I created an alias “hosts-to-be-limited”. In the firewall create step in this tutorial, i entered as source not the whole lan subnet but the alias and now only the aliased hosts get limitet. This is exactly what i want. Many thanks again ! 🙂
Very easy to follow. This is exactly what I was trying to do. I look at a few different sites and they didn’t explain things well. This got me through it perfectly and now I can set up limiters on each of the ports for the pfsense firewall just like I want.