Currently we are using the latest pfSense version and I want to assign a speed of up to 1 Mbps per host (download + upload) using pfSense, and also set up a Squid proxy working in bridge mode on the pfSense box.

Does anyone have an idea how to set this up?

Nullpointer

1 Answer

You have no control over incoming traffic from the public Internet. How would you propose to tell a server on the Internet, over which you have no control, to limit the speed of the traffic being sent to you? By the time your router gets the traffic, the bandwidth has already been used.

You may be able to rate limit from your router to a host on your network, but you can only control outbound traffic on your WAN link, not incoming traffic.

Ron Maupin
  • I want to set a limit on pfSense for my network's machines – Nullpointer Dec 23 '15 at 09:09
  • To what point? Typically, you would want to limit downloads to preserve the WAN bandwidth for fairness among the hosts on your network, but you can't do that. A single host could still use all the incoming WAN bandwidth, whether or not your router actually delivers all the traffic to the host. – Ron Maupin Dec 23 '15 at 09:12
  • Simply controlling outbound traffic on your LAN link towards the client machine(s) will eventually control the amount of data coming in at the WAN link due to TCP's flow control mechanisms – the-wabbit Dec 23 '15 at 09:25
  • You can create an inbound Limiter for each client which will limit (police) the inbound traffic to the limit that you set, but this will in no way actually limit the WAN bandwidth used, it will only limit the bandwidth actually delivered to the client from the router. "_Limiters are setup by creating them under Firewall > Traffic Shaper, on the Limiters tab._" [Limiters](https://doc.pfsense.org/index.php/Limiters) – Ron Maupin Dec 23 '15 at 09:26
  • @the-wabbit, that is true to a certain extent for TCP, although hitting a specific target speed would be a problem. It really doesn't work like that for UDP streams unless the application is performing its own error control/windowing. – Ron Maupin Dec 23 '15 at 09:30
  • @RonMaupin if I set up the Traffic Shaper and set 1 Mb, is that 1 Mb for each host, or is the total 1 Mb download for the whole network? – Nullpointer Dec 23 '15 at 09:33
  • You need a Limiter for each client. I still think this is completely pointless. Let's say you have 10 Mb on the WAN link, and you limit all 10 hosts to 1 Mb each. Host 1 decides to download 10 Mbps. Your WAN link incoming will be completely blocked by Host 1, causing problems for the rest of the hosts. The limiter won't fix that. – Ron Maupin Dec 23 '15 at 09:34
  • @RonMaupin "the application" usually does (except for multicast streams) - the majority of the stuff is meant to work over the Internet where varying bandwidths are rather the norm than the exception. For all practical purposes, controlling outbound LAN bandwidth will be sufficient. – the-wabbit Dec 23 '15 at 09:38
  • @the-wabbit, I understand that, but you still have real problems with setting a maximum download for each client, and a client could have multiple streams working at once which further exacerbates the problem. I have a lot of experience with designing and implementing QoS, and this question comes up all the time. You have no real control over what is coming across your WAN link to you unless you involve the ISP. That's why DoS is such a problem. – Ron Maupin Dec 23 '15 at 09:42
  • DoS is likely outside of this question's scope. The bloke just wants to know how to prevent his users from sucking up all the bandwidth available. For HTTP, squid delay pools will do nicely. I do not know enough about pfSense to answer the question authoritatively, but under Linux, you could use classifiers along with a suitable queueing discipline to get an overall aggregation and limit for traffic based on your specifiers - e.g. a client's IP address (or a hashbucket thereof). – the-wabbit Dec 23 '15 at 09:49
  • @the-wabbit, that is one thing, but there is a lot more to the Internet than HTTP. The point is that QoS works very well for anything outbound because you can use queuing and shaping, but inbound all you can do is police, and the bandwidth is already used by the time you get it. This is where a close relationship with the ISP helps because the ISP can police this for you so that you never receive the traffic in the first place, freeing your WAN bandwidth. – Ron Maupin Dec 23 '15 at 09:55
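The per-host limiter that the answer and its comments describe, written out as an added example (this is not code from the thread and not the pfSense project's own configuration). pfSense Limiters are FreeBSD dummynet pipes underneath, and the "Mask" option in the Limiter GUI corresponds to the `mask` keyword below: with a /32 mask each client address gets its own 1 Mbit/s bucket, without it the pipe is one shared pool for the whole LAN, which is the question raised in the comments. The Squid `delay_pools` stanza is the HTTP-only alternative the-wabbit mentions (class 2 = per-client buckets). The interface name, pipe and rule numbers, the LAN prefix and the `localnet` ACL name are assumptions, not taken from the thread; the script only prints configuration and applies nothing.

```shell
#!/bin/sh
# Added example for this thread, not the pfSense project's code and not
# something posted in the answer. Prints per-host rate-limit config in two
# forms: FreeBSD dummynet/ipfw pipes (what pfSense Limiters drive) and a
# Squid delay_pools stanza for HTTP. Nothing is applied.
# Assumptions: LAN_NET, WAN_IF, pipe/rule numbers and the ACL name are
# placeholders chosen for the example.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN prefix
WAN_IF="${WAN_IF:-em0}"                # assumed WAN interface name
RATE_KBIT="${RATE_KBIT:-1000}"         # 1 Mbit/s per host, each direction

# Squid expresses rates in bytes per second: kbit/s * 1000 / 8.
rate_bytes_per_sec() {
    echo $(( $1 * 1000 / 8 ))
}

# Pipe 1 shapes traffic heading *to* each LAN host (download), keyed by
# destination IP; pipe 2 shapes traffic leaving each host (upload), keyed by
# source IP. 0xffffffff is a full /32 mask, i.e. one dynamic queue per host;
# drop the 'mask' clause and the pipe becomes one shared 1 Mbit/s pool.
# Caveat from the answer: pipe 1 acts on packets that have already crossed
# the WAN link, so a host pulling faster than 1 Mbit/s still consumes the
# full WAN bandwidth before anything is queued or dropped here. Only the
# upload pipe (2) actually protects the WAN link.
dummynet_rules() {
    cat <<EOF
ipfw pipe 1 config bw ${RATE_KBIT}Kbit/s mask dst-ip 0xffffffff queue 50
ipfw pipe 2 config bw ${RATE_KBIT}Kbit/s mask src-ip 0xffffffff queue 50
ipfw add 100 pipe 1 ip from any to ${LAN_NET} in recv ${WAN_IF}
ipfw add 200 pipe 2 ip from ${LAN_NET} to any out xmit ${WAN_IF}
EOF
}

# Squid delay pool, class 2: an aggregate bucket plus one bucket per client
# IP. "-1/-1" leaves the aggregate unlimited so only the per-client rate
# applies. Each pair is restore_rate/max_bytes, in bytes.
squid_delay_pools() {
    bps=$(rate_bytes_per_sec "$RATE_KBIT")
    cat <<EOF
acl localnet src ${LAN_NET}
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 ${bps}/${bps}
delay_initial_bucket_level 100
delay_access 1 allow localnet
delay_access 1 deny all
EOF
}

# Print both configs when run directly.
echo "# dummynet (pfSense Limiter equivalent)"
dummynet_rules
echo
echo "# squid.conf delay pools"
squid_delay_pools
```

On pfSense itself the dummynet part is done in the GUI (Firewall > Traffic Shaper > Limiters, one limiter per direction with Mask set to destination addresses for download and source addresses for upload), then attached to the LAN firewall rule as In/Out pipes; the `ipfw` lines above are the equivalent on a plain FreeBSD box. The Squid stanza goes into the proxy's `squid.conf` and limits only HTTP that passes through the proxy.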