Last Updated on December 30, 2024 by Thiago Crepaldi
In pfSense’s documentation’s own words, “the basic idea of traffic shaping is raising and lowering the priorities of packets or keeping them under a certain speed. This concept seems simple, however, the number of ways in which this concept can be applied is vast.” pfSense supports both the “Traffic shaper” and “Limiters” (and they can be used simultaneously), but in this post we will focus on “Limiters”. I’ll show you how to limit the speed of specific VPN client/VPN server interfaces, the speed of Guest/IoT Wi-Fi networks and even of specific PCs!
Limiters are implemented in a simple two-step process:
- Define Limiters, which describe the speed limits you want to impose
- Assign Limiters through Firewall rules
Defining Limiters
Limiters are like water pipes: their diameter defines how much throughput they can handle. We can create a single pipe for both traffic directions (up and down), but sharing one pipe makes them work half-duplex. Because of that, we will create one pipe per direction, which gives finer control and full-duplex throughput. The direction is from the perspective of the interface, so when using limiters on LAN, the inbound queue is upload towards the “Internet” and the outbound queue is download “from the Internet”.
For the next sections, I will describe how to limit bandwidth on a Guest Wi-Fi network as a concrete example; later we will discuss more applications.
Example: Limiting Guest Wi-Fi bandwidth
If you followed my post on Isolating wifi traffic using VLANs, you should have a VLAN100 interface on your pfSense. We will use that as an example, but you can expand this concept to any other interface, including LAN.
Creating upstream pipe
Navigate to Firewall >> Traffic Shaper >> Limiters, click on New limiter and fill in the form as follows:
- Limiters
  - Enable: checked
  - Name: VLAN100_Up
    - Use an intuitive name such as this, which refers to the interface and direction
- Bandwidth:
  - Bandwidth: 5
  - Bw type: Mbps
  - Schedule: None
- Mask:
  - Mask: Source address
    - We usually set “source address” for the up direction
  - IPv4 Mask bits: 32
  - IPv6 Mask bits: 128
- Description: Internet upload speed for VLAN100 (guest wifi)
You can leave both the Queue and Advanced options at their default values. Click Save and then Apply Changes to create this pipe.
Creating downstream pipe
Repeat the same process as before, but now for the downstream direction:
- Limiters
  - Enable: checked
  - Name: VLAN100_Down
- Bandwidth:
  - Bandwidth: 5
  - Bw type: Mbps
  - Schedule: None
- Mask:
  - Mask: Destination address
    - We usually set “destination address” for the down direction
  - IPv4 Mask bits: 32
  - IPv6 Mask bits: 128
- Description: Internet download speed for VLAN100 (guest wifi)
You can leave both the Queue and Advanced options at their default values. Click Save and then Apply Changes to create this pipe.
Assigning limiters to firewall rules
At this point, you have created at least one pair of pipes (up and down) that you want to enforce. Now we have to modify the firewall rules to start using those limiters.
Example: Limiting Guest Wi-Fi bandwidth
Continuing our Guest Wi-Fi bandwidth limiting, navigate to Firewall >> Rules >> VLAN100 to list all your rules. If you followed my post, there will be a “Default allow Internet-only rule” rule that allows Internet connections. Click on Edit (pencil icon).
Scroll down to the Extra Options section and click on the Display Advanced button, then scroll until you reach the In / Out pipe parameter. This is where we assign the pipes we created before:
- In: VLAN100_Up
- Out: VLAN100_Down
Click Save and Apply Changes. To test your limiter, connect to your guest Wi-Fi network and perform a speed test, for example at https://speedtest.net
More scenarios…
In the previous sections we discussed how to limit guest wireless speeds, but the applications are endless because limiters are applied to firewall rules individually: each firewall rule can have its own set of pipes. In the next sections I will briefly mention examples, but not necessarily step-by-step instructions. Let me know if you need specific examples and I can try to help!
Limiting Internet speeds for specific IPs
In general terms, you need to split LAN traffic (using an RFC1918 firewall IP alias) into several firewall rules instead of having a single “Default allow all” rule.
Make sure you have a set of rules that allow traffic with a local destination without limiters (e.g. Destination is RFC1918). We all love our super fast local network.
Next, make sure you have rules that handle Internet traffic. You probably need one rule for Internet incoming traffic (Source is “not RFC1918”) and another for outgoing traffic (Destination is “not RFC1918”). Those Internet rules are the ones on which you have to set the In/Out pipes!
Limiting Internet speed for IoT, OpenVPN Server, etc
Just like we did for guest Wi-Fi, we can create a pair of pipes for the IoT VLAN interface or for OpenVPN server interfaces.
Schedules (time based rules)
So far we have been tackling rules that are applied to either individual IPs or subnets (through interfaces). But you can also add time-based limiters. Going back to the Guest Wi-Fi example, you can apply the speed limit only on specific days and/or times! How? You create a schedule and, when assigning the pipes to the firewall rule, you also set the previously created schedule. That simple!
To create a schedule, go to Firewall >> Schedules and click on Add, give it an intuitive name and description, and pick your combination of month, date and time to enforce. Click Save and Apply Changes to finish, as usual. Now you can edit your firewall rule and select your schedule along with the In / Out pipes!
Final words..
Always test speeds afterwards to make sure you are 1) limiting what you want and 2) not limiting what you don’t want to limit! It is easy to test whether the limit works for the intended IPs/interfaces, and it is equally easy for unexpected devices to be affected by an incomplete configuration! One important note is that the schedule is applied to the firewall rule, not to the limiter. Because of that, if you are applying a limiter on a schedule and want to allow unlimited traffic when the schedule is not in effect, duplicate the rule you are limiting on a schedule. The rule above is the one with the limiter and schedule; the identical one below has neither. Now, when the schedule is in effect, the first rule matches first and applies the limiter. When the schedule is not in effect, the second rule matches and allows traffic without any bandwidth limitation. Without the second identical rule, you could have no traffic at all – which might be something you want to do 🙂
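The rule-ordering argument above, as a small Python model added here (it is not pfSense code): a pfSense-style first-match pass over the rule list, where a scheduled rule is skipped outside its schedule and no match falls through to the default deny. The schedule, rule descriptions and timestamps are constructed; the pipe names are the ones created earlier in the post.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Constructed model of pfSense first-match rule evaluation (not pfSense code).
# It reproduces only the behaviour the post describes: a rule carries optional
# In/Out pipes and an optional schedule, and is skipped while its schedule is inactive.

@dataclass
class Schedule:
    name: str
    weekdays: frozenset        # 0 = Monday ... 6 = Sunday
    start_hour: int            # inclusive
    end_hour: int              # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour

@dataclass
class Rule:
    description: str
    in_pipe: Optional[str] = None    # limiter for traffic entering the interface (upload on a LAN-side rule)
    out_pipe: Optional[str] = None   # limiter for traffic leaving the interface (download on a LAN-side rule)
    schedule: Optional[Schedule] = None

    def applies(self, when: datetime) -> bool:
        # A scheduled rule is only considered while its schedule is active.
        return self.schedule is None or self.schedule.active(when)

def evaluate(rules, when: datetime) -> Tuple[str, Optional[str], Optional[str]]:
    """First matching pass rule wins; with no match, the implicit default deny applies."""
    for rule in rules:
        if rule.applies(when):
            return ("pass", rule.in_pipe, rule.out_pipe)
    return ("block", None, None)

# Constructed schedule: weekday evenings, 18:00-23:00.
EVENINGS = Schedule("GuestEvenings", frozenset({0, 1, 2, 3, 4}), 18, 23)
LIMITED = Rule("Default allow Internet-only (limited)", "VLAN100_Up", "VLAN100_Down", EVENINGS)
UNLIMITED = Rule("Default allow Internet-only (unlimited)")   # identical rule, no limiter, no schedule

IN_SCHEDULE = datetime(2024, 12, 30, 20, 0)    # Monday 20:00 (constructed)
OFF_SCHEDULE = datetime(2024, 12, 30, 9, 0)    # Monday 09:00 (constructed)

def single_rule(when: datetime):
    return evaluate([LIMITED], when)              # only the scheduled, limited rule

def with_fallback(when: datetime):
    return evaluate([LIMITED, UNLIMITED], when)   # order matters: limited rule must come first

if __name__ == "__main__":
    for label, when in (("in schedule", IN_SCHEDULE), ("off schedule", OFF_SCHEDULE)):
        print(label, "| single rule:", single_rule(when), "| with fallback:", with_fallback(when))
```

Swapping the two rules puts the unlimited rule first, so it matches even during the schedule and the limiter is never applied; the model shows that too.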
Have (un)limited fun!
This was really helpful, thank you.