
Bandwidth Limiting with the pfSense Limiter

October 17, 2013 by maximumdx



Creating a limiter in pfSense 2.1
Although we have covered a number of powerful features that are part of pfSense's traffic
shaping capabilities, we haven't yet covered one of the most interesting and useful features: the
ability to limit users' upload and download speed. In this article, I will describe how to use the
pfSense bandwidth limiter.
Using the Bandwidth Limiter
To invoke the bandwidth limiter, first navigate to Firewall -> Traffic Shaper, and click on the
Limiter tab. At this tab, click on the plus button to add a new limiter. Check the Enable limiter and
its children checkbox, and for the Name field, enter a name for the new limiter. At
Bandwidth, click on the plus button to add a bandwidth limit. There are four options:
Bandwidth, Burst, Bw type and Schedule. Bandwidth is the maximum transfer
rate, while Burst is the total amount of data that will be transferred at full speed after an idle
period and is apparently a new setting under pfSense 2.1. Bw type allows you to select
between Kbit/s, Mbit/s, Gbit/s, and bit/s. Schedule does not seem to have any options.
In the next section, Mask, you can select Source address or Destination address in the
drop-down box. If either one is chosen, a dynamic pipe with the bandwidth, delay, packet loss
and queue size specified in the Bandwidth section will be created for each source or
destination IP address encountered, respectively. This makes it possible to easily specify
bandwidth limits per host. In the next two fields, you can specify the IPv4 and IPv6 mask bits. At
Description, you can enter a description, which will not be parsed.
Underneath Description is the Show advanced options button. Pressing this button reveals
some additional settings. Delay allows you to specify a delay before packets are delivered to
their destination (leaving it blank or entering 0 means there is no delay). Packet loss rate
allows you to specify the rate at which packets are dropped (e.g. 0.001 means 1 packet per 1000
gets dropped). Again, you can leave this blank. Queue size allows you to specify a number of
slots for the queue, and Bucket size allows you to set the hash size. Finally, press the Save
button to save the limiter or Delete virtual interface to delete it. Press Apply changes on
the next page to apply the changes.
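The effect of the Mask setting can be seen in a small model. The following is an added example, not pfSense code and not part of the original article: it treats each pipe as a simple FIFO drained at the configured bandwidth and ignores delay, packet loss, queue size and burst. The function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

def pipe_key(addr, v4_bits=32, v6_bits=128):
    """Network that identifies the dynamic pipe for addr under the mask bits."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def simulate(packets, bandwidth_bps, mask=None, v4_bits=32, v6_bits=128):
    """Return {pipe: time in seconds at which its last packet leaves}.

    packets: (arrival_s, src, dst, size_bytes) tuples.
    mask: None (one shared pipe), "source" or "destination".
    """
    busy_until = {}
    for arrival, src, dst, size in sorted(packets):
        if mask == "source":
            key = pipe_key(src, v4_bits, v6_bits)
        elif mask == "destination":
            key = pipe_key(dst, v4_bits, v6_bits)
        else:
            key = "shared"
        # A packet starts transmitting once it has arrived and the pipe is free.
        start = max(arrival, busy_until.get(key, 0.0))
        busy_until[key] = start + size * 8 / bandwidth_bps
    return busy_until

# Constructed sample: two LAN hosts each upload 125,000 bytes (1 Mbit) at t=0.
PACKETS = [
    (0.0, "192.168.1.10", "203.0.113.5", 125_000),
    (0.0, "192.168.1.11", "203.0.113.5", 125_000),
]

if __name__ == "__main__":
    limit = 1_000_000  # 1 Mbit/s limiter
    print("no mask:        ", simulate(PACKETS, limit))
    print("source, /32:    ", simulate(PACKETS, limit, mask="source"))
    print("source, /24:    ", simulate(PACKETS, limit, mask="source", v4_bits=24))
    print("destination /32:", simulate(PACKETS, limit, mask="destination"))
```

With no mask, or with mask bits that put both hosts in the same network, the two uploads share one pipe and the second finishes a second later; with a /32 source mask each host gets the full configured rate to itself.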

Creating a firewall rule to limit upload bandwidth. Note that we are using the limiter created in
the previous step.
Now, the limiter that we just created should be available when we go to make or edit firewall
rules. As an example, we can use the limiter created in the previous step to limit the upload
bandwidth to 1 GB. Navigate to Firewall -> Rules, and click on the LAN tab. Press the plus
button to add a new rule. Leave the Action as Pass, the Interface as LAN, and the TCP/IP
Version as IPv4. The Source should be set to LAN subnet, and the Destination should
be left as Type: any. After entering a Description, scroll down to advanced features and press
the Advanced button next to In/Out, and set the In queue to the limiter created in the
previous step. Then press Save to save the rule and Apply changes on the next page.
Now, the upload bandwidth on the LAN interface should be limited to 1 Gb/sec. When you
navigate to Firewall -> Rules and click on the LAN tab, you should see a small purple circle
next to the newly-created rule, indicating that the rule invokes the limiter. If you wanted to
limit the download bandwidth, this could easily be done; just create another limiter specifying
the maximum download bandwidth, and set the Out queue in the rule to the new limiter (or if
you just want to make the upload and download bandwidth the same, use the original limiter).
