[pfSense] 2 LANs and time based limits

Adam Thompson athompso at athompso.net
Fri May 11 07:51:08 EDT 2012

> So am I correct with this scenario :
> 1 - Create the 7a.m. to 6p.m. schedule
> 2 - Create a single limiter, say 20 Mbits/s, with no other option,
> to dedicate 20 Mbits/s to classrooms (so apartments will use the
> remaining bandwidth that is still available when this limiter
> applies)
> 3 - When creating a rule, I add this rule only to the "classrooms"
> interface, and use the single limiter's name in both the IN and OUT
> drop down lists in the "Advanced features" of rule creation. Then I
> put this rule with "PASS" mode at the top for it to be evaluated
> first (or is it important at all where I put it wrt other rules) ?
> Am I correct ?
> Thanks for your feedback, I've never used limiters before and since
> I'll do this on the production system I'd like to not make too many
> mistakes.
> Thanks in advance for your help

That looks right, BUT...

QoS on ADSL is notoriously difficult, and does not usually work quite as 
expected.  There are implementation issues to blame, as well as a 
theoretical/logical problem.

When you configure your system as described, you will rarely - if ever - 
get exactly the results you expected.  Aim for "good enough", instead of 
"perfect" and you will likely succeed.

First and foremost: you do not directly control what data is being 
transmitted to you.  You have indirect control over it, at most.  To fully 
control the downstream (i.e. towards you) traffic flow, you would need to 
have a device sitting at the ISP end of the connection implementing your 
I have this problem as an ISP; the best traffic shaper in the world can 
only *indirectly* affect what comes back down the pipe towards me.  I can 
easily drop packets once they arrive at my network (and artificially limit 
what each client receives), but at that point, why bother, because they've 
already consumed the scarce resource: incoming bandwidth.

You *will* be able to control outgoing bandwidth - as long as you never 
saturate the ADSL modems' buffers.  This means capping the outbound 
bandwidth at around 95% of your theoretical upstream; this needs to be 
done on the last device before the modem, so I hope your load-balancer can 
do this!  Depending on how your load-balancer works, the bandwidth you 
need to limit to at the pfSense gateway might not be obvious - some 
experimentation may be required.

(BTW: for a more detailed explanation of why you need to cap outbound 
bandwidth, read 

Assuming you aren't hosting publicly-available services (e.g. a public 
webserver or FTP site) standard traffic-shaping tools like what pfSense 
provides will probably be good enough for your purposes.

-Adam Thompson
 athompso at athompso.net
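The point about capping outbound bandwidth below the ADSL upstream rate, as an added worked example that is not part of the list post above: a small fluid model of the upstream path (offered load -> pfSense limiter -> modem buffer -> ADSL link). It compares no cap, a cap guessed above the true sync rate (the "experimentation may be required" case), and a cap at 95% of the sync rate. All rates, the 64 KB modem buffer, the 5 s run length and the function names are constructed assumptions, not measurements from anyone's network.

```python
"""Added example, not from the pfSense list post: a fluid model of an ADSL
upstream showing where the backlog ends up when the outbound cap is absent,
set above the true sync rate, or set at 95% of it as the reply recommends.
All rates, buffer sizes and durations are constructed assumptions.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    modem_backlog_max: float   # worst-case bytes sitting in the modem buffer
    modem_delay_ms: float      # queueing delay that backlog adds on the link
    modem_drops: float         # bytes the modem discarded (buffer full)
    shaper_backlog_max: float  # worst-case bytes queued inside pfSense instead


def kbps_to_bytes_per_ms(kbps: float) -> float:
    # 1 kbit/s = 1000 bit/s = 125 byte/s = 0.125 byte/ms
    return kbps * 0.125


def simulate(upstream_kbps: float, cap_kbps: Optional[float], offered_kbps: float,
             modem_buffer_bytes: float = 64 * 1024, duration_ms: int = 5000) -> Outcome:
    """Offered load enters pfSense, passes the (optional) limiter, then the modem.
    The modem drains at the true sync rate; what it cannot drain queues in its
    buffer and is dropped once the buffer is full. Fluid model: one step = 1 ms.
    Backlog held in pfSense is the backlog the limiter/queues can still order;
    backlog held in the modem is beyond pfSense's control."""
    link = kbps_to_bytes_per_ms(upstream_kbps)
    cap = kbps_to_bytes_per_ms(cap_kbps) if cap_kbps is not None else None
    offered = kbps_to_bytes_per_ms(offered_kbps)

    shaper_q = modem_q = 0.0
    shaper_max = modem_max = drops = 0.0
    for _ in range(duration_ms):
        # pfSense side: everything arrives, the limiter releases at most `cap`
        shaper_q += offered
        released = shaper_q if cap is None else min(shaper_q, cap)
        shaper_q -= released
        shaper_max = max(shaper_max, shaper_q)

        # modem side: drains at the true link rate, buffers the rest, drops overflow
        modem_q += released
        modem_q -= min(modem_q, link)
        if modem_q > modem_buffer_bytes:
            drops += modem_q - modem_buffer_bytes
            modem_q = modem_buffer_bytes
        modem_max = max(modem_max, modem_q)

    return Outcome(modem_max, modem_max / link, drops, shaper_max)


def recommended_cap(upstream_kbps: float, fraction: float = 0.95) -> float:
    """The reply's rule of thumb: cap outbound at about 95% of the upstream sync rate."""
    return upstream_kbps * fraction


if __name__ == "__main__":
    up, load = 1024.0, 2048.0   # 1 Mbit/s ADSL upstream, 2x offered load (constructed)
    for label, cap in (("no cap", None),
                       ("cap guessed too high", 1100.0),
                       ("95% cap", recommended_cap(up))):
        r = simulate(up, cap, load)
        print(f"{label:22s} modem backlog {r.modem_backlog_max:8.0f} B "
              f"(+{r.modem_delay_ms:6.1f} ms), modem drops {r.modem_drops:8.0f} B, "
              f"pfSense backlog {r.shaper_backlog_max:8.0f} B")
```

With no cap the modem buffer fills completely (64 KB on a 1 Mbit/s link is about half a second of extra latency for every packet, classroom or apartment alike) and then drops; with a cap only slightly above the real sync rate the modem still accumulates backlog, just more slowly; with the cap below the sync rate the modem stays empty and the entire backlog sits inside pfSense, which is the only place the limiters and rule ordering from the thread can act on it.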

