mirror of https://github.com/opnsense/docs synced 2024-11-15 06:12:58 +00:00
opensense-docs/source/manual/how-tos/shaper_limit_per_user.rst
2021-12-22 10:28:14 +01:00


====================================================
Limit maximum internet bandwidth users can consume
====================================================

For this example we will divide the internet download traffic between the connected
users in such a way that each user receives up to a maximum of 1 Mbps.

.. nwdiag::
    :scale: 100%
    :caption: Simple network diagram

    nwdiag {
      span_width = 90;
      node_width = 180;
      Internet [shape = "cisco.cloud"];
      pc [label="Connected PC's",shape="cisco.pc"];
      pc -- switchlan;

      network LAN {
        switchlan [label="",shape = "cisco.workgroup_switch"];
        label = "LAN OPNsense";
        address ="192.168.1.x/24";
        fw1 [label="OPNsense",address="192.168.1.1/24"];
      }
      network WAN {
        label = ".WAN OPNsense";
        fw1 [label="OPNsense", shape = "cisco.firewall", address="172.10.1.1/32"];
        Internet;
      }
    }

To start go to :menuselection:`Firewall --> Shaper --> Pipes`.

Step 1 - Create download and upload pipes
-----------------------------------------

On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will pop up.

Create Pipe For Download

====================== ================ ================================================
**enabled**            Checked          *Check to enable the pipe*
**bandwidth**          1                *Numeric value of the desired bandwidth*
**bandwidth Metric**   Mbit/s           *Metric to use with the numeric value*
**mask**               destination      *Dynamic pipe per downloading client*
**description**        PipeDown-1Mbps   *Free field, enter something descriptive*
====================== ================ ================================================

Create Pipe For Upload

====================== ================ ================================================
**enabled**            Checked          *Check to enable the pipe*
**bandwidth**          1                *Numeric value of the desired bandwidth*
**bandwidth Metric**   Mbit/s           *Metric to use with the numeric value*
**mask**               source           *Dynamic pipe per uploading client*
**description**        PipeUp-1Mbps     *Free field, enter something descriptive*
====================== ================ ================================================

.. Note::
    Always create separate pipes for download and upload limiting to avoid
    undefined behaviour when mixing bidirectional traffic in a single pipe.

Step 2 - Create rules
----------------------

On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will pop up.

Create a rule for traffic coming from the internet (download).

====================== ================= =====================================================
**sequence**           21                *Auto generated number, overwrite only when needed*
**interface**          WAN               *Select the interface connected to the internet*
**proto**              ip                *Select the protocol, IP in our example*
**source**             any               *The source address, leave on any*
**src-port**           any               *The source port to shape, leave on any*
**destination**        192.168.1.0/24    *The destination IP to shape, select LAN network*
**dst-port**           any               *The destination port to shape, leave on any*
**target**             PipeDown-1Mbps    *Select the 1 Mbps download pipe*
**description**        ShapeDownload     *Enter a descriptive name*
====================== ================= =====================================================

Create a rule for traffic going to the internet (upload).

====================== ================= =====================================================
**sequence**           22                *Auto generated number, overwrite only when needed*
**interface**          WAN               *Select the interface connected to the internet*
**proto**              ip                *Select the protocol, IP in our example*
**source**             192.168.1.0/24    *The source IP to shape, select LAN network*
**src-port**           any               *The source port to shape, leave on any*
**destination**        any               *The destination address, leave on any*
**dst-port**           any               *The destination port to shape, leave on any*
**target**             PipeUp-1Mbps      *Select the 1 Mbps upload pipe*
**description**        ShapeUpload       *Enter a descriptive name*
====================== ================= =====================================================

.. Note::
    If you want to limit traffic for specific IP addresses only, enter
    those IP addresses in the destination field instead of the full
    LAN network range.

Now press |apply| to activate the traffic shaping rules.

*Screenshot Rules*

.. image:: images/shaping_rules_s3.png
    :width: 100%
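
A consistency check for the pipes and rules configured above, as an added example that is not part of the OPNsense documentation or code. The dictionaries are constructed sample data that reuse the field names from the tables (not an OPNsense export format), and ``lint`` is a hypothetical helper: it verifies that download rules target a pipe masked on destination, that upload rules target one masked on source, and that no pipe serves both directions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN network used in this how-to
WANT_MASK = {"download": "destination", "upload": "source"}

# Constructed sample data (not an OPNsense export), keyed by the table fields above.
PIPES = {"PipeDown-1Mbps": {"mask": "destination"},
         "PipeUp-1Mbps": {"mask": "source"}}
RULES = [
    {"description": "ShapeDownload", "source": "any",
     "destination": "192.168.1.0/24", "target": "PipeDown-1Mbps"},
    {"description": "ShapeUpload", "source": "192.168.1.0/24",
     "destination": "any", "target": "PipeUp-1Mbps"},
]

def in_lan(addr):
    """True when addr is a host or subnet inside the LAN network."""
    return addr != "any" and ipaddress.ip_network(addr, strict=False).subnet_of(LAN)

def direction(rule):
    """Classify a rule by which side of it holds the LAN clients."""
    src, dst = in_lan(rule["source"]), in_lan(rule["destination"])
    if dst and not src:
        return "download"
    if src and not dst:
        return "upload"
    return "unknown"

def lint(pipes, rules):
    """Return findings where the per-user limit would not behave as described."""
    findings, used_by = [], {}
    for rule in rules:
        name, way = rule["target"], direction(rule)
        pipe = pipes.get(name)
        if pipe is None:
            findings.append(f"{rule['description']}: unknown pipe {name}")
            continue
        used_by.setdefault(name, set()).add(way)
        mask = pipe["mask"] or "empty"  # an empty mask means one shared limit
        if way in WANT_MASK and mask != WANT_MASK[way]:
            findings.append(f"{rule['description']}: {way} rule needs mask "
                            f"'{WANT_MASK[way]}' on {name}, found '{mask}'")
    for name, ways in sorted(used_by.items()):
        if {"download", "upload"} <= ways:
            findings.append(f"{name}: one pipe serves both download and upload")
    return findings
```
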

-----------------------
Prioritize using Queues
-----------------------

By utilizing queues we can influence how the bandwidth within a pipe is divided and
give certain applications more bandwidth than others based on a weighted algorithm.

The idea is simple:
Let's presume we have a pipe of 10 Mbps and two applications, for instance smtp (email)
and http(s). The http(s) traffic gets a weight of 1 and the smtp traffic a
weight of 9. When all capacity of our pipe is in use, the email traffic will
get 9x more bandwidth than our http(s) traffic, resulting in 1 Mbps for http(s)
and 9 Mbps for smtp.

For our example we only look at download traffic, but the exact same can be done
for the upload traffic.

+----------------+--------+-------------------+
| Application    | Weight | Minimum Bandwidth |
+================+========+===================+
| SMTP (port 25) | 9      | 9 Mbps            |
+----------------+--------+-------------------+
| HTTP (80)      |        |                   |
+----------------+ 1      | 1 Mbps            |
| HTTPS (443)    |        |                   |
+----------------+--------+-------------------+

To start go to :menuselection:`Firewall --> Shaper --> Pipes`.

Step 1 - Create Download Pipe
------------------------------

On the **Pipes** tab click the **+** button in the lower right corner.
An empty **Edit Pipe** screen will pop up.

Create Pipe For Download (10 Mbps)

====================== ================= ===============================================
**enabled**            Checked           *Check to enable the pipe*
**bandwidth**          10                *Numeric value of the desired bandwidth*
**bandwidth Metric**   Mbit/s            *Metric to use with the numeric value*
**mask**               (empty)           *Leave empty*
**description**        PipeDown-10Mbps   *Free field, enter something descriptive*
====================== ================= ===============================================

Step 2 - Create Queues
----------------------

On the **Queues** tab click the **+** button in the lower right corner.
An empty **Edit queue** screen will pop up.

Create Queue for SMTP

====================== ================== ================================================
**enabled**            Checked            *Check to enable the queue*
**pipe**               PipeDown-10Mbps    *Select our Pipe*
**weight**             9                  *Weight of this queue within the pipe*
**mask**               (empty)            *Leave empty*
**description**        Queue-SMTP         *Free field, enter something descriptive*
====================== ================== ================================================

Create Queue for HTTP

====================== ================== ================================================
**enabled**            Checked            *Check to enable the queue*
**pipe**               PipeDown-10Mbps    *Select our Pipe*
**weight**             1                  *Weight of this queue within the pipe*
**mask**               (empty)            *Leave empty*
**description**        Queue-HTTP         *Free field, enter something descriptive*
====================== ================== ================================================

Step 3 - Create Rules
----------------------

On the **Rules** tab click the **+** button in the lower right corner.
An empty **Edit rule** screen will pop up.

Create a rule for smtp download traffic (email)

====================== =================== =====================================================
**sequence**           11                  *Auto generated number, overwrite only when needed*
**interface**          WAN                 *Select the interface connected to the internet*
**proto**              ip                  *Select the protocol, IP in our example*
**source**             any                 *The source address, leave on any*
**src-port**           smtp                *The source port to shape, smtp or 25*
**destination**        any                 *The destination IP to shape, leave on any*
**dst-port**           any                 *The destination port to shape, leave on any*
**target**             Queue-SMTP          *Select the SMTP queue*
**description**        ShapeSMTPDownload   *Enter a descriptive name*
====================== =================== =====================================================

Create a rule for HTTP download traffic

====================== =================== =====================================================
**sequence**           21                  *Auto generated number, overwrite only when needed*
**interface**          WAN                 *Select the interface connected to the internet*
**proto**              ip                  *Select the protocol, IP in our example*
**source**             any                 *The source address, leave on any*
**src-port**           http                *The source port to shape, http or 80*
**destination**        any                 *The destination IP to shape, leave on any*
**dst-port**           any                 *The destination port to shape, leave on any*
**target**             Queue-HTTP          *Select the HTTP queue*
**description**        ShapeHTTPDownload   *Enter a descriptive name*
====================== =================== =====================================================

Adding an extra rule for HTTPS traffic is simple, as we can use the same HTTP queue if we like:

====================== ==================== =====================================================
**sequence**           31                   *Auto generated number, overwrite only when needed*
**interface**          WAN                  *Select the interface connected to the internet*
**proto**              ip                   *Select the protocol, IP in our example*
**source**             any                  *The source address, leave on any*
**src-port**           https                *The source port to shape, https or 443*
**destination**        any                  *The destination IP to shape, leave on any*
**dst-port**           any                  *The destination port to shape, leave on any*
**target**             Queue-HTTP           *Select the HTTP queue*
**description**        ShapeHTTPSDownload   *Enter a descriptive name*
====================== ==================== =====================================================

This way HTTP and HTTPS traffic will be treated the same (total max of 1 Mbps).

Now press |apply| to activate the traffic shaping rules.

*Screenshot Rules*

.. image:: images/shaping_rules_s4.png
    :width: 100%

.. |apply| image:: images/applybtn.png
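
How the weights divide the 10 Mbps pipe between Queue-SMTP and Queue-HTTP, as an added example that is not part of the OPNsense documentation or code. It assumes an idealized work-conserving weighted fair-sharing model; the offered loads are constructed values, and ``shape`` and its helpers are hypothetical names. Under full load the queues receive 9 and 1 Mbps, and capacity that an idle queue leaves unused goes to the busy one, which is why the table above lists these figures as minimum bandwidth.

```python
PIPE_MBPS = 10  # PipeDown-10Mbps
WEIGHTS = {"Queue-SMTP": 9, "Queue-HTTP": 1}
# src-port -> queue, as in the three rules above (HTTP and HTTPS share one queue)
RULES = {25: "Queue-SMTP", 80: "Queue-HTTP", 443: "Queue-HTTP"}

def queue_demand(flows):
    """Sum offered load (Mbps) per queue; flows are (src_port, mbps) pairs.
    Ports without a matching rule never enter these queues and are skipped."""
    demand = {q: 0.0 for q in WEIGHTS}
    for port, mbps in flows:
        if port in RULES:
            demand[RULES[port]] += mbps
    return demand

def weighted_shares(capacity, weights, demand):
    """Weighted max-min fair allocation of capacity across backlogged queues."""
    alloc = {q: 0.0 for q in weights}
    active = {q for q in weights if demand[q] > 0}
    remaining = float(capacity)
    while active:
        total_w = sum(weights[q] for q in active)
        share = {q: remaining * weights[q] / total_w for q in active}
        # Queues asking for no more than their weighted share are fully served.
        done = {q for q in active if demand[q] <= share[q]}
        if not done:
            alloc.update(share)  # everyone is backlogged: split by weight
            break
        for q in done:
            alloc[q] = demand[q]
            remaining -= demand[q]
        active -= done  # leftover capacity is re-divided among the rest
    return alloc

def shape(flows):
    """Allocated Mbps per queue for a set of download flows."""
    return weighted_shares(PIPE_MBPS, WEIGHTS, queue_demand(flows))
```
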