18.1 Legacy Series / [Feature Request] - Per destination IP accounting and dynamic rules
« on: February 26, 2018, 08:08:37 am »
I have an OPNsense firewall running as a GW into my server farm. I want to have the ability to track traffic on a per LAN host basis and trigger a deny all when total bandwidth in a configured time period hits a configured level.
I have a total BW package with my service of 4 tb per month. I have 4 clients on web servers behind the firewall and I'd like to be able to ensure that no single client can use up the total BW for the month by themselves.
Since OPNsense tracks IPs and, with Netflow, BW used per IP, I would think it wouldn't be too hard to have a rule where if host X goes over, say, 1TB then the rule defaults to drop? Otherwise allow. Similar to hotelling but for servers hosted on the LAN side.
I would think the config wouldn't be too hard: add a host, a BW limit and a time (week, month, X) and away it goes? With Netflow the BW used would be sustained across reboots (as opposed to rule counters).
It would be super useful, and I've seen multiple requests for a similar feature on quite a few forums. It can be done with nftables and some fiddling, but having it in your edge firewall natively would rock.
Any thoughts?
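The accounting the request describes (bytes per LAN host, bucketed per month or week, compared against a quota, with the counters persisted so they survive a reboot) is small enough to sketch. The script below is an added example, not OPNsense code and not part of the original post. It assumes flow records have already been exported (for instance from Netflow) as `(epoch seconds, src, dst, bytes)` tuples, that the LAN side is the single constructed subnet `192.168.10.0/24`, and that the sample flows are constructed for illustration. `over_quota` returns the addresses that a block table (a pf table on OPNsense, an nftables set elsewhere) should contain for the current period; `dump_state`/`load_state` give the counters a JSON form that can be written to disk and reloaded after a restart.

```python
"""Per-host bandwidth accounting against a periodic quota.
Added example; not OPNsense code. Assumes flow records are available as
(epoch seconds, src, dst, bytes) tuples, e.g. exported by Netflow."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

LAN = ipaddress.ip_network("192.168.10.0/24")   # constructed LAN subnet
QUOTA_BYTES = 1 * 1024**4                        # 1 TiB per host per period

# Constructed sample flow records: (epoch seconds, src, dst, bytes).
SAMPLE_FLOWS = [
    (1519603200, "192.168.10.11", "203.0.113.5", 600 * 1024**3),    # 2018-02-26, outbound
    (1519689600, "203.0.113.7", "192.168.10.11", 500 * 1024**3),    # 2018-02-27, inbound
    (1519603200, "192.168.10.12", "203.0.113.5", 100 * 1024**3),    # 2018-02-26
    (1519862400, "192.168.10.11", "203.0.113.9", 10 * 1024**3),     # 2018-03-01, new period
    (1519603200, "192.168.10.13", "192.168.10.14", 900 * 1024**3),  # LAN-to-LAN, not counted
]


def lan_host(src, dst):
    """Return the LAN host a flow should be charged to, or None for
    LAN-to-LAN or pure transit traffic that counts against nobody."""
    s_in = ipaddress.ip_address(src) in LAN
    d_in = ipaddress.ip_address(dst) in LAN
    if s_in == d_in:
        return None
    return src if s_in else dst


def period_key(ts, period="month"):
    """Bucket an epoch timestamp into the accounting period (month or ISO week)."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    if period == "week":
        year, week, _ = dt.isocalendar()
        return f"{year}-W{week:02d}"
    return dt.strftime("%Y-%m")


def account(flows, period="month", usage=None):
    """Add bytes from flow records into usage[(period_key, host)].
    Pass a previously loaded usage dict to continue counting after a restart."""
    totals = defaultdict(int, usage or {})
    for ts, src, dst, nbytes in flows:
        host = lan_host(src, dst)
        if host is None:
            continue
        totals[(period_key(ts, period), host)] += nbytes
    return dict(totals)


def over_quota(usage, key, quota=QUOTA_BYTES):
    """Hosts whose usage in period `key` exceeds the quota: the addresses
    a block table should contain until the period rolls over."""
    return sorted(host for (p, host), used in usage.items()
                  if p == key and used > quota)


def dump_state(usage):
    """Serialise counters as JSON ('period|host' keys) so they survive a reboot."""
    return json.dumps({f"{p}|{h}": n for (p, h), n in usage.items()}, sort_keys=True)


def load_state(text):
    """Inverse of dump_state."""
    out = {}
    for k, n in json.loads(text).items():
        p, h = k.split("|", 1)
        out[(p, h)] = n
    return out


if __name__ == "__main__":
    usage = account(SAMPLE_FLOWS)
    print("over quota for 2018-02:", over_quota(usage, "2018-02"))
    print("over quota for 2018-03:", over_quota(usage, "2018-03"))
```

Both directions are charged to the LAN host (the quota is on total traffic, not just uploads), LAN-to-LAN flows are ignored, and a flow landing in a new month starts a fresh counter, so a host blocked in February is automatically released in March once the block table is rebuilt from `over_quota`. Persisting the counters rather than relying on rule hit counts is what makes the total survive a reboot, which is the point the post makes about Netflow versus rule counters.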