Captive Portal Per User Bandwidth limiter

Started by remonboonstra, June 10, 2015, 10:53:16 PM

Hi all,

Coming from m0n0wall, I would like to enable per-user bandwidth limitation for Captive Portal users.

Is there any way to achieve this in OPNsense?
I can't find any documentation on traffic shaping in OPNsense, which makes it hard to figure out.

If it's not possible I might need to switch to pfSense :(

thanks,

Remon

June 11, 2015, 08:56:46 AM #1 Last Edit: June 11, 2015, 09:27:28 AM by jschellevis
@remonboonstra and all who are searching for more information on the newly implemented traffic shaper..

Yes, you can, but it works differently, as the feature is not tied to the Captive Portal functionality.

Here is what you can do:

(TIP: For larger version of the images just see the attachments and click or download)

Assumptions
the interface connected to the internet is called: WAN
the interface connected to your captive portal is: LAN
we want to limit the traffic passing between LAN/WAN to 1Mbps per user

STEP 1
Open the Trafficshaper page located at Firewall->Trafficshaper


STEP 2
Now add a pipe by clicking on the icon below the table.
2a To see all options and help, toggle the buttons on top of the edit dialog (advanced mode and full help)
2b Enter the required user bandwidth; we choose 1 here
2c As the bandwidth metric we will use Mbit/s
2d As we want each user to get 1Mbps, we need to mask the traffic based on the source
2e Enter a description so you know what it is



STEP 3
3a Select the Rules tab
3b Click on the icon below the table to add a new rule
3c Enter a sequence (for example, choose 1 here)
3d Select the interface connected to the internet (WAN)
3e Select interface 2 to match only traffic going between the captive portal and the WAN (LAN)
3f Select the target (the pipe we just created)
3g Enter a description and save



STEP 4
Apply the new configuration by pressing Apply.



Done! Now you have limited the traffic on a per-user basis to 1Mbps.




Wow!

It's great that you replied so completely. I will take a look at it as soon as I get a chance and reply if it works as expected!

Thank you!

Remon

You are welcome  :)

Looking forward to your feedback.

Hi,

I tested it, and it works. But to be honest, it is not as obvious to configure as I expected.

I wanted to limit download to 2Mbit and upload to 300Kbit.
I created 2 pipes -> clear, no doubt about that.

The rules tab:
- interface1, interface2
- source, destination
- direction (in, out)

all being the same at some point, I got lost there getting the above fixed.
The solution I use now:

rule1
- interface1: LAN
- source: 192.168.x.x/24
- direction: both
- target: 300kbit pipe

rule2
- interface1: LAN
- destination: 192.168.x.x/24
- direction: both
- target: 2mbit pipe

(advantage: I have multiple WAN ports, so I only need a single entry here).

Is this correctly configured? If so we can close this post.

I will create another related to this (sharing total bandwidth equally).

Thanks for the help!

Remon

Hmmm,

Without Captive Portal it works this way. With Captive Portal enabled, only the upload limit works?

Any reason for that to change when Captive Portal is enabled?

Regards,

Remon

I am not sure why that does not work as expected... but I think it may be related to the fact that both the captive portal and the traffic shaper use ipfw... maybe a rule order issue.

Can you list your ipfw rules and share them?
(ipfw list)

Hi,

This is the list (I am currently changing some settings on the rules tab to test; still no result. It only caps the upload (300kbit)?)


00100 allow pfsync from any to any
00110 allow carp from any to any
00120 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200 skipto 60000 ip6 from ::1 to any
00201 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 skipto 60000 ip6 from any to ::1
00203 skipto 60000 ip4 from any to 127.0.0.0/8
01002 skipto 60000 udp from any to 192.168.5.1 dst-port 53 keep-state
01002 skipto 60000 ip from any to { 255.255.255.255 or 192.168.5.1 } in
01002 skipto 60000 ip from { 255.255.255.255 or 192.168.5.1 } to any out
01002 skipto 60000 icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
01002 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
03021 skipto 12001 ip from table(7) to any via em0
03022 skipto 12001 ip from table(7) to any via em0
03023 skipto 12001 ip from table(9) to any via em0
03024 skipto 12001 ip from table(9) to any via em0
03025 skipto 12001 ip from table(11) to any via em0
03026 skipto 12001 ip from table(11) to any via em0
05002 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in via em0
05002 allow ip from any to any dst-port 80 via em0
06002 skipto 60000 ip from any to any via em1
06003 skipto 60000 ip from any to any via em2
06200 allow tcp from any to any out
06201 skipto 65534 ip from any to any
12001 count ip from any to any via em0
12998 skipto 30000 ip from any to any via em0
12999 deny ip from any to any not via em0
30000 count ip from any to any
30001 count ip from 192.168.5.100 to any
30001 count ip from any to 192.168.5.100
60000 return ip from any to any
60001 pipe 10000 ip from any to 192.168.5.0/24 recv em1 xmit em0
60001 pipe 10000 ip from any to 192.168.5.0/24 xmit em1 recv em0
60002 pipe 10001 ip from 192.168.5.0/24 to any recv em0 xmit em1
60002 pipe 10001 ip from 192.168.5.0/24 to any xmit em0 recv em1
65533 allow ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any


Hope this helps; I can't fully read it myself :)

Thanks!

Can you also do an: ipfw -t list so I can see the accounting?


Hereby, thanks!

00100     0        0 allow pfsync from any to any
00110     0        0 allow carp from any to any
00120     0        0 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130     0        0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140     0        0 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150     0        0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200     0        0 skipto 60000 ip6 from ::1 to any
00201     0        0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202     0        0 skipto 60000 ip6 from any to ::1
00203     0        0 skipto 60000 ip4 from any to 127.0.0.0/8
01002   753    78720 skipto 60000 udp from any to 192.168.5.1 dst-port 53 keep-state
01002   870    94151 skipto 60000 ip from any to { 255.255.255.255 or 192.168.5.1 } in
01002  1394   999423 skipto 60000 ip from { 255.255.255.255 or 192.168.5.1 } to any out
01002     0        0 skipto 60000 icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
01002     0        0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
03021 26233  3268501 skipto 12001 ip from table(7) to any via em0
03022     0        0 skipto 12001 ip from table(7) to any via em0
03023     0        0 skipto 12001 ip from table(9) to any via em0
03024     0        0 skipto 12001 ip from table(9) to any via em0
03025     0        0 skipto 12001 ip from table(11) to any via em0
03026     0        0 skipto 12001 ip from table(11) to any via em0
05002    32     3434 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in via em0
05002     0        0 allow ip from any to any dst-port 80 via em0
06002 78303 55511507 skipto 60000 ip from any to any via em1
06003     0        0 skipto 60000 ip from any to any via em2
06200 42796 50779537 allow tcp from any to any out
06201   732   698156 skipto 65534 ip from any to any
12001 26233  3268501 count ip from any to any via em0
12998 26233  3268501 skipto 30000 ip from any to any via em0
12999     0        0 deny ip from any to any not via em0
30000 26233  3268501 count ip from any to any
30001 14637  2489707 count ip from 192.168.5.100 to any
30001     0        0 count ip from any to 192.168.5.100
60000     0        0 return ip from any to any
60001     0        0 pipe 10000 ip from any to 192.168.5.0/24 recv em1 xmit em0
60001     0        0 pipe 10000 ip from any to 192.168.5.0/24 xmit em1 recv em0
60002 26206  3265473 pipe 10001 ip from 192.168.5.0/24 to any recv em0 xmit em1
60002     0        0 pipe 10001 ip from 192.168.5.0/24 to any xmit em0 recv em1
65533 81347 56688289 allow ip from any to any
65534   732   698156 deny ip from any to any
65535    61    31949 allow ip from any to any
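
As an added illustration (not code from the thread or from OPNsense itself), a small Python helper that parses listings in the `ipfw -a list` layout shown above and pairs each pipe rule's packet counter with the skipto rules that jump into its block, which is the check being done by hand in this thread. The sample listing is a constructed excerpt of the rules above, and the function names are my own.

```python
import re

# Constructed sample in the `ipfw -a list` layout of the listing above
# (rule number, packets, bytes, action, body); not the full ruleset.
SAMPLE_LISTING = """\
05002    32     3434 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in via em0
06002 78303 55511507 skipto 60000 ip from any to any via em1
06200 42796 50779537 allow tcp from any to any out
60000     0        0 return ip from any to any
60001     0        0 pipe 10000 ip from any to 192.168.5.0/24 recv em1 xmit em0
60002 26206  3265473 pipe 10001 ip from 192.168.5.0/24 to any recv em0 xmit em1
65533 81347 56688289 allow ip from any to any
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
# Actions whose first body token is a target (rule number, pipe number, address)
ARG_ACTIONS = {"skipto", "pipe", "queue", "fwd", "call"}

def parse_listing(text):
    """Turn `ipfw -a list` lines into dicts; lines that do not fit are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, nbytes, action, rest = m.groups()
        arg = None
        if action in ARG_ACTIONS:
            arg, _, rest = rest.partition(" ")
            arg = int(arg) if arg.isdigit() else arg  # fwd keeps "127.0.0.1,8002"
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
                      "action": action, "arg": arg, "body": rest})
    return rules

def pipe_report(rules):
    """Pair every pipe rule's hit count with the skipto rules that jump into
    its block (nearest skipto target at or below it). A pipe at 0 packets
    beside a busy skipto means the block is reached but that pipe never matches."""
    targets = {r["arg"] for r in rules if r["action"] == "skipto"}
    report = {}
    for r in rules:
        if r["action"] != "pipe":
            continue
        block = max((t for t in targets if t <= r["num"]), default=None)
        feeders = [(f["num"], f["pkts"]) for f in rules
                   if f["action"] == "skipto" and f["arg"] == block]
        report[r["num"]] = {"pipe": r["arg"], "pkts": r["pkts"],
                            "block": block, "feeders": feeders}
    return report
```

Running `pipe_report(parse_listing(SAMPLE_LISTING))` on the excerpt flags rule 60001 (the download pipe) at 0 packets while its feeder 06002 has 78303 hits, the same mismatch discussed below.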

Ok, it is certainly an issue with the rule processing.
It does not match the download pipe rule...

At the moment I am not sure why... it looks like it hits the "skipto 60000" rule and then on the return just starts processing from rule 06003.

So maybe the skipto should be to rule 60001.

You can try to change it manually in /usr/local/etc/ipfw.rules
Change rule 06002 to:

add 6002 skipto 60001 all from any to any via em1

then reload the rules with:

service ipfw restart

Ok,

I tried: no results.

I reconfigured my rules to:
rule1
- interface1: LAN
- source: 192.168.x.x/24
- direction: both
- target: 300kbit pipe

rule2
- interface1: LAN
- destination: 192.168.x.x/24
- direction: both
- target: 2mbit pipe

and applied, tried: no result.

Modified ipfw.rules again and restarted again: no results.

I currently have my WAN2 not connected; does that matter in this case?

Thanks for your input!

Remon

Just to add the note:

When I disable captive portal the rules work. So it's surely related to the Captive Portal (rules)...

Thank you,

Remon