Topic: Captive Portal Per User Bandwidth limiter (Read 36677 times)
remonboonstra « on: June 10, 2015, 10:53:16 pm »
Hi all,
coming from m0n0wall, I would like to enable Per-User Bandwidth limitation for Captive Portal Users.
Any way to achieve this in OPNsense?
Can't find any documentation on Traffic Shaping in OPNsense, making it hard to figure out.
If it's not possible I might need to switch to pfSense
thanks,
Remon
jschellevis « Reply #1 on: June 11, 2015, 08:56:46 am »
@remonboonstra and all who are searching for more information on the newly implemented traffic shaper..
Yes you can, but it works differently, as the feature is not tied to the Captive Portal functionality.
Here is what you can do:
(TIP: For a larger version of the images just see the attachments and click or download)
Assumptions
- the interface connected to the internet is called: WAN
- the interface connected to your captive portal is: LAN
- we want to limit the traffic passing between LAN/WAN to 1Mbps per user
STEP 1
Open the Trafficshaper page located at Firewall->Trafficshaper
STEP 2
Now add a pipe by clicking on the icon below the table.
2a to see all options and help, toggle the button on top of the edit dialog (advanced mode and full help)
2b enter the required user bandwidth, we choose 1 here
2c as bandwidth metric we will use Mbit/s
2d as we want each user to get 1Mbps we need to mask the traffic based on the source
2e enter a description so you know what it is
STEP 3
3a select the tab Rules
3b click on the icon below the table to add a new rule
3c enter a sequence (for example choose 1 here)
3d select the interface connected to the internet (WAN)
3e select the interface 2 to match only traffic going between the captive portal and the WAN (LAN)
3f select the target (the pipe we just created)
3g enter a description and save
STEP 4
Apply the new configuration by pressing apply
Done! Now you have limited the traffic on a per-user basis to 1Mbps
« Last Edit: June 11, 2015, 09:27:28 am by jschellevis »
remonboonstra « Reply #2 on: June 11, 2015, 09:54:56 am »
Wow!
How great that you replied so completely. I will take a look at it as soon as I get a chance and reply if it works as expected!
Thank you!
Remon
jschellevis « Reply #3 on: June 11, 2015, 10:40:34 am »
You are welcome
Looking forward to your feedback.
remonboonstra « Reply #4 on: June 17, 2015, 12:47:07 pm »
Hi,
tested it, it works. But to be honest it is not as obvious to configure as I expected.
I wanted to limit download on 2Mbit, and upload on 300Kbit.
created 2 pipes -> clear, no doubt about that.
The rules tab:
- interface1, interface2
- source, destination
- direction (in, out)
all being the same in some point, I got lost there getting the above fixed.
solution I used now:
rule1
- interface1: LAN
- source: 192.168.x.x/24
- direction: both
- target: 300kbit pipe
rule2
- interface1: LAN
- destination: 192.168.x.x/24
- direction: both
- target: 2mbit pipe
(advantage: I got multiple WAN ports, so I only need a single entry here).
Is this correctly configured? If so we can close this post.
I will create another related to this (sharing total bandwidth equally).
Thanks for the help!
Remon
remonboonstra « Reply #5 on: June 17, 2015, 01:13:59 pm »
Hmmm,
without Captive Portal it works this way. With Captive Portal enabled only the upload limit works?
Any reason for that to change when Captive Portal is enabled?
Regards,
Remon
jschellevis « Reply #6 on: June 17, 2015, 01:46:11 pm »
I am not sure why that does not work as expected.. but I think it may be related to the fact that both the captive portal and the traffic shaper use ipfw... maybe a rule order issue.
Can you list your ipfw rules and share them ?
(ipfw list)
remonboonstra « Reply #7 on: June 17, 2015, 02:00:14 pm »
Hi,
this is the list (currently changed some settings on the rules tab, to test. Still no result. It only caps the upload (300kbit)?)
00100 allow pfsync from any to any
00110 allow carp from any to any
00120 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200 skipto 60000 ip6 from ::1 to any
00201 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 skipto 60000 ip6 from any to ::1
00203 skipto 60000 ip4 from any to 127.0.0.0/8
01002 skipto 60000 udp from any to 192.168.5.1 dst-port 53 keep-state
01002 skipto 60000 ip from any to { 255.255.255.255 or 192.168.5.1 } in
01002 skipto 60000 ip from { 255.255.255.255 or 192.168.5.1 } to any out
01002 skipto 60000 icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
01002 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
03021 skipto 12001 ip from table(7) to any via em0
03022 skipto 12001 ip from table(7) to any via em0
03023 skipto 12001 ip from table(9) to any via em0
03024 skipto 12001 ip from table(9) to any via em0
03025 skipto 12001 ip from table(11) to any via em0
03026 skipto 12001 ip from table(11) to any via em0
05002 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in via em0
05002 allow ip from any to any dst-port 80 via em0
06002 skipto 60000 ip from any to any via em1
06003 skipto 60000 ip from any to any via em2
06200 allow tcp from any to any out
06201 skipto 65534 ip from any to any
12001 count ip from any to any via em0
12998 skipto 30000 ip from any to any via em0
12999 deny ip from any to any not via em0
30000 count ip from any to any
30001 count ip from 192.168.5.100 to any
30001 count ip from any to 192.168.5.100
60000 return ip from any to any
60001 pipe 10000 ip from any to 192.168.5.0/24 recv em1 xmit em0
60001 pipe 10000 ip from any to 192.168.5.0/24 xmit em1 recv em0
60002 pipe 10001 ip from 192.168.5.0/24 to any recv em0 xmit em1
60002 pipe 10001 ip from 192.168.5.0/24 to any xmit em0 recv em1
65533 allow ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any
hope this helps, can't fully read it myself
Thanks!
jschellevis « Reply #8 on: June 17, 2015, 02:22:14 pm »
Can you also do a:
Code:
ipfw -t list
so I can see the accounting?
jschellevis « Reply #9 on: June 17, 2015, 02:22:57 pm »
sorry I meant:
Code:
ipfw -a list
remonboonstra « Reply #10 on: June 17, 2015, 02:34:52 pm »
Hereby, thanks!
00100 0 0 allow pfsync from any to any
00110 0 0 allow carp from any to any
00120 0 0 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200 0 0 skipto 60000 ip6 from ::1 to any
00201 0 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 0 0 skipto 60000 ip6 from any to ::1
00203 0 0 skipto 60000 ip4 from any to 127.0.0.0/8
01002 753 78720 skipto 60000 udp from any to 192.168.5.1 dst-port 53 keep-state
01002 870 94151 skipto 60000 ip from any to { 255.255.255.255 or 192.168.5.1 } in
01002 1394 999423 skipto 60000 ip from { 255.255.255.255 or 192.168.5.1 } to any out
01002 0 0 skipto 60000 icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
01002 0 0 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
03021 26233 3268501 skipto 12001 ip from table(7) to any via em0
03022 0 0 skipto 12001 ip from table(7) to any via em0
03023 0 0 skipto 12001 ip from table(9) to any via em0
03024 0 0 skipto 12001 ip from table(9) to any via em0
03025 0 0 skipto 12001 ip from table(11) to any via em0
03026 0 0 skipto 12001 ip from table(11) to any via em0
05002 32 3434 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in via em0
05002 0 0 allow ip from any to any dst-port 80 via em0
06002 78303 55511507 skipto 60000 ip from any to any via em1
06003 0 0 skipto 60000 ip from any to any via em2
06200 42796 50779537 allow tcp from any to any out
06201 732 698156 skipto 65534 ip from any to any
12001 26233 3268501 count ip from any to any via em0
12998 26233 3268501 skipto 30000 ip from any to any via em0
12999 0 0 deny ip from any to any not via em0
30000 26233 3268501 count ip from any to any
30001 14637 2489707 count ip from 192.168.5.100 to any
30001 0 0 count ip from any to 192.168.5.100
60000 0 0 return ip from any to any
60001 0 0 pipe 10000 ip from any to 192.168.5.0/24 recv em1 xmit em0
60001 0 0 pipe 10000 ip from any to 192.168.5.0/24 xmit em1 recv em0
60002 26206 3265473 pipe 10001 ip from 192.168.5.0/24 to any recv em0 xmit em1
60002 0 0 pipe 10001 ip from 192.168.5.0/24 to any xmit em0 recv em1
65533 81347 56688289 allow ip from any to any
65534 732 698156 deny ip from any to any
65535 61 31949 allow ip from any to any
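One way to read the `ipfw -a list` counters posted above, as an added example that is not part of the original posts or of OPNsense's code: it totals hits per dummynet pipe and lists allow/deny rules that carry traffic and are numbered below the first pipe rule. The input is an excerpt of the listing from this thread; the function names are illustrative.

```python
import re
from collections import namedtuple

# Excerpt of the `ipfw -a list` output posted in this thread: number, packets, bytes, rule.
SAMPLE = """\
06002 78303 55511507 skipto 60000 ip from any to any via em1
06200 42796 50779537 allow tcp from any to any out
60001 0 0 pipe 10000 ip from any to 192.168.5.0/24 recv em1 xmit em0
60001 0 0 pipe 10000 ip from any to 192.168.5.0/24 xmit em1 recv em0
60002 26206 3265473 pipe 10001 ip from 192.168.5.0/24 to any recv em0 xmit em1
60002 0 0 pipe 10001 ip from 192.168.5.0/24 to any xmit em0 recv em1
65533 81347 56688289 allow ip from any to any
"""

Rule = namedtuple("Rule", "number packets bytes action rest")
LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_accounting(text):
    """Parse accounting lines; anything that is not a counted rule is skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules

def pipe_totals(rules):
    """Sum packets and bytes over all rules that feed each dummynet pipe."""
    totals = {}
    for r in rules:
        if r.action == "pipe":
            pipe_id = int(r.rest.split()[0])
            pkts, byts = totals.get(pipe_id, (0, 0))
            totals[pipe_id] = (pkts + r.packets, byts + r.bytes)
    return totals

def idle_pipes(rules):
    """Pipes whose rules never matched a packet."""
    return sorted(p for p, (pkts, _) in pipe_totals(rules).items() if pkts == 0)

def terminal_before_pipes(rules):
    """allow/deny rules with hits numbered below the first pipe rule; a match there ends evaluation."""
    first = min((r.number for r in rules if r.action == "pipe"), default=0)
    return [r for r in rules if r.number < first
            and r.action in ("allow", "deny") and r.packets > 0]

if __name__ == "__main__":
    parsed = parse_accounting(SAMPLE)
    print(idle_pipes(parsed), [r.number for r in terminal_before_pipes(parsed)])
```

On a live system the same functions can be fed the full output of `ipfw -a list` instead of the excerpt.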
jschellevis « Reply #11 on: June 17, 2015, 03:14:23 pm »
Ok, it is certainly an issue with the rule processing.
It does not match the download pipe rule...
At the moment I am not sure why.. it looks like it hits the "skipto 60000" rule and then on the return just starts processing from rule 06003.
So maybe the skipto should be to rule 60001.
You can try to change it manually in /usr/local/etc/ipfw.rules
change rule 06002 to:
Code:
add 6002 skipto 60001 all from any to any via em1
then reload the rules with:
Code:
service ipfw restart
remonboonstra « Reply #12 on: June 17, 2015, 04:26:29 pm »
Ok,
I tried: no results.
I reconfigured my rules to:
rule1
- interface1: LAN
- source: 192.168.x.x/24
- direction: both
- target: 300kbit pipe
rule2
- interface1: LAN
- destination: 192.168.x.x/24
- direction: both
- target: 2mbit pipe
and applied, tried: no result.
modified ipfw.rules again and restarted again: no results.
I have currently my WAN2 not connected, does that matter in this case?
Thanks for your input!
Remon
remonboonstra « Reply #13 on: June 17, 2015, 08:10:53 pm »
Just to add the note:
When I disable captive portal the rules work. So it's surely related to the Captive Portal (rules)...
Thank you,
Remon