In order to ensure that users or devices within your network cannot consume all available bandwidth, you can limit the amount of bandwidth a host utilizes by setting up dedicated limiters as an alternate method of traffic shaping.
pfSense is an open source firewall/router software distribution based on FreeBSD and can be used to implement per-IP address or per-network bandwidth rate limits. Limiters in pfSense are based on dummynet a traffic shaper, bandwidth manager and delay emulator in FreeBSD.
To configure bandwidth throttling in pfSense you need to:
- setup limiters in pairs (one for incoming and one for outgoing traffic)
- assign traffic to the limiters
Before setting up the limiters you need to know how much effective bandwidth you can use in total. This can be estimated by using Internet Speed Test tools like testmy.net or speedtest.net. If you would like to create an average baseline, you should run multiple test on different days respectively at several times a day. Based on this outcome you can calculate your bandwidth limits for your limiters.
Create a limiter for incoming traffic:
Navigate to Firewall > Traffic Shaper and create a “New Limiter” on the Limiters tab. Set a proper amount for your upload bandwidth and set the Mask to “Source Addresses“:
Create a limiter for outgoing traffic:
Navigate to Firewall > Traffic Shaper and create a “New Limiter” on the “Limiters” tab. Set a proper amount for your download bandwidth and set the “Mask” to “Destination Addresses“:
Assign specific traffic to the limiters:
In and Out are from the perspective of the respective interface on the firewall!
Using limiters on the LAN interface, Out is for download traffic (NIC to LAN) and In is upload traffic (LAN to NIC).
Navigate to Firewall > Rules and add a “Rule” on the corresponding “LAN” tab. If you want to limit each device on your LAN, scroll down to the “Source” section and enter “LAN net” as source.
Instead of choosing the whole “LAN net” you can also choose “Single host or alias” as source. Aliases can be used as useful placeholders for hosts. Make sure you have added these hosts as alias under Firewall > Aliases. The given name of an alias can be entered in the “Source” section of the firewall rule instead of single IP addresses:
Scroll down to the “In / Out pipe” section and choose your upload limiter as “In pipe” and your download limiter as “Out pipe“.
Keep the default settings for all other options unless you need to change them on purpose.
Once everything is in placed and saved, you can do your Internet Speed Tests again from a host which is either part of the “LAN net” or of an alias. You should recognize the results immediately.
Inspirational credits thanks to Chucks Basix:
https://youtu.be/CWPViySdX0g