Bug #15633
Limiters applied to OpenVPN interface do not apply for download traffic
Description
There is an issue that appeared after recent pfSense updates (which?).
Limiters applied to shape traffic on an OpenVPN (configured as server) interface apply only for client uploads.
Previously the limiters were properly applied to both download and upload traffic (in/out on the interface).
The only way to apply the download limiter is now on the WAN interface.
However, you cannot limit specific OpenVPN clients by their IP from there!
The only solution I found that still works is to tag the rule on the OpenVPN interface and shape it on the floating tab using "Match" and the tagged string.
Is this by design or is it a bug in the current pfSense release?
Updated by dylan mendez 7 days ago
Unable to replicate this on pfSense Plus 23.08 devel.
Setup: OpenVPN Server with a firewall rule with Limiters In/Out of 5Mbps.
In Limiter is set up with Source Address as Mask.
Out Limiter is set up with Destination Address as Mask.
5Up/5Down client limited without issues.
Also tested on 2.7.2 with the same result, unable to replicate.
Updated by Phil Wardt 3 days ago
dylan mendez wrote in #note-1:
Unable to replicate this on pfSense Plus 23.08 devel.
Setup: OpenVPN Server with a firewall rule with Limiters In/Out of 5Mbps.
In Limiter is set up with Source Address as Mask.
Out Limiter is set up with Destination Address as Mask.
5Up/5Down client limited without issues.
Also tested on 2.7.2 with the same result, unable to replicate.
Ok, I tested further:
I started again with new limiters, set like you noted.
If applied on the common OpenVPN interface, the limiters work in fact. Also my old set limiters with the queue
However, if applied to the interface of only that OpenVPN server, only the upload limiter works. The download (out) is not applied.
I am sure it was properly working on version 2.6.x when I set it up first, and I never verified it until I noticed some abuse a few weeks ago.
Since the global OpenVPN interface rules are processed first, this is not a workaround for me, as I'd need to set up all my rules on this same interface instead of segmenting them on the different OpenVPN servers' interfaces.