Project

General

Profile

Actions
Copy link

Bug #15633

open

Limiters applied to OpenVPN interface do not apply for download traffic

Added by Phil Wardt 7 days ago. Updated 3 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Traffic Shaper (Limiters)
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:
amd64

Description

There is an issue appeared after recent pfsense updates (which ?)
Limiters applied to shape traffic on OpenVPN (configured as server) interface apply only for client uploads.
Previously the limiters were properly applied to both download and upload traffic (in/out on the interface)

The only way to apply the download limiter is now on WAN interface.
However, you cannot limit specific OpenVPN clients by their IP from there !
The only solution I found and that it still works is to Tag the rule on OpenVPN interface and shape it on the floating tab using "Match" and the tagged string

Is this by design or it is a bug in current pfsense release ?

Actions
Copy link
 #1

Updated by dylan mendez 7 days ago

Unable to replicate this on pfSense Plus 23.08 devel.

Setup: OpenVPN Server with a firewall rule with Limiters In/Out of 5Mbps.

In Limiter is setup with Source Address as Mask.
Out Liumiter is setup with Destination Address as Mask.

5Up/5Down client limited without issues.

Also tested on 2.7.2 with the same result, unable to replicate.

Actions
Copy link
 #2

Updated by Phil Wardt 3 days ago

dylan mendez wrote in #note-1:

Unable to replicate this on pfSense Plus 23.08 devel.

Setup: OpenVPN Server with a firewall rule with Limiters In/Out of 5Mbps.

In Limiter is setup with Source Address as Mask.
Out Liumiter is setup with Destination Address as Mask.

5Up/5Down client limited without issues.

Also tested on 2.7.2 with the same result, unable to replicate.

Ok, I further tested :
I started again with new limiters, set like you noted
If applied on the common OpenVPN interface, the limiters work in fact. Also my old set limiters with the queue

However, if applied to the interface of only that OpenVPN server, only the upload limiter works. The download (out) is not applied
I am sure it was properly working on version 2.6.x when I set it up first and never verified it until I noticed some abuse a few weeks ago

Since the global OpenVPN interface rules are processed first, this is not a workaround for me as I'd need to setup all my rules on this same interface instead of segmenting them on the different OpenVPN servers interfaces

Actions
Copy link

Also available in: Atom PDF