Bug #15770
openLimiter Limits Whole Gateway instead of Single IP
Description
When using a traffic limiter in combination with a gateway group, the limiter limits the whole gateway instead of the single client individually. Works correctly at home in CE 2.7.1.
Updated by Danilo Zrenjanin 11 months ago
Hello Marius,
Kindly provide detailed information regarding your setup. We require clear, step-by-step instructions to replicate the reported behavior.
Updated by Ivan Konash 2 months ago
- File Screenshot from 2025-07-08 12-34-46.png added
- File Screenshot from 2025-07-08 12-35-46.png added
- File Screenshot from 2025-07-08 12-36-23.png added
I believe I have the same issue when running 2.8
It looks like the limiter masks are applied after NAT when using a gateway group.
If I set up a limiter with a source mask (e.g. /24) and apply it in the 'in' direction of a LAN rule that also has a gateway group, the limiter it creates is for the WAN IP of the connection the packet goes out of, NOT the IP of the device on the LAN. If I remove the gateway group from the rule, it creates limiters as I'd expect.
Also described here
https://forum.netgate.com/topic/197993/limiter-source-mask-now-after-nat-when-using-gateway-groups-2-8-change
Updated by Marcos M 27 days ago
- Status changed from Incomplete to Confirmed
- Affected Architecture All added
- Affected Architecture deleted (amd64)
I am able to replicate this on 25.11 as well using limiters. In the example below, limiter 00001 is for upload (50Mb) and 00002 is for download (100Mb) - 10.0.5.1 is the gateway.
Without route-to:
```
##########
# Limiters
##########
Limiters:
00001:  50.000 Mbit/s    0 ms burst 0
q65537  50 sl. 0 flows (1 buckets) sched 1 weight 1 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x1 256 buckets 1 active
 mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
100 ip     10.0.50.50/0          0.0.0.0/0         3      180  0    0   0
00002: 100.000 Mbit/s    0 ms burst 0
q65538  50 sl. 0 flows (1 buckets) sched 2 weight 1 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x1 256 buckets 1 active
 mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
 50 ip        0.0.0.0/0       10.0.50.50/0         3      180  0    0   0
Schedulers:
00001:  50.000 Mbit/s    0 ms burst 0
 sched 1 type WF2Q+ flags 0x1 256 buckets 0 active
 mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
00002: 100.000 Mbit/s    0 ms burst 0
 sched 2 type WF2Q+ flags 0x1 256 buckets 0 active
 mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

########
# States
########
vmx1 icmp 9.9.9.9:8 <- 10.0.50.50:1       0:0
   age 00:00:02, expires in 00:00:09, 2:2 pkts, 120:120 bytes, anchor 1, rule 84, dummynet pipe (1 2)
vmx0 icmp 10.0.5.99:30653 (10.0.50.50:1) -> 9.9.9.9:8       0:0
   age 00:00:02, expires in 00:00:09, 2:2 pkts, 120:120 bytes, anchor 2, rule 78, allow-opts

#######
# Rules
#######
@84 pass in quick on vmx1 inet from any to 9.9.9.9 flags S/SA keep state (if-bound) label "id=1756220433" label "tags=user_rule" label "descr=Test" ridentifier 1756220433 dnpipe(1, 2)
@78 pass out route-to (vmx0 10.0.5.1) inet from 10.0.5.99 to ! 10.0.5.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000003711
```
With route-to:
```
##########
# Limiters
##########
Limiters:
00001:  50.000 Mbit/s    0 ms burst 0
q65537  50 sl. 0 flows (1 buckets) sched 1 weight 1 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x1 256 buckets 1 active
 mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
198 ip      10.0.5.99/0          0.0.0.0/0        29     1740  0    0   0
00002: 100.000 Mbit/s    0 ms burst 0
q65538  50 sl. 0 flows (1 buckets) sched 2 weight 1 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x1 256 buckets 1 active
 mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
 50 ip        0.0.0.0/0       10.0.50.50/0        29     1740  0    0   0
Schedulers:
00001:  50.000 Mbit/s    0 ms burst 0
 sched 1 type WF2Q+ flags 0x1 256 buckets 0 active
 mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
00002: 100.000 Mbit/s    0 ms burst 0
 sched 2 type WF2Q+ flags 0x1 256 buckets 0 active
 mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

########
# States
########
vmx1 icmp 9.9.9.9:8 <- 10.0.50.50:1       0:0
   age 00:00:02, expires in 00:00:10, 3:3 pkts, 180:180 bytes, anchor 1, rule 84, dummynet pipe (1 2)
vmx0 icmp 10.0.5.99:64595 (10.0.50.50:1) -> 9.9.9.9:8       0:0
   age 00:00:02, expires in 00:00:10, 3:3 pkts, 180:180 bytes, anchor 2, rule 78, allow-opts, dummynet pipe (1 2)

#######
# Rules
#######
@84 pass in quick on vmx1 route-to (vmx0 10.0.5.1) inet from any to 9.9.9.9 flags S/SA keep state (if-bound) label "id=1756220433" label "gw=WAN_STATIC" label "tags=user_rule" label "descr=Test" ridentifier 1756220433 dnpipe(1, 2)
@78 pass out route-to (vmx0 10.0.5.1) inet from 10.0.5.99 to ! 10.0.5.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000003711
```
The limiter configuration used (/tmp/rules.limiter) is:
```
pipe 1 config bw 50Mb queue 25 delay 1 mask src-ip6 /128 src-ip 0xffffffff droptail
sched 1 config pipe 1 mask src-ip6 /128 src-ip 0xffffffff type wf2q+
pipe 2 config bw 100Mb queue 25 delay 1 mask dst-ip6 /128 dst-ip 0xffffffff droptail
sched 2 config pipe 2 mask dst-ip6 /128 dst-ip 0xffffffff type wf2q+
```
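The following is an added check, written for this thread and not part of pfSense or of either report above. It turns the observation in the two comments (the dummynet bucket key is the post-NAT WAN address when route-to is on the rule, and the pre-NAT LAN address when it is not) into something you can run against your own `dnctl pipe show` and `pfctl -vvss` output: it reads the flow-bucket rows from the limiter listing and the outbound NAT states, then reports whether any bucket is keyed on a translated address. The fixtures are the bucket and state lines from the listings above, trimmed to what the parser needs; the column layout and the `0.0.0.0` placeholder for a masked-out side are taken from those listings, and the IPv6 handling (`::` placeholder, port after the last colon) is an assumption not shown on this page.

```python
import re

# Constructed fixtures: the bucket and state rows from the report's listings
# above, trimmed to the lines this check parses.
LIMITERS_WITHOUT_ROUTE_TO = """\
00001:  50.000 Mbit/s    0 ms burst 0
 mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
100 ip     10.0.50.50/0          0.0.0.0/0         3      180  0    0   0
00002: 100.000 Mbit/s    0 ms burst 0
 mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
 50 ip        0.0.0.0/0       10.0.50.50/0         3      180  0    0   0
"""
STATES_WITHOUT_ROUTE_TO = """\
vmx1 icmp 9.9.9.9:8 <- 10.0.50.50:1       0:0
vmx0 icmp 10.0.5.99:30653 (10.0.50.50:1) -> 9.9.9.9:8       0:0
"""
LIMITERS_WITH_ROUTE_TO = """\
00001:  50.000 Mbit/s    0 ms burst 0
 mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
198 ip      10.0.5.99/0          0.0.0.0/0        29     1740  0    0   0
00002: 100.000 Mbit/s    0 ms burst 0
 mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
 50 ip        0.0.0.0/0       10.0.50.50/0        29     1740  0    0   0
"""
STATES_WITH_ROUTE_TO = """\
vmx1 icmp 9.9.9.9:8 <- 10.0.50.50:1       0:0
vmx0 icmp 10.0.5.99:64595 (10.0.50.50:1) -> 9.9.9.9:8       0:0
"""

# Flow-bucket row: "BKT Prot Source/port Dest/port ..."; the masked-out side is
# printed as 0.0.0.0/0 in the listings above.
BUCKET_RE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)/\d+\s+(\S+)/\d+", re.M)
# Outbound NAT state: translated endpoint first, original endpoint in parentheses.
NAT_STATE_RE = re.compile(r"^\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s+->", re.M)


def _host(endpoint):
    """Strip the port from 'addr:port' (assumes the port follows the last colon)."""
    return endpoint.rsplit(":", 1)[0]


def limiter_flow_keys(dnctl_output):
    """Addresses dummynet actually keyed its flow buckets on, both directions."""
    keys = set()
    for src, dst in BUCKET_RE.findall(dnctl_output):
        # "::" as the IPv6 placeholder is an assumption; the page only shows IPv4.
        keys.update(a for a in (src, dst) if a not in ("0.0.0.0", "::"))
    return keys


def nat_translations(pfctl_states):
    """Map post-NAT source address -> set of pre-NAT (LAN) source addresses."""
    nat = {}
    for translated, original in NAT_STATE_RE.findall(pfctl_states):
        nat.setdefault(_host(translated), set()).add(_host(original))
    return nat


def check_limiter_keying(dnctl_output, pfctl_states):
    """Report whether any limiter bucket is keyed on a post-NAT (WAN) address.

    A per-client limiter must be keyed on the pre-NAT LAN address. A bucket keyed
    on the translated address means every client behind that WAN IP shares it,
    which is exactly the whole-gateway limiting the report describes.
    """
    keys = limiter_flow_keys(dnctl_output)
    nat = nat_translations(pfctl_states)
    post_nat = set(nat)
    pre_nat = set().union(*nat.values()) if nat else set()
    keyed_on_wan = keys & post_nat
    return {
        "keyed_on_wan": sorted(keyed_on_wan),
        "keyed_on_lan": sorted(keys & pre_nat),
        "shared_by": {wan: sorted(nat[wan]) for wan in keyed_on_wan},
        "bug_present": bool(keyed_on_wan),
    }


if __name__ == "__main__":
    for label, lim, st in (
        ("without route-to", LIMITERS_WITHOUT_ROUTE_TO, STATES_WITHOUT_ROUTE_TO),
        ("with route-to", LIMITERS_WITH_ROUTE_TO, STATES_WITH_ROUTE_TO),
    ):
        print(label, check_limiter_keying(lim, st))
```

On the listings above this reports `bug_present: False` without route-to (the only key is 10.0.50.50, the LAN host) and `bug_present: True` with route-to, naming 10.0.5.99 as the WAN-side key and 10.0.50.50 as the client hidden behind it. With more than one LAN client active, `shared_by` lists every client that is collapsing into that single bucket, which is the quickest way to show the effect on a box where screenshots are not practical.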