Scheduled Throttling with pfSense

This is an old post!

This post is over 2 years old. Solutions referenced in this article may no longer be valid. Please consider this when utilizing any information referenced here.

Apple has launched a new Photos App for OS X, along with the ability to upload your entire library to iCloud. And with prices that are so cheap, there’s almost no reason not to. $3.99 a month is cheap insurance to know that every photo I’ve ever taken of my family won’t be wiped out in a tornado.

But with this comes a problem - namely, how do you upload 150 gigabytes of photos over a 5 megabit network connection? Well, you wait a really long time for it to upload. Which is fine, really, because I’m not in any particular hurry to finish. But, once I started the upload, I noticed that surfing the web became pretty much impossible because the upload to iCloud was saturating my upstream bandwidth.

What I needed was a way to throttle the iCloud upload. I really don’t care if that adds a couple more hours or days to the upload. I just need to be able to surf from other devices without problems. But at the same time, I’m not using my connection in the middle of the night. There’s no reason it couldn’t go full bore overnight.

And this is where pfSense comes in.

Start by creating a schedule:

  1. Go to Firewall -> Schedules. Add a new schedule.
  2. Give it a name. I called mine “Nighttime.”
  3. Click the headers of each day of the month in the calendar. This will apply it to every day.
  4. Set the start time to 8:00 and the end time to 23:59. This means I want the schedule to be active between 8am and about midnight, which mirrors my usage patterns. You can adjust this as needed.
  5. Click “Add Time”.
  6. Click “Save”.

Next, create a limiter:

  1. Go to Firewall -> Traffic Shaper. Click the Limiter tab.
  2. Click “Create a new limiter”.
  3. Check “Enable limiter and its children”.
  4. Give it a name. I called my first one “3mb-source” (limit outbound to 3 megabit).
  5. Under bandwidth, set it to whatever you want the limit to be (in my case, 3 and Mbit/s) and select the schedule you just created from the dropdown.
  6. Under mask, set “Source addresses”.
  7. Click “Save.”

Now, apply the rule.

  1. Go to Firewall -> Rules. Select the LAN tab. Create a new rule. Configure it as follows:
    • Interface: LAN
    • Source: Single host or alias, and the IP address of your uploading machine.
  2. Under “Advanced”, click “In/Out”. In the first dropdown, select the limiter you made above.
  3. Click “Save.”
  4. Now, you need to order the rules so that this rule is applied first. Check the box next to the rule you just created, then click the little left-pointing arrow next to the top rule, right underneath the anti-lockout rule.
  5. At the top, click “Apply Changes”.

That’s it! Your upstream bandwidth from the uploading machine is now limited to whatever you set it to, but only during the hours specified by your schedule.
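To see what the schedule costs in upload time, here is an added example (not part of the original post) that simulates the limiter minute by minute using the post's numbers: 150 GB, a 3 Mbit/s limit, and a schedule active from 8:00 to 23:59. It assumes decimal units, that the 5 megabit figure is the upstream rate, and that the upload starts at 08:00.

```python
# Added example: models the limiter + schedule from the steps above.
# Assumptions (not from the original post): decimal units (1 GB = 8000 Mbit),
# a 5 Mbit/s upstream, and an upload that starts at 08:00.

THROTTLE_START = 8 * 60        # 08:00, schedule start time from the post
THROTTLE_END = 23 * 60 + 59    # 23:59, schedule end time (inclusive minute)


def in_schedule(minute_of_day):
    """True while the schedule is active, i.e. the limiter applies."""
    return THROTTLE_START <= minute_of_day <= THROTTLE_END


def minutes_to_upload(total_gb, line_mbit, limit_mbit, start_minute=THROTTLE_START):
    """Simulate the upload minute by minute and return the elapsed minutes.

    During the scheduled window the host is capped at limit_mbit; outside it
    the upload runs at the full line rate.
    """
    remaining_mbit = total_gb * 8000          # integer megabits left to send
    elapsed = 0
    while remaining_mbit > 0:
        minute_of_day = (start_minute + elapsed) % 1440
        rate = min(limit_mbit, line_mbit) if in_schedule(minute_of_day) else line_mbit
        remaining_mbit -= rate * 60           # megabits sent in this minute
        elapsed += 1
    return elapsed


def compare(total_gb=150, line_mbit=5, limit_mbit=3):
    """Return (unthrottled_hours, scheduled_hours) for the post's numbers."""
    full = minutes_to_upload(total_gb, line_mbit, line_mbit)
    capped = minutes_to_upload(total_gb, line_mbit, limit_mbit)
    return round(full / 60, 1), round(capped / 60, 1)


if __name__ == "__main__":
    full_h, capped_h = compare()
    print(f"unthrottled: {full_h} h, with daytime limiter: {capped_h} h")
```

Under these assumptions the daytime limit stretches the upload from roughly 67 hours to roughly 92 hours, while leaving 2 Mbit/s of upstream free during the day.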

Now, if you want extra credit, you could try to identify the upstream server’s IP address and craft a rule that only applies the limit to outbound packets to iCloud. Another approach would be to use QoS and de-prioritize packets from the machine. But that was overkill for me. This solution was “good enough” for a temporary measure to keep my network working while the uploading occurs.
