Per host QoS (rate limit)

In our earlier section, we explained traffic shaping on a per network or per application basis (see details).

But sometimes it’s desirable to control per host bandwidth. Because per network bandwidth is referring to the available bandwidth, shared by all hosts coming from the network. But sometimes some “bursty” users can exhaust the entire backhaul, cause congestions to the upstream, especially during virus/storm outbreak, and leave the legitimate users unable to access.

So it is very important to be able to control per user or per host bandwidth so that all users or applications within the network can fairly share the available upstream pipe. This is particularly important in public Wi-Fi networks, where attacker could use the free network (with huge backhaul) to launch DDoS attack against another victim networks.

In this section, we will talk about how to control bandwidth on a per IP host basis.

Per host bandwidth control basically limits (or rate limiting) maximum bandwidth per IP host based on the configured policies.

!firewall-limit <rule_no> bps <bandwidth> inbound/outbound/all src/dst <Proto/Port or IP or subnet> !


    • firewall-limit is also a type of firewall-access but it supersedes all other access list. It’s also processed “top-down” based on the <rule_no>.
    • There’s an implicit “permit” for each firewall-limit rule, eg. all traffic matching a limit rule will be permitted to pass through as the allowed <bandwidth> rate. Use “show firewall access-list all” to verify the ordre of all ACLs, use “show firewall limit-list” to verify detail policy of each configured rate-limit setting.
    • if the rule is for src, we typically are trying to limit upload; likewise it its dst, we are limiting download.
    • For <Proto/Port or IP or subnet>, if we use specific IP host, this rule is just limiting the particular hosts; if we use subnet, we are applying the same rule to all hosts within the subnets; We can even be more specific to fine-tune up to applications, based on protocol (tcp/udp) and port numbers (eg, http/80 etc).

For example, if we configure below rules, it means “each host within subnet will be rate-limited to 2Mbps upload and download, for all applications, going through all interfaces.”

!firewall-limit 10 bps 2048000 all src 11 bps 2048000 all dst!

If we configure below rules, it means “each host within subnet will be rate-limited to 2Mbps upload and download, for http traffic only, going through all interfaces.”

!firewall-limit 10 bps 2048000 all tcp src dport 80firewall-limit 11 bps 2048000 all tcp sport 80 dst!


It is possible to combine per network bandwidth control with per host rate limiting. For example, we can set a total bandwidth for a network, then further limit per host bandwidth within that network. In this example, we are trying to achieve both objectives:

    • subscribed backhaul bandwidth is 100Mbps
    • network (LAN-eth1) is allocated total 50Mbps
    • per host is capped at 2Mbps upload/download

!interface eth0description "Link to WAN/Internet"enableip address dhcptraffic-shape 100000000 100000000 class 1 50000000 50000000 match fwmark 110!interface eth1description "connection to LAN-eth1"enableip address 50000000 50000000 class 1 50000000 50000000 match fwmark 110!ip name-server!ip dhcp-server!firewall-limit 10 bps 2048000 all src remark "limit upload LAN-eth1"firewall-limit 11 bps 2048000 all dst remark "limit download LAN-eth1"!firewall-snat 10 overload outbound eth0!