Limiting Hyper-V Bandwidth using pfSense

In my labs I frequently use bandwidth control to simulate different customer environments, allowing me to mimic distributed environments spanning over multiple locations.

While Hyper-V itself does support bandwidth limiting, it can only do so for outgoing (outbound) traffic. That does not match a real-world scenario, where routers and WAN links limit the traffic in both directions. Well, pfSense to the rescue.

Configuring outbound bandwidth limits on a ConfigMgr DP.

Traffic shaping in pfSense

pfSense supports multiple options for traffic shaping, or network Quality of Service (QoS), which simply put is a way of prioritizing network traffic. While pfSense supports the elegant ALTQ traffic shaping, I found that its Limiters feature is very effective for mimicking ConfigMgr environments spanning multiple locations, and it does not require special support from the network driver like ALTQ does.

An important note about using limiters is that you always use them in pairs: one for incoming (inbound) traffic and one for outgoing (outbound) traffic. Also worth noting is that limiters work with IPv6, but this requires separate IPv4 and IPv6 rules to apply the limiters correctly.

To learn more about Traffic Shaping in pfSense, see their official docs on the topic: Traffic Shaper | pfSense Documentation (netgate.com)

Note: Make sure to use pfSense 2.5.x versions for Hyper-V. Version 2.6 has serious performance issues with Hyper-V VMs, and I haven't had the chance to test the 2.7.x versions.

Create Limiters in pfSense

In this guide you learn how to limit one of your network segments to only use 155 mbps (mbit per second, not megabyte per second). In my example I will limit the Chicago1 network, which is the 192.168.24.0/24 subnet. You will configure two limiters:

  • Lan_Up_155mbit. Limits incoming traffic to 155 mbps.
  • Lan_Down_155mbit. Limits outgoing traffic to 155 mbps.

I assume you have set up a pfSense virtual router as a VM with multiple network cards. If you need a guide on how to do that, check this post on how to set one up: Using pfSense Community Edition as a virtual router for your lab environment

In pfSense, to create a new limiter, navigate to Firewall / Traffic Shaper / Limiters, and click New Limiter. Then configure the following settings, click Save, and then click Apply Changes.

Enable: Select the Enable limiter and its children check box
Name: Lan_Up_155mbit
Bandwidth: 155
Bw type: Mbit/s
Schedule: none
Mask: None
Queue Management Algorithm: Tail Drop

Creating the Lan_Up_155mbit limiter

Repeat the preceding step, but name the limiter Lan_Down_155mbit. You should now have one limiter named Lan_Up_155mbit, and one named Lan_Down_155mbit.

Assign Limiters in pfSense

The final step is to assign the limiters you created to the interface for the network segment you want to limit bandwidth for. In pfSense, limiters are assigned using firewall rules.

To assign a limiter, navigate to Firewall / Rules, and select your interface. In my example I used the Chicago1 interface (again, used for the 192.168.24.0/24 subnet).

Select your firewall rule, scroll down and select the Display Advanced button. Then configure the following settings, and click Save.

In / Out pipe (In): Lan_Down_155mbit
In / Out pipe (Out): Lan_Up_155mbit

Verifying Limiters

To verify that the limiters work, you can simply copy a file between your virtual networks. In the example below I copied a file from a DP in New York (192.168.1.0/24) to a ConfigMgr client in Chicago1 (192.168.24.0/24), and as you can see the pfSense router throttled the bandwidth nicely, and kept it below 155 mbps (19 MB/s).

Note: Traffic shaping is not an exact science, and it depends on which algorithm you selected, but for lab and test purposes I found this feature very useful.
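
The following PowerShell script is an added example, not part of the original post: it times a file copy in each direction across the router and compares the measured rate with the 155 Mbit/s limiter, since limiters are applied in pairs. The share path, file names and local folder are hypothetical; it assumes a large test file already exists on the share and that the script runs on a client in the limited subnet.

```powershell
# Added example (not from the original post): verify the limiter pair by
# timing one download and one upload across the pfSense router.
# Hypothetical names: the UNC path, file names and local folder below.

$LimitMbps  = 155                                   # limiter bandwidth from the guide
$RemoteFile = '\\DP01\LimiterTest$\testfile.bin'    # existing large file on the far side of the router
$RemoteCopy = '\\DP01\LimiterTest$\testfile.up.bin' # target for the upload test
$LocalDir   = 'C:\LimiterTest'                      # local working folder on the client

function Measure-CopyMbps {
    param([string]$Source, [string]$Destination)
    $bytes   = (Get-Item -LiteralPath $Source).Length
    $elapsed = Measure-Command {
        Copy-Item -LiteralPath $Source -Destination $Destination -Force
    }
    # bytes -> bits -> megabits, divided by elapsed seconds
    [math]::Round(($bytes * 8 / 1e6) / $elapsed.TotalSeconds, 1)
}

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
$localFile = Join-Path $LocalDir 'testfile.bin'

# Download first, so the client has no cached copy of the remote file,
# then push the same data back under a different name.
$results = @(
    [pscustomobject]@{
        Direction = 'Remote -> client (download)'
        Mbps      = Measure-CopyMbps -Source $RemoteFile -Destination $localFile
    }
    [pscustomobject]@{
        Direction = 'Client -> remote (upload)'
        Mbps      = Measure-CopyMbps -Source $localFile -Destination $RemoteCopy
    }
)

foreach ($r in $results) {
    # The file-copy payload rate should land at or a little below the limit.
    # A rate above it means that direction is not passing through a limiter.
    $state = if ($r.Mbps -le $LimitMbps) { 'limited' } else { 'NOT limited' }
    '{0,-30} {1,7} Mbit/s ({2,5:N1} MB/s)  {3}' -f $r.Direction, $r.Mbps, ($r.Mbps / 8), $state
}

# Clean up the test copies.
Remove-Item -LiteralPath $localFile, $RemoteCopy -ErrorAction SilentlyContinue
```

Use a test file of several hundred megabytes so the first seconds of the transfer do not dominate the average.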

About the author

Johan Arwidmark

1 Comment

Doug
1 month ago

Helpful post, thank you!

