# Throttling specific users behind nat with PF



## Pushrod (Feb 2, 2009)

I have a very typical home LAN setup: one IP from a cable modem, and everyone is serviced by NAT. The router in this case is a FreeBSD machine with PF.

I need to control the outbound (to inet) rate from certain specific machines on the LAN. I've spent time trying to set it up with ALTQ before, but I had no success.

It appears that the NAT takes place before any ALTQ stuff can, so there is no way of throttling specific machines, because all of the packets will appear as being from the gateway itself.

So, can it be done? Are there any workarounds? Working examples would be great (trust me, I've read the handbook and faq etc).


----------



## ctaranotte (Feb 4, 2009)

The trick is to tag a packet before the NATing.

Assuming 
* 192.0.0.2 is the IP you want to throttle
* $ext_if is the external interface (the NATed one), 
* queue_throttled is the queue for 192.0.0.2,
* queue_ack is the queue for TCP ACKs, 

then add in your pf.conf:



> nat on $ext_if from 192.0.0.2 to any *tag throttled_traffic *-> ($ext_if)



and something like



> pass out quick on $ext_if inet proto {tcp,udp) from 192.0.0.2 to any *tagged throttled_traffic *flags S/SA modulate state queue (queue_throttled, queue_ack) label "Throttled Traffic"


----------



## Pushrod (Feb 6, 2009)

Thanks, that totally worked. I had no idea about the whole tagging thing.

I now have the setup I've wanted for years. The other folks can torrent all they want, and I can still surf the web at speed.


----------

