Limit traffic per client ip?

Question

Hi,
I'm searching for a way to limit the bandwidth per user.
I found that rateclass gives me an "over all" limit on a VS, but still a single client can grab all bandwidth and let other users starve.
So it would be interesting to limit the rate that a client IP would get, unfortunately I don't see a way...

We're delivering pretty small files and a rate of 100k/s would be more than plenty for a user. And this would allow several thousand users before our pipe is filled.

Yes, I know that there are larg(ish) proxys out there and that this wouodn't be fair for their users. But this isn't a rosegarden...

Any hints on how to archieve this?

Besz regards

hoolio · Answer

Here is some related info (stolen from AdamA): 
&nbsp;  
&nbsp;  
&nbsp; There is a very common misconception that assigning a rate class in an iRule places that connection in a pool with other connections that are assigned the same rate class.  In fact when a rate class is assigned within an iRule it is enforced per-connection (just like if we assigned a snat pool, or a node, etc.). 
&nbsp;  
&nbsp; So this means that you cannot really do a ‘per user’ rate class, but you can do a per connection rate class with only one rate class definition.    You could use table commands to keep track of how many concurrent connections you have from a single user and assign multiple rate classes.   You could possibly reassign the high throughput rate class to the next connection once the first connection closes (ie 1mbps for first connection, 10kbps each additional). 
&nbsp;  
&nbsp;  
&nbsp; Aaron

madeye_80512 · Answer

Hi, 
 I tried to assign the rate class with a simple irule: 
  when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr] being handled by rateclass class1"
    rateclass class1
} 
 class1 limits at 80kbps 
  
 The irule hits: 1 download is limited to 10kByte/s and I get an according log entry. 
 the 2nd download is a new connection (I get a new log entry!) and both downloads settle at each 5kByte/s. 
 the 3rd download result in each getting 3.3kByte/s. 
  
 This is exactly the same as if I'd assigned the rateclass directly to the VS without an irule. 
 Unfortunately this is not what I'd have hoped for (each connection being traffic shaped "individually" to 10kByte/s). 
  
 So what did I wrong? 
 Best regards 
 madeye

otihck_106939 · Answer

l

otihck_106939 · Answer

Hi:  
&nbsp;  
&nbsp; It was possible to achieve this?. I'm trying to do the same and in my test the behavior for the rateclass is the same, the first connection get the whole traffic for the class, then the traffic is divided with the next connection and so on, I want to assign it in a dynamic way, based on the ip address or connection fixed traffic for each connection.

madeye_80512 · Answer

Hi Omar, 
&nbsp; like I wrote, I wasn't able to get it working as intended.  
&nbsp; I had some discussion with a F5 presales person afterwards who told me that it  would work if you'd dynamically create a rate class per connection and tear it down afterwards.  
&nbsp;  
&nbsp; Unfortunately he wasn't able to enlighten me about the impact on the loadbalancer (how computationally intensive this would be in real world) and I didn't have the time to do a full test in the lab. 
&nbsp;  
&nbsp; Sorry 
&nbsp; Madeye

Forum Discussion

Limit traffic per client ip?

6 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

which virtual server will be hit?

Questions on device trust

Restore configuration to GTM Sync Group device

Viprion End of Software Support (EoSS)

BIG‑IQ: Adding rSeries/Velos Devices through the REST API

Related Content

F5 Distributed Cloud - Traffic Steering based on Client IP Address

AI Token Limit Enforcement

Rate Limiting SSL VPN User Traffic

Limit Connections From Client

Rate limiting WebSocket messages for Agents

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS