How to Limit Download Speed on a WAN

Hi, been a Peplink engineer for years but this issue has always baffled me, I’ve never gotten it to work properly but so far it had never been a real problem until now I hope someone knows how do this.

Router: Balance One HW3
Firmware: 8.2.0

Basically from several hours of reading forums and other sites I’ve found the following

I can:
Throttle PER individual bandwidth on all wans
Add Group Bandwidth RESERVATION for groups on all wans

But there’s nothing on how to add Group Bandwidth LIMITS on all wans, much less PER WAN

Basically we have a customer with several DSL lines in a rural location, the carrier does not support layer 2 IPs, so were forced to double NAT, the DSL lines are limited to 10mbs down and 1mb up, they work relatively well until… someone downloads something, the crappy ISP modems just do not do proper QoS and just murder any packets exceeding the limit, causing all kinds of havoc on our links, basically if anyone downloads anything and exceeds the cap, all internet is gone, on all machines, instantly, 100% packet loss on every other computer except the computer and socket downloading the 10 megabits until its done what ever it is its doing, and at 10 mbps that’s a couple of months.

We cannot change this, so we have to limit the upload and download on the wans to make sure we do not upload more than the crap modems can handle or the whole location goes down, I’ve been reading and searching the forums and found out I can limit the upload using the wan page (awesome! super simple!, thnx guys!), but not the download as this is always maxed and cannot be changed (why?, why not make it consistent?).

The only workaround I was able to find was to put yet ANOTHER balance one behind the one handling the links (triple NAT FTL!), and doing Individual bandwidth limits on the only device the main router with the links sees. that way I could limit the total bandwidth sent to the other Peplink using the PER USER limits so all traffic comes from one device only and it works great.

The reason for this is because if I set individual bandwidth limits on the main router, and there’s more than one user, when the first user downloads all is great but the second TWO people download its 9.5mbps PER user and that’s when the fecal matter hits the rotary ventilation apparatus.

So unless I’m missing something here can anyone tell me how to do this?, it seems like a straightforward thing to do firmware wise, just make it so what ever we set to be the upload and/or download on the WAN page its always respected, if this is a problem (because of the QoS thing) maybe add a “hidden” enable feature inside the help buttons to enable respecting set limits?

I hate to be “that guy” but on a cisco it takes 8 seconds to type the 1 line command and hit enter to do this (adding traffic shaping to the wan interface using the command “shape average 9500”) , there’s gotta be a way to do it on the Peplinks that’s just as easy (I hate cisco), maybe using the CLI?

Any help would be appreciated, I’m at my wits end here.

PS, the reason I mentioned Cisco is because the resident IT guy supervising our work here is one of those “Cisco is god, anything else is crap, why are you selling/forcing me to install me these weird odd brand routers I’ve never heard off and even though I’ve never seen/used them I hate them already with a passion because my boss overrode my recommendation when I told him to use Cisco and forced me to work with you anyway because he liked your sales pitch” kind of guy, you know… a Tuesday… those kinds of guys we always seem to find everywhere.

He keeps CONSTANTLY yapping about “if these were Cisco’s wed be done 3 days ago” and I hate that he’s right, we would have been done 3 days ago haha, we cant let him win, we gotta show him Peps own Ciscos every time… help me out here!.

Hi @Alvaro_Cortes

You can set the maximum upload and download bandwidth per WAN. Select the WAN and then enter the speeds - you need to change the default from 1 Gb/s (options are Kbps, Mbps and Gbps):-

I hope this helps,


Setting the bandwidth parameters seems (at least in one case) not to limit the download bandwidth.

I did a quick experiment with a B380 HW6 with a 1 Gbps symmetric connection. With the cap set at 1 Gbps the speed reported by speedtest was 900/600 Mbps (down/up).

With the cap set at 100Mbps the report was 880/95 Mbps (down/up).

Employing the QoS settings works well, on the other hand: Assign the client(s) to a particular user group, and limit that group to 100/100 Mbps (for our experiment) and the bandwidth is indeed capped in both directions.



Hi @SteveTaylor, thanks for the response

Indeed as Zegor said, this only works for the UPLOAD, the DOWNLOAD is not restricted and this is by design from Peplink, someone from Peplink in another post here in the forums confirmed it, im not sure why they decided only the upload would be restricted instead of allowing both, im guessing because “usually” ISPs give you the upload you pay for but never the download or something along those lines, it would be nice though if the setting was consistent for both since its very unintuitive and confusing and why I’m here asking for help haha.

Now as far as what Zegor said, yes, setting the a bandwidth limit on a usergroup would definitely do the job, the problem is I do no not see an option to do that, I can only bandwidth limit specific users within a group but not the group itself, the only options for groups are bandwidth RESERVATION which is not the same as LIMIT, all my tests when I do this just let them download the whole speed it does not limit, how are you getting a group to speed limit?

Also worth nothing (and very important in this case) if i were to limit the group to 10mb, yes it would fix the problem but also would not allow the group to use all the wans speed, we have 2 10mb links, setting that in that manner would cap that groups speed at just using one link at 10 (0/10) or 5/5 instead of 10/10 which is essentially loosing 1/2 the speed, this is why its important to limit the WAN itself not the actual group, but at this point if I can get it to limit SOMEHOW ill consider this a win and move on.

Thanks for the replies

Ok I found the post where Ron_Case from the Peplink team admits that not limiting the WAN download speed (traffic shaping) and just limiting the upload from the wan upload/download limits page is by design. (again not sure why they decided it should only respect one of the values instead of both, but they probably know better than me why)

So any help accomplishing this would be greatly appreciated, I mean I’m only asking to be able to do basic traffic shaping on a WAN, its a basic SD function on nearly all post 2008 routers, not some wild crazy feature haha, there has to be a way to accomplish this through maybe a workaround?, or CLI?, I’ve seen these things do literal magic, not sure why this is so complicated.

I do not have experience using this feature, so please bear with my speculative ruminations.

The explanation provided in the QOS > Bandwidth Control panel is

You can define a maximum download speed (over all WAN connections) and upload speed (for each WAN connection) that each individual Staff and Guest member can consume. No limit can be imposed on individual Manager members.

I read that as limiting each client, individually (presumably by client IP address). Thus if you identify a particular CIDR segment as “guest” and then put a bandwidth limit (say 100/100 from my example above) on the guest group, then each client computer is limited.

In other words, don’t look at the reservation pane, employ the individual bandwidth limit together with the group definition feature:

Peplink provides the features that they think people need… You see time and time again that they ask for the business use case for them to develop a new feature. There are no magic features in the CLI.

Now you could put a cisco/juniper L2 firewall between the WAN and each DSL modem, and shape each of the DSL links there… no NAT, just passive firewall with only the traffic shaping enabled. an entry level SRX should handle it.

that “download” parameter would be where you would set your limit (at like 9500kbit). But they didn’t implement it… perhaps convince them it is required.

Now, traffic shaping downloads is quite difficult, oh, you can put a cap on a bad actor, but trying to allow everyone to use up 100% but not 101% isn’t really possible. The right place to put in QOS is at the sending side. The problem with throttling a link on the receiving side is that the packets already have to be sent and transit the congested link and then be thrown away, just to tech the client device to give it a rest. So to make that work correctly you have to set the limit lower than the link capacity, as the TCP session will keep trying to go from its limit to 1-2% over, and that overage can’t actually fill up the link or you get the bad problems back.

Now I confiigured group bandwidth reservation and put everyone in “staff” and then kept staff to 90% of the link… That seemed to work, but we want more than 90%, so you will again need to convince Peplink to let us set “manager” and Guest to < 5% of the traffic if we aren’t using them.

Why are you double NAT? I would also think that a FusionHub would let you bond the bandwidth and also might give us some return channel control…

Peplink has been known to change features or make special firmwares.

@zegor_mjol Thanks for responding

Yeah I tried this but the problem is when you specify a network as a CIDR it still treats every IP within that network as an Individual not a group so the individual limit is applied to every IP independently not all as one group :confused:

@Paul_Mossip I understand there’s no magic features in the CLI, but this is not a “new” feature per-se, the unit already does this on the upload, so it would be expected the feature is there, just not enabled on the download side, I’ve had peplink settings changed using the CLI (mostly on the radios) that do not appear on the console or options but can be set on the terminal (power in mW for example)

As for putting a unit in the middle, yes you are correct, if I Place a cisco Infront of that balance one it works perfectly, or even if i put another balance one in front, since I can tell the peplink to limit the bandwidth on a specific IP (the other balance one) and it works because its only one IP that peplink sees, the downside is double NAT, I could use a cisco/juniper like you said and set it to throttle and it would work, but then again that would be admitting that a cisco would have done the job and why did we sell them peplink in the first place, they would just tell us to remove the peps and install a cisco solution entirely, which is clearly what no one but the IT guy wants.

I understand what you are saying about capping someone from sending from the outside, but curiously enough when i do double nat and set the speed on the second pep it works great, so the limiter does work, i just cant set it “per wan”

As for what you say about lowering the link capacity you are correct, I am limiting it at 9,250, which is the highest I can set it before random spikes cause all kinds of problems, if I set it anywhere near 10,000 it just doesn’t work.

As for the group bandwidth reservation, I’ve tried that, I wouldn’t mind leaving it at 90% if it worked, however sadly it doesn’t for limiting, basically what it does is it RESERVES bandwidth not limits it, so if two people fight over a connection it will allocate 90% of if (what ever “it” is) to the specified group but it will not “cap” it per se, so yes if the connection was congested between two users downloading files it would work great but if even one user is using the link it will use “all” of it and it it causes the problem

The double NAT is because we cannot control the carrier, the DSL line we were given does not support switching it into “bridge mode” or PPTP, the modem is locked and we cannot touch it, the carrier does not allow tampering with any of the settings and its the ONLY carrier in this rural area.

As for the firmware’s thing, i ask here because peplink has been known to issue quick fix firmware’s sometimes if the problem is a simple settings or a config, I was hoping that might be the case here.

In short:

  • Fix A: If they can enable the download limits on the wan screen to work the same as the upload limits do, the problem is fixed
  • (Pseudo)Fix B: if they can allow us to limit the bandwidth of an entire group, as a group, and not every individual within the group, that does not fix the problem entirely but good enough, it allows me a good enough “stopgap” fix so that we don’t loose this customer, I can set the limit of the group at 9,250kbps and it will work at least on one link at a time, wasting 1/2 the speed from the other link but ill take what I can get at this point
  • Fix C: If they can allow us to set the limit bandwidth of an entire group, as a group, per wan, that would be basically xmass but one can only dream haha, i think this is a similar problem to what @mystery had on his post, he also wanted to limit users speed on different wans.

Peplink’s are good at what they are designed to accomplish. multi WAN, embedded cellular and Speedfusion. anything else… It depends. I tried to get a Juniper SRX to do failover (possible) and load balancing (impossible at the scale and granularity of a peplink’s Outbound Policy)… After 4-5 weeks of trying to get it work, I just put in a B20X and everythging worked out of the box…

I am really thinking about putting a generic linux firewall with CAKE as a layer2 in front of the peplink. but CAKE really wants known bandwidth and both Celluar and Starlink are variable bandwidth. I’ve been running a PFsense VM to get ipv6 since that support is non existent, but that is FreeBSD based and CAKE only has linux development.

If we had true SSH and root access like Junipers and other firewalls I’m sure we could drop in a rate limiter in moments.

Now I went and dialed down my WAN network to only have 20Mbits of download… Then ran single and dual speed tests on a system set as Group reservation “staff 90%”… the 2 downloads kept the average download at 18Mbits for the entire transfer, but I did see some spikes to 25Mbits on the real time transfer graph. You might try that again, and set the available download on the link to be a bit less. (my test link had 100+mbits available. ) I think you do need to set the limit lower than 9.2… Try setting it at 8… and then slowly raise it until you find the performance limit.

The idea that the bandwdith is “reserved” isn’t what I am seeing this is actual limiting in the vicinity of the requested Reservation limits… and open a ticket asking why the download speed limit isn’t enforced as an option.

Yeah with starlink QoS is out the window, its one of my pet peeves with peplink but its not their fault, i just wish QoS would be intelligent to always dynamically adjust to available bandwidth (like when it detects many retransmissions auto lower the QoS until they lower down

Whenever I set the unit on this side with those settings it ignores the download limit completely and just downloads the max, the only thing that seems to work is setting the individual limit.

I was positing here before submitting a ticket in case someone else had ran into this problem.

maybe download limits are broken on balance one core only?

This was actually an answer to a problem I came here to find. The limit function working weirdly by respecting limiting only the upload is actually a perfectly sensible feature for my use, and this is why: we have a lot of clients with DIA fiber connections. If your CIR (committed information rate… Basically your purchased bandwidth) is not equal to the interface rate, the customer is required to apply (upload only) shaping to ensure you don’t push data higher than your CIR, otherwise traffic may be randomly dropped if it tries to exceed that rate.

So if I have a 1gpbs interface and a 500mbps CIR, the in peplink I go to WAN settings and put 500mbps for speed. The upload shaping is my responsibility, the download shaping is the carriers responsibility. Knowing how peplink engineers work, I can guarantee this is why it’s that way. But… Like some other things in our routers, it needs more and clearer documentation.