Limit the speed of a network interface.

exodist · 04-12-2008, 01:27 PM

I am setting up a linux router, It routes to 2 different networks, one is a full internal lan, the other exists only for a wireless router to connect to. I will explain my reasons for this after my question:

I do nto want to limit the speed of any other interface, however 'eth1' the interface that connects directly to a wireless router (and provides that wireless router w/ it's internet connection) needs to be limited. I am going to open up that wifi for people to connect to freely, and I do not want it to suck up all my bandwidth.

I am hoping to avoid using complicated traffic shaping to accomplish this, I would like to just be able to point at the interface and say hey, no more than 128kbps either direction, or possibly specify a slightly higher download but that upload.

The setup:
The router has 5 network cards, 1 is connected to a static ip on a dsl router, the other has a static ip on a cable router. I have configured the system to use load balancing to utilize both connections (3/4 connections use cable, 1/4 use the dsl). I then route this into 2 seperate internal networks, one exists solely to provide internet to my public wifi router, the other is a full internal network with several stations. The final interface is used to directly connect with another station and has no routing configured for it.

The bandwidth limiting on a specific interface is the only part that I do not have covered.

fuubar2003 · 04-12-2008, 06:21 PM

I don't really have the answer, but I saw this post and decided to reply since I have to do the same thing on Monday for a lab test for a customer. (I have to limit bandwidth to mimic a 512K WAN link to test an application.) I've done some research so far and found the following info just doing google searches and reading some forum posts. I think I am going to try 'tc' first since 'tc'. Here is some links to check out:

Wondershaper:
http://lartc.org/wondershaper/

rshaper:
http://freshmeat.net/projects/rshaper/

tc cbq:
http://lartc.org/howto/lartc.qdisc.c...l.html#AEN1072

http://www.knowplace.org/pages/howto...x/examples.php

http://www.experts-exchange.com/Netw..._20819743.html

linux traffic shaper:
http://lwn.net/1998/1119/shaper.html

exodist · 04-12-2008, 07:35 PM

Thank you, I also found the last link you listed, thats the one I think meets my needs th ebest, of course in the newest kernel that module is listed as obsolete :-(

exodist · 04-13-2008, 09:57 PM

http://lartc.org/howto/lartc.qdisc.c...l.html#AEN1072

This was most useful, initally I followed the stuff at the bottom, then on other pages.

Just a tip for you, you can only throttle packets leaving your system, so if you want to limit both directions you need to limit the outgoing (easy by the bottom of that page) but then you need to limit the outgoing on the internet facing interface as well, if you do not want to limit all internet traffic, only that being routed to the internal network (as I did) then you can mark the packets comming in from the internal interface using ip tables then specify a different rule/filter thingy for them when they exit the internet interface VS other traffic leaving the interface.

The guide is nto the most clear, but the information is all there, if you have trouble w/ it though let me know and I will give you a commented copy of my script for details.

jomen · 06-19-2008, 05:26 AM

exodist
The thread is old - I just found it and thought this could be useful:
http://wiki.leipzig.freifunk.net/Tra...ochens_Version
The site is in german only - sorry.
If you are interested - I made a version with english comments too.
The first script there is made for a Wireless Home Router like WRT54GL and does not shape but merely prioritize traffic to the internet - you put yourself (your IP) in the highest priority - and whenever you access the net - you are the first to get served.
That way I share my connection with others - without even noticing that I do so.
The project is a wireless mesh network to provide (among other more important goals) access to the net for people who do not have the opportunity to have their own line.
One alone rarely ever uses the bandwidth of a highspeed line.

I would be interested to see your approach - is it available somewhere?
PM?

exodist · 06-19-2008, 09:26 AM

I have since changed my setup and no longer use throttling, and the completed and working script is lost. However I checked and I have atemp copy of the script that I did not delete. I am not sure if it works as is, there may be a typeo or an invalid command somewhere in it I was debugging, however it will show you what need to be done. Keep in mind this script also has 2 other features that can make it confusing when everything is thrown together. The other features are ethernet bonding, and dual internet connections. As well there are 2 or 3 internal networks...

Code:

#!/sbin/runscript

start() {
        ebegin "Configuring Network"

        #Make sure we do not already have a default route to mess w/ us.
        /sbin/route del default

        #Variables to avoid typos
        CABLE="eth1"
        CABLE_IP="[removed]"
        CABLE_MASK="255.255.255.248"
        CABLE_NET="[removed]/29"
        CABLE_ROUTE="[removed]"
        CABLE_TABLE="4"
        CABLE_DEFUP="3mbit"
        DSL="eth2"
        DSL_IP="[removed]"
        DSL_MASK="255.255.255.248"
        DSL_NET="[removed]/29"
        DSL_ROUTE="[removed]"
        DSL_TABLE="3"
        DSL_DEFUP="2mbit"
        LOCAL="eth0"
        LOCAL_SLAVEA="eth0"
        LOCAL_SLAVEB="eth3"
        LOCAL_IP="192.168.0.1"
        LOCAL_MASK="255.255.255.0"
        LOCAL_NET="192.168.0.0/24"
        LOCAL_TABLE="2"
        LOCAL_UPLIM="128kbit burst 5k"
        LOCAL_DNLIM="3mbit burst 5k"
        LOCAL_CLASS="20"
        LOCAL_MARK="7"
        LOCAL_NETLIM="1024mbit"
        WIFI="eth3"
        WIFI_IP="192.168.1.1"
        WIFI_MASK="255.255.255.0"
        WIFI_NET="192.168.1.0/24"
        WIFI_UPLIM="64kbit burst 5k"
        WIFI_DNLIM="128kbit burst 5k"
        WIFI_CLASS="10"
        WIFI_MARK="6"
        INET_MARK="9"

        #Configure the bonded internal network that most systems will connect to.
        echo "Establishing LOCAL ${LOCAL}..."
        /sbin/ifconfig ${LOCAL} ${LOCAL_IP} netmask ${LOCAL_MASK}
        /sbin/ip route add ${LOCAL_NET} dev ${LOCAL} src ${LOCAL_IP} table ${LOCAL_TABLE}
        /sbin/ip rule add from ${LOCAL_IP} table ${LOCAL_TABLE}
        #/sbin/ifenslave ${LOCAL} ${LOCAL_SLAVEA} 
        #/sbin/ifenslave ${LOCAL} ${LOCAL_SLAVEB} 

        #Configure the other internal network that will be used for a wifi hot spot
        echo "Establishing WIFI ${WIFI}..."
        /sbin/ifconfig ${WIFI} ${WIFI_IP} netmask ${WIFI_MASK}

        #Configure the DSL connection
        echo "Establishing DSL ${DSL}..."
        /sbin/ifconfig ${DSL} ${DSL_IP} netmask ${DSL_MASK}
        /sbin/ip route add ${DSL_NET} dev ${DSL} src ${DSL_IP} table ${DSL_TABLE}
        /sbin/ip route add default via ${DSL_ROUTE} table ${DSL_TABLE}
        /sbin/ip rule add from ${DSL_IP} table ${DSL_TABLE}

        #Configure the cable connection
        echo "Establishing CABLE ${CABLE}..."
        /sbin/ifconfig ${CABLE} ${CABLE_IP} netmask ${CABLE_MASK}
        /sbin/ip route add ${CABLE_NET} dev ${CABLE} src ${CABLE_IP} table ${CABLE_TABLE}
        /sbin/ip route add default via ${CABLE_ROUTE} table ${CABLE_TABLE}
        /sbin/ip rule add from ${CABLE_IP} table ${CABLE_TABLE}

        #Round robin the 2 internet connections w/ wight
        echo "Round-Robin default gw...."
        /sbin/ip route add default scope global nexthop via ${DSL_ROUTE} dev ${DSL} weight 1\
                                                nexthop via ${CABLE_ROUTE} dev ${CABLE} weight 3

        #Create resolv.conf and populate it.
        echo "Creating Resolv.conf...."
        echo "nameserver ${CABLE_ROUTE}" > /etc/resolv.conf
        echo "nameserver ${DSL_ROUTE}" >> /etc/resolv.conf

        #Limit the speed of traffic from the server to the WIFI hot spot
        echo "Limiting WIFI ${WIFI}..."
        /sbin/tc qdisc add dev ${WIFI} root handle 1: htb default 1
        /sbin/tc class add dev ${WIFI} parent 1: classid 1:1 htb rate ${WIFI_DNLIM}

        #Limit the speed of the traffic from the server to the internal network
        echo "Limiting LOCAL ${LOCAL}..."
        /sbin/tc qdisc add dev ${LOCAL} root handle 2: htb default 1
        #Set the limit for connections to the server's services very high
        echo 1
        /sbin/tc class add dev ${LOCAL} parent 2: classid 2:1 htb rate ${LOCAL_NETLIM}
        #Set the internet download limit to something reasonable
        echo 2 
        /sbin/tc class add dev ${LOCAL} parent 2: classid 2:10 htb rate ${LOCAL_DNLIM}
        #Make sure internet traffic is directed to the currect limit.   
        echo 3
        /sbin/tc filter add dev ${LOCAL} protocol ip parent 2:0 prio 1 handle ${INET_MARK} fw flowid 2:10

    #Limit the speed at which the server routes data from the internal networks to the internet.

        #Limit the dsl w/ a catch all default
        echo "Limiting DSL ${DSL}"
        /sbin/tc qdisc add dev ${DSL} root handle 3: htb default 1
        /sbin/tc class add dev ${DSL} parent 3: classid 3:1 htb rate ${DSL_DEFUP}
        #Limits for both internal networks are set here
        /sbin/tc class add dev ${DSL} parent 3:1 classid 3:${WIFI_CLASS} htb rate ${WIFI_UPLIM}
        /sbin/tc class add dev ${DSL} parent 3:1 classid 3:${LOCAL_CLASS} htb rate ${LOCAL_UPLIM}
        #Make sure we direct packets to the correct limits.
        /sbin/tc filter add dev ${DSL} protocol ip parent 3:0 prio 1 handle ${WIFI_MARK} fw flowid 3:${WIFI_CLASS}
        /sbin/tc filter add dev ${DSL} protocol ip parent 3:0 prio 1 handle ${LOCAL_MARK} fw flowid 3:${LOCAL_CLASS}

        #Limit the cable connection w/ a catch all default
        echo "Limiting CABLE ${CABLE}"
        /sbin/tc qdisc add dev ${CABLE} root handle 4: htb default 1
        /sbin/tc class add dev ${CABLE} parent 4: classid 4:1 htb rate ${CABLE_DEFUP}
        #Limits for both internal networks are set here
        /sbin/tc class add dev ${CABLE} parent 4:1 classid 4:${WIFI_CLASS} htb rate ${WIFI_UPLIM}
        /sbin/tc class add dev ${CABLE} parent 4:1 classid 4:${LOCAL_CLASS} htb rate ${LOCAL_UPLIM}
        #Make sure we direct packets to the correct limits.
        /sbin/tc filter add dev ${CABLE} protocol ip parent 4:0 prio 1 handle ${WIFI_MARK} fw flowid 4:${WIFI_CLASS}
        /sbin/tc filter add dev ${CABLE} protocol ip parent 4:0 prio 1 handle ${LOCAL_MARK} fw flowid 4:${LOCAL_CLASS}


        #Clear existing iptables settings if any
        echo "Starting Firewall..."
        iptables -F
        iptables -t nat -F
        
        #Drop all by default
        echo "Drop all by default..."
        iptables -P INPUT DROP
        #Accept from lo and LOCAL by default
        echo "Accept all from lo and LOCAL ${LOCAL} by default..."
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -i ${LOCAL} -j ACCEPT
        #Accept established and related packets
        echo "Accept established and related..."
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        #Allow connections to the server 
        echo Allow the following ports: 
        for PORT in '80' '8080' '20' '21' '22' '25' '110' '113' '118' '156' '194' '220' '443' '465' '989' '990' '993' '995'; do
                echo -n "${PORT} "
                iptables -A INPUT -p tcp --dport ${PORT} -m state --state NEW -j ACCEPT
                iptables -A INPUT -p udp --dport ${PORT} -m state --state NEW -j ACCEPT
        done
        echo "."

        echo "Extra rules for WIFI ${WIFI}"
        iptables -A INPUT -i ${WIFI} -p UDP --dport domain -m state --state NEW -j ACCEPT
        iptables -A INPUT -i ${WIFI} -d 192.168.1.0/24 -j DROP
        iptables -A INPUT -i ${WIFI} -d 192.168.0.0/24 -j DROP
        iptables -A INPUT -i ${WIFI} -j ACCEPT

        #Configure forwarding rules
        echo "Drop all forward requests by default."
        iptables -P FORWARD DROP
        echo "Allow forwarding from LOCAL ${LOCAL} to DSL ${DSL}, CABLE ${CABLE}, and WIFI ${WIFI}..."
        iptables -A FORWARD -i ${LOCAL} -o ${DSL} -j ACCEPT
        iptables -A FORWARD -i ${LOCAL} -o ${CABLE} -j ACCEPT
        iptables -A FORWARD -i ${LOCAL} -o ${WIFI} -j ACCEPT
        echo "Allow forwarding from WIFI ${WIFI} to DSL ${DSL}, and CABLE ${CABLE}"
        iptables -A FORWARD -i ${WIFI} -o ${DSL} -j ACCEPT
        iptables -A FORWARD -i ${WIFI} -o ${CABLE} -j ACCEPT
        echo "Allow forwarding from WIFI ${WIFI} to LOCAL ${LOCAL} if established or related"
        iptables -A FORWARD -i ${WIFI} -o ${LOCAL} -m state --state ESTABLISHED,RELATED -j ACCEPT
        echo "Allow forwarding fo established and related from CABLE ${CABLE}, and DSL ${DSL} to WIFI ${WIFI} and LOCAL ${LOCAL}..."
        iptables -A FORWARD -i ${CABLE} -o ${LOCAL} -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i ${DSL} -o ${LOCAL} -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i ${CABLE} -o ${WIFI} -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i ${DSL} -o ${WIFI} -m state --state ESTABLISHED,RELATED -j ACCEPT

        #Make sure ECN is never enabled, it is bad.
        echo "Kill ECN..."
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]
        then
                echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi

        #Tell the kernel that ip forwarding is OK
        echo "Allow Forwarding..."
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

        #Respond to blocked connections properly.
        echo "Proper responces to blocked ports...";
        for NIF in ${CABLE} ${DSL}; do
                iptables -A INPUT -p tcp -i ${NIF} -j REJECT --reject-with tcp-reset
                iptables -A INPUT -p udp -i ${NIF} -j REJECT --reject-with icmp-port-unreachable
        done
        
        #Masquerading
        echo "Enable masquerading / nat..."
        iptables -t nat -A POSTROUTING -o ${CABLE} -j SNAT --to ${CABLE_IP}
        iptables -t nat -A POSTROUTING -o ${DSL} -j SNAT --to ${DSL_IP}

        #Mark packets from the internal networks so we know where they came form when
        #directing to the limiters
        echo "Packet Marking..."
        iptables -A PREROUTING -t mangle -i ${WIFI} -j MARK --set-mark ${WIFI_MARK}
        iptables -A PREROUTING -t mangle -i ${LOCAL} -j MARK --set-mark ${LOCAL_MARK}

        #Mark packets from the internet.
        echo "More Packet Marking..."
        iptables -A PREROUTING -t mangle -i ${DSL} -j MARK --set-mark ${INET_MARK}
        iptables -A PREROUTING -t mangle -i ${CABLE} -j MARK --set-mark ${INET_MARK}

        eend 0

}

restart() {
svc_stop
svc_start
}

stop() {
        for i in 0 1 2 3 4; do
                ifconfig eth${i} down
        done
        /sbin/tc class del dev eth4 parent 1: classid 1:1 
        /sbin/tc qdisc del dev eth4 root handle 1: 
}

jomen · 06-24-2008, 01:45 AM

Thank you for digging it out - I see what it did (knowing the background) as such a thing is always specially made to suit a need.

AVT · 08-15-2008, 09:02 PM

Hi, I've like to do something very similar, however, firstly, I'd like to apologize, as I am very new to Linux, so this is probably a very simple question:

How would I limit only the upload of a specific interface?

My network setup:

Internet: eth0
LAN: br0 (eth1,eth2,ath0)

The interface I'd like to limit is ath0, which is the wifi.

estabroo · 08-15-2008, 10:37 PM

the tc command from the iproute2 package has some great filters for specify bandwidth usage (like the tbf filter).