How to limit bandwidth on one eth0 only for internet?
Hi,
I know this can somehow be done with a lot of tc commands, but before I learn that much, is there an easy solution to this (or perhaps can someone who already knows the tc command well do this)?
What I have:
I have a home server (and all other PCs) connected to my internet router. It only has an ethernet interface eth0 to connect to both the internet and the WLAN network. In the (W)LAN network, all IPs start with "192.168.178."
I installed Debian on it because I think it's a good and reliable distro for servers.
What I intend to do:
I want to limit the bandwidth for my home server, but only for connections to (and, if possible, also from) the internet.
I know that the tool "wondershaper" limits input and output for a NIC in a user-friendly way (uses tc), but I would want exceptions for these limitations on the 192.168.178.0/255.255.255.0 network (not experienced with IP+mask stuff, hope it's right), or if exceptions for ports are easier, just an exception for one port (SSH).
[FYI: when I set a reasonable upload limit for my DSL internet connection with 'wondershaper', the "top" command lags, which is very inconvenient, especially if you consider that I want to do other stuff than monitor processes as well.]
Now, is there an easy solution or do I have to study the tc command?
Now, is there an easy solution or do I have to study the tc command?
Those two aren't mutually exclusive you know...
Since you have no control over inbound traffic the Wondershaper only addresses outbound traffic. To shape traffic it uses the mangle table, directing all traffic in POSTROUTING to the SHAPER chain. Inside the SHAPER chain all traffic is --set-mark'ed. All traffic that is not marked gets assigned a default priority.
Quote:
Originally Posted by TITiAN
I want to limit the bandwidth for my home server, but only for connections to (and, if possible, also from) the internet.
Excluding traffic from marking makes proper bandwidth calculations impossible so IMHO it would be illogical to make an exclusion for your 192.168.178.0/24. What you could do is make all LAN traffic use the highest priority (lowest flowid) and assign it a minimal usable bandwidth (e.g.: if CHAN=$[$BANDWIDTH/4], then if HALFCHAN=$[$CHAN/2], you could have a WIDECHAN=$[$CHAN+$HALFCHAN]) but how you do it exactly (in terms of iptables -t mangle -A SHAPER rules) depends on what you filter for (src/dst ports, nets, owner, et cetera). You could also subject everything not destined for your LAN range to specific filtering rules and let everything else be assigned the default, then make the default be the highest prio. A simple way to assess what traffic gets assigned which mark is to watch iptables output as in ' watch '/sbin/iptables -n -t mangle -L SHAPER -v -x | sort -bgrk 1 | nl | column -t' '.
HomeServer:~# /sbin/iptables -n -t mangle -L SHAPE -v -x
iptables: No chain/target/match by that name
I don't understand why exceptions when marking traffic for shaping are illogical (except if the software is so that you can only shape traffic on a NIC, not traffic that goes through a mark). But I just got another idea:
Maybe I should make a bridge and route all input everything except TCP port 22 (SSH) to it, then use that bridge for internet connections and use wondershaper on it. I'll try that now (google will help me research again), suggestions, opinions etc. are welcome, of course.
If you except part of the traffic flowing through that pipe then you just can't act on it, that's all. Then again I forgot the exception would be for only LAN traffic so that's OK ;-p
If you don't have the SHAPE chain then you prolly dropped the "R" :-]
Sorry for exclamation, but that's how I feel after fuddling a few days with tools like vconfig, brctl, wondershaper and tc. (tc was the right tool, after all)
Here's the script that makes it work like I want (shape only outgoing internet traffic on a 192.168.178.* network connected via eth0) [I translated and changed the comments for LQ]:
Code:
# clear any existing configuration
wondershaper clear eth0
# root: let's use HTB
tc qdisc add dev eth0 root handle 1: htb default 20
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
# the limit for fast, local connections:
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 95mbit burst 60k
# for the rest in teh intarweb (p2p, http ...):
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 300kbit burst 15k
# suggestion from the LARTC howto ...
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
# F I L T E R local stuff (adapt "192.168.178." to your own LAN)
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
match ip dst 192.168.178.0/24 flowid 1:10
man, what a pain... but worth it
I mainly consulted chapter 9 in the LARTC howto.
PS: also adapt the rate limits
Last edited by TITiAN; 07-23-2009 at 01:27 PM.
Reason: ps
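Added example, not the poster's script and not wondershaper's code: the same HTB layout as a reusable POSIX sh script. By default it only prints the commands it would run (DRY_RUN=1), so it can be inspected without root; DRY_RUN=0 applies them. Interface, LAN range and rates are placeholders taken from the thread's values. It also shows the classification-by-mark approach described earlier in the thread (an iptables MARK rule in the mangle POSTROUTING chain plus a tc fw filter) as an alternative to the u32 destination match; the mark value 10 and that chain placement are my choices, not wondershaper's. Filters use prio 1 rather than prio 0, since tc assigns filter priorities starting at 1.

```shell
#!/bin/sh
# Added example: HTB shaper with a fast class for LAN traffic and a slow
# default class for everything else (i.e. the internet). All values below
# are assumptions taken from the thread; adapt them to your own setup.
set -eu

IFACE="${IFACE:-eth0}"                      # assumed interface
LAN_NET="${LAN_NET:-192.168.178.0/24}"      # assumed LAN range
LAN_RATE="${LAN_RATE:-95mbit}"              # class 1:10, local traffic
INET_RATE="${INET_RATE:-300kbit}"           # class 1:20, default for the rest
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print only, 0 = apply

# run: print the command line, and execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# shaper_cmds MODE: emit the complete rule set. MODE is "u32" (classify by
# destination address in tc) or "fwmark" (classify by an iptables mark).
shaper_cmds() {
    mode="$1"
    # tear down any existing root qdisc; ignore the error if none is attached
    run tc qdisc del dev "$IFACE" root 2>/dev/null || true
    # root qdisc: anything unclassified falls into class 1:20 (slow)
    run tc qdisc add dev "$IFACE" root handle 1: htb default 20
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$IFACE" parent 1:1 classid 1:10 htb rate "$LAN_RATE" burst 60k
    run tc class add dev "$IFACE" parent 1:1 classid 1:20 htb rate "$INET_RATE" burst 15k
    # SFQ under each leaf so one flow cannot starve the others in its class
    run tc qdisc add dev "$IFACE" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$IFACE" parent 1:20 handle 20: sfq perturb 10
    case "$mode" in
        u32)
            # match the LAN destination directly in tc
            run tc filter add dev "$IFACE" parent 1:0 protocol ip prio 1 \
                u32 match ip dst "$LAN_NET" flowid 1:10
            ;;
        fwmark)
            # mark LAN-bound packets in netfilter, then steer by mark in tc
            # (mark value 10 and the POSTROUTING placement are assumptions)
            run iptables -t mangle -A POSTROUTING -o "$IFACE" -d "$LAN_NET" \
                -j MARK --set-mark 10
            run tc filter add dev "$IFACE" parent 1:0 protocol ip prio 1 \
                handle 10 fw flowid 1:10
            ;;
        *)
            echo "unknown mode: $mode (use u32 or fwmark)" >&2
            return 1
            ;;
    esac
}

# verify_cmds: commands to confirm which class the packets actually hit
verify_cmds() {
    run tc -s class show dev "$IFACE"
    run tc filter show dev "$IFACE"
}

# Usage: sh shaper.sh u32            (print only)
#        DRY_RUN=0 sh shaper.sh u32  (apply, needs root)
[ $# -eq 0 ] || { shaper_cmds "$1"; verify_cmds; }
```

After applying, the byte counters in `tc -s class show dev eth0` tell you whether LAN traffic is really landing in 1:10; if everything accumulates in 1:20, the filter is not matching and the rate limit is hitting your local connections too.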