Posted: Thu Jul 15, 2010 16:34 Post subject: [SOLVED] HELP - Scripting Bandwidth Limit
I have spent 2 full days trying to limit the bandwidth of a vwlan, with issues, and I'm at a loss, so I'm requesting some help...
I'm setting up a 610v1 with K26 14473 BIG loaded. wl0 is an NG-Mix with a vwlan and wl1 is an N-5GHz network. The vwlan is going to be a separate bridge (br1) from the local network (br0), with the possibility of also limiting the bandwidth on the br1 network to 2Mbit.
I have used the "generator", which is very limited, and did some editing to create a script for the br1 network. I did get the limiting to work, but at the cost of losing the local wireless wl0 after someone connects to wl0.1. I did read that QoS should be disabled, but I need it for the br0 network's devices and ports.
Here's the firewall script that I'm using (with some changes to mask the SSH port):
# Rate-limit new connections to the SSH port: a burst of 3, then 1 per minute
iptables -N rate_limit
iptables -F rate_limit
iptables -A rate_limit -p tcp --dport (ssh port) -m limit --limit 1/min --limit-burst 3 -j ACCEPT
# Anything over the limit: log it (except ICMP), reset TCP, port-unreachable UDP, drop the rest
iptables -A rate_limit -p ! ICMP -j LOG --log-prefix " Port Request Dropped!! "
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rate_limit -j DROP
# Only NEW connections to the SSH port pass through the chain
iptables -I INPUT -p tcp --dport (ssh port) -m state --state NEW -j rate_limit
# BR1 for Web Only Access
# START
# Note: -I inserts at the top of the chain, so the rules end up in reverse order;
# the three ACCEPTs below land above the "DROP NEW" rule for INPUT.
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP   # no new connections from br1 into the LAN
iptables -I FORWARD -i br1 -o `nvram get wan_iface` -j ACCEPT   # br1 may go out to the Internet
iptables -I INPUT -i br1 -m state --state NEW -j DROP             # no router services for br1...
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT              # ...except DHCP
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT              # ...and DNS
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# END
# Force DNS queries from this range to OpenDNS (208.67.222.222)
iptables -t nat -I PREROUTING -p udp -s 10.81.1.128/25 --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -p tcp -s 10.81.1.128/25 --dport 53 -j DNAT --to 208.67.222.222
# --------------------------------------------
# WRT54 Script Generator v1.02
# (C) 2006-2007 Robert "Robson" Mytkowski
# Limit 10.81.10.xxx download to 2048kbps
# --------------------------------------------
tc qdisc del dev br1 root                                      # clear any existing qdisc on br1
tc qdisc add dev br1 root handle 1: htb                        # HTB root; no default class, so unclassified traffic is not shaped
tc class add dev br1 parent 1: classid 1:1 htb rate 4500kbit   # parent class
tc class add dev br1 parent 1:1 classid 1:10 htb rate 1024kbit ceil 2048kbit prio 3   # guest class, capped at 2048kbit
tc filter add dev br1 parent 1:0 prio 3 protocol ip handle 10 fw flowid 1:10          # fwmark 10 -> class 1:10
iptables -t mangle -A POSTROUTING -m iprange --dst-range 10.81.10.2-10.81.10.254 -j MARK --set-mark 10   # needs the iprange match module
TIA!!!
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Posted: Fri Jul 16, 2010 13:31 Post subject: Re: HELP - Scripting Bandwidth Limit
The script generator is incredibly old and has many flaws which I explained on the QoS wiki. For instance, the iprange matcher is not included in any broadcom build so you have to use netmasks instead, but it seems that you're trying to match the entire range for br1 so you don't need it at all really... This code should do what I think you want to do in the simplest way and it's fine to turn on the default QoS with this.
tc qdisc del dev br1 root                                      # clear any existing qdisc on br1
tc qdisc add dev br1 root handle 1: htb                        # HTB root, no default class given
tc class add dev br1 parent 1: classid 1:1 htb rate 2048kbit   # single class capped at 2048kbit
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Posted: Fri Jul 16, 2010 20:21 Post subject: Re: HELP - Scripting Bandwidth Limit
phuzi0n wrote:
The script generator is incredibly old and has many flaws which I explained on the QoS wiki. For instance, the iprange matcher is not included in any broadcom build so you have to use netmasks instead, but it seems that you're trying to match the entire range for br1 so you don't need it at all really... This code should do what I think you want to do in the simplest way and it's fine to turn on the default QoS with this.
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 2048kbit
phuzi0n, tried it and no luck, br1 gets full bandwidth.
Things mess up with:
iptables -t mangle -A POSTROUTING -m iprange --dst-range 10.81.10.2-10.81.10.254 -j MARK --set-mark 10
Can you re-write the code from iprange to br1?
TIA!!!
Today I started to look into the download throttling script for the wireless guest network on BR1. After hours of script testing I have the script working without affecting BR0 or the QoS GUI. The script is tested with build EKO K26 Build 15337 Std-nokaid-small on the 610v2 gateway router. The script below limits BR1 downloads to 1024 kbit/s; uploads are limited in the QoS GUI.
# Limit br1 download speed
tc qdisc del dev br1 root                                  # clear any existing qdisc on br1
tc qdisc add dev br1 root handle 1: htb                    # HTB root; unmarked traffic is not shaped
# There is no class 1:1 in this script, so the guest class hangs directly off the root qdisc
tc class add dev br1 parent 1: classid 1:10 htb rate 1024kbit ceil 1024kbit prio 3
tc filter add dev br1 parent 1:0 prio 3 protocol ip handle 10 fw flowid 1:10   # fwmark 10 -> class 1:10
iptables -t mangle -A POSTROUTING -m iprange --dst-range 10.81.10.0-10.81.10.255 -j MARK --set-mark 10   # iprange match
EDIT: Since I'm using the whole subnet to be throttled the same, I changed:
iptables -t mangle -A POSTROUTING -m iprange --dst-range 10.81.10.0-10.81.10.255 -j MARK --set-mark 10
to:
iptables -t mangle -A POSTROUTING -d 10.81.3.0/24 -j MARK --set-mark 10   # whole subnet by netmask, no iprange module needed
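Pulling the thread together, here is an added example (not code posted by anyone in the thread) of a complete guest-bridge script in the form the discussion ends up at: the guest subnet is matched with -d CIDR instead of the iprange module that the Broadcom builds lack, and the HTB root qdisc is given a default class so nothing reaches the guests unshaped even if a packet misses the fw filter. It also wraps the OP's "web only" isolation rules into dedicated chains so the rule order reads top to bottom instead of being reversed by -I, and deletes before adding so the firewall script can be re-run. br1, 10.81.10.0/24, 1024kbit, the LAN net 10.81.1.0/24 and the vlan2 fallback for the WAN interface are assumed values; DRY_RUN=1 prints the commands so they can be reviewed off the router, DRY_RUN=0 applies them. As in the last post, shaping the root qdisc of br1 only limits traffic leaving the router towards the guests, i.e. their downloads; uploads still need the QoS GUI or shaping on the WAN side.

```shell
#!/bin/sh
# Added example, not code from the thread: guest-bridge download shaping on
# DD-WRT with HTB plus web-only isolation. Assumed names: br1 is the guest
# bridge, 10.81.10.0/24 its subnet, 1024kbit the cap; LAN_NET and the vlan2
# WAN fallback are constructed defaults for running this off the router.
GUEST_IF="${GUEST_IF:-br1}"
GUEST_NET="${GUEST_NET:-10.81.10.0/24}"
GUEST_RATE="${GUEST_RATE:-1024kbit}"
LAN_NET="${LAN_NET:-10.81.1.0/24}"           # on the router: `nvram get lan_ipaddr`/`nvram get lan_netmask`
WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo vlan2)}"
MARK=10                                      # fwmark and minor class id for guest traffic
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands, 0 = execute them (root on the router)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# HTB shaper on interface $1 for subnet $2 with cap $3.
shaper_cmds() {
    ifc=$1; net=$2; rate=$3
    run tc qdisc del dev "$ifc" root 2>/dev/null        # first run: nothing to delete, ignore the error
    # "default $MARK": anything the fw filter does not classify still lands in the guest class
    run tc qdisc add dev "$ifc" root handle 1: htb default $MARK
    run tc class add dev "$ifc" parent 1: classid 1:1 htb rate "$rate"
    run tc class add dev "$ifc" parent 1:1 classid 1:$MARK htb rate "$rate" ceil "$rate" prio 3
    run tc filter add dev "$ifc" parent 1: prio 3 protocol ip handle $MARK fw flowid 1:$MARK
    # Mark only what leaves on the guest bridge towards the guest subnet; -D then -A keeps re-runs idempotent
    run iptables -t mangle -D POSTROUTING -o "$ifc" -d "$net" -j MARK --set-mark $MARK 2>/dev/null
    run iptables -t mangle -A POSTROUTING -o "$ifc" -d "$net" -j MARK --set-mark $MARK
}

# Web-only isolation for guest interface $1: LAN net $2 is unreachable, WAN $3 is
# allowed, and the router itself only answers DHCP and DNS. Dedicated chains keep
# the rule order readable instead of relying on -I reversing it.
isolation_cmds() {
    ifc=$1; lan=$2; wan=$3
    run iptables -N guest_in 2>/dev/null
    run iptables -F guest_in
    run iptables -A guest_in -p udp --dport 67 -j ACCEPT               # DHCP
    run iptables -A guest_in -p udp --dport 53 -j ACCEPT               # DNS
    run iptables -A guest_in -p tcp --dport 53 -j ACCEPT
    run iptables -A guest_in -m state --state NEW -j DROP              # nothing else on the router
    run iptables -D INPUT -i "$ifc" -j guest_in 2>/dev/null
    run iptables -I INPUT -i "$ifc" -j guest_in
    run iptables -N guest_fwd 2>/dev/null
    run iptables -F guest_fwd
    run iptables -A guest_fwd -d "$lan" -m state --state NEW -j DROP   # no new connections into the LAN
    run iptables -A guest_fwd -o "$wan" -j ACCEPT                      # Internet only
    run iptables -D FORWARD -i "$ifc" -j guest_fwd 2>/dev/null
    run iptables -I FORWARD -i "$ifc" -j guest_fwd
}

shaper_cmds "$GUEST_IF" "$GUEST_NET" "$GUEST_RATE"
isolation_cmds "$GUEST_IF" "$LAN_NET" "$WAN_IF"
```

On the router this goes into the firewall script as usual; run it once with DRY_RUN=1 over SSH first and check that the printed tc lines carry "default 10" and that the mangle rule uses -d with a netmask. With `tc -s class show dev br1` afterwards, the byte counters of class 1:10 should grow while a guest downloads; if they stay at zero, the traffic is bypassing the class and the shaping is not in effect.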