Posted: Sun Feb 21, 2010 3:09 Post subject: rate limiting with WAP only
I've been attempting to rate-limit by MAC address, and having no luck with scripts. I'm wondering if perhaps it's because I've got my wireless router set up as a WAP. (The wireless router is connected via LAN port to a wired router that handles WAN, DHCP, etc. Wireless router WAN port is disconnected & my connection type set to "disabled".)
As a test, I telnet'ed in, and tried this:
Code:
iptables -I FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j DROP
(MAC address deleted from the above, obviously.) But the computer with that MAC was still able to reach the internet. So I listed the FORWARD chain:
Code:
iptables -L FORWARD -v
and all the packet and byte counts were 0.
I take this to mean that there's no actual routing going on. Is there a way to keep this config (wired router handles WAN, NAT, etc.), but still get iptables control of wireless clients through dd-wrt?
I've tried both in "gateway" and "OSPF router" mode. Doesn't seem to make a difference - both modes allow wireless clients access to the network, but can't block or rate limit.
WAPs bridge/switch; they do not route. Routing requires going from one subnet to another, but all it's doing is extending the main router's subnet.
Set the QoS interface to LAN&WLAN, only enter the uplink value (which will actually affect both directions with this method), and add insmod ebtables to your firewall script.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
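The reply above points at ebtables because frames switched between ports of the same bridge never enter the IP FORWARD chain, which is why the iptables counters stayed at zero. As an added example (not part of the thread, and not dd-wrt's own QoS code), here is a firewall script for a bridged WAP that uses ebtables to hard-block one MAC and to mark frames by MAC so tc can put them in a rate-limited HTB class on the port where they leave the bridge. The interface names (eth1 for wireless, vlan0 for the wired side of br0), the presence of the ebtables and tc modules, and the DRY_RUN switch are assumptions; check them against ifconfig / brctl show on your own build.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the wireless
# bridge port is eth1, the wired side of br0 is vlan0, and the build ships
# ebtables plus tc with HTB and the fw classifier.
#
# Why ebtables: frames switched between bridge ports never enter the IP
# FORWARD chain, so iptables counters stay at zero. ebtables FORWARD sees them.

WL_IF="${WL_IF:-eth1}"    # wireless bridge port (assumption)
LAN_IF="${LAN_IF:-vlan0}" # wired bridge port towards the main router (assumption)
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only six colon-separated hex pairs; anything else is rejected.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Load ebtables (the step the reply recommends) and put an HTB root qdisc on
# each bridge port. Class 1:1 is the unshaped default for everyone else.
setup_shaping() {
    run insmod ebtables
    for dev in "$LAN_IF" "$WL_IF"; do
        run tc qdisc add dev "$dev" root handle 1: htb default 1
        run tc class add dev "$dev" parent 1: classid 1:1 htb rate 100mbit
    done
}

# Hard block: drop every frame the bridge would forward from this MAC.
block_mac() {
    valid_mac "$1" || return 1
    run ebtables -A FORWARD -s "$1" -j DROP
}

# Hard rate limit for one MAC. up_kbit/down_kbit are kbit/s; mark is a
# two-digit hex id (e.g. 10) that doubles as the tc class minor number.
# Upload leaves the bridge on the wired port, download on the wireless
# port, so each direction is shaped on the port where those frames egress.
limit_mac() {
    mac="$1"; up_kbit="$2"; down_kbit="$3"; mark="$4"
    valid_mac "$mac" || return 1
    # ebtables' mark target sets the same skb mark that tc's fw classifier matches.
    run ebtables -A FORWARD -s "$mac" -j mark --mark-set "0x$mark" --mark-target ACCEPT
    run ebtables -A FORWARD -d "$mac" -j mark --mark-set "0x$mark" --mark-target ACCEPT
    for pair in "$LAN_IF:$up_kbit" "$WL_IF:$down_kbit"; do
        dev="${pair%%:*}"; rate="${pair##*:}"
        run tc class add dev "$dev" parent 1:1 classid "1:$mark" htb rate "${rate}kbit" ceil "${rate}kbit"
        run tc filter add dev "$dev" parent 1: protocol all handle "0x$mark" fw flowid "1:$mark"
    done
}

# Usage:   sh thisscript apply <mac> <up_kbit> <down_kbit> <hexmark>
#          sh thisscript block <mac>
# Dry run: DRY_RUN=1 sh thisscript apply 00:11:22:33:44:55 512 2048 10
case "${1:-}" in
    apply) setup_shaping && limit_mac "$2" "$3" "$4" "$5" ;;
    block) block_mac "$2" ;;
esac
```

Run it with DRY_RUN=1 first and read the printed commands before letting it touch the box. Two caveats: tc qdisc add fails if a root qdisc already exists on the port, so on re-runs delete it first (tc qdisc del dev vlan0 root); and if your build includes bridge-netfilter, writing 1 to /proc/sys/net/bridge/bridge-nf-call-iptables makes bridged frames traverse iptables FORWARD as well, which is a different approach from the ebtables one the reply describes.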
Thanks for the quick reply. I took a look at the QoS page & help. Am I understanding correctly that this method will only *prioritize* one MAC over another - rather than applying a hard rate limit? The latter is what I'm attempting.
If that's the case, should I be investigating how to set up the WAP as a router on its own subnet instead? (I'm a bit new to serious networking stuff, but eager to learn, I suppose.)