# Bandwidth Management

## slurpyx

Guys.. my boss told me to whoop something up.. Bandwidth Management.. 

Basically we want to throttle our bandwidth, limit a specific IP with a specific bandwidth.. Can I do this? What kind of gnu apps should I use to accomplish the task or somewhat do the same thing..

Is this possible?  And if so.. where do I start?

Tnx!

----------

## tuxamd

There are 2 different things you can use for this. You can utilize packet shaping to limit bandwidth or prioritize different bandwidth, or there's an application that can limit bandwidth to a program on the computer it's running on. The program is called trickle and can be emerged from portage. It's super easy to use; for example you can do trickle -u 1 firefox ( hehe, that would start firefox at painstakingly less than dialup speeds  :Twisted Evil:  ). The first solution has a whole tutorial on it. Though I haven't tried the tutorial yet, I would like to try it out within a few days. The tutorial can be found here:

http://gentoo-wiki.com/HOWTO_Packet_Shaping

Let me know how it works out  :Smile:  Hope that was helpful.

----------

## DeathAndTaxes

*Quote:*

> Basically we want to throttle our bandwidth, limit a specific IP with a specific bandwidth.. Can I do this? What kind of gnu apps should I use to accomplish the task or somewhat do the same thing.. 

This can get *very* complex.  I've seen this done in ipfw on a freebsd machine, but I've never managed to figure out how to get this to work elegantly in linux.  The freebsd machine dropped all traffic from unknown MAC addresses (except for dhcp requests) and then it only allowed traffic to pass to client machines that "ack'd" off the dhcp server.  The dhcp server set up a default deny policy and only allowed known MACs to ack by placing them in the dhcpd.conf.

In linux, I can easily limit per-ip, but I have to manually add the lines.  What we want is a way for us to say something like this:

for every IP on the subnet 192.168.2.0/24, limit outgoing bandwidth to 256kbits

for every IP on the subnet 192.168.5.0/24, limit outgoing bandwidth to 512kbits

Then you want to specify in your dhcpd.conf the MAC addresses for each client and put them on the corresponding subnet (I look at this from an ISP's perspective).

In order to get around people just hopping on your network with an address that's in one of the "good" subnets, you need to filter based on MAC address in the firewall as well.

If someone can come up with a really elegant solution, I'd love to hear it.  But until that happens, I think it's gonna get *way* out of control trying to add all the tc lines you need on a per-host basis using the u32 filter (or however you decide to discriminate).

I guess you could build a little script that would ask you for a MAC address, then just run the corresponding programs to set everything up (dhcpd.conf, iptables, tc, ip, etc.).

Sorry I couldn't help you more.

----------

## slurpyx

Tnx Guys!

I'm gonna dig it up.. and see what I can do.. I'm gonna try that wiki, tnx!

----------

## Nossie

Do you want to limit incoming traffic (download) or outgoing traffic (upload)?

If you want to limit outgoing traffic, you can use QoS. You have to enable all the QoS stuff in the kernel, emerge iproute2 and configure the rules.

I use http://nossie.addicts.nl/qos.txt <-- that script.

Hope this helps...

----------

## msalerno

This is what I use to limit people who do bad things on my network.

eth0 is the adapter on my internal segment.

So, if I run this on my gateway machine, their internet connections will be limited to 50bps

```sh
# root CBQ qdisc on the internal interface
tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 100mbit
# a single bounded class at rate 50bps
tc class add dev eth0 parent 1: classid 1:1 cbq rate 50bps allot 1500 prio 5 bounded isolated
# steer traffic addressed to these hosts into class 1:1 (one filter per host)
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.xxx flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.xxx flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.xxx flowid 1:1
```

----------

## DeathAndTaxes

*msalerno wrote:*

> This is what I use to limit people who do bad things on my network.
> 
> eth0 is the adapter on my internal segment.
> 
> So, if I run this on my gateway machine, their internet connections will be limited to 50bps
> ...

Aren't those last three lines all identical?  I'm guessing it was a pasting mistake.  Anyways, doesn't this limit all the clients in 192.168.10.xxx to ONE 50bps pipe?  Or is it that they EACH get their own 50bps pipe?

----------

## msalerno

Yes, the lines are identical; I guess I should have given a real example.

```sh
# root CBQ qdisc on the internal interface
tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 100mbit
# one bounded class at rate 50bps, shared by every host filtered into it
tc class add dev eth0 parent 1: classid 1:1 cbq rate 50bps allot 1500 prio 5 bounded isolated
# all three hosts land in the same class, so they share the one pipe
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.214 flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.252 flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.108 flowid 1:1
```

And yes, this limits them all to a 50bps pipe.

You could set up a new class for each address if you wanted to allot them their own 50bps pipe.

```sh
# one bounded class per host (class ids are hex, so 1:101 and 1:102)
tc class add dev eth0 parent 1: classid 1:101 cbq rate 50bps allot 1500 prio 5 bounded isolated
tc class add dev eth0 parent 1: classid 1:102 cbq rate 50bps allot 1500 prio 5 bounded isolated
# each host gets its own filter pointing at its own class
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.252 flowid 1:101
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.10.108 flowid 1:102
```

----------

## DeathAndTaxes

Yeah, that's what I was afraid of.  This is very similar to how I set some stuff up, but it's not a very elegant solution.  I really want something that will automatically build the pipes dynamically as they are needed.  IOW, when someone acks and they are in a certain subnet (specified in dhcpd.conf), then the system automatically builds the pipe for them.  I guess a person could just write a script that builds leaves for each IP that's possible, but it seems all very messy.  When you try to add traffic shaping and policing to this, you can see that having several lines for tc in each direction, and several lines of iptables for marking traffic can quickly bloom beyond manageability.

Anyone got a better way to do dhcp + trafshape + limiting/policing-per-ip?
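A dry-run script, added here as an illustration and not written by anyone in the thread, that generates msalerno's per-address class and filter pairs for every host in a /24 at a given rate, i.e. the "for every IP on the subnet 192.168.2.0/24, limit to 256kbits" rule from earlier in the thread. eth0, the two subnets, the rates and the class-id offsets are assumed values; it prints the tc commands unless run as root with TC=tc.

```sh
#!/bin/sh
# Dry-run generator for per-host CBQ classes and u32 filters, one pair per
# address in a /24. Prints the tc commands by default; run with TC=tc as
# root to apply them. Device, subnets and rates below are assumed values.
TC=${TC:-"echo tc"}

# Root CBQ qdisc on the internal interface (same form as the thread's example).
setup_root() {
    $TC qdisc add dev "$1" root handle 1: cbq avpkt 1000 bandwidth 100mbit
}

# per_host_limit DEV PREFIX RATE BASE
#   PREFIX  first three octets of a /24, e.g. 192.168.2
#   RATE    a tc rate such as 256kbit (tc reads plain "bps" as bytes/s)
#   BASE    decimal offset for class minor ids so two subnets never collide
# Each host gets its own bounded class, so the rate is per host, not shared.
# "match ip dst" on the inside interface limits traffic *to* the client
# (download); upload needs the same on the outside interface with "src".
# A per-IP filter alone does not stop a host that picks an address in a
# faster subnet; the MAC-based firewall rule from the thread is still needed.
per_host_limit() {
    dev=$1; prefix=$2; rate=$3; base=$4
    host=1
    while [ "$host" -le 254 ]; do
        minor=$(printf '%x' $((base + host)))   # tc class ids are hex
        $TC class add dev "$dev" parent 1: classid "1:$minor" cbq \
            rate "$rate" allot 1500 prio 5 bounded isolated
        $TC filter add dev "$dev" parent 1: protocol ip prio 16 u32 \
            match ip dst "$prefix.$host" flowid "1:$minor"
        host=$((host + 1))
    done
}

# Count how many per-host classes a run would create (handy for checks).
count_classes() {
    per_host_limit "$@" | grep -c ' class add '
}

# Usage: sh shape.sh eth0  -> 192.168.2.0/24 at 256kbit, 192.168.5.0/24 at 512kbit
if [ "$#" -ge 1 ]; then
    setup_root "$1"
    per_host_limit "$1" 192.168.2 256kbit 256
    per_host_limit "$1" 192.168.5 512kbit 512
fi
```

With BASE 256 the first host becomes class 1:101 and the last 1:1fe, matching the numbering style of msalerno's example.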

----------

