# fair traffic queuing for a small network router

## phajdan.jr

I've set up the following qdiscs for a small network router (eth0 is the LAN interface, and eth1 is the WAN interface, 256kbit/s upload):

```
# LAN side: stochastic fairness queueing, flow hash re-seeded every 10 s
tc qdisc add dev eth0 root sfq perturb 10
# WAN side: token bucket capping upload at the 256 kbit/s link rate
tc qdisc add dev eth1 root tbf rate 256kbit latency 50ms burst 1540
```

My goal is to prevent bandwidth monopolization by one user uploading or downloading a large file. I don't want to explicitly set different priorities for some protocols, and the general idea is to keep it simple.

Does the above script look correct? What would you change in it? Do you know some tricks that could help here?

----------

## PaulBredbury

Edit: Oops, duplicate post. Last edited by PaulBredbury on Sat Oct 15, 2011 10:28 am; edited 1 time in total

----------

## PaulBredbury

Setting up rules to prioritize e.g. ACK packages can make all the difference to responsiveness, when e.g. trying to use SSH while uploading a large file. Here's a snippet that I use:

```
#!/bin/bash
# Flush existing rules
iptables -F -t mangle

for iface in eth0 ppp0 wlan0 ; do
   if [[ -e /sys/class/net/$iface ]] ; then
      # Link rate in kbit/s per interface
      MAX=800
      if [[ $iface == ppp0 ]] ; then MAX=33 ; fi
      if [[ $iface == wlan0 ]] ; then MAX=5000 ; fi

      # Replace whatever root qdisc is there with an HTB tree; unclassified traffic goes to 1:40
      tc qdisc del dev $iface root 2>/dev/null
      tc qdisc add dev $iface root handle 1: htb default 40
      tc class add dev $iface parent 1: classid 1:1 htb rate ${MAX}kbit

      # Four leaf classes 1:10..1:40: each guaranteed a quarter of the rate, allowed to
      # borrow up to the full rate, with rising prio value (lower prio is served first);
      # each leaf gets its own SFQ so flows inside a class share it fairly
      for i in 1 2 3 4 ; do
         tc class add dev $iface parent 1:1 classid 1:$((i*10)) htb rate $((MAX/4))kbit ceil ${MAX}kbit prio $((i-1))
         tc qdisc add dev $iface parent 1:$((i*10)) handle $((i*10)): sfq perturb 10
         # Small pure-ACK packets; CLASSIFY does not stop rule traversal, so the
         # last matching rule below decides the final class
         iptables -t mangle -A POSTROUTING -o $iface -p tcp --tcp-flags ALL ACK -m length --length 0:128 -j CLASSIFY --set-class 1:$((i*10))
      done

      # time-critical traffic: TCP handshake/teardown segments and all UDP
      CLA=10
      iptables -t mangle -A POSTROUTING -o $iface -p tcp --tcp-flags ALL FIN,ACK -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p tcp --tcp-flags ALL SYN,ACK -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p tcp --tcp-flags ALL RST,ACK -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p tcp --syn -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p udp -j CLASSIFY --set-class 1:$CLA

      # critical traffic
      #CLA=20
      #iptables -t mangle -A POSTROUTING -o $iface -p ipv6 -j CLASSIFY --set-class 1:$CLA

      # high-priority interactive traffic
      CLA=20
      # 2152 is my SSH port
      iptables -t mangle -A POSTROUTING -o $iface -p tcp -m multiport --dport 22,123,53,2152 -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p tcp -m multiport --sport 22,123,53,2152 -j CLASSIFY --set-class 1:$CLA

      # low-priority interactive traffic
      CLA=30
      iptables -t mangle -A POSTROUTING -o $iface -p tcp -m multiport --dport 80,443,25,110,5222,20,21,194 -j CLASSIFY --set-class 1:$CLA
      iptables -t mangle -A POSTROUTING -o $iface -p tcp -m multiport --sport 80,443,25,110,5222,20,21,194 -j CLASSIFY --set-class 1:$CLA

      # non-critical traffic
      CLA=40
      iptables -t mangle -A POSTROUTING -o $iface -p icmp -j CLASSIFY --set-class 1:$CLA
   fi
done
```

I don't use IPv6, so that line is commented out, and of course I've used a different number for my custom SSH port.

Edit: See discussion for my better version.
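
One way to review the whole command set before applying it, as an added example of my own and not PaulBredbury's script: the functions below print the tc and iptables commands for the same four-class HTB/SFQ tree instead of running them, and emit the CLASSIFY rules from broadest to most specific so the specific match sets the final class. The function names `htb_tree` and `mangle_rules` and the port lists are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not PaulBredbury's script: print the commands for the same
# four-class HTB/SFQ tree instead of applying them, so rates and rule order
# can be reviewed first (apply later with e.g. `htb_tree eth1 256 | sh` as root).

# One root HTB class at the link rate, N leaf classes each guaranteed 1/N of
# it and allowed to borrow up to the full rate; the lowest prio value is
# served first when leaves compete for spare bandwidth. Each leaf gets an SFQ
# so flows inside one class share it fairly.
htb_tree() {
    iface=$1; max=$2; n=${3:-4}
    per=$((max / n))
    echo "tc qdisc del dev $iface root 2>/dev/null"
    echo "tc qdisc add dev $iface root handle 1: htb default $((n * 10))"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate ${max}kbit"
    i=1
    while [ "$i" -le "$n" ]; do
        cid=$((i * 10))
        echo "tc class add dev $iface parent 1:1 classid 1:$cid htb rate ${per}kbit ceil ${max}kbit prio $((i - 1))"
        echo "tc qdisc add dev $iface parent 1:$cid handle $cid: sfq perturb 10"
        i=$((i + 1))
    done
}

# CLASSIFY is a non-terminating target: when a packet matches several rules,
# the last match sets its class. Rules are therefore emitted from the broadest
# (bulk ports) to the most specific (handshake, small pure ACKs), so a small
# ACK belonging to an HTTP download still lands in the top class.
# Port lists are illustrative assumptions, not taken from the thread.
mangle_rules() {
    iface=$1
    pre="iptables -t mangle -A POSTROUTING -o $iface"
    echo "$pre -p tcp -m multiport --ports 80,443,25,110,20,21 -j CLASSIFY --set-class 1:30"
    echo "$pre -p tcp -m multiport --ports 22,53,123 -j CLASSIFY --set-class 1:20"
    echo "$pre -p udp -j CLASSIFY --set-class 1:10"
    echo "$pre -p tcp --syn -j CLASSIFY --set-class 1:10"
    echo "$pre -p tcp --tcp-flags ALL ACK -m length --length 0:128 -j CLASSIFY --set-class 1:10"
}
```

For the 256 kbit/s WAN link in the question, `htb_tree eth1 256` gives each leaf a 64 kbit/s guarantee with a 256 kbit/s ceiling.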

----------

