throttle br1 traffic. how?

sabot105mm
DD-WRT Novice


Joined: 11 Mar 2011
Posts: 5

Posted: Tue Mar 22, 2011 19:04    Post subject: throttle br1 traffic. how?
I am trying to throttle a VLAN with an IP address of 192.168.10.2, but can't get it to throttle the speed for more than 2 days; after that the speed returns to 21Mbps from 350kbps. When I first created the script I did a backup of the router, so after a day I have to keep reverting back to the backup to make it work again. Why is this happening?
I will note that this is a public network for my house and many people connect to it. Would it be possible to edit the script to allow users to get a guaranteed speed of 500kbps while the network is congested and a max speed of 700 when it isn't? I have tried to play with the ceiling values but can't get it to work.

Firmware: DD-WRT v24-sp2 (08/07/10) vpn
Code:
# Firewall Script Start
# Wait 10 seconds for Router startup
sleep 10
# br1 Web Access Only
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Limit br1 download speed
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1:1 classid 1:10 htb rate 350kbit ceil 350kbit prio 4
tc filter add dev br1 parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A POSTROUTING -d 192.168.10.0/24 -j MARK --set-mark 10
# Limit br1 upload speed
insmod imq
insmod ipt_IMQ
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 200kbit ceil 200kbit prio 4
tc filter add dev imq0 parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -j IMQ --todev 0
#dns
iptables -t nat -A PREROUTING -i br1 -s 192.168.10.2/24 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br1 -s 192.168.10.2/24 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Mar 24, 2011 17:16
There isn't a lot of information on throttling. But I do have a working script with limitations. The limitations are with the "Limit BR1 Upload" script: QoS must be disabled when using K2.4 builds, and it does not work with K2.6 builds; the last build I've tested this script with is K2.4 15508.

My working script with EKO K2.4 build 15508 with QoS Disabled....
Quote:
# Client K2.4 Firewall Script
# Wait 20 seconds for Router startup
sleep 20
# Load Modules
insmod imq
insmod ipt_IMQ
sleep 1
# br1 Web Access Only
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j logaccept
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# Limit br1 download speed
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 2000kbit
tc class add dev br1 parent 1:1 classid 1:10 htb rate 300kbit ceil 2000kbit prio 4
tc filter add dev br1 parent 1:0 prio 3 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A POSTROUTING -d 192.168.10.0/24 -j MARK --set-mark 10
#Limit br1 upload speed
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 2: htb
tc class add dev imq0 parent 2: classid 2:1 htb rate 120kbit
tc class add dev imq0 parent 2:1 classid 2:20 htb rate 30kbit ceil 120kbit prio 4
tc filter add dev imq0 parent 2:0 prio 3 protocol ip handle 20 fw flowid 2:20
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -j IMQ --todev 0


I do use a modified script for enabled QoS for K2.4 & K2.6 builds that ONLY throttles BR1 download speed (just remove the "Load Modules" & "Limit BR1 Upload Speed" scripts).

Hope it helps...

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
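
A structural check on the two scripts above, as an added example that is not part of either post: the first post attaches class 1:10 to a parent 1:1 that the script never creates, while mac913's script creates 1:1 first. This Python sketch flags HTB classes whose parent is missing and fw filters whose class or mark is missing; the function names are this example's own, and the embedded lines are the br1 download lines copied from the two posts.

```python
import re

# br1 download lines copied from the first post's script
OP_SCRIPT = """
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1:1 classid 1:10 htb rate 350kbit ceil 350kbit prio 4
tc filter add dev br1 parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A POSTROUTING -d 192.168.10.0/24 -j MARK --set-mark 10
"""
# br1 download lines copied from mac913's script
REPLY_SCRIPT = """
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 2000kbit
tc class add dev br1 parent 1:1 classid 1:10 htb rate 300kbit ceil 2000kbit prio 4
tc filter add dev br1 parent 1:0 prio 3 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A POSTROUTING -d 192.168.10.0/24 -j MARK --set-mark 10
"""

def norm(handle):
    return re.sub(r":0*$", ":", handle)  # "1:0" and "1:" name the same qdisc

def arg(tokens, key):
    return tokens[tokens.index(key) + 1]  # value that follows a keyword

def lint_tc(script):
    """Return findings for classes and fw filters that point at nothing."""
    qdiscs, classes, filters, marks, findings = {}, {}, [], set(), []
    for t in map(str.split, script.splitlines()):
        if t[:3] == ["tc", "qdisc", "add"]:
            qdiscs[arg(t, "dev")] = norm(arg(t, "handle"))
        elif t[:3] == ["tc", "class", "add"]:
            classes[(arg(t, "dev"), arg(t, "classid"))] = norm(arg(t, "parent"))
        elif t[:3] == ["tc", "filter", "add"]:
            filters.append((arg(t, "dev"), arg(t, "handle"), arg(t, "flowid")))
        elif "--set-mark" in t:
            marks.add(arg(t, "--set-mark"))
    for (dev, cid), parent in classes.items():
        # A parent must be the root qdisc handle or a class created in the script.
        if parent != qdiscs.get(dev) and (dev, parent) not in classes:
            findings.append(f"{dev}: class {cid} names parent {parent}, which no line creates")
    for dev, handle, flowid in filters:
        # An fw filter needs a class to send packets to and a rule that sets its mark.
        if (dev, flowid) not in classes or handle not in marks:
            findings.append(f"{dev}: fw filter handle {handle} -> {flowid} has no class or no matching --set-mark")
    return findings

if __name__ == "__main__":
    print("first post:", lint_tc(OP_SCRIPT))
    print("mac913:    ", lint_tc(REPLY_SCRIPT))
```
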
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Thu Mar 24, 2011 17:43
You can use the built-in QoS and just create one rule to exempt your main subnet.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

Posted: Thu Mar 24, 2011 18:06
phuzi0n wrote:
You can use the built-in QoS and just create one rule to exempt your main subnet.


I did something similar, but added a rule to make all traffic on br1's subnet to 'bulk'.

My reading indicated you should use 'exempt' sparingly, so I went the opposite direction instead. All I know is yesterday my neighbor was leeching wifi from my open VAP, torrenting something, and it didn't interfere with Netflix at all, so it must be doing its job.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Mar 24, 2011 19:00
phuzi0n wrote:
You can use the built-in QoS and just create one rule to exempt your main subnet.


In my case I do limit BR1 up/down speeds at bulk priority which the script does only with K2.4. I would like to use the "built-in" QoS for the main subnet (not exempt) without breaking BR1 upload. I have had zero success.

bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

Posted: Thu Mar 24, 2011 19:29
mac913 wrote:
phuzi0n wrote:
You can use the built-in QoS and just create one rule to exempt your main subnet.


In my case I do limit BR1 up/down speeds at bulk priority which the script does only with K2.4. I would like to use the "built-in" QoS for the main subnet (not exempt) without breaking BR1 upload. I have had zero success.


Are you using a build with "broken" loopback that you've applied the fix from the sticky in this forum? If so, there's the caveat that badly written QoS scripts won't work...perhaps it's a combination of that?

I use the built in QoS and have my entire VAP subnet set to 'Bulk' and whenever my main LAN needs bandwidth, the VAP takes a back seat. Works flawlessly for me.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Mar 25, 2011 10:55
@bmupton - The whole idea of exempting the main subnet is so that only the guest network is affected by the QoS limits.

@mac913 - You can't mix the built in QoS with the script generator. You have to learn tc and iptables to write your own script if you want separate limits for each. The paid special version might be able to do it but I don't know if it's coded properly to handle it.

@bmupton - My loopback fix won't break the bad QoS scripts, the bad QoS scripts can break the loopback fix though. The script generator produces these bad scripts that overwrite kernel marks.

bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

Posted: Fri Mar 25, 2011 13:28
phuzi0n wrote:
@bmupton - The whole idea of exempting the main subnet is so that only the guest network is affected by the QoS limits.


Right, but doesn't QoS fail to work properly if one of your exempt devices is using more bandwidth than your QoS limits? My understanding of it (Granted, I've just started out with this stuff) is that if you're using all your available bandwidth for an exempt device, QoS isn't properly applied to the rest of your devices.

In my case as well, I have rules on my main subnet for newsgroups and torrents so that Netflix isn't affected when I'm also downloading something, so I can't exempt my main subnet entirely anyhow or that would stop working.

In any case, thanks for the information. I'll have to do more tinkering with QoS now. :-)

phuzi0n wrote:
@bmupton - My loopback fix won't break the bad QoS scripts, the bad QoS scripts can break the loopback fix though. The script generator produces these bad scripts that overwrite kernel marks.


Had it backwards. Thanks for the clarification.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Fri Mar 25, 2011 21:01
phuzi0n wrote:
@mac913 - You can't mix the built in QoS with the script generator. You have to learn tc and iptables to write your own script if you want separate limits for the each. The paid special version might be able to do it but I don't know if it's coded properly to handle it.


phuzi0n, you have been a GREAT help with my firewall scripts, THANKS! But the tc scripts are over my head; it would be great to see a WIKI about this with working examples. I have read that the newer paid versions are having issues with upload bandwidth control too. But in any case I do have it working with workarounds.

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sat Mar 26, 2011 9:06
mac913 wrote:
I have read that the newer paid versions are having issues with upload bandwidth control too.

There have been many claims made by tatsuya46 about QoS but the evidence from tc/iptables didn't always back up those claims. I don't have the special version so I can't say anything for sure about it.

excel4x
DD-WRT Novice


Joined: 24 Feb 2007
Posts: 25

Posted: Fri Aug 11, 2017 17:16
phuzi0n wrote:
You can use the built-in QoS and just create one rule to exempt your main subnet.

phuzi0n, et al. Could you please provide an example "one rule" to exempt an IP address from the standard QoS rules? I would like total up/down bandwidth to be limited (std QoS GUI) except one fixed client with unlimited up/down bandwidth.

I am running old firmware (9517) on a WHR-HP-G54 router. I prefer the vint drivers and this rev is quite stable and still works fine.