On Fri, Jul 23, 2010 at 6:53 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote: > Hello, > > Elison Niven a écrit : >> >> I have an ARM based board with 2 ethernet interfaces eth0 and eth1. >> eth0 - LAN interface. 192.168.2.149 >> eth1 - WAN interface. 192.168.1.149 >> I have setup a simple router using iptables that allows PCs on the LAN >> to browse the internet via the WAN. >> I want to limit incoming bandwidth on the LAN interface to about >> 8mbit/s as when there are massive data transfers initiating from the >> PCs on the LAN, the system is under heavy load and is not able to >> execute any applications. >> >> I tried to limit the bandwidth using tc's tbf and ingress but it isn't >> really working well. >> For example from a PC on the LAN (ip 192.168.2.13, default gw >> 192.168.2.149) >> # ping -f -s 1000 192.168.1.3 >> This is correctly limited and ping results show the loss. >> >> # ping -f -s 1 192.168.1.3 >> Here the system is under heavy load and is not able to execute any >> applications. No loss in ping. > > This result may indicate that the router's load depends more on the packet > rate than the bandwidth, which makes sense. So it may be more efficient to > limit the packet rate instead of the bandwidth. > >> Also when I create a udp socket from this PC to an address on the WAN, >> the rate is not limited. >> #./udpclient 20000 192.168.1.3 20000 1000 >> This utility sends 20000 packets of 1000 bytes each to 192.168.1.3. >> Here also the rate is not limited. > > I did not understand well whether you want to limit incoming (WAN to LAN) or > outgoing (LAN to WAN) traffic. The ping test above does not tell whether > incoming (echo reply) or outgoing (echo request) traffic is limited. > > Also, remember that by definition received traffic rate cannot be directly > controlled. All you can do is drop incoming packets. Due to TCP > acknowledgement and congestion control mechanism, the sender will interpret > the packet loss as congestion and reduce the sending rate. But UDP has no > such mechanism. Anyway, does this really matter ? If the heavy data > transfers use TCP, it should work. Did you test it ? > > > Thanks for the reply, I will test with tcp and send the relevant iptables and tc rules that i have used. Regards, Elison -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html