Re: Limiting bandwidth on router

On Sat, Jul 24, 2010 at 9:19 PM, Elison Niven <elison.niven@xxxxxxxxx> wrote:
> On Fri, Jul 23, 2010 at 6:53 PM, Pascal Hambourg
> <pascal.mail@xxxxxxxxxxxxxxx> wrote:
>> Hello,
>>
>> Elison Niven wrote:
>>>
>>> I have an ARM based board with 2 ethernet interfaces eth0 and eth1.
>>> eth0 - LAN interface. 192.168.2.149
>>> eth1 - WAN interface. 192.168.1.149
>>> I have set up a simple router using iptables that allows PCs on the LAN
>>> to browse the internet via the WAN.
>>> I want to limit incoming bandwidth on the LAN interface to about
>>> 8mbit/s as when there are massive data transfers initiating from the
>>> PCs on the LAN, the system is under heavy load and is not able to
>>> execute any applications.
>>>
>>> I tried to limit the bandwidth using tc's tbf and ingress but it isn't
>>> really working well.
>>> For example from a PC on the LAN (ip 192.168.2.13, default gw
>>> 192.168.2.149)
>>> # ping -f -s 1000 192.168.1.3
>>> This is correctly limited and ping results show the loss.
>>>
>>> # ping -f -s 1 192.168.1.3
>>> Here the system is under heavy load and is not able to execute any
>>> applications. No loss in ping.
>>
>> This result may indicate that the router's load depends more on the packet
>> rate than the bandwidth, which makes sense. So it may be more efficient to
>> limit the packet rate instead of the bandwidth.
>>
>>> Also when I create a udp socket from this PC to an address on the WAN,
>>> the rate is not limited.
>>> #./udpclient 20000 192.168.1.3 20000 1000
>>> This utility sends 20000 packets of 1000 bytes each to 192.168.1.3.
>>> Here also the rate is not limited.
>>
>> I did not understand well whether you want to limit incoming (WAN to LAN) or
>> outgoing (LAN to WAN) traffic. The ping test above does not tell whether
>> incoming (echo reply) or outgoing (echo request) traffic is limited.

Here I need to limit the outgoing (LAN to WAN) traffic by dropping
incoming packets at the LAN interface.
Also the WAN to LAN traffic (ex. users of PCs on the LAN network
downloading files from the internet available by WAN) should also be
limited to 8mbit/s.

>> Also, remember that by definition received traffic rate cannot be directly
>> controlled. All you can do is drop incoming packets. Due to TCP
>> acknowledgement and congestion control mechanism, the sender will interpret
>> the packet loss as congestion and reduce the sending rate. But UDP has no
>> such mechanism. Anyway, does this really matter? If the heavy data
>> transfers use TCP, it should work. Did you test it?

I still have to test for TCP.
Here are the iptables rules I have set up for the router:

LAN=eth0
WAN=eth1
WAN_IP="192.168.1.149"
# Flush everything
iptables -t filter -F
iptables -t filter -F INPUT
iptables -t filter -F OUTPUT
iptables -t filter -F FORWARD
iptables -t nat -F
iptables -t nat -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# Forwarding
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Postrouting
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP

And here are the tc rules:
# tbf on WAN
tc qdisc add dev $WAN root tbf rate 8mbit latency 50ms burst 1500
# ingress on LAN
tc qdisc add dev $LAN handle ffff: ingress
tc filter add dev $LAN parent ffff: protocol ip prio 50 \
u32 match ip src 0.0.0.0/0 \
police rate 8mbit burst 1k \
drop flowid :1

Thanks,
Elison
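
The point quoted above, that the router's load follows packet rate rather than bandwidth, as an added example that is not part of the original thread: a token-bucket model comparing a byte-rate policer with a packet-rate limiter on a constructed flood. The packet sizes (ping payload plus 28 bytes of IP/ICMP header), the 20,000 pps offered rate, the 3000-byte burst and the 1000 pps limit are assumed illustration values, not settings from the thread.

```python
# Added example: token-bucket policer model with constructed traffic.
# All sizes and rates below are assumed illustration values.

def police(packets, rate, burst):
    """Count packets that conform to a token bucket.

    packets: list of (arrival_time_s, cost); cost is bytes for a
    bandwidth policer or 1 for a packet-rate limiter.
    rate: tokens added per second; burst: bucket depth in tokens.
    """
    tokens, last, passed = float(burst), 0.0, 0
    for t, cost in packets:
        tokens = min(burst, tokens + (t - last) * rate)  # refill
        last = t
        if tokens >= cost:      # conforming: forward the packet
            tokens -= cost
            passed += 1
        # else: exceeding, dropped, no tokens consumed
    return passed

def flood(pps, cost, seconds=1.0):
    """Constructed constant-rate stream of identical packets."""
    return [(i / pps, cost) for i in range(int(pps * seconds))]

BYTE_RATE = 8_000_000 // 8       # 8mbit/s as bytes per second
BYTE_BURST = 3000                # assumed bucket depth in bytes
PPS_RATE, PPS_BURST = 1000, 10   # assumed packet-rate limit
OFFERED_PPS = 20_000             # assumed flood rate from one LAN host
LARGE, SMALL = 1028, 29          # ping -s 1000 / -s 1 plus 28 header bytes

def compare():
    """Packets forwarded in one second under each limiter."""
    return {
        "bytes/large": police(flood(OFFERED_PPS, LARGE), BYTE_RATE, BYTE_BURST),
        "bytes/small": police(flood(OFFERED_PPS, SMALL), BYTE_RATE, BYTE_BURST),
        "pps/any": police(flood(OFFERED_PPS, 1), PPS_RATE, PPS_BURST),
    }

if __name__ == "__main__":
    for name, forwarded in compare().items():
        print(f"{name:12s} forwarded {forwarded:6d} of {OFFERED_PPS} packets")
```

In this model the byte-rate policer cuts the large-packet flood to under a thousand packets per second but forwards every small packet, which matches the two ping observations in the thread; the packet-rate limiter holds the forwarded rate near its limit regardless of packet size.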