On Tue, 2010-12-28 at 12:12 +0100, J Webster wrote:
> I have a setup where users connect by VPN and are given IP addresses in the
> range 10.8.0.xxx

I can't advise on the VPN aspects of this, but see below for some general comments.

> I would like to limit their bandwidth to 1.5Mbps per IP address. However, I
> don't want to limit the incoming connection.
> For example, they access the VPN server by its WAN IP 200.xx.xx.xx and are
> given a local IP of 10.0.8.x
> User 1 goes to www.youtube.com and starts streaming videos, this should be
> limited to 1.5Mbps.
> User 2 goes to www.youtube.com and starts downloading a video, this should
> also be limited to 1.5Mbps but the
> server connection to youtube should have unlimited bandwidth to allow for
> multiple users, in this instance at least 3Mbps.

Please clarify - you state that you don't want to limit the incoming connection, but then state that you want to limit the download limit per IP address to 1.5Mbps. Do you mean that you don't want to limit the overall inbound connection but want to limit per destination IP address?

> I tried the tc example below but am not sure whether I should apply the
> filter to the tun0 network 10.0.8.x or to the entire iptables connections.

Not sure I'm afraid.

<snip>

> # The network interface we're planning on limiting bandwidth.
> IF=eth0 # Interface

Is eth0 your internet side interface or your local network side?

> # IP address of the machine we are controlling
> IP=216.3.128.12 # Host IP
>
> # Filter options for limiting the intended interface.
> U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"
>
> $TC qdisc add dev $IF root handle 1: htb default 30
> $TC class add dev $IF parent 1: classid 1:1 htb rate $DNLD
> $TC class add dev $IF parent 1: classid 1:2 htb rate $UPLD
> $U32 match ip dst $IP/32 flowid 1:1
> $U32 match ip src $IP/32 flowid 1:2

I *think* that you'll need a separate leaf class for each client on your network.

I think you'll also need an overall rate limit for the root (which is kind of what you've already got above). If you want to avoid rate limiting the overall interface, then don't set a default and only filter by destination IP address.

I'm a bit confused about what you want to control (see comment above), as you have references to upload and download limits. If you only want to limit the download stream, then you can't do this by ingress on the source interface. You'll have to either do it as egress on the outbound interface, or use an IFB interface. That said, I don't know how a VPN affects this and whether that makes a difference.

So, in summary:
- Use a root qdisc with an overall limit on the correct interface
- Add a leaf class for each client
- Filter into each leaf class based on IP address

Andy
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
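The three-point summary above as an added example (this is not Andy's code nor the original poster's script): a POSIX sh script that builds an HTB tree on the VPN-side interface, one leaf class per client capped at 1.5Mbps, u32 filters steering traffic by destination IP into its leaf, and no default class so unmatched traffic is left unshaped. The interface name tun0 (taken from the question), the overall ceiling and the client addresses are assumptions; by default it prints the tc commands instead of applying them.

```shell
#!/bin/sh
# Added example: per-client HTB shaping, shaped as egress on the interface
# that carries traffic towards the VPN clients (downloads from their view).
# Assumptions (not from the thread): interface tun0, 10mbit overall ceiling,
# client addresses 10.8.0.2 and 10.8.0.3. How the VPN itself interacts with
# this is not covered here.
# TC defaults to "echo tc" so the commands are printed; run as root with
# TC=tc to apply them for real.
TC="${TC:-echo tc}"
IF="${IF:-tun0}"
TOTAL="${TOTAL:-10mbit}"      # overall limit on the root class (assumed)
PER_CLIENT="${PER_CLIENT:-1500kbit}"  # tc kbit = 1000 bit/s, so 1.5Mbps

# Root qdisc plus a single parent class carrying the overall limit.
# No "default" is given on the qdisc: traffic not matched by a filter
# bypasses the classes and is not rate limited, as Andy suggests.
setup_root() {
    $TC qdisc del dev "$IF" root 2>/dev/null || true
    $TC qdisc add dev "$IF" root handle 1: htb
    $TC class add dev "$IF" parent 1: classid 1:1 htb rate "$TOTAL" ceil "$TOTAL"
}

# add_client <minor> <ip>: leaf class 1:<minor> under 1:1, capped at
# PER_CLIENT, and a u32 filter sending packets for <ip> into that leaf.
add_client() {
    minor="$1"; ip="$2"
    $TC class add dev "$IF" parent 1:1 classid "1:$minor" \
        htb rate "$PER_CLIENT" ceil "$PER_CLIENT"
    $TC filter add dev "$IF" protocol ip parent 1:0 prio 1 u32 \
        match ip dst "$ip/32" flowid "1:$minor"
}

# shape_clients <ip>...: one leaf per client, class ids 1:10, 1:11, ...
shape_clients() {
    minor=10
    for ip in "$@"; do
        add_client "$minor" "$ip"
        minor=$((minor + 1))
    done
}

setup_root
shape_clients 10.8.0.2 10.8.0.3
```

With TC=tc applied on tun0 this shapes only traffic towards the listed clients; return traffic from the clients and the server's own connection to the upstream site pass unshaped.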