OpenWrt Forum Archive

Topic: where to find docs for "robocfg" / restricting lan-port speed?

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi.

What I'm trying to do is to restrict the lan-port speed of the 4 lan ports (of my WRT54Gv2.2 with WR RC2) to 2MBit.
As far as I have read, I need robocfg for that.

Is there any documentation/HowTo for robocfg? I couldn't find anything helpful...

And might it be possible to use robocfg for separating the 4 lan ports (like I tried here http://forum.openwrt.org/viewtopic.php?id=2407 without success)?

Thanks a lot!!

Sorry for reactivating this old thread but I still did not find any useful information about robocfg.
What I found about lan-port speed: http://forum.openwrt.org/viewtopic.php?id=1540. Is it integrated now?

Isn't there a HowTo?? How do all the others know how to configure robocfg?

Netzfetz wrote:

> How do all the others know how to configure robocfg?

The help (robocfg with no args) + trial and error. I'd suggest leaving one of the ports on vlan0 during t/e so you have a way in if you fu.

> use robocfg for separating the 4 lan ports

Put them on different vlans using nvram variables. Startup will use robocfg accordingly, but note that if you want to specify tagging you'll have to do it yourself in a startup script as I don't see any way to spec this in vlanXports (would be nice). You might also need to create appropriate bridges or routes in your startup script so traffic flows.

- DL

(Last edited by dl on 16 Sep 2005, 09:22)

OK, so the worst case.
But it seems with robocfg the minimum transfer rate I can set is 10MBit HD. I'd need way less, like 1 or 2 MBit.
As far as I can remember with DD-WRT it was possible to set the rate down to about 0.5MBit.

Isn't that possible with OpenWRT?? (I really can't believe! ;))

I recently flashed over my last dd-wrt box so can't check, but I don't recall any speed controls on ethernet beyond perhaps 10/100 hd/fd (if that). I would be surprised if the chip even has that capability but have not looked up the datasheet. Maybe you just need a traffic shaper?

- DL

OK, then: How can I limit the bandwidth of the lan-ports (below 10MBit)?

Is there a script? A tool? A special option? Something I could look for?

I have written some basic documentation for robocfg, in an attempt to spell out the functionality of robocfg in a clearer manner.

First draft docs are in section 2.2.2 of the OpenWRT configuration guide:

http://openwrt.org/OpenWrtDocs/Configuration

GREAT work!!!
Thank you so much. I'll try that out as soon as I can.
Hopefully this will be a starting point for others to spread their knowledge about that too.

also have a look at tc; am using it here to limit uplink speed of the adsl modem to not overload the 256kbps limit.

line is a startup script in my case:
/rom/usr/sbin/tc qdisc add dev $IFNAME root tbf rate 226kbit latency 50ms burst 2048

where $IFNAME is the interface.

Copied it from another thread on openwrt, so check tc docs for adaptation to your case

OK, after some time (;)) I could figure out what tc, qdisc and tbf do.

But what I would need to do:
Limit upload bandwidth to 100kbit/s and download bandwidth to 1000kbit/s.
That means: two different speeds, depending on the 'direction'.
Is that possible? And how?

For each lan port I set up a different vlan, so it should be possible to set different upload/download-speeds for every lan port, right?

What did you do to just limit UPlink speed?:

doddel wrote:

> /rom/usr/sbin/tc qdisc add dev $IFNAME root tbf rate 226kbit latency 50ms burst 2048

Once you've got the vlans set up with robocfg you can do some simple traffic shaping on the interfaces.  See my recent posts in this thread for some samples....

http://forum.openwrt.org/viewtopic.php?id=1809

Greg

Hmm, but how do I limit the INCOMING traffic (=incoming to the lan interface = outgoing to the Internet = "upload bandwidth")?

All I could read about TBF was only dealing with traffic going OUT of the interface. Isn't it possible to simply limit incoming traffic??
I really don't need dynamic shaping, only a fixed rate/bandwidth...

And additionally: is it possible to set the maximum number of open connections per interface?

Netzfetz wrote:

> Hmm, but how do I limit the INCOMING traffic (=incoming to the lan interface = outgoing to the Internet = "upload bandwidth")?
>
> All I could read about TBF was only dealing with traffic going OUT of the interface. Isn't it possible to simply limit incoming traffic??

Sure.  But let's make sure we're talking about the same thing, because it's not clear to me at least, that we are.  Your sentence confuses me because you say "INCOMING traffic", but then in the same sentence you say "outgoing to the Internet = upload bandwidth".  So assuming you're talking about throttling the inbound traffic coming from the Internet, through the WRT into the LAN, that's described here and an example is at the very bottom of this configuration.  The tc folks call it "policing" which is more an ATM term than an IP term in my opinion, but I digress... :-) 

If you're instead talking about controlling outbound traffic coming from your LAN, through the WRT, going to the Internet, that's what I described in the other thread from my previous message, and what most people do to prioritize traffic for applications like VOIP (i.e. traffic shaping).  You still use tc, but it requires a little more work for you to determine how you'd like to prioritize your traffic.  I suppose you could just rate limit all traffic with equal priority, (i.e. egress filtering) but that doesn't really buy you much...

Netzfetz wrote:

> And additionally: is it possible to set the maximum number of open connections per interface?

I think this is possible with ip_conntrack, but I'm not sure what you mean by "open connections". Are you talking about simultaneous TCP sessions through a particular interface, or number of IP addresses connected at one time, or what? What exactly are you trying to do?

Greg

First of all: yes AND no. :)

For each lan port I have set up a different vlan (=Interface), so the lan ports are totally independent from each other.

What I need to do: regulate the traffic for each lan port SEPARATELY, so e.g.: 100k UP 1000k DOWN for lan port 1, 200k UP 1200k DOWN for lan port 2, etc.
Since each lan port is virtually a different interface this should work with TC and TBF.

When I write "upload bandwidth" I mean traffic going out of a PC to one lan port of the WRT. From the WRT's point of view that is INcoming traffic (coming IN through a lan port / Interface).
"Download" is vice versa = OUTgoing traffic from the lan-interface's point of view.

I hope now it's clear :)

As far as I know ip_conntrack only handles the overall number of connections, right?
What I want is to adjust it for each interface separately.
E.g. if someone uses BitTorrent on one lan port this incredibly slows down the whole system even with the best traffic shaper. If I could restrict the maximum number of simultaneous connections for that port, only this particular port would slow down and all other lans would have enough resources left to run smoothly.

Netzfetz wrote:

> For each lan port I have set up a different vlan (=Interface), so the lan ports are totally independent from each other.
>
> What I need to do: regulate the traffic for each lan port SEPARATELY, so e.g.: 100k UP 1000k DOWN for lan port 1, 200k UP 1200k DOWN for lan port 2, etc.
> Since each lan port is virtually a different interface this should work with TC and TBF.

Ok. This is clear, but I've never done this exact setup before. I'll take a stab at it anyway. :-)

Netzfetz wrote:

> When I write "upload bandwidth" I mean traffic going out of a PC to one lan port of the WRT. From the WRT's point of view that is INcoming traffic (coming IN through a lan port / Interface).
> "Download" is vice versa = OUTgoing traffic from the lan-interface's point of view.

Ok, I understand the point you're making, but iptables doesn't "know" which interface is connected to the Internet.  iptables simply cares about inbound and outbound traffic on an interface, and what you want to do with it.  So you can still shape traffic on each of the vlans with the same concepts I listed in the other thread, only it gets a little more complicated.  The reason being because I assume you want to throttle traffic going between any given vlan and the Internet, but not throttle traffic between two internal vlans (i.e. what's the point in having 100Mbit full duplex if you throttle it? :-)

So, I'd say you can do ingress filtering on each vlan port to 100kbps (controlling upstream traffic), and egress filtering on each vlan port to 1000kbps (controlling downstream traffic) but only where the source or destination isn't within your private address range. So to fit that last statement in, you'd have to do part of it on the PREROUTING chain of the mangle table. This rules out using the classify module, because classify only works on the POSTROUTING chain. This means you need to do marks with iptables and use tc to pick up those marks (or do it all with tc and fight through the arcane syntax). A bit more cumbersome, but it works as shown in the lartc guide. Something like this might work:

iptables -t mangle -A PREROUTING -i vlan0 -p tcp -m tcp -d ! 192.168.0.0/16 --sport 22 -j MARK --set-mark 0x1

so this would set marks on all packets not bound for this class B private address range coming in on vlan0.  You'd do similar things with the other vlans.  You'd obviously need to have classes set up with tc and check for the marks with tc.

outbound postrouting on vlan0 you could probably use the classify module if you want, or stick with tc if you want to be consistent.

And of course, you can include using the ipp2p modules into the logic to pick up bittorrent traffic and whatnot since that seems to be what you're after.

I think this would work, but like I said I'm just brainstorming here, because I've never done this kind of setup on a WRT, but the theory still applies. It just needs to be thought out more. It gets complicated when you've created all the vlans. Maybe someone else can think of a more elegant way to do it?

Greg

Thanks!!
Yes, I think now it's clear :)

bluesguy wrote:

> The reason being because I assume you want to throttle traffic going between any given vlan and the Internet, but not throttle traffic between two internal vlans

The traffic between the vlans doesn't care. It's blocked. The ports are 'separated'. :D

What I'd prefer is the most simple solution using the least 'computing power'.

I simply want to HARD CUT the traffic-bandwidth, no special dynamic shaping or anything like that.
So the line

tc qdisc add dev $IFNAME root tbf rate 200kbit latency 50ms burst 1054

seemed to be what I was looking for (short, simple and effective), but I don't know how to use that line to handle traffic going the other way.

I'd prefer not to use iptables if it could work with a simple 'tc' command like the above.

Any idea to do that this way?

Sure, you can do it all with tc, but the syntax is a PITA.

Here's an SSH marking example from http://www.knowplace.org/shaper/examples.html

"Creates a filter that classifies SSH packets:
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32\
match ip dport 22 0xfffe flowid 1:10"

So you'd need to set up a class for each vlan, and 4 classes for your external interface. Then tag all traffic outbound on each vlan interface (inbound to your network) to each class for that vlan. And tag all traffic outbound on your external interface (outbound to the internet) where the source ip is from one particular vlan subnet, to its appropriate class. Each class is throttled as you described, so the vlan classes have a ceiling of 1000kbps, because outbound on those interfaces is really inbound traffic to your network, and the 4 classes on your external interface have a ceiling of 100 kbps, because that's outbound traffic from the vlans to the internet. Quite simple, really, since you've said that all vlans are 100% separate and there's no routing between them.

There's information on tc throughout the lartc guide, but I think you're looking for this section:

http://lartc.org/howto/lartc.adv-filter.html

Another good webpage here:

http://www.rns-nis.co.yu/~mps/linux-tc.html

The documentation on tc is somewhat incomplete, which is why most people use iptables...


Greg
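
The tc-only variant discussed in the posts above (TBF on egress for download, policing on ingress for upload, one VLAN interface per LAN port), written out as an added example that is not code from any poster in the thread. It relies on inter-VLAN traffic being blocked, as stated above, so a plain limit per interface is used instead of one class per VLAN on the external interface; the interface names vlan1 and vlan2, the burst values and the APPLY variable are assumptions.

```shell
#!/bin/sh
# Added example: fixed per-port limits using only tc, no iptables marks.
# Print the tc commands for one LAN-port VLAN interface.
#   $1 interface, $2 upload kbit/s (PC to router), $3 download kbit/s
port_limit_cmds() {
    dev=$1 up=$2 down=$3
    # The output is fed to a shell, so accept only plain names and integers.
    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $dev" >&2; return 1 ;;
    esac
    for r in "$up" "$down"; do
        case $r in
            ''|0*|*[!0-9]*) echo "bad rate: $r" >&2; return 1 ;;
        esac
    done
    # Remove earlier settings; a missing qdisc is not treated as an error.
    echo "tc qdisc del dev $dev root 2>/dev/null || true"
    echo "tc qdisc del dev $dev ingress 2>/dev/null || true"
    # Download leaves the router on this interface: shape it with a token bucket.
    echo "tc qdisc add dev $dev root tbf rate ${down}kbit latency 50ms burst 2048"
    # Upload arrives on this interface and cannot be queued: police it instead.
    echo "tc qdisc add dev $dev handle ffff: ingress"
    echo "tc filter add dev $dev parent ffff: protocol ip prio 50 u32" \
         "match ip src 0.0.0.0/0 police rate ${up}kbit burst 10k drop flowid :1"
}

# Read "iface up down" lines from stdin. Prints the commands for review;
# runs them only when APPLY=1 is set in the environment.
apply_plan() {
    while read -r dev up down; do
        [ -n "$dev" ] || continue
        cmds=$(port_limit_cmds "$dev" "$up" "$down") || return 1
        if [ "${APPLY:-0}" = 1 ]; then
            printf '%s\n' "$cmds" | sh -e || return 1
        else
            printf '%s\n' "$cmds"
        fi
    done
}

# Constructed sample plan: the rates are the ones asked for in the thread,
# the interface names vlan1 and vlan2 are assumed.
apply_plan <<'EOF'
vlan1 100 1000
vlan2 200 1200
EOF
```

Policed upload traffic above the rate is dropped on arrival rather than queued, so TCP senders back off while UDP senders simply lose packets.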

The discussion might have continued from here.