How to set traffic-policy with group


I use VyOS 1.3.
This is my simplified network topology:

  1. The VyOS router has a total download bandwidth of 6Mbps.
  2. There are some cellphones connected to the VyOS router through a Wi-Fi AP.
  3. These cellphones are grouped into 3 groups.
  4. groupA (CellphoneA1~CellphoneAx) has a total bandwidth of 3Mbps, and each cellphone in this group has 1Mbps.
  5. groupB (CellphoneB1~CellphoneBx) has a total bandwidth of 2Mbps, and each cellphone in this group has 512bps.
  6. groupC (CellphoneC1~CellphoneCx) has a total bandwidth of 1Mbps, and each cellphone in this group has 128kbps.
  7. All cellphones are in the same VLAN and get their IP addresses from the VyOS router's DHCP service.
  8. I have a service that sets traffic-policy rules when a cellphone connects or disconnects.

Can I use traffic-policy shaper to achieve my goals?

Yes, you should use a traffic-shaper technique; there are some examples in our documentation:


In my case, there are two kinds of speed limit (or shaper?).

One is for groups; each group has a speed limit.
Another is for users in a group; each user has a speed limit.

Please tell me more: how do I divide bandwidth into several smaller bandwidths, and then split them again?


Can I use traffic-shaper to achieve my goal?

Or do I need to set up tc rules by myself?

Custom tc rules are not necessary here; the requirements are supported using the traffic shaper with the right technique to achieve it.

Maybe you can auth users with FreeRADIUS, and limit network speed with the FreeRADIUS option.

I will study the traffic shaper again!


Could you give me more tips?

  1. If I want to apply a bandwidth limit on eth1, only one traffic-policy shaper can be set on eth1.
  2. In one traffic-policy shaper, I can set one total bandwidth and several classes.

How can I divide eth1's total bandwidth into several groups, where each group has several classes?

Thanks in advance

Hello again,
Can anybody give me some instructions?


Set up a vrf for each AP (each AP will be set up as a network range (,,etc)), then you can set up a vrf to match each AP with a different network range.

No, that does not work out.
Users in one group come from different subnets.
Users in one subnet belong to different groups.

If you set up a vrf interface, there will be eth1.0, eth1.1, just like a physical Ethernet interface. Why shouldn't it work? Can you tell me? Did you do it? Or you just know nothing about VLANs. If so, forget it and learn networking for yourself first.
WPA2 Enterprise auth can give each user a different VLAN, you know?

Thanks. I know VLANs.

But in my case:

  1. There is only one SSID.
  2. Terminals (like smartphones) connect to Wi-Fi and get their IP addresses by DHCP.
  3. We redirect terminals' HTTP requests to our portal server; users identify themselves by cellphone number and SMS.
  4. Then, we decide the terminal's group and bandwidth according to the cellphone number.

So, I cannot use vrf interfaces and different SSIDs to group terminals.

@echowings that's not a vrf interface but a vif interface, aka tagged VLAN.

Yes, thanks.

Do you have any idea how to achieve my goal?

Thanks, indeed I mean vif interface.

Turning the physical interface into VLAN interfaces will solve the issue of the policy only applying to 1 interface. At the same time, WPA2/WPA3 Enterprise auth with RADIUS to provide user auth with a VLAN tag will make the solution work.

Try to pass CCNA and CCNP, then you will find the solution.