Limit bandwidth for individual IPs on 1.2.5?

Hi,

I am struggling with limiting bandwidth with traffic-policy based on src ip.

I have set up a simple lab in kvm:

interfaces {
     ethernet eth0 {
         address dhcp
     }
     ethernet eth1 {
         address 172.25.1.1/24
     }
     loopback lo {
     }
 }
 nat {
     source {
         rule 100 {
             outbound-interface eth0
             source {
                 address 172.25.1.0/24
             }
             translation {
                 address masquerade
             }
         }
     }
 }

If we want to limit the “users” / ip’s on 172.25.1.0/25 to 10mbit / ip, where should I set the traffic-policy?

I have tried lots of different configs but I can’t get the policy to match the ip.
I only get the default bandwidth settings.


Is the limiter the way to go on eth1 in and shaper on eth0 out?

Anyone that could push me in the right direction?

–
Regards Falk

Hi @falkowich,

I think you want to apply a Shaper policy to eth0 out.

For the incoming traffic I would not apply it to eth1, but to eth0 in, and would shape it through IFB, instead of using Limiter.

Did you have a look at the QoS documentation?
If you did and you still need help, let us know.

Hello there, if you check my thread you will see I have an example there.
The example at the bottom limits the user to 1800kbps.


set traffic-policy shaper CLIENT_QOS class 100 bandwidth '35%'
set traffic-policy shaper CLIENT_QOS class 100 burst '2kb'
set traffic-policy shaper CLIENT_QOS class 100 ceiling '100%'

set traffic-policy shaper CLIENT_QOS default bandwidth '65%'
set traffic-policy shaper CLIENT_QOS default burst '2kb'
set traffic-policy shaper CLIENT_QOS default ceiling '100%'
set traffic-policy shaper CLIENT_QOS class 100 queue-type 'fq-codel'

set traffic-policy shaper EGRESS_QOS bandwidth '1800kbit'

set traffic-policy shaper EGRESS_QOS class 100 bandwidth '35%'
set traffic-policy shaper EGRESS_QOS class 100 burst '2kb'
set traffic-policy shaper EGRESS_QOS class 100 ceiling '100%'
set traffic-policy shaper EGRESS_QOS class 100 match CLIENT1 ip source address '192.168.4.70/24'
set traffic-policy shaper EGRESS_QOS class 100 queue-type 'fq-codel'
set traffic-policy shaper EGRESS_QOS default bandwidth '65%'
set traffic-policy shaper EGRESS_QOS default burst '2kb'
set traffic-policy shaper EGRESS_QOS default ceiling '100%'
set traffic-policy shaper EGRESS_QOS default queue-type 'fq-codel'

set interfaces ethernet eth0 traffic-policy out 'EGRESS_QOS'

Hi @skoenman What is the question?
I can see in your configuration the limit is 1800kbit.

By the way, your CLIENT_QOS policy misses the general bandwidth for the link and the matching conditions for class 100.

Ok, so he wanted to limit a certain IP, and adding the class by IP does this.


Ah, ok, sorry @skoenman, I thought you were the one who initiated the thread : )

Hi,

I have been offline for a few days, but now I’m back in business :slight_smile:

I have tried to understand the QOS documentation, but am struggling with the nomenclature :slight_smile:

Let's say that I want to ratelimit a /25 on a subnet for the sake of the lab.

172.25.1.0/24 is the network
172.25.1.0/25 should be ratelimited to 5Mbit / ip number.
172.25.1.128/25 should use the default bandwidth on the interface, in this lab 10Mbit

vyos@vyos# show interfaces 
 ethernet eth0 {
     address dhcp
     duplex auto
     hw-id 52:54:00:ed:ee:f1
     smp-affinity auto
     speed auto
     traffic-policy {
         out EGRESS-LAB
     }
 }
 ethernet eth1 {
     address 172.25.1.1/24
     duplex auto
     hw-id 52:54:00:cc:06:f7
     smp-affinity auto
     speed auto
 }
 loopback lo {
 }


vyos@vyos# show traffic-policy 
 shaper EGRESS-LAB {
     bandwidth auto
     class 10 {
         bandwidth 5mbit
         burst 15kb
         ceiling 100%
         match CL10 {
             ip {
                 source {
                     address 172.25.1.0/25
                 }
             }
         }
         queue-type fq-codel
     }
     default {
         bandwidth 10mbit
         burst 15kb
         ceiling 100%
         queue-type fq-codel
     }
 }

My assumption in this config above should be that:
172.25.1.10/32 should match CL10 and be shaped at 5Mbit
172.25.1.200/32 should use the default bandwidth 10Mbit

But no cigar :slight_smile:

Any pointers what I am doing wrong here :slight_smile:

–
Regards Falk

Hi @falkowich,

If you find something confusing in the documentation, please let us know, we’ll try to fix it. Or you can also edit it yourself.

Your configuration is ok. But please note that by setting the policy’s bandwidth to auto, you have a lot of bandwidth available. When defining the bandwidth of the policy, you should define the speed of the slowest link your traffic might have to go through in its long way to its destination address.

Regarding class’ bandwidth command, in case the link gets really full, your class 10 traffic will always have its reservation of 5mbit, no matter how busy the link is. And the same goes for default: In case the link gets full, your default traffic will always have its reservation of 10mbit, no matter how busy the link is. That’s ok, that’s just what bandwidth for a class does.

You are also setting a ceiling of 100% for both class 10 and default, which means that, once the bandwidth limit for the class (or default) is reached, and there is still more traffic for that class, and the link is available, then the traffic for that class will be allowed to use up to 100% of the link.

Hi,

If you find something confusing in the documentation, please let us know, we’ll try to fix it. Or you can also edit it yourself.

It’s not the documentation that is confusing, I guess. It’s that I am used to another platform :tm: :slight_smile:

Regarding class’ bandwidth command, in case the link gets really full, your class 10 traffic will always have its reservation of 5mbit, no matter how busy the link is. And the same goes for default: In case the link gets full, your default traffic will always have its reservation of 10mbit, no matter how busy the link is. That’s ok, that’s just what bandwidth for a class does.

Oh, I tried to shape the traffic down to 5mbit for class 10.
Here I guess that I am misunderstanding the documentation.

You are also setting a ceiling of 100% for both class 10 and default, which means that, once the bandwidth limit for the class (or default) is reached, and there is still more traffic for that class, and the link is available, then the traffic for that class will be allowed to use up to 100% of the link.

So in this example I should lower the ceiling instead of the bandwidth to shape/limit the bandwidth?

It’s a strange use case perhaps, but I have a subnet that should have “full bandwidth” and one that has only the shaped bandwidth per client.

–
Regards Falk

Yes.

Sorry, I did not get this sentence.

I have the same issue as you.

This is my download policy

vyos@vyos# show traffic-policy
 shaper DOWNLOAD {
     bandwidth 15mbit
     class 12 {
         bandwidth 8mbit
         ceiling 8mbit
         match LAN {
             ip {
                 source {
                     address 192.168.1.0/24
                 }
             }
         }
     }
     default {
         bandwidth 1kbit
         ceiling 100%
     }
 }

This is my WAN interface config

vyos@vyos# show interfaces ethernet eth0
 address dhcp
 description WAN
 firewall {
     in {
         name WAN_IN
     }
     local {
         name WAN_LOCAL
     }
 }
 hw-id 00:a0:c9:69:80:7b
 traffic-policy {
     out DOWNLOAD
 }

No traffic shaping is done. My speedtest should give me 8mbit but it doesn’t work. I get full speed.

[Rephrase to make sense]
Our use case is perhaps somewhat strange :slight_smile:

We have two subnets in the lab.
Subnet one should have access to full bandwidth
Subnet two should be shaped/limited to 5mbit / client even if the link isn’t congested.
[/Rephrase]

@fegauthier Maybe it’s just an easy confusion. You say you are showing your “download policy”, but I see you are applying an outbound policy to your WAN interface. So your outgoing traffic is the one that will be shaped, and normally that traffic is considered “Upload”, not “Download”. Maybe that is the reason?

@falkowich I get it now, thank you, it’s not any strange use case at all.

Did you adjust ceiling for class 10 of EGRESS-LAB?

I think that is just what you needed. Did you test it?

Maybe you also want to apply shaping to inbound traffic?

Yes my bad. It was for UPLOAD. Still no shaping


set traffic-policy shaper UPLOAD bandwidth '10mbit'
set traffic-policy shaper UPLOAD class 12 bandwidth '5mbit'
set traffic-policy shaper UPLOAD class 12 ceiling '5mbit'
set traffic-policy shaper UPLOAD class 12 match LAN ip source address '192.168.1.0/24'
set traffic-policy shaper UPLOAD default bandwidth '1kbit'
set traffic-policy shaper UPLOAD default ceiling '100%'

@fegauthier Can you please show how you apply the policy to the interface?

Maybe the problem is there.

Like this

set interfaces ethernet eth0 traffic-policy out 'UPLOAD'

Hi @fegauthier,

Is it ok with you if we go back to your currently active thread and I answer you from there?

Maybe it’ll be better, so that we don’t get confused.

A quick little map of how the “lab” is set up.
And the text over the clients is the goal, the red text is what is happening with the below config

I can get the “default policy” on OUTSIDE to get my upload to limit 100Mbit.
But I can’t get the CL10 to match the subnet


 interfaces {
     ethernet eth0 {
         address dhcp
         description OUTSIDE
         duplex auto
         hw-id 52:54:00:ed:ee:f1
         smp-affinity auto
         speed auto
         traffic-policy {
             out EGRESS-LAB
         }
     }
     ethernet eth1 {
         address 172.25.1.1/24
         description INSIDE
         duplex auto
         hw-id 52:54:00:cc:06:f7
         smp-affinity auto
         speed auto
     }
     loopback lo {
     }
 }


 traffic-policy {
     shaper EGRESS-LAB {
         bandwidth 1gbit # Default bandwidth on the uplink
         class 10 {
             bandwidth 5mbit # A unique value to see if matched
             burst 15kb
             ceiling 2%  # A unique value to see if matched
             match CL10 {
                 ip {
                     source {
                         address 172.25.1.0/25 # Here I try to match the first subnet?
                     }
                     source {
                     }
                 }
             }
             queue-type fq-codel
         }
         default {
             bandwidth 50mbit # A unique value just to see if I hit this default policy
             burst 15kb
             ceiling 10% # A unique value just to see if I hit this default policy
             queue-type fq-codel
         }
     }
 }

I know the bandwidth and ceiling values are wrong, but I used unique values just to see what I matched.

Any ideas what I am doing wrong :slight_smile:

–
Regards Falk

Yes, it seems you are not matching the criteria of the class and you are getting into default.

Why does your configuration show a second empty source for matching class 10?
I’m not sure if that has anything to do


In the diagram, I also see the addresses of your two clients are in the same subnet. I guess that’s just in the diagram, but telling you just in case something is mixed in your tests too.
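
A class that matches 172.25.1.0/25 shapes the whole /25 as one aggregate, so a per-address limit needs one class per host, each with its ceiling set equal to its bandwidth. The Python sketch below is an added example, not part of any post in this thread: it generates those `set` lines from the command forms already shown on this page. The function names, the starting class ID and the `HOSTn` match names are assumptions made for illustration.

```python
import ipaddress

UNITS = {"kbit": 10**3, "mbit": 10**6, "gbit": 10**9}

def to_bps(rate):
    """Convert a rate such as '5mbit' to bits per second."""
    for suffix, factor in UNITS.items():
        if rate.endswith(suffix):
            return int(rate[: -len(suffix)]) * factor
    raise ValueError(f"unsupported rate: {rate!r}")

def per_host_shaper(policy, link, subnet, per_host, first_class=10,
                    field="source", default_bw="1kbit"):
    """Return VyOS 'set' lines giving every host in `subnet` its own class.

    bandwidth is the class's reservation and ceiling its upper limit, so
    both are set to `per_host`; unmatched traffic falls into `default`.
    """
    if field not in ("source", "destination"):
        raise ValueError("field must be 'source' or 'destination'")
    hosts = list(ipaddress.ip_network(subnet).hosts())
    # Reservations are guarantees: together they must fit inside the link.
    reserved = len(hosts) * to_bps(per_host) + to_bps(default_bw)
    if reserved > to_bps(link):
        raise ValueError(f"{reserved} bit/s reserved exceeds link {link}")
    base = f"set traffic-policy shaper {policy}"
    lines = [f"{base} bandwidth '{link}'"]
    # Class IDs start at first_class (hypothetical numbering, one per host).
    for class_id, host in enumerate(hosts, start=first_class):
        cls = f"{base} class {class_id}"
        lines += [
            f"{cls} bandwidth '{per_host}'",
            f"{cls} ceiling '{per_host}'",
            f"{cls} match HOST{class_id} ip {field} address '{host}/32'",
        ]
    lines += [f"{base} default bandwidth '{default_bw}'",
              f"{base} default ceiling '100%'"]
    return lines

if __name__ == "__main__":
    # Lab values from the thread: 1gbit policy, 172.25.1.0/25 at 5mbit each.
    print("\n".join(per_host_shaper("EGRESS-LAB", "1gbit",
                                    "172.25.1.0/25", "5mbit")))
```

Classification on an interface's `out` policy happens after source NAT, so on the masquerading eth0 the private source addresses are no longer visible. With `field="destination"` and the policy applied `out` on eth1, the same lines limit each client's download instead.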