policy {
    route PEERING-LIST {
        rule 100 {
            destination {
                group {
                    network-group PEERING-LIST
                }
            }
            set {
                mark 200
            }
        }
    }
}
traffic-policy {
    shaper PEERING {
        bandwidth 10mbit
        class 14 {
            match PEERING-LIST {
                mark 200
            }
        }
        default {
            bandwidth 10mbit
            queue-type fair-queue
        }
    }
}
interfaces {
    ethernet eth1 {
        duplex auto
        hw-id 00:25:90:37:41:1d
        policy {
        }
        pppoe 0 {
            default-route auto
            mtu 1492
            name-server auto
            traffic-policy {
                out PEERING
            }
        }
    }
}
Welcome to VyOS
Linux SLBB-NAS-TEST 4.19.89-amd64-vyos #1 SMP Fri Dec 20 15:24:48 UTC 2019 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 14 18:29:49 2020 from
???@SLBB-NAS-TEST:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        network-group PEERING-LIST {
            network 173.194.0.0/16
            network 74.125.0.0/16
            network 216.58.0.0/16
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address ??.??.??.??/30
        duplex auto
        hw-id 00:25:90:37:41:1c
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:25:90:37:41:1d
        pppoe 0 {
            default-route auto
            mtu 1492
            name-server auto
            traffic-policy {
                out PEERING
            }
        }
    }
}
noc@SLBB-NAS-TEST:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PEERING-LIST network '173.194.0.0/16'
set firewall group network-group PEERING-LIST network '74.125.0.0/16'
set firewall group network-group PEERING-LIST network '202.177.244.0/24'
set firewall group network-group PEERING-LIST network '124.155.0.0/16'
set firewall group network-group PEERING-LIST network '216.58.0.0/16'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '49.143.252.11/27'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:25:90:37:41:1c'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:25:90:37:41:1d'
set interfaces ethernet eth1 pppoe 0 default-route 'auto'
set interfaces ethernet eth1 pppoe 0 mtu '1492'
set interfaces ethernet eth1 pppoe 0 name-server 'auto'
set interfaces ethernet eth1 pppoe 0 traffic-policy out 'PEERING'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
set nat source rule 300 outbound-interface 'eth0'
set nat source rule 300 source address '10.99.99.0/24'
set nat source rule 300 translation address 'masquerade'
set policy route PEERING-LIST rule 100 destination group network-group 'PEERING-LIST'
set policy route PEERING-LIST rule 100 set mark '200'
set protocols static route 0.0.0.0/0 next-hop 49.143.252.1
set service https api keys id 1
set service https api port '7000'
set service pppoe-server access-concentrator 'SLBB'
set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius-server 122.170.105.97 secret 'localkey'
set service pppoe-server authentication radius-settings acct-timeout '0'
set service pppoe-server authentication radius-settings nas-identifier 'VYOS_SLBB_NAS'
set service pppoe-server authentication radius-settings nas-ip-address '49.143.252.11'
set service pppoe-server authentication radius-settings rate-limit enable
set service pppoe-server client-ip-pool start '10.99.99.2'
set service pppoe-server client-ip-pool stop '10.99.99.250'
set service pppoe-server dns-servers server-1 '8.8.8.8'
set service pppoe-server interface eth1
set service pppoe-server local-ip '49.143.252.11'
set service pppoe-server service-name 'smartlink123'
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'SLBB-NAS-TEST'
set system login user noc authentication encrypted-password '$6$wPdPXUEcZ$Q.aksYzaevq5676xF5n0bJRp8pcnvGIFRidSlXdFbuDrKEAy2YvGANw0sQikecpM5QzLHohjbLvBaAauFJdu50'
set system login user noc authentication plaintext-password ''
set system login user noc level 'admin'
set system login user vyos authentication encrypted-password '$6$Du9fx1DRTx$RT.ekLj8O/RTgrnrLrEpRaSqWyBUa/dI7g/YRVLNU7O.oySOKw0CA6NNy0zbXD0lW.eKK6RXeCT65kIzyvYLt1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '8.8.8.8'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Kolkata'
set traffic-policy shaper PEERING bandwidth 'auto'
set traffic-policy shaper PEERING class 14 bandwidth '10240kibps'
set traffic-policy shaper PEERING class 14 burst '15k'
set traffic-policy shaper PEERING class 14 match TESTING mark '200'
set traffic-policy shaper PEERING class 14 queue-type 'fair-queue'
set traffic-policy shaper PEERING default bandwidth '20480kibps'
set traffic-policy shaper PEERING default burst '15k'
set traffic-policy shaper PEERING default queue-type 'fair-queue'
noc@SLBB-NAS-TEST:~$
I made the changes as required, but still the same result. The PPPoE user is not bypassing the rate-limit for the destination IP pools.
Find the configuration below:
noc@SLBB-NAS-TEST:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PeeringList network '173.194.0.0/16'
set firewall group network-group PeeringList network '216.58.0.0/16'
set firewall group network-group PeeringList network '103.5.187.0/24'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '49.143.252.11/27'
set interfaces ethernet eth0 hw-id '00:25:90:37:41:1c'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:25:90:37:41:1d'
set interfaces ethernet eth1 pppoe 0 default-route 'auto'
set interfaces ethernet eth1 pppoe 0 mtu '1492'
set interfaces ethernet eth1 pppoe 0 name-server 'auto'
set interfaces ethernet eth1 pppoe 0 traffic-policy out 'PEER'
set interfaces loopback lo
set policy route Peering rule 100 destination group network-group 'PeeringList'
set policy route Peering rule 100 set mark '222'
set protocols static route 0.0.0.0/0 next-hop 49.143.252.1
set service pppoe-server access-concentrator 'SLBB'
set service pppoe-server authentication local-users username mahendra password '123456'
set service pppoe-server authentication local-users username mahendra rate-limit download '2048'
set service pppoe-server authentication local-users username mahendra rate-limit upload '1024'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '139.5.98.2'
set service pppoe-server client-ip-pool stop '139.5.98.250'
set service pppoe-server dns-servers server-1 '8.8.8.8'
set service pppoe-server interface eth1
set service pppoe-server local-ip '139.5.98.1'
set service pppoe-server service-name 'smartlink123'
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'SLBB-NAS-TEST'
set system login user noc authentication encrypted-password '$6$wPdPXUEcZ$Q.aksYzaevq5676xF5n0bJRp8pcnvGIFRidSlXdFbuDrKEAy2YvGANw0sQikecpM5QzLHohjbLvBaAauFJdu50'
set system login user noc authentication plaintext-password ''
set system login user noc level 'admin'
set system login user vyos authentication encrypted-password '$6$Du9fx1DRTx$RT.ekLj8O/RTgrnrLrEpRaSqWyBUa/dI7g/YRVLNU7O.oySOKw0CA6NNy0zbXD0lW.eKK6RXeCT65kIzyvYLt1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Kolkata'
set traffic-policy shaper PEER class 3 bandwidth '10mibit'
set traffic-policy shaper PEER class 3 match TEST mark '222'
set traffic-policy shaper PEER default bandwidth '10mibit'
set traffic-policy shaper PEER default queue-type 'fair-queue'
Hi @mahendra, did you restart the pppoe daemon after changing it manually?
restart pppoe-server
Please also check sudo tc -s -d filter show dev ppp0
and also provide the output of the command show policy route
set interfaces ethernet eth1 pppoe 0 policy route 'Peering'
Status is the same, not bypassing the destination IP pools:
173.194.0.0/16
216.58.0.0/16
103.5.187.0/24
noc@SLBB-NAS-TEST:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PeeringList network '173.194.0.0/16'
set firewall group network-group PeeringList network '216.58.0.0/16'
set firewall group network-group PeeringList network '103.5.187.0/24'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '49.143.252.11/27'
set interfaces ethernet eth0 hw-id '00:25:90:37:41:1c'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:25:90:37:41:1d'
set interfaces ethernet eth1 pppoe 0 default-route 'auto'
set interfaces ethernet eth1 pppoe 0 mtu '1492'
set interfaces ethernet eth1 pppoe 0 name-server 'auto'
set interfaces ethernet eth1 pppoe 0 policy route 'Peering'
set interfaces loopback lo
set policy route Peering rule 100 destination group network-group 'PeeringList'
set policy route Peering rule 100 set mark '222'
set protocols static route 0.0.0.0/0 next-hop 49.143.252.1
set service pppoe-server access-concentrator 'SLBB'
set service pppoe-server authentication local-users username mahendra password '123456'
set service pppoe-server authentication local-users username mahendra rate-limit download '2048'
set service pppoe-server authentication local-users username mahendra rate-limit upload '1024'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '139.5.98.2'
set service pppoe-server client-ip-pool stop '139.5.98.250'
set service pppoe-server dns-servers server-1 '8.8.8.8'
set service pppoe-server interface eth1
set service pppoe-server local-ip '139.5.98.1'
set service pppoe-server service-name 'smartlink123'
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'SLBB-NAS-TEST'
set system login user noc authentication encrypted-password '$6$wPdPXUEcZ$Q.aksYzaevq5676xF5n0bJRp8pcnvGIFRidSlXdFbuDrKEAy2YvGANw0sQikecpM5QzLHohjbLvBaAauFJdu50'
set system login user noc authentication plaintext-password ''
set system login user noc level 'admin'
set system login user vyos authentication encrypted-password '$6$Du9fx1DRTx$RT.ekLj8O/RTgrnrLrEpRaSqWyBUa/dI7g/YRVLNU7O.oySOKw0CA6NNy0zbXD0lW.eKK6RXeCT65kIzyvYLt1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Kolkata'
set traffic-policy shaper PEER bandwidth 'auto'
set traffic-policy shaper PEER class 3 bandwidth '10mibit'
set traffic-policy shaper PEER class 3 burst '15k'
set traffic-policy shaper PEER class 3 match TEST mark '222'
set traffic-policy shaper PEER class 3 queue-type 'fair-queue'
set traffic-policy shaper PEER default bandwidth '10mibit'
set traffic-policy shaper PEER default burst '15k'
set traffic-policy shaper PEER default queue-type 'fair-queue'
100 set all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* Peering-100 */ MARK set 0xde
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
noc@SLBB-NAS-TEST:~$
NO, not working…
noc@SLBB-NAS-TEST:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PeeringList network '173.194.0.0/16'
set firewall group network-group PeeringList network '216.58.0.0/16'
set firewall group network-group PeeringList network '103.5.187.0/24'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '49.143.252.11/27'
set interfaces ethernet eth0 hw-id '00:25:90:37:41:1c'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:25:90:37:41:1d'
set interfaces ethernet eth1 pppoe 0 default-route 'auto'
set interfaces ethernet eth1 pppoe 0 mtu '1492'
set interfaces ethernet eth1 pppoe 0 name-server 'auto'
set interfaces ethernet eth1 pppoe 0 policy route 'Peering'
set interfaces loopback lo
set policy route Peering rule 100 destination group network-group 'PeeringList'
set policy route Peering rule 100 set mark '222'
set protocols static route 0.0.0.0/0 next-hop 49.143.252.1
set service pppoe-server access-concentrator 'SLBB'
set service pppoe-server authentication local-users username mahendra password '123456'
set service pppoe-server authentication local-users username mahendra rate-limit download '2048'
set service pppoe-server authentication local-users username mahendra rate-limit upload '1024'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '139.5.98.2'
set service pppoe-server client-ip-pool stop '139.5.98.250'
set service pppoe-server dns-servers server-1 '8.8.8.8'
set service pppoe-server interface eth1
set service pppoe-server local-ip '139.5.98.1'
set service pppoe-server service-name 'smartlink123'
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'SLBB-NAS-TEST'
set system login user noc authentication encrypted-password '$6$wPdPXUEcZ$Q.aksYzaevq5676xF5n0bJRp8pcnvGIFRidSlXdFbuDrKEAy2YvGANw0sQikecpM5QzLHohjbLvBaAauFJdu50'
set system login user noc authentication plaintext-password ''
set system login user noc level 'admin'
set system login user vyos authentication encrypted-password '$6$SKdAJ9ZuzN6JD.3$NseWPH/wzbVSjJkSXHQwz3fWR0kV0XZfFBFa3FT9oboiun2MQvyl9M4Xfly6rNUiRvRLEujIpfYrSFxfLgBQP1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Kolkata'
set interfaces ethernet eth0 policy route 'PEERING'
set policy route PEERING rule 10 set mark '222'
set policy route PEERING rule 10 source group network-group 'PEERING-LIST'
That worked for Dmitry and myself. We were able to bypass the PPPoE rate-limit.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PeeringList network '173.194.0.0/16'
set firewall group network-group PeeringList network '216.58.0.0/16'
set firewall group network-group PeeringList network '103.5.187.0/24'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '49.143.252.11/27'
set interfaces ethernet eth0 hw-id '00:25:90:37:41:1c'
set interfaces ethernet eth0 policy route 'PEERING'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:25:90:37:41:1d'
set interfaces ethernet eth1 pppoe 0 default-route 'auto'
set interfaces ethernet eth1 pppoe 0 mtu '1492'
set interfaces ethernet eth1 pppoe 0 name-server 'auto'
set interfaces loopback lo
set policy route PEERING rule 10 set mark '222'
set policy route PEERING rule 10 source group network-group 'PeeringList'
set protocols static route 0.0.0.0/0 next-hop 49.143.252.1
set service pppoe-server access-concentrator 'SLBB'
set service pppoe-server authentication local-users username mahendra password '123456'
set service pppoe-server authentication local-users username mahendra rate-limit download '2048'
set service pppoe-server authentication local-users username mahendra rate-limit upload '1024'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '139.5.98.2'
set service pppoe-server client-ip-pool stop '139.5.98.250'
set service pppoe-server dns-servers server-1 '8.8.8.8'
set service pppoe-server interface eth1
set service pppoe-server local-ip '139.5.98.1'
set service pppoe-server service-name 'smartlink123'
set service ssh
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'SLBB-NAS-TEST'
set system login user noc authentication encrypted-password '$6$wPdPXUEcZ$Q.aksYzaevq5676xF5n0bJRp8pcnvGIFRidSlXdFbuDrKEAy2YvGANw0sQikecpM5QzLHohjbLvBaAauFJdu50'
set system login user noc authentication plaintext-password ''
set system login user noc level 'admin'
set system login user vyos authentication encrypted-password '$6$SKdAJ9ZuzN6JD.3$NseWPH/wzbVSjJkSXHQwz3fWR0kV0XZfFBFa3FT9oboiun2MQvyl9M4Xfly6rNUiRvRLEujIpfYrSFxfLgBQP1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Kolkata'
If you want access to the router, I can allow you to check …
Please keep exactly that configuration, so that we are on the same page.
Please make sure /etc/accel-ppp/pppoe/pppoe.config includes
[shaper]
fwmark=222
down-limiter=htb
Please note that, if you reboot the machine, that section will be gone and you will have to configure it again.
restart pppoe-server
On a PPPoE client run iperf -s
Take a host with an IP address belonging to your defined network-group.
Please note that this host should be accessible from the interface eth0 of the PPPoE server.
Run the following command on that host: iperf -c <PPPoE_client_IP_address>
Check the output; you should see that the traffic has not been affected by the PPPoE Server rate-limit configuration.
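
A consistency check for the pieces the fix in this thread depends on, as an added example (not code from the thread or from VyOS): it verifies that the policy route references a defined network-group, is applied to an interface, and sets the same mark as fwmark in the [shaper] section, which the post above says is lost on reboot. The function names and the sample strings are assumptions made for illustration; on the router the inputs would be the output of show configuration commands and the contents of /etc/accel-ppp/pppoe/pppoe.config.

```python
import re

QUOTES = "'\"\u2018\u2019"  # ASCII and typographic quotes; both show up in pasted configs

def parse_set_commands(text):
    """Token lists for every 'set ...' line, with surrounding quotes stripped."""
    cmds = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["set"]:
            cmds.append([t.strip(QUOTES) for t in tokens[1:]])
    return cmds

def shaper_section(accel_conf):
    """Key/value pairs from the [shaper] section of an accel-ppp config file."""
    section, values = None, {}
    for raw in accel_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "shaper" and "=" in line:
            key, val = line.split("=", 1)
            values[key.strip()] = val.strip()
    return values

def lint(set_commands, accel_conf):
    """Return a list of consistency problems; an empty list means every check passed."""
    cmds = parse_set_commands(set_commands)
    groups = {c[3] for c in cmds
              if c[:3] == ["firewall", "group", "network-group"] and len(c) > 3}
    attached = {c[-1] for c in cmds
                if c[:1] == ["interfaces"] and c[-3:-1] == ["policy", "route"]}
    marks, findings = {}, []
    for c in cmds:
        if c[:2] != ["policy", "route"]:
            continue
        if c[5:7] == ["set", "mark"] and len(c) > 7:
            marks[c[2]] = c[7]
        if c[6:8] == ["group", "network-group"] and len(c) > 8 and c[8] not in groups:
            findings.append(f"policy route {c[2]}: network-group {c[8]} is not defined")
    findings += [f"policy route {n}: not applied to any interface"
                 for n in marks if n not in attached]
    shaper = shaper_section(accel_conf)
    if shaper.get("fwmark") not in marks.values():
        findings.append(f"[shaper] fwmark={shaper.get('fwmark')} matches no policy-route mark")
    if "down-limiter" not in shaper:
        findings.append("[shaper] down-limiter is not set")
    return findings

# Constructed sample input, adapted from the configuration lines in the thread.
WORKING = """\
set firewall group network-group PeeringList network '173.194.0.0/16'
set interfaces ethernet eth0 policy route 'PEERING'
set policy route PEERING rule 10 set mark '222'
set policy route PEERING rule 10 source group network-group 'PeeringList'
"""
ACCEL_AFTER_REBOOT = "[pppoe]\ninterface=eth1\n"  # constructed: [shaper] section gone

if __name__ == "__main__":
    print(lint(WORKING, ACCEL_AFTER_REBOOT))
```

Running the check after every reboot and every commit that touches the policy route catches the two failure modes seen in the thread: a group name that does not match (PEERING-LIST versus PeeringList) and a missing [shaper] section.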