QoS - limiting bandwidth per user

I created rules to limit guest bandwidth.

vif 2 {
    ...
    }
    traffic-policy {
        in hotspotupload
        out hotspotdownload
    }
}

traffic-policy {
    limiter hotspotupload {
        default {
            bandwidth 5mbit
        }
    }
    shaper hotspotdownload {
        bandwidth 50mbit
        default {
            bandwidth 10mbit
        }
    }
}

But I don’t know if I am limiting the whole interface traffic or per IP/host?
If not per IP, how can I change it?

I tried to read this information but can’t find a detailed description of how it works.
https://docs.vyos.io/en/latest/qos.html#classful-policies-and-traffic-matching

I also can’t understand what “bandwidth” means for “shaper”:

shaper hotspotdownload {
    bandwidth 50mbit

Does it mean that I am limiting bandwidth on this interface to 50 and then splitting it in classes (or default bandwidth)?

Thanks in advance for any clarification of this topic!

Hi rysic,

According to the configuration shown, you are not limiting or shaping per IP or host; you are limiting all inbound traffic coming from that interface and shaping all outbound traffic going through that interface.

Regarding this command:

traffic-policy shaper hotspotdownload bandwidth 50mbit

Does it mean that I am limiting bandwidth on this interface to 50 and then splitting it in classes (or default bandwidth)?

Yes, that’s it, it is shaped as a whole to 50mbit. And that will be your reference when configuring classes, I mean you will be able to define classes with absolute values (never higher than 50mbit) or with percentages of that reference bandwidth.

And yes, documentation on Traffic Policy needs some love, we will give it soon : )

Thank you! It is helpful!

Can you please tell me how to fix it and do bandwidth limitations per IP in shaper and limiter?

PPPoE would be good in that case.

https://docs.vyos.io/en/latest/services/pppoe-server.html#bandwidth-shaping

If you don’t want to use PPPoE, I would use the Stochastic Fairness Queuing algorithm (VyOS’ fair-queue) to have a more or less proportional fair share of every conversation.
fair-queue won’t take only source IP address into account for its calculations, but source port and destination address too, but probably the final results will somehow meet what you are looking for.

In the case your physical link is not really 50mbit, you will have to set fair-queue inside a shaper policy so that fair-queue really takes effect.

That would be:

set traffic-policy shaper hotspotdownload bandwidth '50mbit'
set traffic-policy shaper hotspotdownload default bandwidth '50mbit'
set traffic-policy shaper hotspotdownload default queue-type 'fair-queue'

For the inbound traffic I cannot think of something similar to a per-user policy without using PPPoE.

For “ingress shaping” you may want to use the IFB (Intermediate Functional Block) workaround, which lets you redirect all incoming traffic to an in-between virtual interface to which you can apply outbound policies.

So, you would need to do:

set traffic-policy shaper hotspotupload bandwidth <bandwidth>
set traffic-policy shaper hotspotupload default bandwidth <bandwidth>
set traffic-policy shaper hotspotupload default queue-type 'fair-queue'

set interfaces input ifb0 traffic-policy out hotspotupload
set interfaces ethernet <ethX> redirect ifb0
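
An added example, not part of the original posts and not VyOS code: a small Python simulation of the point above that fair-queue balances conversations rather than hosts. The round-robin scheduler with one queue per conversation, the 1500-byte packet size, the addresses and the per-host comparison mode are assumptions made for illustration; real SFQ hashes conversations into a finite number of buckets.

```python
from collections import Counter, deque

PKT_BITS = 1500 * 8  # assumed fixed packet size

def simulate(backlog, link_mbit, seconds, key=lambda flow: flow):
    """Round-robin one packet per queue until the shaper budget is spent.

    backlog: {(src_ip, src_port, dst_ip): packets waiting}
    key:     maps a flow tuple to its queue; the identity function gives one
             queue per conversation, as the fair-queue description implies.
    Returns Mbit/s delivered to each destination (guest) address.
    """
    queues = {}
    for flow, pkts in backlog.items():
        # Each queued packet is tagged with the guest address it is going to.
        queues.setdefault(key(flow), deque()).extend([flow[2]] * pkts)
    active = deque(q for q in queues.values() if q)
    budget = int(link_mbit * 1_000_000 * seconds) // PKT_BITS
    sent = Counter()
    while budget and active:
        q = active.popleft()
        sent[q.popleft()] += 1
        budget -= 1
        if q:                      # queue still backlogged: back of the line
            active.append(q)
    return {h: round(n * PKT_BITS / seconds / 1_000_000, 1) for h, n in sent.items()}

# Constructed sample: two guests on 172.16.0.0/24 downloading through the
# 50mbit shaper. Guest .10 has one conversation, guest .11 has four.
CONSTRUCTED_BACKLOG = {
    ("198.51.100.1", 443, "172.16.0.10"): 10_000,
    ("198.51.100.2", 443, "172.16.0.11"): 10_000,
    ("198.51.100.3", 443, "172.16.0.11"): 10_000,
    ("198.51.100.4", 443, "172.16.0.11"): 10_000,
    ("198.51.100.5", 443, "172.16.0.11"): 10_000,
}

def per_conversation():
    return simulate(CONSTRUCTED_BACKLOG, 50, 1)

def per_host():
    # Hypothetical comparison: one queue per guest address instead.
    return simulate(CONSTRUCTED_BACKLOG, 50, 1, key=lambda flow: flow[2])

if __name__ == "__main__":
    print("per conversation:", per_conversation())
    print("per host:        ", per_host())
```

With one queue per conversation the guest holding four conversations receives four fifths of the shaped bandwidth, which is why this setup approximates per-user fairness without enforcing a per-IP cap.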

@s.lorente, When I did that, I lost connection (Internet) on this interface.

ethernet eth0 {
    address dhcp
    description WAN
    dhcp-options {
        client-option "retry 60;"
        default-route-distance 1
        name-server no-update
    }
    firewall {
        in {
            ipv6-name WANv6_IN
            name WAN_IN
        }
        local {
            ipv6-name WANv6_LOCAL
            name WAN_LOCAL
        }
        out {
            ipv6-name WANv6_OUT
            name WAN_OUT
        }
    }
}
ethernet eth1 {
    address 192.168.1.1/24
    description LAN
    firewall {
        in {
            ipv6-name LANv6_IN
            name LAN_IN
        }
        local {
            ipv6-name LANv6_LOCAL
            name LAN_LOCAL
        }
        out {
            ipv6-name LANv6_OUT
            name LAN_OUT
        }
    }
    vif 2 {
        address 172.16.0.1/24
        firewall {
            in {
                ipv6-name GUESTv6_IN
                name GUEST_IN
            }
            local {
                ipv6-name GUESTv6_LOCAL
                name GUEST_LOCAL
            }
            out {
                ipv6-name GUESTv6_OUT
                name GUEST_OUT
            }
        }
        redirect ifb0
        traffic-policy {
            out hotspotdownload
        }
    }
}
input ifb0 {
    traffic-policy {
        out hotspotupload
    }
}

But it would be useful.

If you try this “ingress shaping” for traffic received directly to the ethernet, not to the VLAN interface, is everything working ok?