Is anybody aware of a FreeBSD, Linux, or Windows based product that can automatically lower the priority of network packets of users that have caused a high amount of network traffic during the last minute? (The standard pf and ALTQ mechanisms of FreeBSD cannot do that.)

I am not talking about defining packet priority for certain protocols or port numbers; I want to lower priority dynamically based on the actual bandwidth usage of a user.

  • Normally done by a router in front. Mikrotik has some nice and low-priced products that can do so; it is called burst speed management, part of the traffic shaping options. – TomTom Apr 12 '11 at 10:55

4 Answers

You can do this using ALTQ, to some extent. What you can do using ALTQ is lower the bandwidth of a specific pipe after a specific time, when using HFSC. Whether this actually accomplishes what you need depends largely on the protocol.

In-depth information on PF and HFSC is available here, and you'll be looking at option 7 for your implementation. It does not "lower priority after a while", but "grants more bandwidth initially". This can have the same desired end result.

Mel
  • Thanks for pointing out that option; I was not aware of it. The disadvantage of your approach is that the bandwidth is **always** lowered after the timeout; if no other user is currently using the Internet connection, the bandwidth is lowered unnecessarily, because in this case it would be OK for the bulk user to have 100% bandwidth. That is why I would rather lower the priority instead of restricting the bandwidth. – May 09 '11 at 08:20
  • @fmunkert Hmm, so why does borrow using whatever scheme not work for you? Borrow allows any pipe to use additional bandwidth if it's available. A 50% bandwidth borrow pipe would mean "50% if busy but 100% if we can steal some from other pipes". – Mel May 09 '11 at 08:42
  • "borrow" can only be used with cbq, but cbq cannot differentiate between bulk users and normal users. – May 09 '11 at 21:01

I wrote a script to set up HFSC + SFQ for Linux (using tc); HFSC should do what you want, and SFQ on top enforces fairness between bulk streams. The result works very well for me, allowing for low latency even in the face of multiple bulk uploads or downloads.

Here's the script: https://gist.github.com/939373

Daniel S. Sterling
  • Would your script work if I comment out all lines that shape the LAN interface? I have one WAN interface and multiple LAN interfaces with many private subnets. Also I use the Linux gateway as a file server for the LAN users. So forcing the WAN down-link speed onto the LAN interface would be underutilization of my LAN interface speed for intranet services. – nixnotwin Jan 14 '12 at 14:03
  • @nixnotwin - add a line like this under "prioritize interactive ports" - this will prevent shaping internal LAN traffic; replace 10.0.0.0/24 with your network IP: /sbin/tc filter add dev $LAN_INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/24 match ip dst 10.0.0.0/24 flowid 1:10 – Daniel S. Sterling Jan 25 '12 at 00:31
  • I used the ifb module to create a dummy interface ifb0, much like imq. Here is the modified script where ifb0 becomes my LAN interface: http://pastebin.com/JbFkVFtr But I have not been able to modify the WAN ingress filter to work with ifb0, e.g. ingress filters for interactive ports are still applied to the WAN interface because it showed an error when I applied them to ifb0. – nixnotwin Feb 11 '12 at 11:06

These Windows solutions get quite close to your needs: Bandwidth Splitter and Bandwidth Manager

If I were using Linux I'd use tc to manipulate the spike ceiling and SNMP to count GBs transferred on switch ports in order to penalise heavy users (with packet priorities or lower ceilings).

Jonathan Ross
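The count-then-penalise approach Jonathan sketches is the part the question actually asks for: per-user accounting over the last minute, with the heavy users moved to a lower priority and moved back once they quiet down. The following is an added example, not code from any answer in this thread or from any tool it mentions. It keeps a sliding one-minute byte count per source host from constructed accounting samples (in practice these would be SNMP interface-counter deltas or gateway-side per-host counters), demotes hosts that exceed a threshold to a low-priority tc class, and restores them once their usage has aged out of the window, so the penalty is not permanent. The interface name eth1, the class id 1:30, the filter prio slot 5, the 60-second window and the byte thresholds are all assumptions; the filter syntax follows the u32 line Daniel posted in his comment.

```python
"""Sliding one-minute usage accounting per source host, demoting heavy senders
to a low-priority tc class and restoring them when their usage ages out.
Added example: the accounting samples are constructed, and the interface,
class id, prio slot, window and thresholds are assumptions, not values
taken from any script in this thread."""
from collections import defaultdict, deque

WINDOW_S = 60                       # "traffic during the last minute"
DEMOTE_ABOVE = 20 * 1024 * 1024     # bytes in the window that trigger demotion
RESTORE_BELOW = 5 * 1024 * 1024     # hysteresis: restore only when well below the trigger
DEV = "eth1"                        # assumed WAN-facing interface with a root qdisc at 1:0
BULK_CLASS = "1:30"                 # assumed low-priority leaf class
DYN_PRIO = 5                        # filter prio reserved for dynamic demotions


def rebuild_filters(dev, hosts):
    """tc commands that flush the dynamic filters and re-add one per demoted host.
    Static filters with a lower prio number (e.g. prio 1 for interactive ports
    or LAN-to-LAN traffic) are evaluated first and keep their precedence."""
    cmds = [f"/sbin/tc filter del dev {dev} parent 1:0 prio {DYN_PRIO}"]
    for host in sorted(hosts):
        cmds.append(f"/sbin/tc filter add dev {dev} protocol ip parent 1:0 "
                    f"prio {DYN_PRIO} u32 match ip src {host}/32 flowid {BULK_CLASS}")
    return cmds


class UsageTracker:
    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s
        self.samples = defaultdict(deque)   # host -> (timestamp, bytes) inside the window
        self.totals = defaultdict(int)      # host -> bytes inside the window
        self.demoted = set()

    def add(self, ts, host, nbytes):
        """Record bytes sent by host at time ts (a counter delta from SNMP, nfacct, ...)."""
        self.samples[host].append((ts, nbytes))
        self.totals[host] += nbytes

    def _expire(self, now):
        # Drop samples older than the window so a quiet host recovers by itself.
        for host, q in self.samples.items():
            while q and q[0][0] <= now - self.window_s:
                self.totals[host] -= q.popleft()[1]

    def usage(self, host, now):
        self._expire(now)
        return self.totals[host]

    def evaluate(self, now, dev=DEV):
        """Update the demoted set; return tc commands only if it changed."""
        self._expire(now)
        before = set(self.demoted)
        for host, used in self.totals.items():
            if host not in self.demoted and used > DEMOTE_ABOVE:
                self.demoted.add(host)
            elif host in self.demoted and used < RESTORE_BELOW:
                self.demoted.discard(host)
        return [] if self.demoted == before else rebuild_filters(dev, self.demoted)


def run_scenario():
    """Constructed feed: .10 uploads 2 MiB every 5 s for a minute, .20 stays light."""
    tr = UsageTracker()
    for t in range(0, 60, 5):
        tr.add(t, "192.168.1.10", 2 * 1024 * 1024)
        tr.add(t, "192.168.1.20", 100 * 1024)
    actions = {
        60: tr.evaluate(60),    # 22 MiB still in the window -> demote .10
        90: tr.evaluate(90),    # 10 MiB still in the window -> keep it demoted
        130: tr.evaluate(130),  # everything aged out -> restore (flush only)
    }
    return tr, actions


if __name__ == "__main__":
    for when, cmds in run_scenario()[1].items():
        print(when, cmds or "(no change)")
```

Run evaluate() from a periodic job fed with counter deltas and execute the returned commands; the flush at prio 5 may fail when no dynamic filter exists yet, which is harmless to ignore. Because the demoted host is only steered into a different class rather than capped, it still gets the whole link when nobody else is using it, provided the bulk class's ceiling is set to the full link rate; that is what distinguishes this from the permanent rate cut fmunkert objects to above.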

I'm not a PF/ALTQ guy, but I know IPFW/DummyNet and it can do essentially what you're after, scheduling priority by rate usage.

A very simple example (as I don't have any details of how your router is setup):

# Pipe 1 emulates the link; set bw to your real uplink rate (ipfw needs "config" here)
ipfw pipe 1 config bw 300Kbit/s
# Scheduler 1 shares pipe 1 using WF2Q+ (the default type, spelled out here)
ipfw sched 1 config pipe 1 type wf2q+
# One dynamic queue per source IP: the mask belongs on the queue, not the scheduler,
# so every host competes for the same 300Kbit/s link instead of getting its own instance
ipfw queue 1 config sched 1 mask src-ip 0xffffffff
ipfw add 10 queue 1 ip from 192.168.1.0/24 to any out

I would not recommend using these rules unaltered....

They simply take all traffic coming from 192.168.1.0/24 and run it through Queue 1.
Queue 1 is associated with Scheduler 1.
Scheduler 1 uses WF2Q+ to distribute bandwidth (when there isn't enough available) so that the least usage gets the highest priority. Flows are grouped by source IP address (I'm assuming you want all the traffic from a particular IP treated the same).
The Scheduler is constrained by the Pipe, which tells it that it has 300Kbps to work with (otherwise it would assume it has the whole speed of the Ethernet interface, and your Internet connection is probably not that fast). You would change the 300Kbps to whatever your actual connection is.

A quick explanation of what this is doing: This will build a packet queue, by default 50 packets deep. Let's say that you have two users on your network, one is BitTorrenting files out over the connection, the other is just checking their e-mail; neither are constraining their usage in any way. The IP the BitTorrent Client is sending from will generate enough traffic to fill the queue and saturate the Internet connection. When the person checking their e-mail sends something, it will get placed first in line in the queue (and would thus be sent out as quickly as possible) because they have not been sending data. If the situation were two BT Clients, they would each get half of the connection as they'd both have the queue constantly saturated.

DummyNet allows for very complicated traffic shaping with the right options; you just have to be very specific as to what you're trying to accomplish. Also keep in mind that a router can only control what it sends; it can never control what is received (because that is controlled by whatever sent it). Think of it like your postal mailbox: the mailman determines what you receive, you determine what you send out through it.

Chris S
  • Doesn't "ipfw pipe 1 bw 300Kbit/s" constrain the bandwidth **always**? If no other user currently is using the network interface, the bulk user should be able to use the full network bandwidth. –  Jun 08 '11 at 06:39
  • My apologies I wasn't clear enough. These rules are just an example and would not be appropriate to be used in almost any situation without altering them. Yes, you would change the 300Kbit/s to whatever the bandwidth of your connection is. You did not specify what your bandwidth is, so I used "300Kbit/s", the same number the man pages use for examples. You have to specify the bandwidth somehow because the router would have no other way of knowing what the bandwidth of the connection is. – Chris S Jun 08 '11 at 12:32