Slashdot Mirror
Limiting Bandiwidth in a Shared DSL Environment?
stylee asks: "We have a DSL connection that runs from a Cisco 675 DSL modem to a 24 port hub. Cat 5 cable has been run to the utility closet of each unit. The condo assoc. pays for the DSL from the monthly condo fees collected. The internet connection has been terribly slow the last few days, so I did a little snooping with ethereal and found that there is an individual who is using eDonkey 2000 to download and share movies. This user is eating up all the bandwidth. I want to set up a good router that can do load balancing so that an individual can't take up all the bandwidth and I was wondering what Slashdot would recommend. I would have to do it on the condo assoc. dime so it would have to be done on the cheap. Any suggestions?"
What my university always did was, if a single user was using a lot of bandwidth on a constant basis, simply turn off their connectivity. When people learn to police themselves, stuff works better.
Karma: Bad (mostly due to all those "In Soviet Russia" jokes)
it sounds like your condo associaton needs an internet usage policy- considering this guy's actions could get everyone in trouble.
I always look on freshmeat.net for these solutions...here's a tip...
Linux Bandwidth Arbitrator looks like it was designed for this sort of thing...
If he's illegally sharing files, he won't squawk too loudly.
OpenBSD has support for limiting classes of bandwidth for quality of service as a part of the pf(4) firewall. See the part of the pf user's guide that covers how to do it.
FreeBSD also has built-in support via the altq facility that is a part of the ipfw firewall.
My druthers would be to use OpenBSD for this as it's not a CPU-bound problem and security on your router should be very high on your list of priorities.
--Paul
I set up a DSL traffic shaper on Linux a bit ago. It's a bit of a pain in the ass to figure out the right things to do, and I don't have the script handy, but here are some pointers (given that this is from memory, some of this will probably be wrong).
Get a Linux box. Get two NICs (c'mon, NICs are cheap these days, and the DSL modem only needs a 10Mbit one).
Set up bridging on the Linux box.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
If your boxes use DHCP, you might want to give your shaper an outside IP address (so that it can run ntp and the like, if nothing else). Use br0 as the interface -- this tripped me up at first.
dhclient br0
Add per-host rate limiting. There are two *excellent* solutions to do this automatically under Linux -- esfq and wrr. Both automatically detect IP addresses on one side and spread bandwidth out evenly. Neither is apparently actively maintained, unfortunately, so if you're using a 2.6 kernel, you're out of luck. Your best bet is probably HTB (which *is* included in 2.6 and I believe current 2.4 kernels). HTB requires you to manually create a child of the main HTB qdisc for each IP address, and filter based on source IP address (or source MAC address, which is probably more appropriate if you have a single Ethernet segment and dynamically assigned IP addresses) but lets you filter traffic differently for each host. For a small network, this may be feasible. I'd hang another qdisc off of the HTB that reduces the priority of P2P *within* each host's account, so that someone can use spare bandwidth for eDonkey or whatever, but still retains reasonably snappy SSH, even on their own box.
You must set the maximum flow of the HTB just below the DSL modem's data transfer rate, or else the modem's buffer will fill up when outbound traffic fills up its (big) buffer, making interactive use impossible. Keep reducing the limit and then ping flooding (ping -f) the outside world from an inside box. Keep a regular ping running in another terminal, and monitor it. When your system is working right *ping times should not climb above 150 or 200ms or so on a box*. No 1000ms latency. You should simply start seeing packet loss.
I must say that setting something like this up was a huge pain in the ass, and that if I had the script handy at the moment, I'd post it. The Linux networking/filtering/routing system is not as well documented as it should be, and is *not* always the most intuitive thing in the world. It is, apparently, pretty powerful, based on what I've read from folks that have used other systems, though. [shrug]
Speaking of which, I can't figure out why sfq is in mainstream Linux but esfq is not. SFQ is, to my mind, almost useless for most people. Who on earth wants to balance all their TCP flows evenly? Even per-host bandwidth allocation is a *far* more common problem, and one that vanilla Linux (and any 2.6 kernel) cannot handle well.
I did not find it necessary to use ebtables or ipchains to produce an effective traffic shaper. YMMV.
May we never see th
IPCop v1.3 w/ Wondershaper or wait a couple more weeks for 1.4 which will have bandwidth shaping built in. It's a linux distro just for firewall/routers, runs on anything from a 486 up.
Several posters have already mentioned managed switches, linux routers with iptables, etc, but I've got a much simpler solution for you. It's a wonderful product manufactured by the Louisville Slugger corporation called a "baseball bat." With this fine product in hand, march over to the offending user's apartment, and smartly inform him that he is using too much bandwidth. If he refuses to self-throttle his bandwidth, offer to throttle him and his computer with the genuine wood Louisville Slugger baseball bat. Problem solved. Thank me later.
We don't have a state-run media we have a media-run state.
Monowall (www.m0n0.ch/wall) is a greaqt application for this. Can run from CDROM, CF or on a Soekris board - can do per IP bandwidth limiting/shaping, and totally free, based on BSD. It was trivial for me to set it up here.
Or FreeBSD, we use our firewall box where I work, and use the traffic shaping portion of ipfw2 (man pages, ipfw at www.FreeBSD.org) to limit bandwidth to certain hosts. FreeBSD allows you to add a rule that passes all traffic through either a pipe or queue (pipe is what you want), set the bandwidth, size of the backlog queue, and monitor usage of the pipes. If you set it up as a transparent bridge (see the advanced network topics in the FreeBSD Handbook at www.FreeBSD.org), you won't even have to change host settings. This way, you can limit traffic on an individual (or group) basis, monitor usage, and just drop the box between the main switch and the dsl router, turn it on, and pretty much forget it (especially if you don't allow remote access to the firewall, except maybe ssh or a VPN).
The same can of course be done with Linux, but in my (though somewhat limited to my place of work) experience, FreeBSD's traffic shaper is a bit more reliable, and much easier to set up (it's all in the handbook). In our case, that box is a transparent bridge, accessible only via ssh or from the inside interfaces, with three NICs, one for the outside router, one for the inside public systems, and a third with private addresses, where natd (man natd, also integrated with ipfw via FreeBSD's divert sockets) translates the private addresses as they go out of one of the other two interfaces. We also run nagios (network monitor), etherape (looks cool when you see the traffic real-time on a GUI), and poptop (MSCHAPv2 capable VPN server), along with IDS logging via ipfw and tcpdump/ethereal, all on an old Duron we had laying around collecting dust.
In all, our Firewall/VPN/IDS/Traffic Shaper/Network monitor cost us about $250 in hardware, and two day's labor. I saw a similar product (though in a nice 1U rackmount case) listed for $6000 at CDW, so whatever you do, you can't go wrong with Linux or FreeBSD on cheaper hardware, unless your time is worth a few thousand dollars an hour.
--That's the point of being root, you can do anything you want, even if it's stupid.
I'd recommend politely approaching the guy and asking him to throttle it down a bit. If he agrees, problem solved. If he refuses, cut his connection. Why spend more money to solve the problem of one abuser?
"Derp de derp."
One other thing, if you don't want to limit on a host-by-host basis, you could do it by type of service. Say you allocate 80% of your available bandwidth to common web, instant messaging, mail, and DNS traffic, and the remaining 20% for everything else. Just watch your tcpdump/ethereal/etc. logs for about a week to see the normal behavior (and the abuses). This way, the normal, non-abusive services are quick, while the unknown/abusive services are limited, which has a side benefit of discouraging improper use. Hell, if you can lock down the most abused ports, set the pipe they go through to 2400bps, and see how many people still use them in a week.
--That's the point of being root, you can do anything you want, even if it's stupid.
I used to use CarraFix, but Throttled whips the shit out of it.
I had to play around with the startup file for a few hours to get it working right. Here's my relevant modifications, if anyone's interested:
Alex