Bandwidth control

Hi everyone,

I know it is possible to limit the up- and download bandwidth on a certain interface with SQM.

So far so good, but how can I only limit certain subnets/networks on a selected interface?
All this is very easy to set up on dd-wrt, Cisco devices or any other firmware.

Does anyone have a good configuration to achieve this? Couldn't really find anything suitable.

Thanks in advance!

So SQM is not the right tool for that job, I fear, since it only allows different instances for different interfaces. So either you differentially route via virtual interfaces or you look for a different solution.
That said, have you tried cake's per internal IP fairness mode, which should give you at least equal bandwidth per computer?

Thank you for your answer!

Guess I also can't get it to work with QOS?
Found many examples, but never with subnets.

So you would create an additional interface and route all the traffic that needs to be limited through it?

The "fairness mode" is nice, but doesn't help me much.

Do you think this could work?

So I would route some traffic directly to the wan and some to the dummy interface which is bridged with wan?

Since then I have tried this and it works, but has some issues. I'd just try and experiment.

What kind of issues do you have?
So far this seems to be the best solution :stuck_out_tongue:

veth pairs don't respond normally to arp packets, so you can't just have a pair sitting around randomly and route things through them properly. One end has to be embedded in a bridge, or moved into a different namespace. Actually it works fine for ipv6 because icmp6 packets work fine, it's just ipv4 arp packets that have issues.

There's a certain amount of overhead in using veth pairs. Also the firewall config could be more complex... basically by creating a bunch of virtual interfaces you make your job more complex, but the complexity is what you need to get the flexibility you want, so it's not a huge deal.

If you explain what you want to accomplish I'll see if I can make some more specific recommendations.

It's also possible to use tc filters to move certain subnets into separate queues without all the veth overhead, so I don't think veths are the only solution. But I gotta say setting up routing on a veth is much easier than digging into manual tc commands.

Why, what exactly is the problem you are trying to solve with differentially throttling subnets?

Probably routing to dummy interfaces will work, but to be honest this is very messy. Also I am using ipv4...

I will have a router and some wifi range extenders with different SSIDs and some subnets. Some networks shouldn't have much bandwidth at all. All traffic will be routed. The range extenders don't support VLANs, which would have made it all easier.

I don't have experience with tc filters at all and I guess there would be much help needed.

I will have clients and a guest network and well they just don't need much bandwidth at all. Fair queuing is nice, but not a solution for any case. The best would be "fairness mode" for normal clients and some bandwidth limiting for special networks.

I think what you need is VLANs. You can put an SQM instance on eth0.4 or something, and then all your guest traffic on vlan 4 is limited. Perhaps try powerline modems instead of range extenders. They should pass vlan traffic fine.

If not, perhaps you can dedicate a separate range extender for each network. Then plug them into different ports on your switch. Put each switch port on a different VLAN untagged, and have the router use tags. Put SQM on the tagged interfaces in the router. Voila.

If you don't have a metered connection, your other option would be to use something like a smart switch with QoS in the smart switch. Put high priority on your main network ports, and low priority on your guest network ports. Let the guest network have as much bandwidth as it wants... but only as scavenger priority (DSCP CS1).

Your suggestions are all good and would solve the problem, but they mean that in my case I need different hardware, and, well, I wanted to avoid that.

So all in all I think I have two possibilities:

  1. Buy different hardware
    OR
  2. Maybe traffic won't be too much and fair queuing would be a good first step

As far as I understand, OpenWrt isn't capable of doing that at the moment. It would probably need more specialized SQM scripts. I saw many posts like this on the web. Is there a way to make feature requests?

Thank you for your help and time!

Here's what I suggest with no additional hardware required.

Turn on SQM on your WAN interface as outbound only (use the physical interface, like eth0.1 or whatever).

Turn on SQM on your LAN interface as outbound only with the layer cake option (use the physical interface, eth0.2 or whatever), and set the outbound bandwidth to the same as your WAN inbound bandwidth.

Create a DSCP tagger chain in your firewall, and tag all the packets headed to your guest LAN as CS1, tag all the packets headed to your primary LAN as CS2. See recent thread here: Creating DSCP markings with iptables?

VOILA! high priority for your main LAN, low priority for your Guests, no bandwidth limit required.
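
The DSCP tagger chain from the post above, as an added example that is not part of the original thread. The two subnets and the chain name `dscp_tag` are assumptions; the script only prints the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints the iptables commands for a DSCP tagger chain.
# Subnets and chain name are assumptions, not values from the thread.

MAIN_NET="192.168.1.0/24"    # assumed primary LAN subnet
GUEST_NET="192.168.3.0/24"   # assumed guest LAN subnet
CHAIN="dscp_tag"             # hypothetical chain name

# Shape check only (dotted quad plus /0-32), so a typo never becomes a rule.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one rule marking packets headed to subnet $1 with DSCP class $2.
tag_rule() {
    valid_cidr "$1" || { echo "bad subnet: $1" >&2; return 1; }
    case "$2" in
        CS1|CS2) ;;
        *) echo "bad class: $2" >&2; return 1 ;;
    esac
    echo "iptables -t mangle -A $CHAIN -d $1 -j DSCP --set-dscp-class $2"
}

# Print the whole rule set. Marking happens in mangle/FORWARD, i.e. after
# packets arrive on WAN and before they are queued on the LAN egress side.
build_rules() {
    echo "iptables -t mangle -N $CHAIN"
    echo "iptables -t mangle -A FORWARD -j $CHAIN"
    tag_rule "$GUEST_NET" CS1 || return 1   # guests: scavenger priority
    tag_rule "$MAIN_NET" CS2 || return 1    # primary LAN
}

# Dry run: review the output, then apply on the router with: build_rules | sh
build_rules
```
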

DSCP markings are a good tip, thanks for that!

Turn on SQM on your WAN interface as outbound only (use the physical interface, like eth0.1 or whatever).
Turn on SQM on your LAN interface as outbound only with the layer cake option (use the physical interface, eth0.2 or whatever), and set the outbound bandwidth to the same as your WAN inbound bandwidth.

Why do you suggest to use SQM on WAN and LAN interface? Wouldn't WAN only be enough?

No, because the DSCP markings won't be on the packets at the time the WAN interface inbound is being queued. First they'll be queued, then they'll go into iptables and get marked, then it's too late.

On the other hand, if you have no inbound queueing on WAN, they'll go into iptables, be marked, and then on outbound of LAN they'll be queued again using the marks.

+1. Please go and try this first as this will be quite easy to implement. Even if it is not sufficient, it should be better than the current behavior and will make things slightly better while you are searching for a better solution.
I note that there seems to be a package under development that tries to use iptables to allow per-device or per-subnet throttling, though currently IIRC you will need to build this from source. Unfortunately I do not even find the link right now. @hnyman do you remember the link to the discussion about using iptables for fine-grained speed control by any chance?

No, because the DSCP markings won't be on the packets at the time the WAN interface inbound is being queued. First they'll be queued, then they'll go into iptables and get marked, then it's too late.
On the other hand, if you have no inbound queueing on WAN, they'll go into iptables, be marked, and then on outbound of LAN they'll be queued again using the marks.

This means I have to enable SQM on all interfaces (LAN) which will receive traffic from WAN?

I will definitely try to implement that in the first step. Also very good to hear that there is a package under development, because sometimes this can be useful in addition to the solutions described here.