Bandwidth limit per IP/Mac

I've hunted through multiple solutions in search for this over the last couple of months off and on, and haven't found an actual clear solution for what I'm looking to do; most people helping end up directing the person asking to various excellent methods of ensuring bandwidth fairness or reducing buffer bloat. That's probably the right answer for most of the people asking, but I'm looking for a very specific solution that actually does require a bandwidth limit for a single device (or IP range).

I've got a small home network running OpenWRT successfully with a Verizon air card. I do some light streaming video usage, almost exclusively with a single device (smart TV). My interest is in limiting bandwidth to this one device in order to force the Netflix and Amazon apps into a considerably lower video resolution, since both services intentionally avoid giving you a choice in their app settings. Doing so considerably extends the portion of the month I can watch low res video without getting the rest of my connection deprioritized. No fairness-oriented solution will solve this particular quirk without applying a pretty hard kb/s limit to the device.

I'm currently running an OpenWRT derivative named ROOter, based on LEDE 17.01.2, and it's been working perfectly otherwise for almost a year and a half. If necessary to get a package I'd need, I can back up my current image and upgrade to the latest version, which is based on OpenWrt 18.06.1. I'm using ROOter primarily due to the excellent job it does handling air cards.

My hardware can't support multiple SSIDs, so if the easiest solution is to move the single device to a new interface and rate limit that one interface, I can do that, but it'll take a bit of extra work.

Is there a simple solution I'm missing? I've done custom traffic shaping using tc, but it's been years, and I'd end up completely re-learning if I need to do a custom setup. I'll do that if I need.

Thanks for your time if you have any suggestions!

First, I would suggest you upgrade your router to the latest version if possible, or otherwise at least upgrade to 17.01.6, because that should be possible. The upgrade should fix the problems and provide enhanced security.

I have a small script that I created some time ago and it may be able to help you. [Info] Limiting Download Speed based on MAC

In case you want to limit traffic speed for http or https ONLY, squid (cache/proxy) can do that for you.
A semi-professional solution is to use traffic limits enforced by a captive portal in cooperation with RADIUS. However, it has a steep learning curve.

There is a lot of OpenWRT "software" that does the per-IP bandwidth job. Google search these: eqos (tested working), luci-app-nft-qos (tested working, active development, MAC supported), qosv4 (a Tomato firmware per-IP shaping merge, works on older versions of WRT).

I am also interested in per IP/MAC bandwidth control. OP, did you manage to find a satisfactory solution?

Yes and no. Several of the recommendations above looked very likely to work, but at the time I was also stuck on a very outdated version of the ROOter branch that wasn't new enough to support them... and then I got ridiculously, stupidly busy at work, so am only now (in the last few weeks) getting back to my router setup to start working my way through the upgrades necessary to actually implement one of the suggested solutions. The gist of the problem is that almost all of the good solutions require at least one kernel module that's not precompiled with ROOter, and since ROOter is custom compiled, you either need to compile your own copy with the module or ... well, suffer.

If you've got an air card that works well with vanilla OpenWRT, you're ahead of the game. I'm also running an older generation, quirky air card ... so right now I've got a newer, better supported air card on the way from China (since the model I'm looking for is apparently almost impossible to get domestically right now). Once I have that upgrade completed, I can start playing with my second router and vanilla OpenWRT to see if I can get it supported under the vanilla platform where I'll have a lot more kernel module options.

I see. So your pains are in large part due to hardware.

I just installed luci-app-nft-qos, luci-app-qos and trafficshaper. I don't know which one caused a new menu item to appear in LuCI, but I was able to set separate download/upload limits on a particular device and successfully confirmed the speeds on


Perfect. luci-app-nft-qos was one of the most promising looking ones recommended to me, so I'll give that a try as soon as I get my other upgrades worked out. In my case too, individual air cards are fairly stupidly cheap per month as well, they just have a relatively low bandwidth limit, so once I get an initial modem upgrade worked out I'm looking to add a second card and do mwan3. I should be able to lock my couple of bandwidth-hungry devices to one card, so even when that one goes over and gets throttled, it won't affect my other devices being able to use the "fast lane" as well.

Thanks! I think you've actually helped me out on this one more than I was able to you!


As a late but useful follow-up, I've spent the past few months slowly upgrading all my equipment so I can get a more recent OpenWRT on my (new) main router, which is now up to 19.07.4. Among other things, this has finally allowed me to test the suggestions above. Specifically, luci-app-nft-qos was exactly the tool to fit the bill perfectly. I wanted to follow up with my final answer for anyone finding this via search later.

Since I wanted to rate-limit exactly one client and leave the rest essentially untouched, I landed at the following setup:

  • Rate limit enabled, and set to static
  • Default rate (applies to everything) set WAY higher than I'll ever see on my multiple LTE connections, which effectively disables the limit for default devices.
  • Device I wanted to limit (a Firestick) set to a download limit of 100KB/s (not kb/s, this app uses B).

This has produced the desired effect of limiting me to lower data usage (really, lower resolution) on streaming with zero effect on any of my other gear. It's working perfectly so far.

Thanks to all who contributed suggested approaches!


I just found your thread, a lot of good info here.

Just wanted to ask, do you know if this package would work if I'm just using my OpenWrt router as a dumb AP, or must it act as the router/gateway to one's LAN in order to take advantage of this?

I've got an IPFire box running as my actual router, and I'm using its built-in QoS to pretty decent effect. But it's not quite enough for this one heavy user on the network whom I'd like to limit.

Anyone got an idea?

Sorry to be so slow getting back to this.

You could do it that way with this package, but as I understand it, you would have to have that device routing rather than acting as an AP in bridge mode.

Is the device you'd like to throttle wireless or wired? To go with that, what is your OpenWRT device?

I might be a little slow, but will help if I can.


Thanks for the follow-up, and I apologize for my own slowness as well.

I have actually figured that to be the case, i.e. needing the OpenWrt device to run as the router and not just as an AP. Because after I downloaded the nft-qos package, and set some bandwidth limits, I didn't really see an obvious effect on the devices I tried to rate-limit.

I haven't gotten around to doing this yet, but my next plan is to connect a separate router (already have this device ready) to my OpenWrt AP, which is a TP-Link Archer C7. This other router will serve as the gateway for a new guest network. I have flashed FreshTomato onto it, which comes with a built-in QoS management system. Devices I plan on limiting will only have access to the AP broadcasted by this new guest WLAN router, whose outbound rate I plan to limit to something like 30-40% of that of my ISP's.

Hopefully this will be able to get me close enough to how I want my network to function, which is to allot guests (we host actual long and short term guests through Airbnb) a certain amount of bandwidth on my network, but not exceed the maximum limit I set. So that myself and the rest of my family will always be guaranteed a minimum level of performance even if some guests are using the network to an excessive degree, which though not too often, does still happen from time to time.

Do you think this is a good plan for achieving what I'm looking for?

That should work great!

If your gateway router supports VLANs, I'd recommend splitting the port for the guest network into its own subnet, with only the gateway router and guest router on it. This will allow you to prevent traffic between the two networks, protecting your private devices.

The guest router should be set up to give network addresses on a third subnet, which is the actual guest network. NAT at the guest router should be turned off - all NAT only needs to be done by the gateway router. The gateway router will need one static route, that points to the guest router to reach the guest subnet. That will get internet access working smoothly without unnecessary double NAT on the guest network.


I personally think nftables is the best option. I've tried iptables and tc, they are complicated.
With nftables, if you already have the knowledge about iptables' chains and hook, it is very straightforward.

table inet nft-qos-static {
	chain upload {
		type filter hook prerouting priority filter; policy accept;
	}

	chain download {
		type filter hook postrouting priority filter; policy accept;
		ip saddr ip daddr limit rate over 1 mbytes/second drop
	}
}

ip saddr ip daddr limit rate over 1 mbytes/second drop
This is how you restrict bandwidth per IP; you can do both source and dest, and MAC address too.

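
As an added example (not from any post in this thread and not code from the nft-qos package), these POSIX shell functions generate a per-IP limit ruleset of the kind shown above for one client, and reject arguments that could inject extra statements into the ruleset file. The table name `per_ip_limit`, the chain layout and the address 192.0.2.50 are assumptions; the 800 kbit/s input is converted to the 100 KB/s figure used earlier in the thread.

```shell
#!/bin/sh
# Added example: per-IP limit ruleset generator. Table name, chain layout
# and the 192.0.2.50 address are assumptions (constructed sample values).

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# kbit_to_kbytes KBIT: nft limits count bytes, streaming bitrates are in bits.
kbit_to_kbytes() {
    echo $(( $1 / 8 ))
}

# gen_ruleset CLIENT_IP DOWN_KBYTES UP_KBYTES: print the ruleset, or fail
# with nothing on stdout if an argument is not a plain address or number.
gen_ruleset() {
    ip=$1; down=$2; up=$3
    is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    for rate in "$down" "$up"; do
        case "$rate" in
            ''|0*|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;;
        esac
    done
    cat <<EOF
table inet per_ip_limit {
	chain upload {
		type filter hook prerouting priority 0; policy accept;
		ip saddr $ip limit rate over $up kbytes/second drop
	}
	chain download {
		type filter hook postrouting priority 0; policy accept;
		ip daddr $ip limit rate over $down kbytes/second drop
	}
}
EOF
}

# Constructed sample: cap one client at 800 kbit/s down (100 KB/s), 50 KB/s up.
gen_ruleset 192.0.2.50 "$(kbit_to_kbytes 800)" 50
```

The generated file can be syntax-checked without loading it using `nft -c -f <file>`. Only the listed client is matched, so other devices are left unlimited without needing a high default rate.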

For some reason I can't get MAC address based rules to work.

table inet nft-qos-mac {
        chain upload {
                type filter hook postrouting priority filter; policy accept;
                ether saddr 0a:1b:2c:3d:4d:5e limit rate over 1 mbytes/second drop
        }
}

state your version

Device: Linksys WRT1900ACSv2
Firmware: OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d
Kernel Version: 5.4.154


Download and force install the master version (ipk); there was a fix that afaik isn't backported.

Sadly the MAC address based speed restrictions still don't work.

nft list ruleset
uci show network
uci show nft-qos