Help with beginner QoS

Useful hints. Radius has many EAP types (protocols for authentication).. Most of them are insecure or broken. What you really want is EAP-PWD

I know it works on Android, and Linux with network manager but beyond that I don't think windows, Mac, or iPhones support it. I'd enable it as an option though and encourage Android users to use it. Maybe in next few years iOS and Windows will support it.

What fallback works best? It seems like peap with mschapv2 works for iPhones and Windows. Less good security but workable.

Your little guest Network is not very likely to be subject to active attack like this, and you're handing out random passwords that only get you access to your wifi anyway. Generate usernames like wifiuser0035 and random passwords to print on your cards. Command line util pwgen is helpful here. Worst case someone goes to a lot of trouble to get something you're handing out free :wink:

1 Like

Hi there,

whole I can not offer a solution for your request, I can sketch out a simple proposal for a stop-gap measure...

I would use two wifi-routers in series, both running sqm in per-internal-IP-fairness mode.
The first router is for trusted users, while the second is for guests.
SQM on the first router should be configured to keep wan-bufferbloat under control (which might be tricky for a 4g-link, but still /I think it is worth trying) and to treat all internal IP-addresses fairly (so no IP can monopolize the link if there are other users).
Now the second router should be set-up as a router performing a second layer of NAT, that way all guest computers will be treated as a single IP-address by the primary router, in addition I would set up SQM on the second router to put in ceiling for the aggregated bandwidth consumed by all guest devices.
The last thing to do would be to isolate the port that connects the primary with the secondary router so that guests can not reach internal devices on the primary's internal network.
Again this does not solve your problem properly, but might buy you enough time to fully research the proper solution while already serving your guests...

Have a look at this script, posted by this thread OP.
This script will do you bandwidth speed limiting per mac address, you can set it according to your needs.

This is awesome, thanks! I'll try modifying this when I get a chance to work a little closer to my needs!

1 Like

Another idea:

  1. you can use iptables conntrack; this will track the whole connection based on src ip or dst ip, it will auto
    match dst if you use src ip and will auto match src based on dst ip.
  2. you can use iptables connmark; this let you mark a connection, so you can later drop it or slow it down!
  3. connbytes, you can use it to do something with connection when it's reached a certain size ex: 100MB of
    download data or uploaded.
    you can gathering all ideas into one, then tell us what will suit you!

The big problem with MAC based solutions here is that you probably have to add each MAC manually as people try to connect, also quotas will be per-connection not per MAC, and some mobile OSes alter the MAC for privacy reasons. I do think ultimately the WPA enterprise technique will be useful.

I have another idea: can use this modified wrtbwmon from here, you have to compile it first. also old version is not working.
2.wrtbwmon will create a text based db, this db will not lost if you reboot your router, you can use some bash commands to read the used bytes and mac address by each mac.
3.use a function like if:

if mac1-d=100000 #user 1 that consumed 10MB of data, mark his mac with a $SlowMark.

iptables -t nat -A prerouting_rule -m mac --mac-source $S1MAC -j MARK --set-mark $SlowMark -m comment --comment "$S1Name"
iptables -A forwarding_rule -m mark --mark $SlowMark -m conntrack --ctstate ESTABLISHED,RELATED -m hashlimit --hashlimit-name "$Group1Name" --hashlimit-above $SlowInternet -j DROP
  you decide here
end it to a script and do this for all of your limited users. can use crontab to change limit based on the time of the day.
another idea is to create guest wifi then use nft-qos limit all guest wifi to specified speed limit, a long with
crontab to reset limits etc.

1 Like

Awesome, any wy that new version of wrtbwmon you linked can be brought up to the packages included in openwrt?

Wrtbwmon still not included in the package repo, i don't know why.
but maybe someone will compile it and share on github!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.