OpenBSD Journal

Limiting bandwidth per user/time of day?

Contributed by jose on from the throttle dept.

Stephane writes:
"I would like to know if it is possible for me to use my openbsd firewall to dynamically limit bandwidth on a per computer and/or time of the day basis, to effectively limit bandwidth hogging that occurs with certain users/programs?

regards

Stephane"

While the altq daemon can be used to limit bandwidth, is there anything out there that dynamically responds to bandwidth consumption which is available for OpenBSD? Does anyone have a good introduction to setting up the altqd(8) process, as I recall its configuration was pretty heavy.



Comments
  1. By Christopher () anub-deadly-20020925@open.mine.nu on mailto:anub-deadly-20020925@open.mine.nu

    With CBQ, bandwidth can be reserved in classes, any excess is shared. That should satisfy the 'certain computers hogging the bandwidth' problem if filters are set up fine-grained enough.

    man altq.conf does give useful info. Its syntax is...unique, but certainly doable.

  2. By Chris Wage () cwage@agenteight.com on http://chris.agenteight.com/

    I would think ALTQ is definitely your best bet. As for time-of-day -- why not just create more strict and more flexible configs for various times of the day and use a cronjob to kill altq, swap out the configs, and restart it?
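The cron-driven config swap suggested in this comment, written out as an added example; it is not code from the post or from OpenBSD, and it targets the stand-alone altqd of the era (on current OpenBSD queueing is configured in pf.conf instead). Everything about the layout is an assumption: the variants live in /etc/altq.d/altq.conf.work and /etc/altq.d/altq.conf.offhours, the active file is /etc/altq.conf, the script is installed as /usr/local/sbin/altq-switch, and the hour windows, the pkill-and-restart step and the NO_RESTART knob are this example's own choices.

```shell
#!/bin/sh
# altq-switch: install the altq.conf variant for the current time of day and
# restart altqd, as suggested in the comment above. Layout, windows and the
# restart method are this example's assumptions, not from the post.
#
# Assumed crontab lines (crontab -e as root):
#   0 8  * * 1-5 /usr/local/sbin/altq-switch
#   0 18 * * 1-5 /usr/local/sbin/altq-switch
# Running it every hour is also safe: nothing is restarted unless the active
# config actually differs from the wanted variant.

ALTQ_CONF=${ALTQ_CONF:-/etc/altq.conf}     # file altqd reads by default
CONF_DIR=${CONF_DIR:-/etc/altq.d}          # assumed: altq.conf.work, altq.conf.offhours
WORK_START=${WORK_START:-8}                # first working hour, inclusive
WORK_END=${WORK_END:-18}                   # first off-hours hour, exclusive

# Print the variant name that applies to an hour of the day (0-23).
altq_variant_for_hour() {
    h=$1
    if [ "$h" -ge "$WORK_START" ] && [ "$h" -lt "$WORK_END" ]; then
        echo work
    else
        echo offhours
    fi
}

# Install the named variant. Returns 0 if it was swapped in, 1 if the active
# config already matched, 2 if the variant file is missing or the copy failed.
# NO_RESTART=1 skips the daemon restart (for trying this on a non-firewall).
altq_swap() {
    variant=$1
    src="$CONF_DIR/altq.conf.$variant"
    if [ ! -f "$src" ]; then
        echo "altq-switch: no such config: $src" >&2
        return 2
    fi
    if [ -f "$ALTQ_CONF" ] && cmp -s "$src" "$ALTQ_CONF"; then
        return 1
    fi
    # Copy then rename, so a restart never reads a half-written file.
    cp "$src" "$ALTQ_CONF.tmp" && mv "$ALTQ_CONF.tmp" "$ALTQ_CONF" || return 2
    if [ "${NO_RESTART:-0}" = 1 ]; then
        echo "altq-switch: would restart altqd with the $variant config"
    else
        pkill -x altqd || :          # not an error if it was not running
        altqd                        # picks up /etc/altq.conf
    fi
    return 0
}

# Cron entry point: strip the leading zero so "08" is not read as octal.
altq_switch_now() {
    altq_swap "$(altq_variant_for_hour "$(date +%H | sed 's/^0//')")"
}

# Only act when invoked as the installed script, so sourcing this file for
# its functions has no side effects.
case $0 in
    */altq-switch|altq-switch) altq_switch_now ;;
esac
```

Because the swap is skipped when the active file already matches the wanted variant, the job can be scheduled hourly without restarting altqd needlessly, and the copy-then-rename keeps a restart from ever reading a partially written config.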

  3. By Eric () seamoor@thedeepsky.com on mailto:seamoor@thedeepsky.com

    The problem with ALTQ is that it does not throttle on incoming traffic. For example, if you have a 2-NIC obsd firewall, you would probably only want to run altq on the external interface (as not to limit bandwidth on the internal network), but in this config, local users downloading content can't be throttled, but if you are running a webserver behind the firewall (like in a dmz), then altq will work (for external users hitting your site). I'm not sure why it is this way, but I asked this question, and this is what I was told (and found).

    If you want to run ALTQ on the internal interface, then you can pretty much do it, but I didn't want to throttle bandwidth on the internal lan.

    Good luck.

    -E

    Comments
    1. By Chris Wage () cwage@agenteight.com on http://chris.agenteight.com/

      That's not entirely true. ALTQ is just what it sounds like.. it's queueing. You can queue traffic on any interface -- external or internal. If you queue on your external interface, you effectively rate-limit outgoing traffic.

      Likewise, if you queue on an internal interface, you can *affect* incoming traffic. Packets will come to your external interface at the rate they come no matter what you do -- but if you queue packets going out the internal interface, you can slow the process down -- effectively simulating congestion and eventually slowing down the process.

      Perhaps someone more experienced with packet queueing and congestion can speak more specifically to what happens in this circumstance.

      Comments
      1. By Eric () seamoor@thedeepsky.com on mailto:seamoor@thedeepsky.com

        Right. You basically said what I wrote. If you want to queue incoming traffic, you have to put altq on the internal interface. This sucks if you are on a 100MB LAN, and talking to the firewall will get throttled (ie if you want the internal interface to have high bandwidth).

        The other big problem with running ALTQ on the interface that I didn't mention is that if you are on a 100MB lan, and you want high throughput (ie ~100MB for some traffic like between the firewall and the internal clients) for some ip/ports, but not others (ie. you want 'em alt-q'd), you can only go down to 1% of the interface's bandwidth for CBQ (which is 1Mb of a 100Mb connection). The problem with this is that 1Mb is more than most people have for their Internet connection.

        -E

        Comments
        1. By Rafael Coninck Teigao () on http://safecore.net

          I think you can define sub-classes that use only a percentage of the parent_class bandwidth.
          For instance:
          #
          # cbq configuration for vx0 (10Mbps ether)
          # give at least 40% to TCP
          # other traffic goes into default class
          #
          interface vx0 bandwidth 10M cbq
          #
          class cbq vx0 root_class NULL priority 0 pbandwidth 100
          class cbq vx0 def_class root_class borrow pbandwidth 95 default
          class cbq vx0 tcp_class def_class borrow pbandwidth 40
          filter vx0 tcp_class 0 0 0 0 6
          class cbq vx0 csl_class tcp_class pbandwidth 10 red
          filter vx0 csl_class 0 0 133.138.1.0 netmask 0xffffff00 80 6
          filter vx0 csl_class 133.138.1.0 netmask 0xffffff00 0 0 80 6

          This way, I think csl_class has only 10% of the tcp_class, that has only 40% of the default_class, that has only 95% of the root_class.

          Not sure if this works how I think (haven't got time to test it), but I guess so.

          []'s.

    2. By Anonymous Coward () on

      That's not accurate. ALTQ does not play favorites, nor does it even know what interface is Internal, what's External, or what's going through it (on a high level) -- nor does it care.

      It's completely driven by configuration -- you can easily throttle any interface/IP/network you want.

    3. By Anonymous Coward () on

      If you have network <-> firewall <-> world then you can set up altq on both NICs on the firewall and it will work. This is because incoming traffic from the internet is outgoing traffic to the network.

    4. By RC () on

      Well, let's see... While I haven't used ALTQ, it seems you could work around your problem. How about assigning an IP address to a loopback interface, then routing traffic from your external interface to loopback? You could then do something like bridge loopback with your real internal interface. ALTQ on outgoing loopback would then affect incoming internet traffic, without affecting any other traffic that router handles.

  4. By Jacek Artymiak () on http://www.onlamp.com/pub/ct/58

    I'm finishing work on an article that explains how to install/use ALTQ on OpenBSD for O'Reilly.

    Comments
    1. By W () on

      Great! Looking forward to it!

    2. By stick () yli@wtwh.com.cn on mailto:yli@wtwh.com.cn

      How can I find the altq tutorial?
      I don't find it on http://www.onlamp.com/pub/ct/58
      Can you tell me?

  5. By Anonymous Bastard () notme@nothere.com on mailto:notme@nothere.com

    All I want is to limit my outgoing DSL traffic to 8KB/sec and that's it

    Sounds simple enough, but ALTQ makes Sendmail config files look like poetry :)

    Comments
    1. By W () on

      tbrconfig is your friend. To limit the outgoing bandwidth to, say, 2Mbit/s:

      tbrconfig your-nic 2M auto

      man tbrconfig for more information.

      Comments
      1. By Anonymous Coward () on

        You are the man! Thanks, this has just saved my colocated server's butt!

  6. By Dan () on

    I am using packeteer for my QoS needs. I am very happy with that machine!

    What I like the most is the fact that for TCP it is not using queues at all. It changes the window size inside the packets and delays ACKs. With that method of doing QoS you can control the bandwidth of incoming TCP packets!

    Can altq do TCP shaping?

    Comments
    1. By Anonymous Coward () on

      not in the way you described.

      but it can do diffserv QoS, i.e. some packets are dropped in preference to others for a single application stream.

      it also does very fine grain queuing using HFSC on output queues, which is how I use it.

      and on a 2 NIC firewall, _all_ packets go through an output queue on one of the NICs. ALTQ has the facility to do input queue stuff - but I haven't tried that yet.

  7. By stick () yli@wtwh.com.cn on mailto:yli@wtwh.com.cn

    I have two questions about altq on version 3.0.
    The first one is like yours. It seems that altqd on OpenBSD doesn't have the function Linux has, where users who belong to one subnet can dynamically share the band given. You must set it for every user/IP and add the parameter 'borrow' to the rule; then you can get the effect like in Linux.
    The second is:
    I have one NIC and run altqd on it in a server machine. I tested like this:
    a. download one file of 100MB from the server machine to a client machine through FTP. It does work and the result is good.
    b. upload one file of 100MB to the server machine from a client machine through FTP. The rules don't work; the bytes run into the default rule.
    c. download and upload run at the same time. Upload does work like just download and not upload. The upload has a very low band.
    I don't know how to express the result.
    I think maybe the altqd in OpenBSD is not complete and has errors in some places.
    The conf file is the following:
    interface le1 bandwidth 1600k cbq
    class cbq le1 root NULL pbandwidth 100
    #
    # meta classes
    #
    class cbq le1 ctl_class root pbandwidth 5 control
    class cbq le1 default_class root borrow pbandwidth 15 default
    class cbq le1 hostother root borrow pbandwidth 20
    filter le1 hostother 0 0 0 0 6
    filter le1 hostother 0 0 0 0 6
    class cbq le1 host141 root borrow pbandwidth 20
    filter le1 host141 10.1.1.141 0 0 0 6
    filter le1 host141 0 0 10.1.1.141 0 6
    class cbq le1 host195 root pbandwidth 15
    filter le1 host195 name host1951 ruleno 1 10.1.1.195 0 0 0 6
    filter le1 host195 name host1952 ruleno 2 0 0 10.1.1.195 0 6
    class cbq le1 host17 root borrow pbandwidth 25
    filter le1 host17 10.1.1.17 0 0 0 6
    filter le1 host17 0 0 10.1.1.17 0 6

    --------------------------------------------
    Hope somebody gives me a reply, thanks.
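A small linter for the altq.conf class hierarchy, added here as an example that covers both Rafael's nested-class sketch and stick's per-host config above; it is not code from either post or from OpenBSD. It reads pbandwidth the way Eric's "1% of the interface" remark and the "give at least 40% to TCP" comment in Rafael's sample both do, as a share of the interface bandwidth; that reading is an assumption of this example, and on it a class must fit inside its parent and siblings must not oversubscribe their parent. It also flags a filter line pasted twice, as in stick's config. Both sample configs are constructed for the example: the first is Rafael's hierarchy, the second is abridged from stick's with host141 raised to 70% so that the children of root add up to more than 100%.

```shell
#!/bin/sh
# altq_cbq_check: lint the class hierarchy of an altqd-style altq.conf.
# Assumption (this example, not altq.conf(5)): pbandwidth is a share of the
# INTERFACE bandwidth, so a class must fit inside its parent and siblings must
# not oversubscribe their parent. A filter line repeated verbatim is flagged
# too. Prints one line per class and one "FINDING:" line per problem; the exit
# status is the number of findings (0 = clean).
altq_cbq_check() {
    awk '
    BEGIN { bad = 0; n = 0 }
    # "10M", "1600k", "2000000" -> bits per second
    function to_bps(s,   v, u) {
        v = s + 0
        u = substr(s, length(s), 1)
        if (u == "M" || u == "m") return v * 1000000
        if (u == "K" || u == "k") return v * 1000
        return v
    }
    $1 == "interface" {          # interface <if> bandwidth <bps> cbq
        for (i = 2; i < NF; i++) if ($i == "bandwidth") ifbw[$2] = to_bps($(i + 1))
        next
    }
    $1 == "class" && $2 == "cbq" {   # class cbq <if> <name> <parent> [... pbandwidth <pct> ...]
        name = $4; p = $5
        if (p != "NULL" && !(p in pct)) {
            printf("FINDING: class %s: parent %s is not defined above it\n", name, p); bad++
        }
        parent[name] = p; ifname[name] = $3; pct[name] = 0
        for (i = 6; i < NF; i++) if ($i == "pbandwidth") pct[name] = $(i + 1) + 0
        order[++n] = name
        childsum[p] += pct[name]
        next
    }
    $1 == "filter" {             # an identical filter line adds nothing
        if ($0 in seen) { printf("FINDING: duplicate filter at line %d: %s\n", NR, $0); bad++ }
        seen[$0] = 1
        next
    }
    END {
        for (k = 1; k <= n; k++) {
            c = order[k]; p = parent[c]
            printf("%-14s parent=%-14s pbandwidth=%3d%% = %d bps\n",
                   c, p, pct[c], ifbw[ifname[c]] * pct[c] / 100)
            if (p != "NULL" && (p in pct) && pct[c] > pct[p]) {
                printf("FINDING: class %s (%d%%) exceeds parent %s (%d%%)\n", c, pct[c], p, pct[p]); bad++
            }
        }
        for (p in childsum) if ((p in pct) && childsum[p] > pct[p]) {
            printf("FINDING: children of %s sum to %d%% > its %d%%\n", p, childsum[p], pct[p]); bad++
        }
        exit bad
    }' "$1"
}

# Constructed sample 1: the nested hierarchy from the comment above (clean).
write_sample_nested() {
    cat > "$1" <<'EOF'
interface vx0 bandwidth 10M cbq
class cbq vx0 root_class NULL priority 0 pbandwidth 100
class cbq vx0 def_class root_class borrow pbandwidth 95 default
class cbq vx0 tcp_class def_class borrow pbandwidth 40
filter vx0 tcp_class 0 0 0 0 6
class cbq vx0 csl_class tcp_class pbandwidth 10 red
filter vx0 csl_class 0 0 133.138.1.0 netmask 0xffffff00 80 6
EOF
}

# Constructed sample 2: abridged from the per-host config above, with host141
# raised to 70% so root is oversubscribed, and the pasted-twice filter kept.
write_sample_perhost() {
    cat > "$1" <<'EOF'
interface le1 bandwidth 1600k cbq
class cbq le1 root NULL pbandwidth 100
class cbq le1 ctl_class root pbandwidth 5 control
class cbq le1 default_class root borrow pbandwidth 15 default
class cbq le1 hostother root borrow pbandwidth 20
filter le1 hostother 0 0 0 0 6
filter le1 hostother 0 0 0 0 6
class cbq le1 host141 root borrow pbandwidth 70
filter le1 host141 10.1.1.141 0 0 0 6
EOF
}

# Usage: altq_cbq_check /etc/altq.conf   (demo on the two samples below)
tmp=$(mktemp)
write_sample_nested "$tmp"; altq_cbq_check "$tmp"
write_sample_perhost "$tmp"; altq_cbq_check "$tmp" || echo "exit status $?"
rm -f "$tmp"
```

A clean hierarchy says nothing about direction: as several comments above point out, the classes sit on an output queue, so on a single-NIC server the filters only see packets leaving le1, which is why an upload from a client lands in the default class.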

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.