Help with limiting guest network's torrent usage

DD-WRT Forum Index -> Broadcom SoC based Hardware
Megaritis (DD-WRT Novice, joined 05 Sep 2012, 6 posts)
Posted: Wed Sep 05, 2012 14:06    Post subject: Help with limiting guest network's torrent usage
Hello everyone,

I'm using a linksys E4200v1 with DD-WRT v24-sp2 (03/19/12) big - build 18777 (dd-wrt.v24-18777_NEWD-2_K2.6_big-nv60k).

My own subnet uses the IP address range of 192.168.0.0/24.
I have created a guest wireless network on a bridge which I have named br1. Interface br1 has a DHCP server which is 192.168.2.1/255.255.255.0.
uPnP is enabled.

In the guest network there is heavy use of torrent clients which has a great impact on my local network's internet speed.

In order to overcome this I have enabled QOS, enabled an IP filter policy and applied a firewall script:

1. QOS settings are:
Premium priority to 192.168.0.0/24 (My subnet)
Bulk priority to 192.168.2.0/24 (The guest subnet).

2. IP filter policy is:
Block keyword "d1:ad2" on the IP address range of 192.168.2.2 - 192.168.2.254. I've read that blocking keyword "d1:ad2" blocks DHT.

3. My firewall script is:

Code:
# Firewall Script Start
# Wait 10 seconds for Router startup
sleep 10

# Allow access to modem IP
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

# br1 limit TCP and UDP connections
# Note: "-I" inserts at the top of the chain, so every later "-I FORWARD" in this
# script lands above these two rules. The "-i br1 ... NEW -j ACCEPT" below therefore
# ends up in front of them, and guest connections are accepted before connlimit runs.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -s 192.168.2.0/24 -m connlimit --connlimit-above 200 -j DROP
# "! tcp" on its own is not valid iptables syntax; the protocol match is "-p ! tcp"
iptables -I FORWARD -p ! tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 200 -j DROP

# br1 Web Access Only
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# inserted after, hence above, the ACCEPT: guest -> LAN is dropped before it is accepted
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# no -s match: rewrites the source of everything leaving via br0 to the router's LAN
# address, guest traffic included
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP

# inserted above the DROP, so DHCP and DNS from br1 still reach the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Limit uPnP
iptables -I INPUT -i br1 -p tcp --dport 5000 -j REJECT
iptables -I INPUT -i br1 -p tcp --dport 2869 -j REJECT
iptables -I INPUT -i br1 -p tcp --dport 1780 -j REJECT
iptables -I INPUT -i br1 -p udp --dport 1900 -j REJECT

# Limit br1 download speed (egress on br1 = traffic towards the guests)
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
# the class has to hang off the root "1:"; no class 1:1 exists to be its parent
tc class add dev br1 parent 1: classid 1:10 htb rate 2048kbit ceil 2048kbit prio 4
tc filter add dev br1 parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
# --set-mark replaces whatever mark the packet already carried
iptables -t mangle -A POSTROUTING -d 192.168.2.0/24 -j MARK --set-mark 10

## Limit br1 upload speed (commented out, see "Current issues" below)
# insmod imq
# insmod ipt_IMQ
# ip link set imq0 up
# tc qdisc del dev imq0 root
# tc qdisc add dev imq0 root handle 1: htb
# tc class add dev imq0 parent 1: classid 1:10 htb rate 192kbit ceil 192kbit prio 4
# tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
# tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
# iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j MARK --set-mark 10
# Without an "-i br1" match the jump below sends every packet arriving on every
# interface, WAN included, through the 192kbit imq0 queue; restrict it to br1:
# iptables -t mangle -A PREROUTING -i br1 -j IMQ --todev 0



What I aim to do with the above:
1. Limit the guest network's download speed to 2048kbps and upload speed to 192kbps.
2. Block any DHT connections caused by the guest network's torrent clients.
3. Block uPnP on the guest subnet.
4. Limit br1 to 200 TCP and 200 UDP connections.

Current issues:
1. Upload speed limiting in the firewall script has been commented out because when in use, the router stops responding after a while and I have to manually turn off and on the router in order to restore connectivity.
2. No matter what I have tried I wasn't able to limit br1's TCP and UDP connections.

If possible, can you also check if my firewall script is valid?

Thank you for your time,

Megaritis
Megaritis
Posted: Fri Sep 07, 2012 9:24
Bump
Megaritis
Posted: Sun Sep 09, 2012 13:03
Bump again :)
HMkX2 (DD-WRT Novice, joined 29 Jul 2012, 20 posts)
Posted: Wed Sep 12, 2012 8:31
Nice post! I was trying to do the same thing as you but there are a couple of problems. I'm surprised you got upload limiting working at all, I only could get download limiting working. I think it is a problem with the IMQ module in DD-WRT (versions 14000-19000ish). (I found the source of the problems -- NoCatSplash marks packets very similarly to IMQ, and was confusing it!!!)

http://lartc.org/howto/lartc.imq.html

This page instructs that QDISC limiting only works on EGRESS traffic...(i.e. router br1 ---->) and that part works fine ("download" limiting). It's the (<-----br1) "upload" part (imq) that is breaking -- in my case, letting all uploads through like a sieve.

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=709078

xt_connlimit was broken until very recently, so I couldn't use that. For the record, this is the script I was using to achieve Guest Wireless rate limiting:

Quote:
Removed - was similar to yours. The part causing problems with NoCatSplash:

tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10 <-- matches via marks
iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j MARK --set-mark 10 <-- overwrites NoCat mark!


Perhaps it would be possible to do some shaping at the wl0.1 interface? I have no idea. I hope this gets fixed soon! (Found the fix for IMQ, now have to find a way to implement it. Can you mark packets with multiple marks??)

-------------

Edit: As for your question, going by this amazing post on the Gentoo forums here ( http://forums.gentoo.org/viewtopic.php?t=225863 ), it may be possible to use TC filters on the eth0 interface INSTEAD OF imq on the br1 interface. You probably don't even have to specify a default bandwidth either. That post should help explain the technical parts along with (in order of usefulness):

http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.imq.html
http://wiki.openvz.org/Traffic_shaping_with_tc (Check out the latter half of the large "HTB Method" pasted script, starting with the ######UPLOAD LIMITING#### comment block. It's pretty much copy+paste.)
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=665610 (A really good forum post here)


Last edited by HMkX2 on Wed Sep 12, 2012 12:24; edited 1 time in total
HMkX2
Posted: Wed Sep 12, 2012 12:19
Ok, I found a script that works for me. Until I can teach myself how to use masks to mark a packet multiple times, this script uses u32 classifier to not need to mark packets.

Since it doesn't use marks, it is compatible with NoCatSplash as included with DD-WRT. It is also compatible with the "separate wireless lan" wiki article. Since it uses U32 instead of mark recognition, it *may* fix your issues too. Ignore the two "RTNETLINK answers: No such file or directory" errors -- the script deletes the qdiscs before starting, so the first time you run it it has nothing to wipe. Feel free to change the values and run it again to update.

Code:
#!/bin/sh
#HMkX2 Guest Wireless Limit Upload/Download Script
# (you may need some sleep 1's right before the filter commands, otherwise may go too fast)

#Ratelimiting
insmod xt_mark
insmod xt_mac
#Maybe don't need mac? (neither module is used below: the filters are u32, not mark or mac based)

insmod imq
insmod ipt_IMQ

###Download limiting###
# Egress on br1 is traffic flowing towards the guests, i.e. their downloads.

tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 1536kbit
#Maximum client "download" rate
tc qdisc add dev br1 parent 1:1 handle 10: sfq perturb 10
tc filter add dev br1 parent 1:0 prio 5 protocol ip u32 match ip dst 172.16.32.0/24 flowid 1:1
#Set your Guest Wireless (br1) ip range here
# (there is no "default" class on the htb root, so packets the filter does not
# match bypass the limit entirely)

###Upload limiting####

#Create a IMQ virtual queue, treat it like an interface
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 768kbit
#Maximum guest upload rate
tc qdisc add dev imq0 parent 1:1 handle 10: sfq perturb 10
tc filter add dev imq0 parent 1:0 prio 5 protocol ip u32 match ip src 172.16.32.0/24 flowid 1:1
#Set the "source" guest wireless range for upload limiting
#Add a jump from our PREROUTING chain to the IMQ: only packets arriving on br1 are queued
iptables -t mangle -I PREROUTING -i br1 -j IMQ --todev 0
ip link set imq0 up

##WARNING: the script rules don't check if someone is manually faking their IP on the WLAN
# to bypass bandwidth limiting. You need to have an iptables rule to check for that yourself.
# imq0 can be used anywhere, it simply screens passed traffic for that IP range.
# Delete "u32 match ip src <ip>" to dedicate imq0 to slowing down ALL traffic passed to it.
# (See the -Jump in iptables that screens for the br1 interface in general)



--------------------------------------

For your question about isolating router access, since I have multiple virtual adapters (tun/tap for vpn), I took a completely different approach.

By default I DROP'ed everything except traffic to/from outside (-i br1 -o !vlan2, -o !vlan2 -i br1) at the top of my FORWARD filter chains, then selectively permitted traffic before it hits the default "DROP" at the bottom. My wireless guests have absolutely 0 access to the local network. It seems you are permitting them some access? Some rules you put (iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` ) don't make sense - isn't SNAT to br0 enabled by default? (Couldn't br1 masquerade through that and gain access to your LAN?) I am leery of any rule that doesn't screen source/destination.

Do you want to lock them out entirely, or just prevent them from eating all your bandwidth?

To block UPnP, you would just need to add a chain to INPUT to -j DROP packets on the UPnP control ports from -i br1. It seems you have that... best way would be to connect and test. But again, you may be better off dropping *all* INPUT from br1 at the bottom of a chain listing what you permit. Please see my example.

Code:
#!/bin/sh
#HMkX2 CORE
#Lockdown script for Guest Wireless on a separate bridge

#########################
# Misc / General housekeeping
#########################

# vv (DUPLICATE) Rule may already exist! Check before enabling
##iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# vv Grant br1 internet access
iptables -t nat -I POSTROUTING -o `get_wanface` -s `nvram get br1_ipaddr`/`nvram get br1_netmask` -j SNAT --to `nvram get wan_ipaddr`

#########################
# Chain to control what br1 can forward to
#########################

iptables -N br1_FORWARD

# vv Stop torrents from spamming connections
#(WARNING) Connlimit is currently broken!!
# iptables -A br1_FORWARD -p tcp -m connlimit --connlimit-above 50 -j DROP
# iptables -A br1_FORWARD -p ! tcp -m connlimit --connlimit-above 25 -j DROP

# vv Allow br1 access to External-Facing Webserver (loopback)
# iptables -A br1_FORWARD -i br1 -p tcp -d `nvram get wan_ipaddr` --dport 80 -j ACCEPT

# vv Block chatter from br1 to anything other than outside
iptables -A br1_FORWARD -i br1 -o ! vlan2 -m state --state NEW -j DROP
iptables -A br1_FORWARD -i ! vlan2 -o br1 -m state --state NEW -j DROP

# vv Block br1 from connecting to outside subnet (DMZ'd cable modem perhaps)
iptables -A br1_FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

# .... if all else OK, default allow for br1 traffic
# (DUPLICATE!) This already exists at bottom of FORWARD chain!
# iptables -A br1_FORWARD -i br1 -m state --state NEW -j ACCEPT

# vv Add to top of FORWARD chain
iptables -I FORWARD -i br1 -j br1_FORWARD
iptables -I FORWARD -o br1 -j br1_FORWARD

#########################
# Chain to control what br1 can INPUT to router
#########################

iptables -N br1_INPUT

# vv Get rid of default accept
iptables -D INPUT -i br1 -j ACCEPT

# vv Allow connections to NoCatSplash
iptables -A br1_INPUT -p tcp -d `nvram get br1_ipaddr` --dport 5280 -j ACCEPT

#(WARNING) Allow SSH access from Guest wifi
# iptables -A br1_INPUT -p tcp --dport 22 -j ACCEPT
# vv If you are lazy and forget to change the IPs in your client...
# iptables -t nat -I PREROUTING -i br1 -d `nvram get lan_ipaddr` -p tcp --dport 22 -j DNAT --to `nvram get wan_ipaddr`:22

# vv Allow DHCP
iptables -A br1_INPUT -p udp --dport 67 -j ACCEPT

# vv Allow DNS
iptables -A br1_INPUT -p udp --dport 53 -j ACCEPT
iptables -A br1_INPUT -p tcp --dport 53 -j ACCEPT

# vv Unless previously allowed, BLOCK ACCESS TO ROUTER
iptables -A br1_INPUT -m state --state NEW -j DROP
iptables -I INPUT -i br1 -j br1_INPUT

#####################
# Chain-load other firewall scripts
#####################


#/jffs/Other_firewall_scripts_go_here.sh


Last edited by HMkX2 on Thu Sep 13, 2012 17:20; edited 1 time in total
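HMkX2's open question above (can a packet carry more than one mark?) is answered by mark masking: the 32-bit packet mark can be partitioned so that each user owns a bit range, written with MARK --set-xmark VALUE/MASK and matched by the fw classifier with the same VALUE/MASK, so the other bits are neither clobbered nor looked at. The script below is an added example for this thread, not HMkX2's, Megaritis's or DD-WRT's own code. It assumes the revision of the MARK target that understands --set-xmark is present on the build, that an htb class 1:10 already exists on imq0 as in the scripts above, that bits 0x10/0xf0 are free, and that OTHER_MASK is a placeholder standing in for whatever mask NoCatSplash or the QoS GUI really uses (read it off "iptables -t mangle -vnL" on the router). Run as-is it only prints the commands; IPT=iptables TC=tc applies them.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): reserve a bit range of
# the packet mark for guest-bridge shaping so marks set by NoCatSplash or the
# QoS GUI survive. The 0x10/0xf0 layout and OTHER_MASK are assumptions.
IPT=${IPT:-echo iptables}   # IPT=iptables TC=tc on the router to apply for real
TC=${TC:-echo tc}
GUEST_NET=${GUEST_NET:-192.168.2.0/24}
GUEST_MARK=0x10             # value written into the guest bits
GUEST_MASK=0xf0             # the bits we own; every other bit is left untouched

# marks_overlap MASK1 MASK2 -> exit 0 (true) when the two bit ranges share a bit
marks_overlap() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# guest_mark_rules: --set-xmark VALUE/MASK clears only the masked bits and sets
# VALUE in them; "handle VALUE/MASK fw" matches those bits alone, so a mark
# another tool put in the remaining bits is ignored on both sides.
guest_mark_rules() {
    $IPT -t mangle -A PREROUTING -i br1 -s "$GUEST_NET" \
        -j MARK --set-xmark "$GUEST_MARK/$GUEST_MASK"
    # queue br1 ingress into imq0, where the masked filter picks class 1:10
    $IPT -t mangle -A PREROUTING -i br1 -j IMQ --todev 0
    $TC filter add dev imq0 parent 1:0 prio 5 protocol ip \
        handle "$GUEST_MARK/$GUEST_MASK" fw flowid 1:10
}

# Refuse to touch the firewall if the guest bits collide with another mark
# user. OTHER_MASK=0x0f is a placeholder, not NoCatSplash's real mask.
OTHER_MASK=${OTHER_MASK:-0x0f}
if marks_overlap "$GUEST_MASK" "$OTHER_MASK"; then
    echo "guest mask $GUEST_MASK overlaps $OTHER_MASK, choose other bits" >&2
    exit 1
fi
guest_mark_rules
```

The check in marks_overlap is the whole point: two tools can share the mark only if their masks are disjoint, and the shaping filter must use the same mask as the MARK rule, otherwise a foreign bit set elsewhere makes the fw match fail.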
Megaritis
Posted: Wed Sep 12, 2012 23:15
HMkX2 wow.. just wow!

I'm experienced with computers in general but these scripts are something new to me and I still have lots of reading to do... so your input is really appreciated!

I don't want any access from br1 to my local network or router, so dropping by using !vlan seems a very good idea.

I will change my firewall script according to your suggestions and will post my results the following days. It will probably be a mix of my script and your script (although looking at it, it will look much more like yours).

Thank you for your help!
Megaritis
Posted: Fri Sep 14, 2012 18:33
Hi again,

Firstly, I hadn't managed to make upload limiting work either. Sorry for not mentioning that in my first post.

Quote:
http://lartc.org/howto/lartc.imq.html

This page instructs that QDISC limiting only works on EGRESS traffic...(i.e. router br1 ---->) and that part works fine ("download" limiting). It's the (<-----br1) "upload" part (imq) that is breaking -- in my case, letting all uploads through like a sieve.

As I have read it doesn't work for kernel 2.6 builds right?

Quote:
(Found the fix for IMQ, now have to find a way to implement it. Can you mark packets with multiple marks??)

Is the fix you mention on your second post? Just to be sure I replaced my download & upload limiting scripts with that one but upload limiting didn't work as expected.

Regarding multiple marks I think I can manage.

Quote:
Edit: As for your question, going by this amazing post on the Gentoo forums here ( http://forums.gentoo.org/viewtopic.php?t=225863 ), it may be possible to use TC filters on the eth0 interface INSTEAD OF imq on the br1 interface. You probably don't even have to specify a default bandwidth either. That post should help explain the technical parts along with (in order of usefulness):

I also did some tests by using eth0 instead of imq0 using the HTB method as mentioned in link http://wiki.openvz.org/Traffic_shaping_with_tc but I didn't manage to make it work either.

Quote:
##WARNING: the script rules don't check if someone is manually faking their IP on the WLAN
# to bypass bandwidth limiting. You need to have an iptables rule to check for that yourself.

Are you referring to download limiting? Because the upload limiting seems to already have a jump to the imq.

Quote:
Do you want to lock them out entirely, or just prevent them from eating all your bandwidth?

Both lock them out of my network and prevent them from eating all my bandwidth.

--------------------------------------------------------------------------

My current configuration:

1. QOS settings
Services http, httpvideo, httpaudio with Express Priority
Service ssh with premium priority
Service bittorrent with bulk priority
Netmask 192.168.2.0/24 with bulk priority

2. IP Filter settings - Block DHT
Applies to guest IP range 192.168.2.2-192.168.2.254
Block keywords "d1:ad2", "get_peers", "announce_peer" and "find_node"

3. Startup script:
Code:
sleep 20
# Increase active IP connections limit to 65536
echo "65536" > /sys/module/nf_conntrack/parameters/hashsize
nvram set ip_conntrack_max=65536

# Create connection between router and modem in subnet 192.168.1.0/24
# (must come before the loop below: that loop never terminates, so any
# command placed after it in this script is never reached)
ifconfig `nvram get wan_ifname`:0 192.168.1.2 netmask 255.255.255.0

# Workaround for issue where QoS when set to WAN sends uplink traffic to downlink queue
# Runs forever, so it is backgrounded with "&" to let the startup script finish.
WANIF=`get_wanface`
(
while sleep 10
do
   iptables -t mangle -vL PREROUTING | grep -q "$WANIF.*IMQ: todev 0"
   if [ $? != 0 ]
   then
      iptables -t mangle -I PREROUTING -i $WANIF -j IMQ --todev 0
   fi

   iptables -t mangle -vL FORWARD | grep -q "$WANIF.*IMQ: todev 0"
   if [ $? = 0 ]
   then
      iptables -t mangle -D FORWARD -i $WANIF -j IMQ --todev 0
   fi

   iptables -t mangle -vL PREROUTING | grep -q "br0.*IMQ: todev 0"
   if [ $? = 0 ]
   then
      iptables -t mangle -D PREROUTING -i br0 -j IMQ --todev 0
   fi
done
) &


4. Firewall script:
Code:
# Firewall Script Start
# Wait 10 seconds for Router startup
sleep 10

# Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# Allow access to modem IP
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

# ---- HMkX2 CORE ----
#Lockdown script for Guest Wireless on a separate bridge

#########################
# Misc / General housekeeping
#########################

# vv (DUPLICATE) Rule may already exist! Check before enabling
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# vv Grant br1 internet access
iptables -t nat -I POSTROUTING -o `get_wanface` -s `nvram get br1_ipaddr`/`nvram get br1_netmask` -j SNAT --to `nvram get wan_ipaddr`


#########################
# Chain to control what br1 can forward to
#########################

# The chain has to exist before anything can jump to it, so create it first
iptables -N br1_FORWARD

# vv Add to top of FORWARD chain
iptables -I FORWARD -i br1 -j br1_FORWARD
iptables -I FORWARD -o br1 -j br1_FORWARD

# vv Stop torrents from spamming connections
#(WARNING) Connlimit is currently broken!!
# iptables -A br1_FORWARD -p tcp -m connlimit --connlimit-above 50 -j DROP
# iptables -A br1_FORWARD -p ! tcp -m connlimit --connlimit-above 25 -j DROP

# vv Allow br1 access to External-Facing Webserver (loopback)
iptables -A br1_FORWARD -i br1 -p tcp -d `nvram get wan_ipaddr` --dport 80 -j ACCEPT

# vv Block chatter from br1 to anything other than outside
iptables -A br1_FORWARD -i br1 -o ! vlan2 -m state --state NEW -j DROP
iptables -A br1_FORWARD -i ! vlan2 -o br1 -m state --state NEW -j DROP

# vv Block br1 from connecting to outside subnet (DMZ'd cable modem perhaps)
iptables -A br1_FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

# .... if all else OK, default allow for br1 traffic
# (DUPLICATE!) This already exists at bottom of FORWARD chain!
# iptables -A br1_FORWARD -i br1 -m state --state NEW -j ACCEPT


#########################
# Chain to control what br1 can INPUT to router
#########################

iptables -N br1_INPUT

# vv Get rid of default accept
iptables -D INPUT -i br1 -j ACCEPT

# vv Allow connections to NoCatSplash
# iptables -A br1_INPUT -p tcp -d `nvram get br1_ipaddr` --dport 5280 -j ACCEPT

#(WARNING) Allow SSH access from Guest wifi
# iptables -A br1_INPUT -p tcp --dport 22 -j ACCEPT
# vv If you are lazy and forget to change the IPs in your client...
# iptables -t nat -I PREROUTING -i br1 -d `nvram get lan_ipaddr` -p tcp --dport 22 -j DNAT --to `nvram get wan_ipaddr`:22

# vv Allow DHCP
iptables -A br1_INPUT -p udp --dport 67 -j ACCEPT

# vv Allow DNS
iptables -A br1_INPUT -p udp --dport 53 -j ACCEPT
iptables -A br1_INPUT -p tcp --dport 53 -j ACCEPT

# Limit uPnP
# (the br1_INPUT jump inserted further down lands above these four rules, and
# br1_INPUT already drops every NEW packet from br1 that is not explicitly
# allowed, so they never drop anything and only add per-port packet counters)
iptables -I INPUT -i br1 -p tcp --dport 5000 -j DROP
iptables -I INPUT -i br1 -p tcp --dport 2869 -j DROP
iptables -I INPUT -i br1 -p tcp --dport 1780 -j DROP
iptables -I INPUT -i br1 -p udp --dport 1900 -j DROP

# vv Unless previously allowed, BLOCK ACCESS TO ROUTER
iptables -A br1_INPUT -m state --state NEW -j DROP
iptables -I INPUT -i br1 -j br1_INPUT

#####################
# Chain-load other firewall scripts
#####################

# ---- HMkX2 Guest Wireless Limit Upload/Download Script ----

#Ratelimiting
insmod xt_mark

insmod imq
insmod ipt_IMQ

###Download limiting###

tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 2048kbit
tc qdisc add dev br1 parent 1:1 handle 10: sfq perturb 10
tc filter add dev br1 parent 1:0 prio 5 protocol ip u32 match ip dst 192.168.2.0/24 flowid 1:1


###Upload limiting####

#Create a IMQ virtual queue, treat it like an interface
ip link set imq0 up
# WARNING: this deletes every qdisc, class and filter the QoS GUI placed on imq0
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 192kbit
tc qdisc add dev imq0 parent 1:1 handle 10: sfq perturb 10
tc filter add dev imq0 parent 1:0 prio 5 protocol ip u32 match ip src 192.168.2.0/24 flowid 1:1
#Add a jump from our PREROUTING chain to the IMQ
iptables -t mangle -I PREROUTING -i br1 -j IMQ --todev 0
ip link set imq0 up


This configuration seems to work very well.
Even if upload limiting doesn't work, QOS seems to properly prioritize me first; The guests use torrents without me actually noticing any significant drop in speed. E.g. My downstream is around 15000kbps and upstream is around 800kbps but I can easily stream 1080p video even when guests' torrents have gone wild.

Since connection limiting doesn't work for my current build I have increased the active connections limit to 65535.
(Is there any way to import Connlimit that works from the latest builds?)

Oh and also if GUI QOS marks the same packets as a firewall script, how are they handled?

Thank you,
Megaritis

EDIT: It looks I can't access my modem IP anymore. Any ideas?
HMkX2
Posted: Sun Sep 16, 2012 11:45
Megaritis, I need to clarify some things. It seems you may have misinterpreted my posts.

1) The commands listed above work, as long as you aren't using built-in DD-WRT QoS at the same time.

You see that "tc qdisc del dev imq0 root" command? That wipes out ALL rules using the imq0 device before proceeding. All that work the QoS GUI is doing? GONE. This is fine for me, since I don't use the GUI. However, you do. I have no idea what filters DD-WRT uses to do its rate limiting.

Normally you find out with a command like "tc filter show dev $DEV", but DD-WRT uses a stripped down version of tc that doesn't show any output. Sorry.

Normally, I'd just suggest creating a "new" imq device (imq4?) and use that for br1 filtering, but it seems the number of imq's DD-WRT creates is 2 (imq0, imq1). Run "ip link set imq[#] up" to test.

http://linuximq.net/foswiki/bin/view/IMQ/ImqFaq#I_need_more_than_two_IMQ_devices._How_can_I_create_more_63

Quote:
Edit: Check that, I figured out how to create more imq devices on DD-WRT. Please run the following commands --OR-- try the modified script below. Keep in mind you may have to re-create the rules DD-WRT uses on imq0 after you've deleted/removed the imq module/recreated the devices. I suggest trying to use imq1 first if it is unused.

rmmod imq
insmod imq numdevs=4 #(capped at 16)


2) I use Kernel 2.6 (kong mod 18527-ish) and imq & upload/download rate limiting works fine.

The "imq" problem I mentioned was a problem in DIRECTING traffic to imq0 when running NoCatSplash and the first script I posted at the same time. This doesn't apply to you.

The fix involves bitmasks and hexadecimal math and "--set-xmark" -- things I don't understand very well. Plus, I would have to re-write NoCatSplash from the ground up to implement it... not worth the effort.

3) The "IP Spoofing" hole I was talking about was people on BR1 could theoretically manually set their IP to something outside 172.16.32.* and get around bandwidth limiting. I've since fixed it. There is probably a more elegant way to code this (what about UDP? ICMP?), I just don't know what it is.

Code:
#!/bin/sh

#Ratelimiting
insmod xt_mark
insmod xt_mac

insmod imq
insmod ipt_IMQ

# Download: egress on br1
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 1536kbit
tc qdisc add dev br1 parent 1:1 handle 10: sfq perturb 10
#tc filter add dev br1 parent 1:0 prio 5 protocol ip u32 match ip dst 172.16.32.0/24 flowid 1:1
# match everything leaving br1, whatever address a guest has given itself
tc filter add dev br1 parent 1:0 prio 5 protocol ip u32 match ip dst 0.0.0.0/0 flowid 1:1


# Upload: imq1 instead of imq0, so the qdisc the QoS GUI keeps on imq0 is left alone
ip link set imq1 up
tc qdisc del dev imq1 root
tc qdisc add dev imq1 root handle 1: htb
tc class add dev imq1 parent 1: classid 1:1 htb rate 768kbit
tc qdisc add dev imq1 parent 1:1 handle 10: sfq perturb 10
#tc filter add dev imq1 parent 1:0 prio 5 protocol ip u32 match ip src 172.16.32.0/24 flowid 1:1
# imq1 only receives what the "-i br1" jump below hands it, so the source range
# no longer needs to be matched here
tc filter add dev imq1 parent 1:0 prio 5 protocol ip u32 match ip src 0.0.0.0/0 flowid 1:1
iptables -t mangle -I PREROUTING -i br1 -j IMQ --todev 1
ip link set imq1 up


4) You said you can't get into your modem IP. Are you talking about ROUTER ip or the CABLE MODEM ahead of it? By the fact you added in the "Limit UPnP" DROP rules when there is a default DROP rule right below it, I'm guessing you aren't familiar with Iptables. (Or, you are a guru, and want packet counters). If you are unfamiliar with something, or do not understand what it is doing, I suggest you avoid using it.

Are you yourself on br1? You may have to delete this line:
Quote:
iptables -A br1_FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
Try doing that and see if access to your modem is restored.
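On the address-spoofing hole HMkX2 describes in point 3: the 0.0.0.0/0 filters close it for the shaping, because imq1 only receives what the "-i br1" jump sends it, but Megaritis's QoS class (Netmask 192.168.2.0/24 with bulk priority) and the IP-filter range 192.168.2.2-192.168.2.254 still key on the address, so a guest with a hand-set IP outside the subnet sidesteps both. The script below is an added example for this thread, not code from HMkX2, Megaritis or DD-WRT. The chain name br1_antispoof is made up for it, and in_subnet is a pure-shell check of which addresses the "-s" match will admit. Run as-is it only prints the rules; IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): drop packets arriving on
# br1 whose source lies outside the guest subnet. Chain name br1_antispoof is
# an assumption. Run as-is to print the rules; IPT=iptables applies them.
IPT=${IPT:-echo iptables}
GUEST_IF=${GUEST_IF:-br1}
GUEST_NET=${GUEST_NET:-192.168.2.0/24}

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS -> exit 0 when IP lies inside NET/BITS
# (a dry check of what "-s NET/BITS" below will admit)
in_subnet() {
    _net=${2%/*}; _bits=${2#*/}
    _mask=$(( (0xffffffff << (32 - _bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# guest_antispoof_rules: one chain built with -A in the order it reads, then
# hooked once at the very top of INPUT and FORWARD so it runs before anything
# else (including br1_INPUT / br1_FORWARD from the lockdown script).
guest_antispoof_rules() {
    $IPT -N br1_antispoof
    # a client without a lease sends DHCP DISCOVER/REQUEST from 0.0.0.0; it has
    # to reach the router's DHCP server before the subnet check
    $IPT -A br1_antispoof -p udp -s 0.0.0.0 --sport 68 --dport 67 -j RETURN
    $IPT -A br1_antispoof -s "$GUEST_NET" -j RETURN
    $IPT -A br1_antispoof -j DROP
    $IPT -I INPUT 1 -i "$GUEST_IF" -j br1_antispoof
    $IPT -I FORWARD 1 -i "$GUEST_IF" -j br1_antispoof
}

guest_antispoof_rules
```

The DHCP exception is the part that is easy to forget: a bare "-i br1 ! -s 192.168.2.0/24 -j DROP" in INPUT would stop guests from ever obtaining an address, since their first packets carry source 0.0.0.0. Renewals come from the leased, in-subnet address and pass the second rule. Once this chain is in place, the address-keyed QoS class and IP-filter entries can only be bypassed by a guest who gives up connectivity altogether.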
Megaritis
Posted: Sun Sep 16, 2012 15:13
HMkX2, thanks for your clarifications and for the information about using "new" imq devices. I'll give it a try when I have some spare time.

HMkX2 wrote:
You said you can't get into your modem IP. Are you talking about ROUTER ip or the CABLE MODEM ahead of it?

It is a modem. I fixed it, it was the workaround in the startup script that was messing with it.

HMkX2 wrote:
By the fact you added in the "Limit UPnP" DROP rules when there is a default DROP rule right below it, I'm guessing you aren't familiar with Iptables. (Or, you are a guru, and want packet counters). If you are unfamiliar with something, or do not understand what it is doing, I suggest you avoid using it.

You are correct, I'm not familiar with iptables and I'm still learning the basics. Isn't that pretty obvious? That is the main reason I created this thread since I wanted some feedback regarding my configuration.
I won't avoid using iptables though, because I really want to learn through trial and error.
All times are GMT