Limiting Bandwidth in a Shared DSL Environment?

stylee asks: "We have a DSL connection that runs from a Cisco 675 DSL modem to a 24 port hub. Cat 5 cable has been run to the utility closet of each unit. The condo assoc. pays for the DSL from the monthly condo fees collected. The internet connection has been terribly slow the last few days, so I did a little snooping with ethereal and found that there is an individual who is using eDonkey 2000 to download and share movies. This user is eating up all the bandwidth. I want to set up a good router that can do load balancing so that an individual can't take up all the bandwidth and I was wondering what Slashdot would recommend. I would have to do it on the condo assoc. dime so it would have to be done on the cheap. Any suggestions?"

  • Mmm... Linux (Score:2, Interesting)

    by notamac ( 750472 ) *
    So a 2.4 (or a 2.6) kernel + iptables + some of the traffic shaping stuff (tc) sitting on a 486 that you can buy from the local second hand computer place for nothing, and things should be sweet.
    • Re:Mmm... Linux (Score:5, Informative)

      by innosent ( 618233 ) <> on Wednesday March 24, 2004 @01:44AM (#8653323)
      Or FreeBSD, we use our firewall box where I work, and use the traffic shaping portion of ipfw2 (man pages, ipfw at to limit bandwidth to certain hosts. FreeBSD allows you to add a rule that passes all traffic through either a pipe or queue (pipe is what you want), set the bandwidth, size of the backlog queue, and monitor usage of the pipes. If you set it up as a transparent bridge (see the advanced network topics in the FreeBSD Handbook at, you won't even have to change host settings. This way, you can limit traffic on an individual (or group) basis, monitor usage, and just drop the box between the main switch and the dsl router, turn it on, and pretty much forget it (especially if you don't allow remote access to the firewall, except maybe ssh or a VPN).

      The same can of course be done with Linux, but in my (though somewhat limited to my place of work) experience, FreeBSD's traffic shaper is a bit more reliable, and much easier to set up (it's all in the handbook). In our case, that box is a transparent bridge, accessible only via ssh or from the inside interfaces, with three NICs, one for the outside router, one for the inside public systems, and a third with private addresses, where natd (man natd, also integrated with ipfw via FreeBSD's divert sockets) translates the private addresses as they go out of one of the other two interfaces. We also run nagios (network monitor), etherape (looks cool when you see the traffic real-time on a GUI), and poptop (MSCHAPv2 capable VPN server), along with IDS logging via ipfw and tcpdump/ethereal, all on an old Duron we had laying around collecting dust.

      In all, our Firewall/VPN/IDS/Traffic Shaper/Network monitor cost us about $250 in hardware, and two days' labor. I saw a similar product (though in a nice 1U rackmount case) listed for $6000 at CDW, so whatever you do, you can't go wrong with Linux or FreeBSD on cheaper hardware, unless your time is worth a few thousand dollars an hour.
      • Re:Mmm... Linux (Score:5, Informative)

        by innosent ( 618233 ) <> on Wednesday March 24, 2004 @02:09AM (#8653442)
        One other thing, if you don't want to limit on a host-by-host basis, you could do it by type of service. Say you allocate 80% of your available bandwidth to common web, instant messaging, mail, and DNS traffic, and the remaining 20% for everything else. Just watch your tcpdump/ethereal/etc. logs for about a week to see the normal behavior (and the abuses). This way, the normal, non-abusive services are quick, while the unknown/abusive services are limited, which has a side benefit of discouraging improper use. Hell, if you can lock down the most abused ports, set the pipe they go through to 2400bps, and see how many people still use them in a week.
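As an added example (not code from the thread or from innosent), the service-class split described in the two comments above as a POSIX shell script for FreeBSD's dummynet: it reserves a percentage of each direction of the link for everyday services (web, mail, IM, DNS, ssh) in one pipe and puts everything else in a second, smaller pipe. Pipes are per direction, so a download flood cannot eat the upload pipe's allocation. The script prints the ipfw commands with `show` and executes them with `apply`; the interface name fxp0, the link rates and the percentage are constructed assumptions, and it assumes the box is routing or bridging with ipfw filtering enabled.

```sh
#!/bin/sh
# Constructed example: 80/20 service-class shaping with ipfw + dummynet.
# "show" prints the rules, "apply" runs them. Not part of the original thread.

EXT_IF=${EXT_IF:-fxp0}        # NIC facing the DSL router (assumed name)
UP_KBIT=${UP_KBIT:-128}       # set just under the modem's real sync rates (assumed)
DOWN_KBIT=${DOWN_KBIT:-1536}
NORMAL_PCT=${NORMAL_PCT:-80}  # share reserved for the everyday services below

# Ports counted as "normal": ssh, smtp, http, pop3, imap, https, imaps, pop3s, AIM; DNS over UDP.
NORMAL_TCP="22,25,80,110,143,443,993,995,5190"
NORMAL_UDP="53"

# $1 = link rate in kbit, $2 = percentage; integer arithmetic is fine at these sizes.
pct_kbit()  { echo $(( $1 * $2 / 100 )); }
rest_kbit() { echo $(( $1 - $(pct_kbit "$1" "$2") )); }

ipfw_rules() {
  up_n=$(pct_kbit "$UP_KBIT" "$NORMAL_PCT");   up_o=$(rest_kbit "$UP_KBIT" "$NORMAL_PCT")
  dn_n=$(pct_kbit "$DOWN_KBIT" "$NORMAL_PCT"); dn_o=$(rest_kbit "$DOWN_KBIT" "$NORMAL_PCT")
  echo "ipfw -q flush"
  echo "ipfw -q pipe flush"
  # One pipe per class and direction. Short queues keep latency low once a pipe fills.
  echo "ipfw pipe 1 config bw ${up_n}Kbit/s queue 10"
  echo "ipfw pipe 2 config bw ${up_o}Kbit/s queue 10"
  echo "ipfw pipe 3 config bw ${dn_n}Kbit/s queue 20"
  echo "ipfw pipe 4 config bw ${dn_o}Kbit/s queue 20"
  # Outbound: normal services into pipe 1, everything else into pipe 2.
  echo "ipfw add 100 pipe 1 tcp from any to any dst-port $NORMAL_TCP out via $EXT_IF"
  echo "ipfw add 110 pipe 1 udp from any to any dst-port $NORMAL_UDP out via $EXT_IF"
  echo "ipfw add 120 pipe 2 ip from any to any out via $EXT_IF"
  # Inbound: replies from normal services into pipe 3, the rest into pipe 4.
  echo "ipfw add 200 pipe 3 tcp from any src-port $NORMAL_TCP to any in via $EXT_IF"
  echo "ipfw add 210 pipe 3 udp from any src-port $NORMAL_UDP to any in via $EXT_IF"
  echo "ipfw add 220 pipe 4 ip from any to any in via $EXT_IF"
  # Shaping only; with one_pass enabled shaped packets already leave the firewall here.
  echo "ipfw add 65000 allow ip from any to any"
}

ipfw_apply() { ipfw_rules | sh -ex; }

case "${1:-}" in
  apply) ipfw_apply ;;
  show)  ipfw_rules ;;
esac
```

Watch the pipes with `ipfw pipe show` for a week, as the comment suggests, and move ports between the two classes as the real traffic mix becomes clear; lowering NORMAL_PCT or the "other" pipe's rate is the knob for discouraging the unknown services.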
  • by xoran99 ( 745620 ) on Wednesday March 24, 2004 @12:49AM (#8653026)
    What my university always did was, if a single user was using a lot of bandwidth on a constant basis, simply turn off their connectivity. When people learn to police themselves, stuff works better.
    • Well that's one way to solve it. Still it doesn't work for all of us.

      In my case, (I work as a sysadmin at a web-hosting company), we are considering implementing some sort of transparent bridge to limit traffic to WWW-servers in case we need to use our backup line. People can stand having slow WWW-traffic for a while, but mail/dns, especially smtp MUST work all the time.

      In short, I cannot just pull the plug on our large web-servers :-), but I do want to delimit their traffic in case of a network problem.
    • I was gonna mod you up but you were already pegged - so I will simply agree with you.

      Unplug his ass. Unplug his wire from your switch and plug it into a cheapo Linksys cablemodem router (that isn't connected to anything else) so he gets a DHCP address - but no connectivity (that part is just for fun, makes it a real bitch for him to self-diagnose an outage when he can ping the router, get a DHCP address, and his neighbor still has Internet connectivity.) When he comes up wondering why he can't get out to
      • when he comes up wondering why he can't get out to the net show him the logs and explain that one guy using 95% of the bandwidth is not acceptable and he can either cut it out or go get his own dedicated pipe to the 'net.

        That would be the three-year-old's approach.

        No, instead, just talk to the user first.

        It is MUCH more complicated if that user is paying you money for the service (albeit not much money). If you didn't explicitly state in some sort of contract an acceptable use policy, YOU are the one wh
        • I agree, inasmuch as you will agree that the user seemed to adopt a three-year-old's approach to the shared resources in the first place (cue the 'squeal voice' : Mine - gimme - mine - me no share.) Either he knows he is eating ALL the bandwidth and doesn't care or he has no clue that he is flooding the pipe - one of those is true and both is equally childish.

          But yes, I agree that the association needs to immediately draft a TOS (terms of service) letter with regards to the shared dataline. Unless he is
  • FreeBSD + ipfw should be able to handle this for you rather nicely. Find yourself an old P-200 or similar and put a couple NICs in it. That should be enough hardware to accomplish your goal.
  • You can run traffic shaping using a linux box. It may be that eDonkey eats up most of the upload traffic so ACKs cannot be sent back, which slows down the download too.
    • Why bother using another device? The router that he has is a Cisco IOS router. It supports the traffic shaping commands built into the IOS.

      access-list 101 permit tcp any any eq

      access-list 102 permit tcp any eq any

      interface dsl 0
      traffic-shape group 101 256000

      interface ethernet 0
      traffic-shape group 102 256000

      Simple and to the point. If you need any more buckets, go to Cisco's web site.
  • first off (Score:3, Interesting)

    by glen604 ( 750214 ) on Wednesday March 24, 2004 @12:51AM (#8653037)
    it sounds like your condo association needs an internet usage policy- considering this guy's actions could get everyone in trouble.
  • Freshmeat (Score:5, Informative)

    by wed128 ( 722152 ) <<woodrowdouglass> <at> <>> on Wednesday March 24, 2004 @12:51AM (#8653040)
    I always look on for these things... here's a tip...

    Linux Bandwidth Arbitrator [] looks like it was designed for this sort of thing...
    • Linux Bandwidth Arbitrator is a really good product. It's updated constantly, easy to set up and use (well, relatively), lots of options for buying it or downloading it, and it actually works.
  • switch! (Score:3, Informative)

    by moosesocks ( 264553 ) on Wednesday March 24, 2004 @12:58AM (#8653071) Homepage
    What you need is a managed switch. They will allow you to limit bandwidth or completely disconnect a specific port. HP's switches are supposed to be particularly good

    Be warned... a managed switch WILL cost several times more than a normal switch.

    But apart from that, your only other choice is to use some sort of arbitrary setup to limit bandwidth to certain IP addresses and force each user to have one static IP (virtually impossible to enforce with your setup)
  • by dnight ( 153296 ) < minus caffeine> on Wednesday March 24, 2004 @12:59AM (#8653077)
    Refund the portion of his condo fees used for DSL, and tell him to get his own DSL line.

    If he's illegally sharing files, he won't squawk too loudly.

  • OpenBSD or FreeBSD (Score:5, Insightful)

    by plsuh ( 129598 ) <plsuh.goodeast@com> on Wednesday March 24, 2004 @12:59AM (#8653080) Homepage
    OpenBSD has support for limiting classes of bandwidth for quality of service as a part of the pf(4) firewall. See the part of the pf user's guide [] that covers how to do it.

    FreeBSD also has built-in support via the altq facility that is a part of the ipfw firewall.

    My druthers would be to use OpenBSD for this as it's not a CPU-bound problem and security on your router should be very high on your list of priorities.

  • At my house we have four guys and we all download pretty heavily (bittorrent, edonkey, gnutella, etc.) Unlimited this just chokes up the whole connection (a fragile cable modem that gets confused if it gets too many packets)
    So I just run "tc qdisc add dev eth1 root tbf rate 250kbit latency 20ms burst 2kb". This keeps the network running at full speed with all the downloads going.
    Checkout the Bandwidth Limiting HOWTO on
    • The problem is that this still has severe problems. It does avoid the awful latency problems once someone starts using the network and fills up the modem's outbound buffer. It does not evenly share out bandwidth.

      It requires the hosts on the inside side of the shaper to regulate their own traffic, via TCP throttling from packet loss. Unfortunately, TCP only knows about the single stream that it's dealing with. Most P2P clients these days have *scads* of TCP connections open at any given time. Which mea
  • Would it be too hard to change his hosts file so he thinks the internet's broken? Heh.
  • DSL shaping system (Score:5, Informative)

    by 0x0d0a ( 568518 ) on Wednesday March 24, 2004 @01:19AM (#8653179) Journal
    I set up a DSL traffic shaper on Linux a bit ago. It's a bit of a pain in the ass to figure out the right things to do, and I don't have the script handy, but here are some pointers (given that this is from memory, some of this will probably be wrong).

    Get a Linux box. Get two NICs (c'mon, NICs are cheap these days, and the DSL modem only needs a 10Mbit one).

    Set up bridging on the Linux box.

    ifconfig eth0
    ifconfig eth1
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1

    If your boxes use DHCP, you might want to give your shaper an outside IP address (so that it can run ntp and the like, if nothing else). Use br0 as the interface -- this tripped me up at first.

    dhclient br0

    Add per-host rate limiting. There are two *excellent* solutions to do this automatically under Linux -- esfq and wrr. Both automatically detect IP addresses on one side and spread bandwidth out evenly. Neither is apparently actively maintained, unfortunately, so if you're using a 2.6 kernel, you're out of luck. Your best bet is probably HTB (which *is* included in 2.6 and I believe current 2.4 kernels). HTB requires you to manually create a child of the main HTB qdisc for each IP address, and filter based on source IP address (or source MAC address, which is probably more appropriate if you have a single Ethernet segment and dynamically assigned IP addresses) but lets you filter traffic differently for each host. For a small network, this may be feasible. I'd hang another qdisc off of the HTB that reduces the priority of P2P *within* each host's account, so that someone can use spare bandwidth for eDonkey or whatever, but still retains reasonably snappy SSH, even on their own box.

    You must set the maximum flow of the HTB just below the DSL modem's data transfer rate, or else the modem's buffer will fill up when outbound traffic fills up its (big) buffer, making interactive use impossible. Keep reducing the limit and then ping flooding (ping -f) the outside world from an inside box. Keep a regular ping running in another terminal, and monitor it. When your system is working right *ping times should not climb above 150 or 200ms or so on a box*. No 1000ms latency. You should simply start seeing packet loss.

    I must say that setting something like this up was a huge pain in the ass, and that if I had the script handy at the moment, I'd post it. The Linux networking/filtering/routing system is not as well documented as it should be, and is *not* always the most intuitive thing in the world. It is, apparently, pretty powerful, based on what I've read from folks that have used other systems, though. [shrug]

    Speaking of which, I can't figure out why sfq is in mainstream Linux but esfq is not. SFQ is, to my mind, almost useless for most people. Who on earth wants to balance all their TCP flows evenly? Even per-host bandwidth allocation is a *far* more common problem, and one that vanilla Linux (and any 2.6 kernel) cannot handle well.

    I did not find it necessary to use ebtables or ipchains to produce an effective traffic shaper. YMMV.
    • by 0x0d0a ( 568518 )
      I did not find it necessary to use ebtables or ipchains to produce an effective traffic shaper.

      And by this I mean that all the commands that you'll have to use that I didn't already list should start with tc.
    • Oh, yes. If you're just giving br0 a static IP, don't forget to bring the interface up.

      ifconfig br0 [or whatever your IP is]
      ifconfig br0 up
    • As another followup, I looked on Freshmeat, and couldn't find anything that did what I wanted. It seems that it's all the rage to have traffic shapers also do NAT, which I *really* did not want.

      I don't think Freshmeat is currently a good place to go when looking for a traffic shaping system to do this sort of thing.
    • by 0x0d0a ( 568518 )
      As another aside, some distros bundle pump as the DHCP client, rather than dhclient.

      Oh, speaking of DHCP, big tip for Red Hat/Fedora users. Absolutely do not use the vanilla ifup scripts that Red Hat provides. They *suck*. If you are on any kind of a consumer DSL connection, every now and then (perhaps rare, perhaps common) you will lose your connection, for whatever reason. For some reason, Red Hat sets up their copy of dhclient to *give up* if it fails to get a dhcp lease, which means I frequently en
    • HTB matching (Score:3, Informative)

      by 0x0d0a ( 568518 )
      Don't forget to add a default class to the HTB to match any MAC that all your previous matching work didn't match. That way, anyone that you *haven't* added a MAC entry for (adding a child to the HTB tree) will at least go into a general class and get connectivity...they just have to share it with all the other people in the "general" class.

      You may want to toy with the idea of having a perl script or something look at unmatched packets or maybe scrape the ARP cache (arp -a) to automatically add new entri
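As an added example (not code from the thread or from 0x0d0a), here is the recipe from this post and its "HTB matching" follow-up written out as a POSIX shell script: a two-NIC bridge, an HTB tree per NIC with one class per known host matched on MAC (source MAC on the modem-facing NIC for uploads, destination MAC on the LAN-facing NIC for downloads), an sfq under each host class so one host's many P2P flows don't starve its own interactive traffic, and the default class for unmatched hosts that the follow-up recommends. The qdiscs sit on the member NICs rather than on br0, because bridged frames leave through the ports and a qdisc on br0 only sees the shaper's own traffic. `show` prints the ip/tc commands, `apply` runs them. The names eth0/eth1, the rates and the MAC addresses are constructed assumptions, and the `match ether src|dst` u32 selector assumes a reasonably recent iproute2.

```sh
#!/bin/sh
# Constructed example: per-host HTB shaping on a two-NIC Linux bridge.
# "show" prints the commands, "apply" runs them. Not part of the original thread.

WAN_IF=${WAN_IF:-eth0}        # NIC toward the DSL modem: shapes uploads
LAN_IF=${LAN_IF:-eth1}        # NIC toward the hub/switch: shapes downloads
UP_KBIT=${UP_KBIT:-120}       # keep a little below the modem's real upstream rate
DOWN_KBIT=${DOWN_KBIT:-1400}  # and below its downstream rate (assumed values)
# Constructed MAC addresses of the hosts that get a class of their own.
HOSTS=${HOSTS:-"00:11:22:33:44:01 00:11:22:33:44:02 00:11:22:33:44:03"}

count_hosts() { set -- $HOSTS; echo $#; }

# Guaranteed rate per known host: 90% of the link ($1 kbit) split over $2 hosts.
share_kbit()   { echo $(( $1 * 90 / 100 / $2 )); }
# Whatever is left goes to the default class for hosts not listed in HOSTS.
default_kbit() { echo $(( $1 - $(share_kbit "$1" "$2") * $2 )); }

bridge_rules() {
  echo "ip link add name br0 type bridge"
  echo "ip link set $WAN_IF master br0"
  echo "ip link set $LAN_IF master br0"
  echo "ip link set $WAN_IF up"
  echo "ip link set $LAN_IF up"
  echo "ip link set br0 up"   # run dhclient br0 afterwards if the box needs an address
}

# Emit the HTB tree for one NIC. $1 = device, $2 = link rate in kbit,
# $3 = "src" (upload side: the sender's MAC) or "dst" (download side: the receiver's MAC).
htb_rules() {
  dev=$1; rate=$2; dir=$3
  n=$(count_hosts)
  share=$(share_kbit "$rate" "$n")
  rest=$(default_kbit "$rate" "$n")
  echo "tc qdisc del dev $dev root 2>/dev/null || true"
  # Anything no filter matches lands in class 1:99 instead of bypassing the shaper.
  echo "tc qdisc add dev $dev root handle 1: htb default 99"
  echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit"
  i=10
  for mac in $HOSTS; do
    # Each host gets a guaranteed share but may borrow up to the whole link when idle.
    echo "tc class add dev $dev parent 1:1 classid 1:$i htb rate ${share}kbit ceil ${rate}kbit"
    # Per-flow fairness inside the host's class keeps its ssh snappy next to its P2P flows.
    echo "tc qdisc add dev $dev parent 1:$i handle $i: sfq perturb 10"
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ether $dir $mac flowid 1:$i"
    i=$((i + 1))
  done
  echo "tc class add dev $dev parent 1:1 classid 1:99 htb rate ${rest}kbit ceil ${rate}kbit"
  echo "tc qdisc add dev $dev parent 1:99 handle 99: sfq perturb 10"
}

shaper_rules() {
  bridge_rules
  htb_rules "$WAN_IF" "$UP_KBIT" src
  htb_rules "$LAN_IF" "$DOWN_KBIT" dst
}

shaper_apply() { shaper_rules | sh -ex; }

case "${1:-}" in
  apply) shaper_apply ;;
  show)  shaper_rules ;;
esac
```

Tune UP_KBIT and DOWN_KBIT with the ping test from the post: if a `ping -f` from an inside box pushes a normal ping's round trip toward a second, the rate is still above what the modem can drain and its buffer is filling; lower it until you see packet loss rather than latency. Note that the per-host rates add up to exactly the parent rate, which HTB requires for the guarantees to mean anything.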
  • IPCop (Score:3, Informative)

    by Anonymous Coward on Wednesday March 24, 2004 @01:30AM (#8653242)
    IPCop [] v1.3 w/ Wondershaper [] or wait a couple more weeks for 1.4 which will have bandwidth shaping built in. It's a linux distro just for firewall/routers, runs on anything from a 486 up.
  • by meta-monkey ( 321000 ) on Wednesday March 24, 2004 @01:33AM (#8653260) Journal
    Several posters have already mentioned managed switches, linux routers with iptables, etc, but I've got a much simpler solution for you. It's a wonderful product manufactured by the Louisville Slugger [] corporation called a "baseball bat." With this fine product in hand, march over to the offending user's apartment, and smartly inform him that he is using too much bandwidth. If he refuses to self-throttle his bandwidth, offer to throttle him and his computer with the genuine wood Louisville Slugger baseball bat. Problem solved. Thank me later.
    • Here's the problem though, have you seen a P2P client that has a "no, don't use my entire bandwidth, I want to download at 2400bps" option? If people download anything, their system will attempt to move packets at the fastest speed possible, and one heavy user can affect all others. It doesn't matter who the user is today, the original poster wants a solution to the problem tomorrow. A DSL line is not that fast, so chances are pretty good that if one user downloads something large, they could max out the
      • "Here's the problem though, have you seen a P2P client that has a "no, don't use my entire bandwidth, I want to download at 2400bps" option?"

        The better bittorrent clients let you do exactly that, specifying a limit to how much bandwidth it can consume. ^^
        • >
          >The better bittorrent clients let you do exactly that, specifying a limit to how much bandwidth it can consume.

          The better bittorrent clients let you limit the UPLOAD speed, I have yet to see one that lets you limit the DOWNLOAD speed, which is what the original poster was asking. If you know of one, please share, because I have been looking for one.
          • The better bittorrent clients let you limit the UPLOAD speed, I have yet to see one that lets you limit the DOWNLOAD speed, which is what the original poster was asking. If you know of one, please share, because I have been looking for one

            The way bittorrent works is that your upload speed sets your download speed. If you don't upload at all, you won't be able to download. That's why it works!
            • I have my bittorrent upload capped at 5K, but my bittorrent download still hits 50K+ which all but kills my ability to do anything else while I'm using bittorrent.
              If there is a download/upload ratio, presumably based on my numbers it is greater than 10/1.
              I would like my download to be capped at 20K, but I haven't found a bittorrent client that lets me do that yet.
              • Well.. All I know is what I read from bt's page:

                Q: I don't want you stealing my bandwidth! How can I stop it from uploading?

                A: You could hack the source to not upload, but then your download rate would suck. BitTorrent downloaders engage in tit-for-tat with their peers, so leeches have very little success downloading.
          • Shareaza [] will let you limit up and down speed. Supports Gnutella1, Gnutella2, eDonkey, and Bittorrent
            • Here is the creator of bittorrent's opinion of shareaza, which I found kindof interesting:

     4 912 []

              Suffice it to say that shareaza is not only written incompetently but makes every attempt it can to squeeze whatever it can out of the network, regardless of how much damage to the network as a whole that results in. In BitTorrent the amount of damage you can do is fairly limited. In edonkey it took the whole search system down. Come to think of it, I'm feelin

      • Here's the problem though, have you seen a P2P client that has a "no, don't use my entire bandwidth, I want to download at 2400bps" option?

        Of course. The problem user has one already, assuming his version of eDonkey is reasonably current.
    • Policy solutions are generally less scalable, harder to enforce, and cause more social issues in enforcement than technical solutions. If one can manage a technical solution, I'd prefer it.

      More to the point, a traffic shaper knows about the current demands that all the computers are putting on the network. Each individual computer with throttling capabilities does not. Sure, Bob can throttle his traffic down to 3KBps, but that means that when nobody else is using the network, he isn't taking advantage o
  • M0n0Wall (Score:5, Informative)

    by mcowger ( 456754 ) on Wednesday March 24, 2004 @01:34AM (#8653265)
    Monowall ( is a great application for this. Can run from CDROM, CF or on a Soekris board - can do per IP bandwidth limiting/shaping, and totally free, based on BSD. It was trivial for me to set it up here.
  • by NanoGator ( 522640 ) on Wednesday March 24, 2004 @01:45AM (#8653329) Homepage Journal
    I'd recommend politely approaching the guy and asking him to throttle it down a bit. If he agrees, problem solved. If he refuses, cut his connection. Why spend more money to solve the problem of one abuser?
    • Because after you've told the tenth person, your time tracking them down, talking to them, and making sure they comply has been worth more than the traffic shaper. One person may cause the problem today, but three more may start next week. Plus, you have to police them if you don't put a shaper in, which also costs you time/money.
  • []

    It's difficult to understand, much less set up, but essentially the stuff from this site can solve your problem by tightly controlling outbound traffic (since it is possible to have perfect control over what packets you release to the network) and by loosely attempting to control inbound traffic (since it isn't really possible to perfectly control what packets other people send you).

    For example, my home setup has four priority classes:

    Class 0:10 is for high priority traffic: ping replie
    • Not a bad solution, but the ingress traffic from P2P software will mostly circumvent this, unless the problem is outbound traffic from the offending user. This is where FreeBSD's pipes and integration with ipfw come in handy. IPFW is stateful, so for each outbound connection that should be limited, the response can be forced through the same limits (though the ipfw man pages suggest using separate pipes with larger queues, a single pipe with a small queue size works better in my opinion). If the rule tha
    • OK, here's the text of my paper, for those of you who don't want to click a link. :)

      Traffic Conditioning For Inexpensive Installations
      Business-Class Performance From Free Software and Commodity Hardware

      By Michael Spencer

      Broadband internet connections don't handle heavy server loads very well. When many
      connections are in contention for the same limited upstream bandwidth, problems occur
      that degrade overall link performance. I have found a solution that can be implemented
      with inexpensive

  • throttled (Score:3, Informative)

    by megabulk3000 ( 305530 ) on Wednesday March 24, 2004 @02:26AM (#8653503) Homepage
    If the offending user's on OS X (which they probably ain't, but) they should install Throttled [] on their machine. That's what I use to keep my roommates from getting too pissed about pokey net connections when I'm "riding the donkey."

    I used to use CarraFix, but Throttled whips the shit out of it.

    I had to play around with the startup file for a few hours to get it working right. Here's my relevant modifications, if anyone's interested:

    /usr/local/sbin/throttled -s $MAXSPEED -d 17777 -p 1 -d 17778 -p 2
    #added another socket for mldonkey
    /usr/local/sbin/throttled -s 5120 -d 5555 -p 3
    # all rules below are for ipfw, there are many ways you can set this up.
    # we have simplified this for new users by removing ip specific ipfw rules.
    # this fixes issues for dynamic ip users, but if you want rules bound to
    # a single ip you can use either of the examples below.
    # the line below finds your ip automatically
    # IP=$(/sbin/ifconfig $INTERFACE inet | /usr/bin/sed -n 's/^.*inet\ \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*/\1/p' | tail -n 1)
    # you can also specify the ip address by doing
    # IP=
    # IP = any
    # default prioritized configuration ( style config)
    # these rules allow http/https/ssh/telnet/smtp/aim/pop/irc/sirc
    # to be prioritized by the throttle.
    # Setting up the configuration this way catches more file transfer types
    # and minimizes lag in response driven services.
    # prioritize http/https
    /sbin/ipfw add divert 17778 tcp from $IP to any 80 out xmit $INTERFACE
    /sbin/ipfw add divert 17778 tcp from $IP to any 443 out xmit $INTERFACE
    # prioritize ssh and telnet
    /sbin/ipfw add divert 17778 tcp from $IP to any 22 out xmit $INTERFACE
    /sbin/ipfw add divert 17778 tcp from $IP to any 23 out xmit $INTERFACE
    # prioritize imap and smtp
    /sbin/ipfw add divert 17778 tcp from $IP to any 143 out xmit $INTERFACE
    /sbin/ipfw add divert 17778 tcp from $IP to any 25 out xmit $INTERFACE
    #carrafix style
    /sbin/ipfw add divert 17778 tcp from $IP to any 25 via $INTERFACE
    # prioritize ftp directory listings
    /sbin/ipfw add divert 17778 tcp from $IP to any 21 out xmit $INTERFACE
    # prioritize aim or iChat
    /sbin/ipfw add divert 17778 tcp from $IP to any 5190 out xmit $INTERFACE
    # prioritize msn
    # /sbin/ipfw add divert 17778 tcp from $IP to any 1863 out xmit $INTERFACE
    # prioritize pop3
    /sbin/ipfw add divert 17778 tcp from $IP to any 110 out xmit $INTERFACE
    # prioritize irc and sirc
    /sbin/ipfw add divert 17778 tcp from $IP to any 6667 out xmit $INTERFACE
    /sbin/ipfw add divert 17778 tcp from $IP to any 6668 out xmit $INTERFACE
    /sbin/ipfw add divert 17778 tcp from $IP to any 9999 out xmit $INTERFACE
    # prioritize hotline and carracho "listing" ports (client end)
    /sbin/ipfw add divert 17778 tcp from $IP to any 5500 out xmit $INTERFACE
    /sbin/ipfw add divert 17778 tcp from $IP to any 6700 out xmit $INTERFACE
    # prioritize hotline and carracho "listing" ports (server end)
    # /sbin/ipfw add divert 17778 tcp from $IP 5500 to any out xmit $INTERFACE
    # /sbin/ipfw add divert 17778 tcp from $IP 6700 to any out xmit $INTERFACE
    #throttling mldonkey
    /sbin/ipfw add divert 5555 tcp from $IP 4662 to any out xmit $INTERFACE
    /sbin/ipfw add divert 5555 udp from $IP 4666 to any out xmit $INTERFACE
    #carrafix style
    #/sbin/ipfw add divert 5555 tcp from $IP to any 4662 via $INTERFACE
    #/sbin/ipfw add divert 5555 udp from $IP to any 4666 via $INTERFACE
    #throttling overnet (are all these necessary?)
    /sbin/ipfw add divert 5555 tcp from $IP 4391 to any out xmit $INTERFACE
    /sbin/ipfw add divert 5555 tcp from $IP to any 4391 out xmit $INTERFACE
    /sbin/ipfw add divert 5555 udp from $IP 4391 to any out xmit $INTERFACE
    /sbin/ipfw add divert 5555 udp from $IP to any 4391 out xmit $INTERFACE

  • Cisco has declared the 675 router dead, and stopped supporting it. Before they declared it dead, there were frequent security upgrades, giving the impression that it might not be secure now. Cisco had bought the 675 technology from another company; it was not designed as a Cisco product.

    So, maybe it would be sensible to buy a new router, and maybe that router would have load balancing. SMC [] seems to be a reputable company, but I don't see any SMC routers with balancing.
  • by Alex ( 342 ) on Wednesday March 24, 2004 @04:25AM (#8653913)

  • If it's one Windows user and you don't have the time/resources to set up a free-Unix bandwidth shaper, you can ask the offender to run NetLimiter ... it costs money, but works great, and even improves transfer performance (If you cap your upload and download a few percent below the actual maximum capacity on the line, it doesn't back off and have to retransmit dropped packets from bandwidth overage). Google for it, I think it's at
    • Netlimiter is good for running on an individual machine (I run it myself to prevent my mailserver and HTTPD from eating all my upstream), however there are better windows solutions for gateways.

      Is a fairly decent gateway traffic shaper - not quite as configurable as linux solutions, but fairly easy to set up and you can limit by a number of options, port, protocol, etc.

      Free trial version to so you can see if it works for you. $50 to buy.

  • I have done traffic shaping with FreeBSD/ipfw2 and found out the hard way that some viruses that initiate a lot of connections can take up a disproportionate share of bandwidth. For instance, one of the users had a virus that was making roughly 700 thousand outbound connections daily, but not causing much traffic, since all connections were single UDP packets. After we disconnected it from the hub the overall response time and transfer speeds for other computers increased.
    Apart from such queer
  • Dummynet []

    Quote from the above linked page:
    Unlike other traffic shaping packages which run in userland, dummynet has a very little overhead, as all processing is done within the kernel. There is no data copying involved to move packets through pipes, just a bit of pointer shuffling, and the implementation is able to handle thousands of pipes with O(log N) cost, where N is the number of active pipes.

    All you need is an old PC, two NICs. You can boot Dummynet (running on PicoBSD) from a floppy..
  • Remember how it is based on linux? there are several wonderful replacement firmwares for it that give you some filtering options, you probably don't need the wireless part, but it's what I've been deploying lately. check out the simandhi firmware and look at WRT54G as I recall, very wonderful little box and now you can make a hotspot and sell access to it also. the router isn't expensive, $80US I think. If you know enough, you might be able to do the filtering in straight iptables instead of the web
  • get a 486/66, slap in 2 Nics, d/l freesco [] and install it. Search the forums for bandwidth limiting. []

    The biggest issue I have had with freesco was a) bad floppies and b) finding supported nics. 3Com 3C509s and 3C905s both work great. On the ISA ones make sure you turn off PnP.

    I've used this product for over 2 years without an issue. I'd reboot it once a month just because, but I can't think of a time I had to.

    Good Luck
  • You can download a series of floppy disk images and turn just about any old PC with two NICs into a router with all sorts of limits, including P2P Filtering! []
  • Shorewall has traffic shaping built in, but what it sounds like you might prefer to do is put in a Quality of Service system. Just reduce the priority of the outbound traffic, or block it altogether, depending on how strict you want to be.

    I've successfully done this to allow bittorrent transfers to take a lower priority than my VoIP traffic from my phone. It seems so far to have worked quite well. I had some trouble getting the qos-htb and tc qdisc stuff to work. Possibly because of the versions, bu
  • For those that don't want to migrate to OpenBSD FreeBSD 5.2.1 has support for OpenBSD's pf and altq via a port, although you need to patch your source tree by hand. FreeBSD 5-current has fully integrated support for pf and altq, although I would wait for FreeBSD 5.3-RELEASE, rather than trying to use current. I personally found ipfw and the queueing subsystem extremely hard to use. That said, FreeBSD 5.2.1 on my k6-233 works great for our LAN. I use it to prioritize dns/www/smtp/pop3/imap, put leechers in
  • All this is excellent for corporate scale infrastructure,

    but it's a lot of work for the everyday DSL people who have a brother who runs eDonkey 24/7.

    Really it would be nice if something was available to balance all ports equally so that:


    I guess the "prio" chain may be help with this. It isn't as well documented as htb. If anyone can figure out how to balance everything in as little lines as possible using something like prio, please share it as that would
  • Get a Linksys 802.11g Wireless router. Because the firmware is just a customized linux kernel, and Linksys finally GPLed out their code, there's a fairly active community that's into hacking the firmware code to add all sorts of functionality that Linksys never considered, including QoS and Packet Shaping.

    Just lock the ports for all of the popular P2P apps that have fixed ports down to 50kbps up and down, and call it a day. If I was on a shared DSL, I'd completely understand this, and even appreciate tha
  • The hardware being your boot and the software being his ass. Not only is his downloading slowing you down but with all the RIAA crap going around it could be a legal liability. You have to think that if something happens legally, will this 15 year old behind a router going to get sued? Or the registered name/owner of the DSL service?
  • it sounds to me like your first concern should be that 24 households are on the same hub.... I for one wouldn't feel comfortable knowing that anyone else in the area could just open up ethereal and check me out. look into buying a 24 port switch for privacy's sake; I'm sure your neighbors will be more than willing to chip in for one if you explain how they differ from hubs.

    as for the bandwidth issue, 24 households sharing a single DSL line is a bit of a stretch, especially if some houses have several comp
