Step 1: Know the private IP range used by each VPN protocol.

In this case we use the numbers below as the second and third octet of each protocol's private address (10.N.N.x), with the interface each protocol uses noted after it.

ikev2=24 #eth0
tcp1194=23 #tun3
tcp443=22 #tun4
udp1194=21 #tun0
udp4096=25 #tun1
udp80=20 #tun2
pptp=111
l2tp=30
main=eth0

Step 2: Remove any tc rules already on the server.

Existing tc rules would interfere with the result, so delete them all before we start.

tc qdisc del dev $main root

This line deletes all tc rules on the main interface, eth0 in my case; change it to yours.

tc qdisc del dev tun0 root
tc qdisc del dev tun1 root
tc qdisc del dev tun2 root
tc qdisc del dev tun3 root
tc qdisc del dev tun4 root

Then delete the tc rules on every tun interface as well, so that nothing left over interferes with the bandwidth control result.

Step 3: Add the root tc qdisc on each interface.

tc qdisc add dev $main root handle 1: htb

$main in this case is eth0

tc qdisc add dev tun0 root handle 1: htb
tc qdisc add dev tun1 root handle 1: htb
tc qdisc add dev tun2 root handle 1: htb
tc qdisc add dev tun3 root handle 1: htb
tc qdisc add dev tun4 root handle 1: htb

Step 4: Configure Ikev2 for the bandwidth control.

First, use iptables rules to mark forwarded traffic from and to the user's private address with a unique number, as below.

iptables -I FORWARD -s 10.$ikev2.$ikev2.1 -j MARK --set-mark 51
iptables -I FORWARD -d 10.$ikev2.$ikev2.1 -j MARK --set-mark 51

In this case $ikev2 = 24, so the private address becomes 10.24.24.1 and its packets are marked with 51.

After marking the packets of that single private IP with iptables, we move on to the tc rules that limit bandwidth based on mark 51.

tc class add dev $main parent 1:1 classid 1:51 htb rate 1mbit ceil 1mbit

This sets the class with classid 1:51, matching the iptables mark, with a rate of 1mbit and a ceil (maximum burst) of 1mbit. A user who connects and gets the address 10.24.24.1 will therefore never get a connection speed above 1mbit.

tc qdisc add dev $main parent 1:51 sfq perturb 10

perturb 10 means that, based on mark 51 in iptables, when this IP is not using the bandwidth it is released after 10 seconds, so that an unused VPN private IP does not hold your server's connection.

tc filter add dev $main protocol ip parent 1: prio 1 handle 51 fw flowid 1:51

After the two rules above are set, we add a filter that matches fw mark 51 and sends that traffic to class 1:51, which ties together the rules set earlier for bandwidth filtering.

In the IKEv2 case, because it does not have a virtual tunnel interface like OpenVPN, PPTP and L2TP do, we must control this protocol's bandwidth on the server's main interface, eth0 in this case.

Step 5: Limiting the whole subnet, one class per user, using a script.

#!/bin/bash

ikev2=24 #eth0
main=eth0

# reset the root qdisc on the main interface
echo tc qdisc del dev $main root >>tcrules
echo tc qdisc add dev $main root handle 1: htb >>tcrules
for i in {1..254}
do
##ikev2: one mark and one class per host of 10.24.24.0/24
echo iptables -I FORWARD -s 10.$ikev2.$ikev2.$i -j MARK --set-mark 1$i >> mark
echo iptables -I FORWARD -d 10.$ikev2.$ikev2.$i -j MARK --set-mark 1$i >> mark
echo tc class add dev $main parent 1:1 classid 1:1$i htb rate 1mbit ceil 1mbit >> tcrules
echo tc qdisc add dev $main parent 1:1$i sfq perturb 10 >> tcrules
echo tc filter add dev $main protocol ip parent 1: prio 1 handle 1$i fw flowid 1:1$i >> tcrules
done

Put all of this in a script, chmod 755 it to make it executable, and run bash scriptname.

You will see it generate two files in the current directory, mark and tcrules. Run them, then verify the marking with

iptables-save |grep mark

It will show results like the following, depending on your configuration.

-A FORWARD -s 10.24.24.1/32 -j MARK --set-xmark 0x2ed/0xffffffff
-A FORWARD -d 10.24.24.1/32 -j MARK --set-xmark 0x1c1/0xffffffff

Use the commands below to show the classes and qdiscs you set earlier with tc.

tc -s -d class show dev eth0
tc -s -d qdisc show dev eth0
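As an added example (not the post's own script), the following bash generalizes the Step 5 generator to any 10.N.N.0/24 VPN subnet and interface, and adds a check that compares the marks iptables-save reports against the ones the generator assigns. Function names, the file-free "print for review" approach and the 100mbit parent rate are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post. Generates per-host MARK
# and tc rules for one VPN subnet (same scheme as the post: "1" prefixed to
# the host number) and checks iptables-save output against that scheme.
# Function names and the 100mbit parent rate are assumptions. Nothing is
# applied: the rules are printed for review and run by hand afterwards.

# mark_for HOST -> decimal fw mark for 10.X.X.HOST (1..254 -> 11..1254)
mark_for() { printf '%s\n' "1$1"; }

# gen_rules DEV OCTET RATE -> rules for every host of 10.OCTET.OCTET.0/24
# on DEV, each limited to RATE. Note: tc parses class minors as hex, so
# class 1:1254 is 0x1254, while "handle 1254 fw" and --set-mark 1254 are
# decimal; that is fine because only the filter and the class must agree.
gen_rules() {
  dev=$1 oct=$2 rate=$3
  echo "tc qdisc del dev $dev root"
  echo "tc qdisc add dev $dev root handle 1: htb"
  # Added here (assumption): create parent class 1:1, which the post's
  # per-host classes attach to but never create explicitly.
  echo "tc class add dev $dev parent 1: classid 1:1 htb rate 100mbit"
  i=1
  while [ "$i" -le 254 ]; do
    m=$(mark_for "$i")
    echo "iptables -I FORWARD -s 10.$oct.$oct.$i -j MARK --set-mark $m"
    echo "iptables -I FORWARD -d 10.$oct.$oct.$i -j MARK --set-mark $m"
    echo "tc class add dev $dev parent 1:1 classid 1:$m htb rate $rate ceil $rate"
    echo "tc qdisc add dev $dev parent 1:$m sfq perturb 10"  # SFQ hash reseeded every 10s
    echo "tc filter add dev $dev protocol ip parent 1: prio 1 handle $m fw flowid 1:$m"
    i=$((i + 1))
  done
}

# mark_from_save_line LINE -> decimal mark from an iptables-save MARK line,
# e.g. "... -j MARK --set-xmark 0x2ed/0xffffffff" -> 749
mark_from_save_line() {
  hex=${1##*--set-xmark }   # 0x2ed/0xffffffff
  hex=${hex%%/*}            # 0x2ed
  echo "$((hex))"
}

# check_save_line LINE -> "ok" when the line's mark is the one mark_for
# assigns to the host in its -s/-d address, else "mismatch FOUND EXPECTED"
check_save_line() {
  addr=${1#* -[sd] }; addr=${addr%%/*}   # 10.24.24.1
  host=${addr##*.}                        # 1
  found=$(mark_from_save_line "$1")
  want=$(mark_for "$host")
  [ "$found" = "$want" ] && echo ok || echo "mismatch $found $want"
}

# Constructed sample input: the post's own iptables-save line for 10.24.24.1
check_save_line '-A FORWARD -s 10.24.24.1/32 -j MARK --set-xmark 0x2ed/0xffffffff'
gen_rules eth0 24 1mbit | head -n 8      # review the output before applying it
```

Run the generator output from a file or by hand only after reviewing it; a "mismatch" from check_save_line means the mark in the kernel is not the one the tc filter for that host expects.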

If this article helped, share it with your friends.
