Bandwidth control by Netfilter ACL

Hello,

I am working on how to limit the bandwidth from ACL. 

However, there are some problems.

For example, I need to limit the bandwidth for port swp34 to 20 Mbit/s.

Then I apply the following ACL rule:

[iptables]
-A FORWARD -i swp34 -j POLICE --set-mode KB --set-rate 2500 --set-burst 1
-A FORWARD -o swp34 -j POLICE --set-mode KB --set-rate 2500 --set-burst 1

But when I do an iperf test, the result looks like it is already limited to 1 Mbps:
----
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  1.20 MBytes  1.00 Mbits/sec  551             sender
[  4]   0.00-10.00  sec  1.07 MBytes   901 Kbits/sec                  receiver
----

Could you please advise how I should set the config correctly?

Thanks!
machiasiaweb


Posted 1 week ago


Jakub Bitenc

Could it be because of the testing method?

-b, --bandwidth n[KM]
              set target bandwidth to n bits/sec (default 1 Mbit/sec for UDP, unlimited for TCP).

Jason Guy, Employee

Assuming the host running iPerf is connected to swp34? Generally the problem with iPerf is it is bound by the CPU power. I personally don't think iPerf (v2) is worth using. I would recommend iPerf3 or nuttcp, and use the options to optimize the host resources. Check out our KB on this (which I need to update with some new tricks). Give this a try for a 1 minute test:
Server: iperf3 -s
Client: iperf3 -t60 -i5 -Z -c <remotehost>

Anton Lopatin

Hi!

What is the delay between the two hosts? Maybe the problem is a big delay and a small default TCP window. To use a custom TCP window, set the "-w" parameter to 2M - it will be enough in all cases.

machiasiaweb

Hello,

Thanks for all the suggestions.

I am using iperf3 during the test and both testing hosts are connected to the same switch, so I think it is not affected by other switch issues.

I have tested again with the following parameters at the sender side:
 iperf3 -c 192.168.88.18 -i 5 -t60 -w2M -Z
This time the result is below:

- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  5]   0.00-60.04  sec  13.0 MBytes  1.82 Mbits/sec  6190             sender
[  5]   0.00-60.04  sec  12.7 MBytes  1.78 Mbits/sec                  receiver
----------------------------------------------

But it still did not reach 20 Mbit/s. Is my setup wrong?

--
[iptables]
-A FORWARD -i swp34 -j POLICE --set-mode KB --set-rate 2500 --set-burst 1
-A FORWARD -o swp34 -j POLICE --set-mode KB --set-rate 2500 --set-burst 1
---

Please advise.

Thanks!