Unfortunately, I don't have much experience with system administration and configuring Linux systems, so please don't be too hard on me; I'm still learning ;)
Network setup:
172.21.0.1 - the server with traffic shaping.
172.21.0.2 - the second server storing files requested by clients via HTTP.
172.21.0.6 and 172.21.0.7 - two client devices.
I'm trying to configure traffic shaping for WireGuard clients:
tc qdisc add dev wg0 parent root handle 1:0 hfsc default 10
# Root class
tc class add dev wg0 parent 1: classid 1:1 hfsc sc rate 1gbit ul rate 1gbit
# Reserved traffic
# Guaranteed bandwidth of 500 Mbit/s and a maximum of 1 Gbit/s
tc class add dev wg0 parent 1:1 classid 1:10 hfsc sc rate 500mbit ul rate 1gbit
# Client traffic
# Guaranteed bandwidth of 500 Mbit/s and a maximum of 1 Gbit/s
tc class add dev wg0 parent 1:1 classid 1:20 hfsc sc rate 500mbit ul rate 1gbit
# Shaping for individual client 6
tc class add dev wg0 parent 1:20 classid 1:3006 hfsc sc rate 100kbit ul rate 100kbit
tc filter add dev wg0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.21.0.6/32 flowid 1:3006
# Shaping for individual client 7
tc class add dev wg0 parent 1:20 classid 1:3007 hfsc sc rate 100kbit ul rate 100kbit
tc filter add dev wg0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.21.0.7/32 flowid 1:3007
tc -pretty filter show dev wg0
filter parent 1: protocol ip pref 2 u32 chain 0
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800::801 order 2049 key ht 800 bkt 0 *flowid 1:3006 not_in_hw
match IP dst 172.21.0.6/32
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800::802 order 2050 key ht 800 bkt 0 *flowid 1:3007 not_in_hw
match IP dst 172.21.0.7/32
tc -graph class show dev wg0
+---(1:) hfsc
+---(1:1) hfsc sc m1 0bit d 0us m2 1Gbit ul m1 0bit d 0us m2 1Gbit
+---(1:10) hfsc sc m1 0bit d 0us m2 500Mbit ul m1 0bit d 0us m2 1Gbit
+---(1:20) hfsc sc m1 0bit d 0us m2 500Mbit ul m1 0bit d 0us m2 1Gbit
+---(1:3007) hfsc sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
+---(1:3006) hfsc sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
|
| |
When trying to download a file from both clients at the same time, only one gets 100kbit, while the other gets 0kbit :(
What am I doing wrong? Server: Debian 12 running on KVM.
P.S.: The 100kbit/s limit is just for testing the traffic shaper's functionality.
I would also appreciate suggestions on how to rewrite the configuration. Perhaps I'm doing it completely wrong, and there might be a more optimal way (like setting up a single class for the entire subnet, so all WireGuard clients get an individual 100kbit limit).
Your rules look OK on the surface to me.
Try passing -s to tc to get stats and see if you are getting your packets actually passing onto the right classes. You should test the behaviour of your entire network chain to see if you can isolate the conditions by which the problem occurs.
Consider swapping out other areas of your stack to eliminate those, such as any webserver that has any of its own limitations being applied.
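The statistics check suggested in the answer, as an added example that is not part of the original thread: it reduces `tc -s class show dev wg0` output to one line per class and lists the per-client classes that have carried no packets. The function names and the sample statistics are constructed for illustration; the class IDs are the ones from the question.

```shell
#!/bin/sh
# Added example: summarize per-class counters from `tc -s class show dev wg0`.
# On the shaping host: tc -s class show dev wg0 | class_stats

# Constructed sample modelled on tc's per-class statistics layout (not a real capture).
sample_stats() {
cat <<'EOF'
class hfsc 1:1 parent 1: sc m1 0bit d 0us m2 1Gbit ul m1 0bit d 0us m2 1Gbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class hfsc 1:10 parent 1:1 sc m1 0bit d 0us m2 500Mbit ul m1 0bit d 0us m2 1Gbit
 Sent 48210 bytes 402 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class hfsc 1:3006 parent 1:20 sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
 Sent 1250000 bytes 880 pkt (dropped 12, overlimits 0 requeues 0)
 backlog 4542b 3p requeues 0
class hfsc 1:3007 parent 1:20 sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
EOF
}

# Print "classid bytes packets dropped backlog" for every class read from stdin.
class_stats() {
    awk '
        $1 == "class" { id = $3 }
        $1 == "Sent" && id != "" {
            bytes = $2; pkts = $4
            drop = $7; sub(/,/, "", drop)   # field looks like "12,"
        }
        $1 == "backlog" && id != "" {
            print id, bytes, pkts, drop, $2
            id = ""
        }
    '
}

# List per-client classes (1:3xxx, as in the question) with zero packets sent.
# Traffic no filter matches is counted under 1:10 because of `default 10`.
idle_classes() {
    class_stats | awk '$1 ~ /^1:3[0-9]+$/ && $3 == 0 { print $1 }'
}

# Demonstration on the constructed sample.
sample_stats | class_stats
```

Run it twice a few seconds apart during a download from both clients: counters that grow on 1:10 instead of 1:3006 and 1:3007 mean the u32 filters are not matching.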