Unfortunately, I don't have much experience with system administration and configuring Linux systems, so please don't be too hard on me; I'm still learning ;)
Network setup:
172.21.0.1 - the server with traffic shaping.
172.21.0.2 - the second server storing files requested by clients via HTTP.
172.21.0.6 and 172.21.0.7 - two client devices.
I'm trying to configure traffic shaping for WireGuard clients:
tc qdisc add dev wg0 parent root handle 1:0 hfsc default 10
# Root class
tc class add dev wg0 parent 1: classid 1:1 hfsc sc rate 1gbit ul rate 1gbit
# Reserved traffic
# Guaranteed bandwidth of 500 Mbit/s and a maximum of 1 Gbit/s
tc class add dev wg0 parent 1:1 classid 1:10 hfsc sc rate 500mbit ul rate 1gbit
# Client traffic
# Guaranteed bandwidth of 500 Mbit/s and a maximum of 1 Gbit/s
tc class add dev wg0 parent 1:1 classid 1:20 hfsc sc rate 500mbit ul rate 1gbit
# Shaping for individual client 6
tc class add dev wg0 parent 1:20 classid 1:3006 hfsc sc rate 100kbit ul rate 100kbit
tc filter add dev wg0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.21.0.6/32 flowid 1:3006
# Shaping for individual client 7
tc class add dev wg0 parent 1:20 classid 1:3007 hfsc sc rate 100kbit ul rate 100kbit
tc filter add dev wg0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.21.0.7/32 flowid 1:3007
tc -pretty filter show dev wg0
filter parent 1: protocol ip pref 2 u32 chain 0
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800::801 order 2049 key ht 800 bkt 0 *flowid 1:3006 not_in_hw
match IP dst 172.21.0.6/32
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800::802 order 2050 key ht 800 bkt 0 *flowid 1:3007 not_in_hw
match IP dst 172.21.0.7/32
tc -graph class show dev wg0
+---(1:) hfsc
+---(1:1) hfsc sc m1 0bit d 0us m2 1Gbit ul m1 0bit d 0us m2 1Gbit
+---(1:10) hfsc sc m1 0bit d 0us m2 500Mbit ul m1 0bit d 0us m2 1Gbit
+---(1:20) hfsc sc m1 0bit d 0us m2 500Mbit ul m1 0bit d 0us m2 1Gbit
+---(1:3007) hfsc sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
+---(1:3006) hfsc sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
|
| |
When trying to download a file from both clients at the same time, only one gets 100kbit, while the other gets 0kbit :(
What am I doing wrong? Server: Debian 12 running on KVM.
P.S.: The 100kbit/s limit is just for testing the traffic shaper's functionality.
I would also appreciate suggestions on how to rewrite the configuration. Perhaps I'm doing it completely wrong, and there might be a more optimal way (like setting up a single class for the entire subnet, so all WireGuard clients get an individual 100kbit limit).
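A check that separates a classification fault from a scheduling fault in a setup like the one above, as an added example that is not part of the original post: it condenses the per-class counters from `tc -s class show dev wg0` so you can see whether each client's traffic reaches its own class while both downloads run. The function name `summarize_classes` and the sample counters are constructed for illustration, and the parsing assumes the usual iproute2 `Sent ... bytes ... pkt (dropped ...` statistics line.

```bash
#!/usr/bin/env bash
# Summarise `tc -s class show dev <if>` output, one line per class.

# Constructed sample (not captured from the poster's server): client 6 is
# being shaped, client 7's class has seen no packets, default class 1:10 has.
SAMPLE_STATS='class hfsc 1:3006 parent 1:20 sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
 Sent 1250000 bytes 900 pkt (dropped 40, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class hfsc 1:3007 parent 1:20 sc m1 0bit d 0us m2 100Kbit ul m1 0bit d 0us m2 100Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class hfsc 1:10 parent 1:1 sc m1 0bit d 0us m2 500Mbit ul m1 0bit d 0us m2 1Gbit
 Sent 98000 bytes 70 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0'

# summarize_classes: reads tc statistics on stdin and prints
#   <classid> <bytes> <pkts> <dropped> <status>
# status is IDLE (no packets ever classified here), DROPPING (packets
# arrive but some are dropped by the class) or OK.
summarize_classes() {
  awk '
    $1 == "class" { id = $3; next }          # remember the class id
    $1 == "Sent" && id != "" {
      pkts = $4 + 0
      drop = $7 + 0                           # "40," -> 40
      status = (pkts == 0) ? "IDLE" : (drop > 0 ? "DROPPING" : "OK")
      print id, $2, pkts, drop, status
      id = ""
    }'
}

# Run against the constructed sample. On a live host, during the test
# downloads, use instead:  tc -s class show dev wg0 | summarize_classes
printf '%s\n' "$SAMPLE_STATS" | summarize_classes
```

An IDLE per-client class alongside a growing default class (1:10 here) points at the filters; packets arriving in both client classes with one starved points at the HFSC class parameters.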