firewall/bandwith limiting on ubuntu

Mon Aug 16 10:38:01 UTC 2010

On Mon, Aug 16, 2010 at 01:07:30PM +0300, James Mutuku wrote:
> It's a server-client network, which will
> 1. have  routing capabilities
> 2. host a web application, web server and database server
> 3. Act as the firewall/bandwidth limiter
> 4. Segment 3 networks(free wireless internet access point(initially support
> up to 40 clients), private business LAN(wireless)(10 clients) and the
> internet)
> 5. The private business LAN should only access the web application and the
> internet
> 6. Only the free wireless access point should be bandwidth limited

All right, more information, wonderful!

I assume you have one interface for each network segments? I also assume 
you are running Ubuntu as the main routing device? Example: a cable 
modem goes onto the eth0 of the Ubuntu desktop, and the Ubuntu desktop 
has eth[1..3], for each segment of the network? Having individual 
network segments work the best / are the easiest to manage (in my 
opinion). If you do have a seperate NIC for each device connected 
("three network segments"), your request is easy to handle.

I suggest you look into wondershaper. It can limit the up- and down- 
speeds on each interface. Limit the "free wireless" (eth1, as an 
example) to whatever you want; "sudo wondershaper eth1 DOWNLIMIT 
UPLIMIT". Replace DOWN- and UP- limit with however many kilobits/s you 
want this interface to have access to. Please note that wondershaper by 
itself will not "equally" share the bandwidth on the wireless clients, 
but it does a pretty swell job on not going over whatever limit you set 
(one person (ab)using your free wireless for torrents will make the 
network for everyone else on the free wireless go slow, but it should 
not make the people on the other interfaces go slow (unless you allot 
too much to the free wireless device)).

You can do the same to the other more private devices. I don't know why 
you would need to (unless those devices are "untrusted", ie. abusing the 
bandwidth as well).

Anyways,
> 1. ease of configuration
Wondershaper is easy to setup and configure. It's one of the easiest and 
most powerful simple bandwidth limiting tool I have ever seen.
> 2. feature rich
It should do everything you requested!
> 3.  reporting interface(preferably web)
Wondershaper will not do this. But what will?:

vnstat. It's a CLI tool, but there is a front-end 
(http://www.sqweek.com/sqweek/index.php?p=1). The CLI controlling of it 
is very simple, and easy to understand, so I suggest NOT installing that 
PHP frontend to it. So, you will want to create a new vnstat database 
for each interface. Make sure vnstat is installed first (sudo apt-get 
install vnstat), then run "sudo vnstat -u -i ethX" (replacing "ethX" 
with each network device). Make sure vnstatd(aemon) is running (it 
should by default, "ps aux|grep vnstat" will confirm this), and now 
you're pretty much done!... In a few hours (or less, depending on your 
network use), "vnstat -i ethX -m" (again, replace ethX with interface) 
will produce a nice little graph of you use. See "man vnstat" for all 
the other cool tricks it can do.

If you're using a different setup other than one interface per "group of 
people" (as I think you are), then I can not assist you further. If you 
are using this setup, wonderful; I hope I helped.