Freeradius: Bandwidth Limit For Network Users

Bandwidth limits can be set up using WISPr attributes. Two attributes can be used for this purpose:

  1. WISPr-Bandwidth-Max-Down
  2. WISPr-Bandwidth-Max-Up

These attributes must be defined in the radreply table or the radgroupreply table. The := operator is commonly used, but I figured out that the == operator can be used as well.
Let's say we want to limit a user's bandwidth to 256kbps for download and 32kbps for upload. We define the following in the radreply table:

WISPr-Bandwidth-Max-Down := 256000
WISPr-Bandwidth-Max-Up := 32000

However, just applying these attributes does not yet limit bandwidth. This is because our network users' sessions can be routed to the Internet in two ways: through the NAS internal IP interface (in my case br0) and through the NAS tunnel (tun0). It seems the br0 interface has higher priority than tun0, so packets will always be routed through br0. This is not good, as the attributes we set are only applied to the tun0 tunnel, which is created by Chillispot.

To overcome this, we must force all packets to be routed through tun0. We can apply some firewall rules to achieve this. Below are the rules I used.

# iptables -P FORWARD DROP
# iptables -F FORWARD
# iptables -A FORWARD -o tun0 -j ACCEPT
# iptables -A FORWARD -i tun0 -j ACCEPT

So when I list the policy for the FORWARD chain in iptables again, I get this:

# iptables -nvL FORWARD
Chain FORWARD (policy DROP 17 packets, 1088 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun0
0 0 ACCEPT all -- tun0 *

With these rules, the bandwidth will be shaped according to what we set in the radreply/radgroupreply table. We can test this using the iperf command.

So for the upload test, this is what I got:

$ iperf.exe -c -i 10 -t 60

Client connecting to, TCP port 5001
TCP window size: 8.00 KByte (default)
[1912] local port 3834 connected with port 5001
[ ID] Interval Transfer Bandwidth
[1912] 0.0-10.0 sec 64.0 KBytes 52.4 Kbits/sec
[1912] 10.0-20.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 20.0-30.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 30.0-40.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 40.0-50.0 sec 40.0 KBytes 32.8 Kbits/sec

[1912] 50.0-60.0 sec 32.0 KBytes 26.2 Kbits/sec
[1912] 0.0-65.4 sec 264 KBytes 33.1 Kbits/sec

And this is for download test:

$ iperf -c -i 10 -t 60

Client connecting to, TCP port 5001
TCP window size: 16.0 KByte (default)
[ 3] local port 60918 connected with port 5001
[ 3] 0.0-10.0 sec 568 KBytes 465 Kbits/sec
[ 3] 10.0-20.0 sec 312 KBytes 256 Kbits/sec
[ 3] 20.0-30.0 sec 296 KBytes 242 Kbits/sec
[ 3] 30.0-40.0 sec 312 KBytes 256 Kbits/sec
[ 3] 40.0-50.0 sec 288 KBytes 236 Kbits/sec
[ 3] 50.0-60.0 sec 264 KBytes 216 Kbits/sec
[ 3] 0.0-60.3 sec 2.00 MBytes 278 Kbits/sec

Finally, we managed to set up a bandwidth limit for our network users. However, there is a problem: a traffic burst happens every time an object is retrieved from the Internet. Imagine a web page that contains 20 objects; there will be 20 traffic bursts. The bursts make the results look inaccurate when tested with a bandwidth tester. If we could exclude the beginning of the data transfer from the test, the bandwidth test would look more accurate.
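One way to exclude the initial burst when checking a limit, as an added example that is not part of the original post: the script below parses iperf report rows, drops the summary row and the first interval, and compares the steady-state mean with the WISPr value. The function names and the 5% tolerance are assumptions; the sample rows are copied from the download test above.

```python
import re

# One iperf 2 report row, e.g. "[ 3] 10.0-20.0 sec 312 KBytes 256 Kbits/sec".
# Only rows reported in Kbits/sec are handled, as in the output shown above.
ROW = re.compile(
    r"\[\s*\d+\]\s+([\d.]+)-\s*([\d.]+)\s+sec\s+[\d.]+\s+\w+\s+([\d.]+)\s+Kbits/sec"
)

# Download report rows copied from the test output in this post.
DOWNLOAD = """\
[ 3] 0.0-10.0 sec 568 KBytes 465 Kbits/sec
[ 3] 10.0-20.0 sec 312 KBytes 256 Kbits/sec
[ 3] 20.0-30.0 sec 296 KBytes 242 Kbits/sec
[ 3] 30.0-40.0 sec 312 KBytes 256 Kbits/sec
[ 3] 40.0-50.0 sec 288 KBytes 236 Kbits/sec
[ 3] 50.0-60.0 sec 264 KBytes 216 Kbits/sec
[ 3] 0.0-60.3 sec 2.00 MBytes 278 Kbits/sec
"""

def intervals(report):
    """Return (start, end, kbits) per interval row, without the final summary row."""
    rows = [(float(s), float(e), float(k)) for s, e, k in ROW.findall(report)]
    if not rows:
        return []
    first_end = rows[0][1]
    # The summary row also starts at 0.0 but ends later than the first interval.
    return [r for r in rows if not (r[0] == 0.0 and r[1] > first_end)]

def steady_kbits(report, warmup=10.0):
    """Mean rate in Kbits/sec over intervals starting at or after `warmup` seconds."""
    rates = [k for start, _end, k in intervals(report) if start >= warmup]
    return sum(rates) / len(rates) if rates else None

def within_limit(report, limit_bps, tolerance=0.05, warmup=10.0):
    """True if the steady-state rate is at most limit_bps plus the tolerance.
    The 5% default tolerance is an assumption, not a value from the post."""
    avg = steady_kbits(report, warmup)
    # iperf reports Kbits as 1000 bits; WISPr-Bandwidth-Max-* is in bits per second.
    return avg is not None and avg * 1000 <= limit_bps * (1 + tolerance)

if __name__ == "__main__":
    print("steady-state Kbits/sec:", steady_kbits(DOWNLOAD))
    print("with first interval:   ", steady_kbits(DOWNLOAD, warmup=0.0))
    print("within 256000 bps:     ", within_limit(DOWNLOAD, 256000))
```

With the first interval included (`warmup=0.0`), the same report averages above the configured limit, which is the inaccuracy described above.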

  1. Mukul
    29/09/2011 at 11:55 pm

    I want to allocate different bandwidth to different users, that is, allocate bandwidth according to
    the user, not the IP address

    • 02/10/2011 at 10:42 am

      You have to integrate your squid with an authentication system, such as LDAP, Active Directory, PAM_auth and so on. Try researching “auth_param” for this purpose. When you are done, each user will be prompted for a username and password before going to the Internet. Then, you can allocate the desired bandwidth to each user.

      • 02/10/2011 at 12:14 pm

        Oops.. I mistook your question for one about squid. I think you should use ChilliSpot-Max-Total-Octets if you are using Chillispot. Try doing research on that or the equivalent attribute on your system.

  2. day
    10/08/2012 at 4:03 pm

    I’m using the MAC address as the username, and I’ve done the settings that you described, but I still download at full speed
