Dear Lazyweb: IP tables to force a certain ethernet address through a cache preprocessor?

[elfs]

So, I have a problem. I would like some of the computers in this house to go through a caching preprocessor, and others to have direct access to the Internet. Specifically, I'd like to throttle Yamaraashi-chan's music video watching enough that the rest of us can actually get work done; my daughter is a bandwidth hog. Any suggestions?

Comments

[ben-raccoon.livejournal.com]

The lazy way to accomplish this could be to use the throttling and shaping tools in a router with dd-wrt installed

[rhonan.livejournal.com]

Ding, ding, ding!

Get a Linksys WRT54G-TM router on eBay, flash it with DD-WRT Mega, set up a reserved DHCP for Yamaraashi-chan's MAC address, enable QoS, throttle her bandwidth down by IP address.

The WRT54G-TM is prefered, as it has much more ram and flash then other DD-WRT compatible routers, which is handy for logging and things like security certificates and the like.

DD-WRT adds a lot of functionality that you normally don't find on consumer routers. One thing you can do is adjust the output pow on the wireless. While some people like to turn it up to get more range, what I think is nifty is that you can put much better antennas on the router, and then turn down the power so that you are not radiating more than you need to outside of those parts of your property you want to cover. The other nifty thing that DD-WRT Mega has is OpenVPN. You can set up OpenVPN server on your router, and then install OpenVPN clients on your Mac, Windows, and Linux poratables, and access your network securely while out.

[m-o-w.livejournal.com]

Use the REDIRECT target to send all packets from some computers to your webcache, DNAT if it's not running on the router.
However, transparent proxying is ugly, especially if multiple destination ports are involved. Blocking most kinds of traffic and manually configuring the computers to use the proxy might be a cleaner solution.

[dr-memory.livejournal.com]

I think the simplest thing might be to force all of the machines in your house through a squid cache (ie: only give the squid machine access to 80/tcp and 433/tcp outbound), but use squid ACL rules to make it so that only Y-c's computer/account actually gets cached/throttled. Transparent caching is, as noted, just a good way to drive yourself insane.

Alternatively, do a little traffic analysis and find out what her top-5 video sites are, and create a QoS queue just for them? Shouldn't be too hard to lock down youtube/vimeo/mtv/blah/blah/foo down to no more than 33% of your available bandwidth.

[duskwuff.livejournal.com]

Alternative-alternatively, just rate-limit all port-80 traffic to/from the IP involved. Easy!

[m-o-w.livejournal.com]

That however won't help for media servers streaming on other ports.

The nice thing about proxies is that when a program knows it's supposed to use one, all connections are initiated through it, even to unusual ports, if necessary by CONNECT. So the squid of whatever proxy software already knows all it needs for traffic accounting, and you don't have to go port-hunting.

[duskwuff.livejournal.com]

That is true. However, the majority of video streaming sites (especially the popular ones, like youtube and whatnot) all just use HTTP streaming, so squid is still overkill.

[puellavulnerata.livejournal.com]

Use a tc queue (http://lartc.org/howto/lartc.qdisc.html) for just her machine to limit bandwidth? Remember that this would have to be done on the inward-facing interface of your router to affect download speed, and thus would only save bandwidth on your internet link for protocols in which the remote server will eventually slow down transmission until it gets ACKed - i.e., TCP-based protocols. That doesn't sound like it would be a problem in this case, and I believe similar limitations would apply to a transparent proxying solution.

[tehrasha.livejournal.com]

Let me know what you figure out.
Ive been tinkering with tc queue settings for a bit, and have yet to get a recipe that will keep my wife's Facebook usage from periodically dragging my gaming bandwidth to zero.

QoS

[elbowfetish.livejournal.com]

QoS is the right way to do it. IPv6 on your LAN will help with that, as well as with media streaming in general.

[lovingboth]

Delayed response :) but QoS on a DD-WRT'd WRT54GS is what I do for similar reasons.

For some reason, the person in question will not use get_flash_videos to just download the ones he wants to watch once, but you have have better luck.

What did you end up doing?