Hello, I have attempted to limit the VPN speed to 10Mbit per user. But when I do a DSL speed test with two devices simultaneously, it seems that the total traffic is limited to 10Mbit/s rather than each device having 10Mbit/s of its own.
```shell
ETH0ORSIMILAR="eth0"
SERVER_LIMIT="10mbit"

# root HTB qdisc on the public interface
tc qdisc del dev $ETH0ORSIMILAR root
tc qdisc add dev $ETH0ORSIMILAR root handle 1: htb

# mark everything to/from the VPN pool with fwmark 51
iptables -I FORWARD -s 10.10.10.0/24 -j MARK --set-mark 51
iptables -I FORWARD -d 10.10.10.0/24 -j MARK --set-mark 51

# one class for the whole pool (no class 1:1 is created above, so 1:51 ends up directly under the root)
tc class add dev $ETH0ORSIMILAR parent 1:1 classid 1:51 htb rate $SERVER_LIMIT ceil $SERVER_LIMIT
tc qdisc add dev $ETH0ORSIMILAR parent 1:51 sfq perturb 10
# send fwmark 51 into class 1:51
tc filter add dev $ETH0ORSIMILAR protocol ip parent 1: prio 1 handle 51 fw flowid 1:51
```

I had followed this tutorial to achieve this: https://linuxscriptshub.com/bandwidth-control-on-ikev2-with-tc-and-iptables/

I'm essentially marking the 10.10.10.0/24 VPN IP pool with number 51. After the marking, based on the single private IP address with iptables, I'd do the bandwidth limiting based on the mark id 51. Is this correct, the way I have done it?

Further iptables settings:

```shell
VPNIPPOOL="10.10.10.0/24"

# accept anything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# rate-limit repeated new requests from same IP to any ports
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --set
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --update --seconds 60 --hitcount 12 -j DROP

# accept IPSec/NAT-T for VPN (ESP not needed with forceencaps, as ESP goes inside UDP)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# forward VPN traffic anywhere
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s $VPNIPPOOL -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d $VPNIPPOOL -j ACCEPT

# reduce MTU/MSS values for dumb VPN clients
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s $VPNIPPOOL -o $ETH0ORSIMILAR -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# masquerade VPN traffic over eth0 etc.
# exempt IPsec traffic from masquerading
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -j MASQUERADE
```

ipsec config:

```
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=${VPNIPPOOL}
    rightsendcert=never
```

Many Thanks,
Houman
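The setup in the post puts the whole pool into a single HTB class, so the 10mbit rate is shared by every client. The script below is an added example (not from the post or the linked tutorial) that generalises the same fwmark approach to one class per client address: it only prints the iptables and tc commands, so it can be inspected or tested before being piped into a root shell. It assumes shaping on eth0, a 10.10.10.0/24 pool with clients .2 to .254, a fwmark equal to the host octet, and a parent class 1:1 capped at TOTAL_LIMIT.

```shell
#!/bin/sh
# Added example, not from the original post or the linked tutorial.
# Emits (does not run) the iptables/tc commands that give every VPN client
# its own HTB class, so each 10.10.10.x host is capped at PER_USER rather
# than all hosts sharing one 10mbit class. Apply with:  sh per_user.sh | sh
# Assumptions: shaping on eth0, pool 10.10.10.0/24 with clients .2-.254,
# fwmark = host octet, parent class 1:1 capped at TOTAL_LIMIT.
DEV="${DEV:-eth0}"
POOL_PREFIX="${POOL_PREFIX:-10.10.10}"
PER_USER="${PER_USER:-10mbit}"
TOTAL_LIMIT="${TOTAL_LIMIT:-100mbit}"
FIRST=2
LAST=254

# Minor class id and fwmark both equal the host octet: 10.10.10.17 -> 1:17, mark 17.
client_class_id() { printf '1:%s\n' "$1"; }

emit_root() {
    echo "tc qdisc del dev $DEV root 2>/dev/null"
    echo "tc qdisc add dev $DEV root handle 1: htb"
    # a real parent class, so the per-client classes can borrow up to TOTAL_LIMIT between them
    echo "tc class add dev $DEV parent 1: classid 1:1 htb rate $TOTAL_LIMIT ceil $TOTAL_LIMIT"
}

# One leaf class, its sfq, the two MARK rules (upload: src, download: dst) and
# the fw filter. Marks are used instead of u32 on the inner addresses because
# downstream packets leave eth0 already ESP-in-UDP encapsulated; the mark survives that.
emit_client() {
    host=$1; ip="$POOL_PREFIX.$host"; cid=$(client_class_id "$host"); mark=$host
    echo "tc class add dev $DEV parent 1:1 classid $cid htb rate $PER_USER ceil $PER_USER"
    echo "tc qdisc add dev $DEV parent $cid handle ${host}: sfq perturb 10"
    echo "iptables -t mangle -A FORWARD -s $ip -j MARK --set-mark $mark"
    echo "iptables -t mangle -A FORWARD -d $ip -j MARK --set-mark $mark"
    echo "tc filter add dev $DEV protocol ip parent 1: prio 1 handle $mark fw flowid $cid"
}

emit_all() {
    emit_root
    h=$FIRST
    while [ "$h" -le "$LAST" ]; do
        emit_client "$h"
        h=$((h + 1))
    done
}

emit_all
```

Running `tc -s class show dev eth0` afterwards shows a separate byte counter per client class, which is the quickest way to confirm that two simultaneous speed tests land in two different classes.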