Limiting bandwidth on internal interface on Linux gateway

Jack Scott asked:

I am responsible for a Linux-based (it runs Debian) branch office router that takes a single high-speed Internet connection (eth2) and turns it into about 20 internal networks, each with a seperate subnet ( to and a seperate VLAN (eth0.101 to eth0.120). I am trying to restrict bandwidth on one of the internal subnets that is consistently chewing up more bandwidth than it should. What is the best way to do this?

My first try at this was with wondershaper, which I heard about on SuperUser here. Unfortunately, this is useful for exactly the opposite situation that I have… it’s useful on the client side, not on the Internet side.

My second attempt was using the script found at, which I modified so the active part is:

tc qdisc add dev eth0.113 root handle 13: htb default 100
tc class add dev eth0.113 parent 13: classid 13:1 htb rate 3mbps
tc class add dev eth0.113 parent 13: classid 13:2 htb rate 3mbps
tc filter add dev eth0.113 protocol ip parent 13:0 prio 1 u32 match ip dst flowid 13:1
tc filter add dev eth0.113 protocol ip parent 13:0 prio 1 u32 match ip src flowid 13:2

What I want this to do is restrict the bandwidth on VLAN 113 (subnet to 3mbit up and 3mbit down. Unfortunately, it seems to have no effect at all! I’m very inexperienced with the tc command, so any help getting this working would be appreciated.

My answer:

Quote from the developers to someone trying to do the same thing: Doing traffic control on vlan’s may not work as expected because the vlan pseudo-device does not have any transmit queue.

Since you’ve already written your rules to rate limit by subnet, it’s a matter of getting Linux to rate control it.

I would suggest working around it by putting the VLAN in a bridge (though for consistency’s sake you might want to create a bridge for every VLAN):

brctl addbr br113
btctl addif br113 eth0.113

You can then apply your tc rules to br113 instead of eth0.113.

(Configuring /etc/network/interfaces is left as an exercise for the reader, if this works…)

Or it might be simpler to apply the traffic control rules to your WAN interface eth2; the end result should be about the same.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.