I have a hAP ac^2, upgraded to the latest firmware 6.46.5 and recently reset to factory defaults, with the default firewall rules except that fasttrack is disabled. I need to limit the incoming bandwidth of certain websites (including fast.com, for testing purposes) for a range of IP addresses.
For this I've made two Mangle rules to mark all connections and packets matching a Layer 7 Protocol entry in which I've listed the website addresses. Then I made a Simple Queue to limit the incoming rate of marked packets for a specified range of addresses.
This doesn't work.
The queue only registers some 10KB worth of incoming data within ~2 seconds after I start a speed test at fast.com, then shows nothing at all. The Mangle rule's packet counter does increment, but not at the rate of the incoming traffic flow from these websites, even when there is no other traffic. But if I remove the Layer 7 Protocol option from my Mangle rule, thus effectively marking all incoming connections and packets, then the packet counter rate increases and the queue starts working.
Here's the regexp for the Layer7 entry named "limit":
^..+\.(youtube.com|googlevideo.com|facebook.com|fbcdn.net|fast.com).*$
Here are my Mangle rules:
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=forward action=mark-connection new-connection-mark=limc passthrough=yes layer7-protocol=limit log=no log-prefix=""
4 chain=forward action=mark-packet new-packet-mark=lim passthrough=no connection-mark=limc log=no log-prefix=""
Here's my Simple Queue rule:
Flags: X - disabled, I - invalid, D - dynamic
0 name="limitrate" target=192.168.88.2/31 parent=none packet-marks=lim priority=8/8 queue=pcq-upload-default/pcq-download-default limit-at=0/0
max-limit=0/1M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1
And here are my Firewall Filter rules:
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Sorry it got so lengthy. I'd really appreciate it if you could check and shed some light on what's going wrong here. Maybe there are some prerequisites for getting this working that I'm not aware of? Advice on the Firewall Filter rules is also appreciated. Thanks.
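Added example (editor's addition, not code from the poster or from MikroTik): a small Python harness that runs the posted Layer7 regexp over constructed payload fragments, so its behaviour can be checked on a workstation before touching the router. RouterOS's Layer7 matcher inspects only the first 10 packets or first 2KB of a connection, case-insensitively, so the pattern has to fire on whatever the client sends at connection start, such as an HTTP Host header or the length-prefixed bare hostname inside a TLS ClientHello SNI entry. The posted pattern begins with `^..+\.`, which demands a literal dot immediately before the domain and leaves the dots inside the domains unescaped; the harness contrasts it with a hypothetical tightened variant (an assumption, not a MikroTik recommendation) that escapes the dots and anchors the domain on label boundaries instead. The `re.IGNORECASE | re.DOTALL` flags approximate the POSIX-style matcher; all sample payloads are constructed for this illustration.

```python
import re

# The Layer7 regexp exactly as posted (Layer7 entry named "limit").
POSTED_REGEXP = r"^..+\.(youtube.com|googlevideo.com|facebook.com|fbcdn.net|fast.com).*$"

# Hypothetical tightened variant (editor's assumption, not from the post):
# no mandatory "something." prefix, dots escaped, domain bounded by
# non-hostname characters so "ultrafast.com" does not match "fast.com".
TIGHTENED_REGEXP = (
    r"(^|[^a-z0-9-])"
    r"(youtube\.com|googlevideo\.com|facebook\.com|fbcdn\.net|fast\.com)"
    r"([^a-z0-9-]|$)"
)

# Constructed payload fragments resembling the first bytes of a connection.
SAMPLES = {
    # Plain HTTP request with a bare hostname in the Host header.
    "http_host_bare": "GET / HTTP/1.1\r\nHost: fast.com\r\n\r\n",
    # Same request with a www. prefix in front of the domain.
    "http_host_www": "GET / HTTP/1.1\r\nHost: www.fast.com\r\n\r\n",
    # Length-prefixed bare hostname as it sits inside a TLS SNI entry
    # (0x0008 = len("fast.com")); binary bytes around it, no dot before it.
    "sni_bare": "\x00\x08fast.com\x00\x17\x00\x00",
    # SNI entry carrying a subdomain (0x000e = len("edge.fbcdn.net")).
    "sni_subdomain": "\x00\x0eedge.fbcdn.net\x00",
    # Lookalike where the unescaped dot in "fast.com" matches any byte.
    "lookalike": "Host: cdn.fastXcom\r\n",
    # Unrelated site that neither pattern should classify.
    "unrelated": "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
}


def classify(payload: str, pattern: str) -> bool:
    """Return True when `pattern` fires on `payload`.

    IGNORECASE mirrors the matcher's case folding; DOTALL makes '.' match
    any byte including newlines, as a POSIX ERE without REG_NEWLINE does.
    """
    return re.search(pattern, payload, re.IGNORECASE | re.DOTALL) is not None


def compare(samples: dict = SAMPLES) -> dict:
    """Map each sample name to (posted_matches, tightened_matches)."""
    return {
        name: (classify(payload, POSTED_REGEXP), classify(payload, TIGHTENED_REGEXP))
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':<16}{'posted':<10}{'tightened'}")
    for name, (posted, tightened) in compare().items():
        print(f"{name:<16}{str(posted):<10}{tightened}")
```

Running it shows the posted pattern classifying `www.fast.com` and the subdomain SNI sample but not the bare `fast.com` samples, while also accepting the `fastXcom` lookalike; the tightened variant inverts both of those outcomes and still rejects the unrelated host. Whatever pattern ends up on the router, the same check applies: the Layer7 counter only advances when the pattern fires within the first packets of a connection, and the mangle rule marks the connection only from that point on.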