How to reliably limit the amount of bandwidth your room mate or bad office colleague uses

Update: It seems I’ve created a monster. I’ve had my first two Google searchers arrive on this blog entry searching for “limit roomate downloading” and “netgear limit roomate”. Well after years of experimenting with QoS this is the best method I’ve found to do exactly that, so enjoy.

For part of the year I’m on a rural wifi network that, on a good day, gives me 3 megabits per second download speed and 700kbps upload speed. I’ve tried multiple rural providers, had them rip out their equipment because of the packet loss (that means you Skybeam), I’ve shouted at Qwest to upgrade the local exchange so we can get DSL, but for now I’m completely and utterly stuck on a 3 megabits downlink using Mile High Internet.

I have an occasional room-mate, my nephew, who downloads movies on iTunes and it uses about 1.5 to 3 megabits. I’ve tried configuring quality of service (QoS) on various routers including Netgear and Linksys/Cisco and the problem is that I need a zero latency connection for my SSH sessions to my servers. So while QoS might be great if everyone’s using non-realtime services like iTunes downloads and web browsing, when you are using SSH or a VoIP product like Skype, it really sucks when someone is hogging the bandwidth.

The problem arises because of the way most streaming movie players download movies. They don’t just do it using a smooth 1 megabit stream. They’ll suck down as much as your connection allows, buffer it and then use very little bandwidth for a few seconds, and then hog the entire connection again. If you are using SSH and you hit a key, it takes a while for the router to say: “Oh, you wanted some bandwidth, ok fine let me put this guy on hold. There. Now what did you want from me again? Hey you still there? Oh you just wanted one real-time keystroke. And now you’re gone. OK I guess I’ll let the other guy with a lower priority hog the bandwidth again until you hit another keystroke.”

So the trick, if you want to effectively deal with the movie-downloading room-mate, is to limit the amount of bandwidth they can use. That way Netflix, iTunes, YouTube, Amazon Unbox or any other streaming service has to use a constant 1 megabit rather than bursting to 3 megabits and then dropping to zero – and you always have some bandwidth available without having to wait for the router to do its QoS thing.

Here’s how you do it.

First install DD-WRT firmware on your router. I use a Netgear WNDR3300 router and after using various Linksys/Cisco routers I swear by this one. It has two built-in radios so you can create two wireless networks, one on 2GHz and one on 5GHz. It’s also fast and works 100% reliably.

Then look up your router on dd-wrt’s site and download DD-WRT for your router and install it. I use version “DD-WRT v24-sp2 (10/10/09) std – build 13064”. There are newer builds available, but when I wrote this, this was the recommended version.

Once you’re all set up and you have your basic wireless network with DD-WRT, make sure you disable QoS (it’s disabled by default).

Then configure SSH on DD-WRT. It’s a two step process. First you have to click the “Services” tab and enable SSHd. Then you have to click the Administration tab and enable SSH remote management.

Only the paid version of DD-WRT supports per user bandwidth limits, but I’m going to show you how to do it free with a few shell commands. I actually tried to buy the paid version of DD-WRT to do this, but their site is confusing and I couldn’t get confirmation they actually support this feature. So perhaps the author can clarify in a comment.

Because you’re going to enter shell commands, I recommend adding a public key for password-less authentication when you log in to DD-WRT. It’s on the same DD-WRT page where you enabled the SSHd.

Tip: Remember that with DD-WRT, you have to “Save” any config changes you make and then “Apply settings”. Also DD-WRT gets confused sometimes when you make a lot of changes, so just reboot after saving and it’ll unconfuse itself.

Now that you have SSHd set up, remote ssh login enabled and hopefully your public ssh keys all set up, here’s what you do.

SSH to your router IP address:

ssh root@ROUTER_IP

Enter password.

Type “ifconfig” and check which interface your router has configured as your internal default gateway. The IP address is often The interface is usually “br0”.

Let’s assume it’s br0.

Enter the following command which clears all traffic control settings on interface br0:

tc qdisc del dev br0 root

Then enter the following:

tc qdisc add dev br0 root handle 1: cbq \
avpkt 1000 bandwidth 2mbit

tc class add dev br0 parent 1: classid 1:1 cbq \
rate 700kbit allot 1500 prio 5 bounded isolated

tc filter add dev br0 parent 1: protocol ip \
prio 16 u32 match ip dst CLIENT_IP flowid 1:1

tc filter add dev br0 parent 1: protocol ip \
prio 16 u32 match ip src CLIENT_IP flowid 1:1

These commands will rate limit the IP address to 700 kilobits per second.

If you’ve set up automatic authentication and you’re running OS X, here’s a perl script that will do all this for you:


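#!/usr/bin/perl
use strict;
use warnings;

# Placeholder: set this to your router's LAN address.
my $router = 'ROUTER_IP';
my $ip = $ARGV[0] // '';    # client IP address to limit
my $rate = $ARGV[1] // '';  # limit in kilobits per second

# Both values end up in a remote shell command, so only accept digits and dots.
$ip =~ m/\A\d+\.\d+\.\d+\.\d+\z/ &&
$rate =~ m/\A\d+\z/ ||
die "Usage: $0 CLIENT_IP RATE_IN_KBIT\n";

$rate = $rate . 'kbit';

# Clear any existing rules on br0.
print `ssh root\@$router "tc qdisc del dev br0 root"`;

# Recreate the qdisc, the rate-limited class and the two filters.
print `ssh root\@$router "tc qdisc add dev br0 root handle 1: cbq avpkt 1000 bandwidth 2mbit ; tc class add dev br0 parent 1: classid 1:1 cbq rate $rate allot 1500 prio 5 bounded isolated ; tc filter add dev br0 parent 1: protocol ip prio 16 u32 match ip dst $ip flowid 1:1 ; tc filter add dev br0 parent 1: protocol ip prio 16 u32 match ip src $ip flowid 1:1"`;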

You’ll see a few responses from DD-WRT when you run the script and might see an error about a file missing, but that’s just because you tried to delete a rule on interface br0 that might not have existed when the script starts.

These rules put a hard limit on how much bandwidth an IP address can use. What you’ll find is that even if you rate limit your room mate to 1 megabit, as long as you have 500 kbit all to yourself, your SSH sessions will have absolutely no latency, Skype will not stutter, and life will be good again. I’ve tried many different configurations with various QoS products and have not ever achieved results as good as I’ve gotten with these rules.

Notes: I’ve configured the rules on the internal interface even though most QoS rules are generally configured on an external interface because it’s the only thing that really really seems to work. The Cisco engineers among you may disagree, but go try it yourself before you comment. I’m using the Linux ‘tc’ command and the man page is here.
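The same rule set generalized to several clients or a whole address range, as an added example that is not part of the original post: it prints the tc commands above with one class per target, checks each address strictly before it reaches a command line, and also prints the commands that verify and clear the rules. The function names and the sample addresses are assumptions made for illustration; br0 and the 2mbit value are the ones used above.

```shell
#!/bin/sh
# Added example, not the author's script. It only PRINTS tc commands; to apply
# them, pipe the output to the router, e.g. (limit.sh is a hypothetical name):
#   sh limit.sh 192.168.1.50=700 | ssh root@ROUTER_IP sh
DEV=br0        # internal interface, as in the article
LINK=2mbit     # "bandwidth" value used in the article's qdisc line

# valid_target ADDR[/PREFIX]: strict IPv4 check. The value is pasted into a
# root shell on the router, so anything but digits, dots and one slash is refused.
valid_target() {
    case "$1" in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr=${1%%/*}
    case "$1" in */*) plen=${1#*/} ;; *) plen=32 ;; esac
    case "$plen" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$addr" in *.) return 1 ;; esac   # a trailing dot would vanish in the split
    old_ifs=$IFS; IFS=.
    set -- $addr                           # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules TARGET=KBIT ...: one bounded CBQ class per target.
# TARGET is a single IP or a CIDR range such as a guest DHCP pool.
gen_rules() {
    [ $# -gt 0 ] || { echo "usage: gen_rules TARGET=KBIT ..." >&2; return 1; }
    # Pass 1: validate everything, so a bad argument never yields half a rule set.
    for spec in "$@"; do
        case "$spec" in *=*) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
        target=${spec%%=*}; rate=${spec#*=}
        valid_target "$target" || { echo "bad target: $target" >&2; return 1; }
        case "$rate" in ''|*[!0-9]*|0*|??????*)
            echo "bad rate: $rate" >&2; return 1 ;;
        esac
    done
    # Pass 2: emit. The delete fails harmlessly when no rules exist yet.
    echo "tc qdisc del dev $DEV root 2>/dev/null"
    echo "tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth $LINK"
    n=0
    for spec in "$@"; do
        n=$((n + 1))   # tc reads the minor id as hex; class and filters share the same text
        target=${spec%%=*}; rate=${spec#*=}
        echo "tc class add dev $DEV parent 1: classid 1:$n cbq rate ${rate}kbit allot 1500 prio 5 bounded isolated"
        # A root qdisc shapes traffic leaving the device, so on br0 the dst
        # match is the one that limits downloads toward the client.
        echo "tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst $target flowid 1:$n"
        echo "tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src $target flowid 1:$n"
    done
}

# gen_check: commands that show whether the rules took effect. The per-class
# byte and packet counters should grow while a limited client is downloading.
gen_check() {
    echo "tc -s class show dev $DEV"
    echo "tc filter show dev $DEV"
}

# gen_clear: remove every limit again.
gen_clear() {
    echo "tc qdisc del dev $DEV root"
}

# Constructed sample targets (not from the article): one host limited to
# 700 kbit and a /25 range limited to 1000 kbit.
[ $# -gt 0 ] || set -- 192.168.1.50=700 192.168.1.128/25=1000
gen_rules "$@"
gen_check
```
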

PS: If you are looking for a great router to install DD-WRT on, try the Cisco-Linksys E3200. It has a ton of RAM and the CPU is actually faster at 500 MHz than the E4200 which is more expensive and only has a 480 MHz CPU. It also is the cheapest Gigabit Ethernet E series router that Cisco-Linksys offers. Here are the Cisco-Linksys E3200’s full specs on DD-WRT’s site. The E3200 is fully DD-WRT compatible, but if you are lazy and don’t want to mess with DD-WRT, check out the E3200’s built-in QoS (Quality of Service) in this video.

95 thoughts on “How to reliably limit the amount of bandwidth your room mate or bad office colleague uses”

  1. great article but very scary for people who don’t have experience with SSH. Flashing custom firmware is advanced, but SSH is a whole ‘nother level. Here is what I did on mine running DD-WRT v24-sp2 (08/07/10) vpn.

    Set up QOS with the limits you want, then under netmask priority, put in your IP and set it as exempt. Set the rest of the IP range as standard. I have a guest SSID set up that is restricted while the main network is not, however this approach should work for individual IPs to exempt them from the QOS.

  2. hello,
    we tested the rules limiting download and they work properly, but the rules limiting upload are not working, neither by MAC nor by IP. Can you help us?

  5. Thanks for an easy to follow howto. The tc’s manpage is dense and it is great to have a useful application. I would like to make a change to limit the bandwidth of everyone on a particular subnet (my guest wifi is on a different subnet). Is it possible to replace the IP address by a netmask in the tc command lines? Thanks in advance!

  7. nice commands … However this is NOT needed anymore in the new dd-wrt firmware versions …. I am using dd-wrt v24-sp2 (05/27/14) build 24160 … Under QoS , you have full control on bandwidth limit for upload and download for either aggregated WAN interface , or per client, per MAC address , service , just full control over bandwidth limitation ….
    My dd-wrt router is the second router which is cascaded to my main (fast router), and I am using the aggregated WAN limit to avoid limiting users one by one , so guests and bandwidth abusing users are allowed only to access dd-wrt router

    P.s. My home router has bandwidth of 24MB, while I limited the dd-wrt router with 512kbps only …. It’s working like a charm :)

  10. Enabling SSH Remote Management is not needed and can open your router to possible attacks. I wouldn’t recommend it.

    Awesome blog post. Helped me throttle a friend who is staying with me for a while. He’s a Steam fan and downloads new games daily and it was dragging my 5Mbit DSL connection through the mud. This seems to be working beautifully. Thanks!

  14. I got this to work and it is exactly what I need. Thanks for this info by the way. I am trying to get this to run for ranges on my network. I use for my router, ranging from to, on subnet I use 104 and 105 and want to throttle from to I tried setting it up the same as I did for a single ip, but in the tcp filtering commands, I did It worked, but also throttled me at my ip address. I have my address static from my network card, using specified settings.

    My question is, what am I doing wrong? Why is it also throttling me if I am not in the range of to

    Thanks for any help, I need to figure out how to throttle this by ip ranges.

      • should be something like
        then you need to change the dhcp range on the router to give out 130-200 or whatever. the issue u had has to do with subnetting ie /24 is 256 ip addresses in the above /25 is 128 ips (including broadcast and subnet address) which leaves u with 126 throttled ips you can use.

  15. Hi,
    I’m not sure if anyone is still reading these comments but I had a question I was hoping someone could help me answer.
    I have several hosts in my network that I would like to limit the bandwidth so that no one can exceed 3mbits so that one person doesn’t hog the entire line.
    Should I just make another filter entry for each IP and put them all under the same class or do I have to create a separate class and/or qdisc for each IP that I want to limit?

  17. My satellite ISP has a 30 day usage limit of 10gb, which is enough for my needs, but when guests visit I’d like to limit their total usage to 100mb per day or less.

    Does anyone know if this can be accomplished?

  18. Congrats!! great tutorial. I’m looking for the same for a couple of days, looking into firmwares and softrouters/firewalls. I have one simple question. Have you tried just change or customize the default bandwidth boundaries of QoS priorities, don’t you think that by doing so you can achieve the same results or maybe better because you will have 5 priorities each of one with a minimum bandwidth along the max bandwidth limit so maybe you can also prioritize SYN ACK and similar kind of packages for both your roommate and you. I am looking for a way to do so, but currently I don’t have any success.


  19. Is there a way to determine if this change to my router is working? All of the commands executed without an error so I am assuming everything is working. Right?

  20. Hi Mark, awesome tutorial! Listen, we are a small company in Mexico City and I need your help to do this. I tried to follow the steps mentioned here but when I run this command “tc qdisc del dev br0 root” it throws “RTNETLINK answers no such file or directory”. Anyways, I was wondering if you could help us via Skype, of course we will pay for your advice, could be anytime any day just let me know, my email is

    Thanks in advance!

  21. Sir I am in a hostel. Our wifi is hacked by one of our colleagues. Only his laptop has wifi connectivity 24*7. I am not able to connect. I think he has hacked our wifi for sure. Please help me, I am in deep trouble

    • Try net cut utility. U can identify his IP address and MAC too and prevent him from disconnecting you from the network.

      • Or you can plug in to the router directly via ethernet and change the security settings to WPA2 creating a network key using letters numbers and a character or two. Your colleague will need a super computer to break the password even if he already has a large database created. Remember you can have up to 63 characters on a WPA2 password. If you don’t know how to do this look up your router’s model number and default router login instructions.

  22. OK, I’ve run the tc commands and the router didn’t snivel, so maybe it’ll work.

    What sort of tc command can I run to check that the commands have ‘taken’, so I can be sure that my brother-in-law will be bandwidth limited when he streams sports channels when he visits us, please?


  23. Excellent tutorial, which after I’ve digested it will probably do just what I’m looking for. Many thanks Mark!

    Just one aside: I’ve printed the man page for tc and have to say that whilst I have some experience with Linux, the tc command seems pretty opaque!

  24. I am running a cyber cafe with 10 computers, DIR 615 dlink router and a wimax MODEM for internet. All the computers are connected to the router through wireless cards. How can I limit the download and upload bandwidth through my router? THANKS in advance.

  25. Is there a way this could be done if my dd-wrt firmware router doesn’t have an SSHD command to turn on but only a telnet command? Can these commands be done through telnet?

  26. Hey, nice tutorial :D I wish my Router supported it :/ My Italian room mate has been hogging the bandwidth for ages.

    Ignore the stupid, arrogant haters in above posts :P

    You sure know your stuff!

  27. Great info – thanks! No good deed goes unpunished – I have two questions. First, do you know how to apply the limit to the upload speed? Second, is there a line to remove the rule, aside from just increasing the limit?

    Thanks again!

  28. What a surprise.

    Author uses technical terms unknown to non-techies … And lo and behold, author runs a technology company.

    What a surprise.

    • The title of this post promises “how to reliably limit the amount of bandwidth your roommate or bad office colleague uses”. Not “advanced networking for dummies”

      Before we even get to the “technical” stuff it is apparent that this solution requires a Linux-based third party router firmware. (To be fair, anyone desiring any level of network control past ‘setting the wifi password’ NEEDS custom firmware, if not commercial-grade network hardware.)

      I’m pretty sure anyone who has hacked a residential gateway router can get their head around some damn shell scripts. If that’s too much to ask, consider speaking with your bandwidth-hogging compatriot, THAT certainly doesn’t require a whole lot of technical skill …


        Good information

    • It’s not even that technical, a subject like this requires a slightly technical answer.

      Have you considered instead of moaning about the lingo/jargon used. Actually Googling (that’s how you got here right) the lingo and consider reading. There is an ever increasing number of lazy people always wanting the quick solution with minimal learning. The author could not have made it any easier for you.

      Thanks Mark, brilliant solution to quite a complex problem. I would ignore comments from the “sloth-like” people.

      • I accidentally posted prior to reading your post. Well said indeed. I tried to erase my old post as I hate posting with accidental grammatical &/or spelling errors.

        It’s hard to excuse ignorance when so much free knowledge is available to those willing to look.

        It’s sad to see comments where someone would post something so ignorant. How can someone explain a technical task to a person without the slightest foundation of technical knowledge?

        Sadly, one day I foresee a world desperate for Google to wipe their butts and feed them. It’s bad enough that everyone has to have the newest $600 phone, only to complain about simple technical issues and demand that their provider “reimburse them for their time.” How much can 15 minutes cost from someone unable to READ THE INSTRUCTIONS or RESEARCH THE PROBLEM?

  29. You are a &^%$#@ idiot!!!!! I have DD-WRT on my router and I need to do this, but your explanation is impossible for a normal person to follow. Perl script? Shell?… awesome! If only my room mate used that IP addres! KISS MY A$$! You jerkoff!!!! How about a way for the rest of us to solve this problem without getting gun and shooting our room mates in the head!!!

    • If only you could change the number when you type it in. You should design the next version of windows, as you clearly know a lot about usability testing.

    • Perhaps if you are so technically challenged that you can’t google to learn enough about using shell scripts to do what is described in the article you shouldn’t be screwing around with your router in the first place. But since you asked so politely for help I’m sure many here will jump at the chance to respond with detailed instructions. While we are at it maybe someone could come to your house and teach you how to tie your shoelaces….

    • Perhaps you could assist the author by writing a few billion individual tutorials, one for each IP that exists in the world. Thats definitely the easiest option isn’t it…..

      Or perhaps, if you’re capable of installing custom firmware onto a router, you might actually be capable of reading a screen to find out your room mates IP address. Or even, get up and walk to his computer to find it out.

      But I guess that’s probably too much effort for someone who can’t think for themselves.

    • Learn to read you illiterate app! Better yet, pay the money to have someone that isn’t tossed into a world of furious profanity and chest pounding when RIDICULOUSLY easy terminology is used!

      It’s difficult for myself, and I’m certain I speak for the grand majority of persons making a living by creating devices and softwares with big shiny buttons and softwares and instructions purposely written for the vast majority of Americans that have made education and articles mind numbingly simplistic with a literary rate of a 3rd grade child!

      If you are unfamiliar and unwilling to learn such simple, rudimentary and fundamental terminologies and tools, I.E. PERL (A scripting language… sorry… a computer programming/scripting language executed… ehem… language that does stuff in a screen)… I can’t continue speaking on idiot terms without being paid!

      The only thing you deserve my foul mouthed peter, is a humbling beating… some color books on computer terminology that I learned as an 8 year old child WITHOUT THE INTERNET WE KNOW TODAY, because it mattered to me, and I am not ignorant enough, or lazy enough to cry and complain and insult persons that offered an extremely easy to follow means to circumvent a problem without having to pay for someone else to do it for them.


      Peter, you’re the perfect example of why humanity should be purged like an infectious vermine. To translate, your one of those many POS (ehem… piece of s**t) that would justify wiping out humanity.

  30. HEY! CAN SOMEONE HELP ME! HOW CAN I DISABLE THIS LIMITATION, CAUSE MY BROTHER USED THIS “hogging of bandwidth”. I have DL SPEED of 400-2mb before but now it fell to 20kbps. We’re sharing a Router…..


  31. Hi, nice tutorial! I have one question – since our line is asynch in that we have 4Mbps down and 512kbps up, how would I limit the down speed to 700kbps and the up speed to 100 kbps?

    Thanks again, cool article!

  32. I stumbled on your post and this is exactly what i am looking for. however, i can’t figure out

    SSH to your router IP address:
    ssh root@
    Enter password.
    Type “ifconfig” and check which interface your router has configured as your internal default gateway. The IP address is often The interface is usually “br0″.

    How do i get there? I set up my private key and can connect thru WinSCP following the dd-wrt wiki.

  33. hi
    I have a DIR-615 (D-Link) and loaded DD-WRT on it.
    I limited bandwidth with tc commands, but
    all limitations are cleared when I turn off the router

  35. Hi, in my hostel someone is hacking the speed of wifi and his speed is 1mbps but here on my laptop it is only 3 kbps .. please help me, what to do .. I’m confused
    should I use any software..
    or can anybody tell me what that guy is using and what he is doing … please help me

  36. Great idea ! i would like to ask something more.
    In my situation, I am in quite identical to yours, I have a 2 gig availability at my laptop from a 30 gig at the model from the service provider. So I don’t ask help for that aspect, nothing can be done, already tried. What I am concerned about is there is only one “client”, me, but I have a constant 3 other PCs that use my bandwidth limit for free. (It is accepted that way.) But my problem is that I have a limited bandwidth download after which I have a penalty fee by each gig over, which makes an expensive fine by the end of the month. Guess WHAT? Nobody takes excess bandwidth lolll! So as I can’t see what every one uses as programme and download, I don’t want to slow them down but to install a “filtering download bandwidth limit” for EACH one I add on my network (under my router..dd-wrt linksys model wrt54G/GL/GS.) Is there a setting or a command line that would settle me for that? That way, whatever or whenever they use the bandwidth, when they reach their each specified limit, their connection will be stopped until the next parameter. (ex: 500mb/day or 3 gig a week or 12 gig / month) I would be able to have a better control of the bandwidth regardless of anybody’s use, just by the MAC address download limit. Thanks a lot

    Notify me if something is confusing in my explanation

  37. sorry to bother you, I was trying to do the same but with a linksys wrt54g2 but all I get is:

    root@DD-WRT:~# tc qdisc del dev br0 root
    RTNETLINK answers: No such file or directory
    root@DD-WRT:~# tc qdisc add dev br0 root handle 1: cbq \
    > avpkt 1000 bandwidth 6mbit
    RTNETLINK answers: Invalid argument
    root@DD-WRT:~# tc class add dev br0 parent 1: classid 1:1 cbq \
    > rate 700kbit allot 1500 prio 5 bounded isolated
    RTNETLINK answers: No such file or directory
    root@DD-WRT:~# tc filter add dev br0 parent 1: protocol ip \
    > prio 16 u32 match ip dst flowid 1:1
    RTNETLINK answers: Invalid argument
    root@DD-WRT:~# tc filter add dev br0 parent 1: protocol ip \
    > prio 16 u32 match ip src flowid 1:1
    RTNETLINK answers: Invalid argument

    any ideas?
    thanks in advance

  38. Nice article, exactly what I’m looking for, except I am having a problem with step 2:

    root@DD-WRT:~# tc class add dev br0 parent 1: classid 1:1 cbq \
    > rate 1kbit allot 1500 prio 5 bounded isolated
    RTNETLINK answers: No such file or directory

    Anyone have any suggestions?

  39. Is there a way this could be done if my dd-wrt firmware router doesn’t have an SSHD command to turn on but only a telnet command? Can these commands be done through telnet? It’s a Linksys wrt54g.


    • I was using the micro version of the firmware, which doesn’t have SSH. If you use the “standard” one, you’ll get SSH. However, telnet will work fine to enter the commands.

      • Yeah: Micro. Kind of stymied…

        My situation resembles your hypothetical one as:

        I’ve got a 200′ ethernet cable from my up-the-hill landlord’s Qwest modem, going into my wireless router (running “Firmware: DD-WRT v24-sp2 (10/10/09) micro”) and, precisely as you described, my Netflix viewing habits have got on my landlord’s nerves, and I am convinced that I need to place a limit on how much of my landlord’s bandwidth I draw away from him: After all, he is the one paying for the internet service, so if I am hogging bandwidth, I am being a bad tenant–which no self-respecting tenant wants to do.

        Any help here would be appreciated.

  40. actually this information is useful for me but I want to restrict all users who connect with my router in my office, so how to do this for all users

    please give me a solution
    as soon as possible, it’s urgent

  41. Perhaps you can tell us what each line of command means. I like to know what I’m doing. Also what if I am using a 15 Mbps internet connection. Will the commands be different? Lastly, how can I undo this. Thanks.

  42. Hi
    Great tutorial. It seems like it is exactly what I have been looking for….however, being a newbie in this field, I need a little more guidance to get all the way home.

    quote: ” Because you’re going to enter shell commands, I recommend adding a public key for password-less authentication when you log in to DD-WRT.”
    How do I add a public key?

  43. Hi, Need a solution:-
    I have a belkin router in my home, my room mate has limited my bandwidth allocation, how can I reset the same and get access to the full bandwidth?
    Thank you in advance

  44. This post is spot-on, thanks for putting it up. Does exactly what I needed, is simple to deploy, and does not waste time with books of documentation (no patience for that when you need something effective and simple).

    Question, somewhat related. Once you have your rate limit on, do you see a data flow reduction in results coming out of rFlow from your DD-WRT device? I see no difference in mine, though I know the rate limiter works. I suspect that the problem is that rFlow does not report P2P sessions (maybe because they are always on and don’t end?) I have 1 MB/sec download going to a wireless client on my network but this traffic is not shown when using NetFlow analysis tools like Scrutinize. I tried several different monitoring tools. If you have an idea of what’s going on, would be interesting to know.

    Cheers, good work.

  45. This is GREAT!!! The only problem I have is doing it by IP address since it’s normally assigned dynamically. My son’s computer is normally the bandwidth hog since he’s streaming movies and conducting internet life on a near 24/7 basis. I’ve gone so far as to create a separate wireless network for him and allow him to connect *only* to that WiFi network. I configured rules to prevent his network from being able to see any of the other networks so have essentially carved out a network that he and his friends can connect to. I’d *really* (emphasis on REALLY) love to be able to limit this network to a certain amount of bandwidth. (Think of it as a guest network per se.) If that isn’t possible, perhaps limiting by MAC address would be the second best option. I can’t tell you how many times my network has gone to a crawl (SSH sessions disconnecting, all hell breaking loose) because one of his friends comes over and is running a P2P program that sucks all the available bandwidth. I have 24Mbps download and 6Mbps upload on a pretty consistent basis so my network rocks – it just gets abused…

    I’ve created a restriction policy and put it in place based on MAC address. I add his friends computers and apply the setting. BOOM! Internet is back to stable for me and there’s weeping and wailing coming from his bedroom. I hate to completely cut him off so just limiting him to 1-2Mbps would be ideal.

    Please let me know if you can think of anyway to achieve this great feat!


    • Yes you can limit it by making a different segment for him. For example, if your complete network is 192.168.1./24 like the examples given, you can set static IPs in the dhcp server of the router within the trusted range of, and then set the dhcp dynamic range to 128+

      Then in the tc filter commands, use instead of a specific IP address. That is shorthand for with a netmask of That makes all IPs 128 and above restricted to the limit set. And since that is the dynamic range given by the dhcp server, only trusted devices you assign IPs below 128 will not be subject to the limit. You can get fancy and add multiple limits, using 1:2 instead of 1:1 as well.

      • Hello. I am about to buy a Netgear WNDR3300 router to apply this guide.
        My goal is to limit the bandwidth use of an Ipod touch and a PC connected wirelessly to my current router.

        My network also assigns random IP addresses to each device. I want to use your method to create two divisions of IPs in the DHCP server to help me set apart throttled devices from restriction-free ones.

        Could you explain with a bit more detail how to create these “groups” and how do I assign static IPs to restriction-free devices?

        I want to understand how this is going to work before I buy the router.


    • DD WRT has a function that allows the DHCP server to always issue a specific PC with the same IP address dynamically. This is done by associating a MAC address with a static IP lease. This can be set under the Services tab > DHCP Server > Static Leases. You put in the MAC address and the desired IP address (which should be out of range of the DHCP server) and that IP will automatically be assigned to that specific PC whenever it connects.

      This would then allow you to follow Mark’s instructions above.
