Throttle downloads by a single (range of IPs)


I need to limit (throttle) the maximum download bandwidth consumed by a group of IPs on my internal network.

I use a subnet.
I have grouped assigned IP via DHCP into /28 sets.
I need to limit the upload and download bandwidth that can be used by a set of IP (

I have set up two new QoS classes 105, and 205. I show the settings below.

The 105 is correctly grabbing and limiting the upload, but the download seems not to be working. What have I set wrong?

Class 205

QoS seems to be putting the traffic I expect to see in Class 205 into Class 204

According to here
“In the default IMQ_MODE (“PREROUTING”) local IP’s cannot used for the downstream rules because the QoS runs on the RED interface which is located before the NAT. This setting can changed to “POSTROUTING” in /var/ipfire/qos/settings but this has other problems (it limits local service traffic outbound).”

I have not tried this, but I want to soon… with everything being SSL on port 443 now, it’s impossible to easily do QOS now. So I’m either going to have to do what you’re doing, or do QOS based on a large list of outside IP addresses. Why do we even have ports if every service disguises themselves on the same port?

Also It would be nice if we could use firewall hosts/services/groups in the QOS menu.

Also I think that will work without the level 7 protocol lines. Or you could try using static IP’s, but if it’s a phone you would have to turn off MAC address randomization on it. I had a similar setup with static IP’s for all the IOT devices and phones, but they kept changing their MAC so I turned AP isolation on (on my AP). I might just get another network card and setup the AP on an orange zone instead to isolate/throttle them.

1 Like


with everything being SSL on port 443 now, it’s impossible to easily do QOS now.

Yes, I am afraid this works as designed. However, it has always been possible to
tunnel protocols through SSH or similar, so if a user wants to bypass QoS and is
able to open TCP connections to the internet, he/she will always be able to do so.

Why do we even have ports if every service disguises themselves on the same port?

Because things you always want to prefer over other traffic, such as VoIP or DNS,
are pretty recognisable by the port numbers used in corresponding packets. If
none of your client is allowed to talk to someones’ port 53 (TCP and UDP) on the
internet, such packets can only be generated by your local DNS resolvers. This is
why it makes no sense to drop ports from QoS.

IP addresses are not better: Imagine a CDN hosting thousands of web sites on the
same IPs. You can either block/throttle/whatever all or none of them.

Thanks, and best regards,
Peter Müller

Sorry I wasn’t saying all ports aren’t useful or that I was going to drop them… I know dns/voip and some other services are very useful being on specific ports.

In my situation I have very slow upload speed, and I just want my family to be able to enjoy slightly laggy netflix/youtube/etc without it affecting my job, where I use zoom all the time for meetings etc. Even at low quality it interrupts people talking and myself.

Until just recently this worked great, zoom was using udp ports 8801-8802 (I couldnt find any level 7 rules that worked), but now they switched to ssl 443 (and some random 50k ports), and I feel like this is a trend caused by the desire for security, but it ends up making the internet difficult to prioritize for those of us who really need to do that. Now youtube looks exactly like zoom, and I’m pretty much screwed. Personally I don’t need this security, and I believe it could have been done without using port 443 (there was another encryption option before this).

The only way I can see to prioritize my meetings now would be to create a set of IP’s for the endpoint ISP of the people I connect to (Bell/Rogers) and/or for the zoom servers and add my internal IP for upload shaping. I’ve set it up like below, but I haven’t managed to get it working yet for class 200:

class 102 voip:
tcp source: 192.168.1.X (me, static)

class 200 voip:
tcp source: - ZOOM (usually I connect to these servers)
tcp source: - ROGERS (most people I chat with are in this range)

Or I could try what the OP was doing and enable postrouting. Does anyone know if postrouting has other problems, aside from limiting local service traffic outbound?

Edit: Another option would be to add a level 7 protocol for netflix, or “D.A.S.H.” i think it’s called, then I could reverse-prioritize or something (put streaming below default like p2p). Does youtube still use rtsp?

Edit 2: How do I actually enable postrouting? I thought you just had to change a value in that file, but I dont see anything similar at all?