Traffic shaping

We are a small WISP with approximately 600 clients on our network spread across 17 towers. We are currently running off of a 20Mb fiber pipe to the internet, but that is not our issue right now.

We are coming nowhere near our bandwidth limits, but recently we have come across a problem. Bit torrent traffic is killing the usability of the internet for our users. Our backhauls and AP’s are getting hit hard and we need to get this traffic under control.

Before we go drop a lot of money on more AP’s and higher capacity backhauls, we would like to have a go with traffic shaping.

I would like to know your thoughts on different traffic shaping solutions.

I have been looking at different products, but none seem to be designed for this type of application, with the exception of Packeteer (which would cost us more than we would like to spend at the moment).

Preferably we would like to use something open source. We have 20 or so brand new workstation computers in the warehouse that we could dedicate to this project, so I would prefer a software solution over a hardware one.

I greatly appreciate any insight on our problem.

A lot of people route to their towers, and QoS at the site. You feed the cluster into the router (or layer-3 switch)… most often a Mikrotik box, and choke it there. That way the p2p traffic never makes it onto the BH’s or the core. Pinching it at the tower confines all traffic to the local site.

If I had my way about things that is how I’d run things.


Smokeshow wrote:
Preferably we would like to use something open source. We have 20 or so brand new workstation computers in the warehouse that we could dedicate to this project, so I would prefer a software solution over a hardware one.

I would give Zeroshell a try (
You can try the Live distro (based on Linux); it's very simple to configure Layer 7 filters to enforce QoS in transparent bridge mode.


It’s the strangest thing: any time someone uses BitTorrent their speeds get reduced to 512/128… It doesn’t seem to have the same effect on the network if their upload is very limited.

Well, we have already made the needed modifications to our Fair Use Policy (which, according to our user contract, can be changed at any time with 60 days’ notice). It looks like we will more than likely be putting a device at each of our hub towers to do Layer-7 inspection of the traffic. Most users will find themselves unaffected; however, the downloaders will be the ones affected (and we already know who they are). All our customers have been notified of the upcoming changes, so there should be no legal issues we have to worry about (unlike Comcast).

Anyway, I have been doing lots of research on this over the past few days. I have played around with Smoothwall, but it was unable to run transparently. I have tried Untangle, but it does not support L7 QoS. Mikrotik is a possibility, but I have a keen eye on Zeroshell; it looks very promising.

I greatly appreciate the suggestions thus far.

Took a look at Zeroshell, and I am going to give it a try.

We currently use low-end Ciscos at each of our towers to segment the network traffic, and have run into this situation also.

I am waiting for a new higher-capacity flash card for a spare Soekris Net4501 I have, which was previously running Zebra, to test Zeroshell out.

Will post more as I know more, but this seems to be a wonderful solution that will not hinder our existing infrastructure, only add value to it.

Our biggest problem now is the Copyright Infringement emails that I am starting to get; it is a real chore to be able to turn those customers off.


We started using Allot earlier this year and so far I have been more than happy with it. It’s not free though!

We give our VoIP calls dedicated bandwidth per call, and peer-to-peer gets one pipe with defined down and upload speeds to be shared by all.

Our traffic dropped by over 1/2 after implementation.

You might also look into Much easier to configure the QoS as there is a very helpful wizard-like interface. It is BSD based, and the current stable version won’t do shaping on a transparent bridge, but you can put one box at your head end and it will help on the whole network. Legitimate traffic (IOW not a DDoS attack) will only push as hard as it can get through at the slowest point, so you can shape at the top and the bottom will behave well.

We started using a Netequalizer device at the core of our network a month or so ago.

It can be set to limit the number of connections each client can make. By limiting a customer to, say, 50 connections (25 down, 25 up) you can reduce the effect of BitTorrent on your network, since the BitTorrent client can no longer make hundreds of connections to hosts on the Internet. Customers will notice very sluggish performance if all their connections are in use. Tell them to turn off their BitTorrent client or have them limit the number of connections the client is allowed to make.

You can also set threshold limits on bandwidth. If the threshold of, say, 85% of your bandwidth is met, Netequalizer will gently start to throttle back the customers it determines to be bandwidth hogs. It tries to keep the additional 25% of your bandwidth for short, bursty-type traffic such as web browsing, checking email, etc.

You can also create IP address and VLAN pools. So if you have a certain VLAN or IP subnet assigned to one particular site, you can specify the bandwidth threshold values, etc. for that site/VLAN without having to have a Netequalizer device at each tower.
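The two Netequalizer rules described in the post above (a per-client connection cap of 25 down / 25 up, and throttling of bandwidth hogs once a link passes 85% utilisation) as a small model run over constructed flow records. This is an added example, not Netequalizer's logic or anything posted in the thread; the link size, the sample clients and the "fair share" hog heuristic are assumptions.

```python
"""Model of connection-count and threshold-based shaping rules (added example)."""
from collections import Counter, defaultdict

LINK_KBPS = 20_000                    # capacity of the protected link (assumed 20 Mb pipe)
THRESHOLD = 0.85                      # start throttling hogs at 85% utilisation
CONN_LIMIT = {"down": 25, "up": 25}   # 50 connections per client, as in the post

# Constructed sample: one tuple (client_ip, direction, kbps) per active connection.
FLOWS = (
    [("10.1.1.10", "down", 400)] * 30 + [("10.1.1.10", "up", 100)] * 30  # torrent user
    + [("10.1.1.11", "down", 2000), ("10.1.1.11", "up", 200)]          # one big download
    + [("10.1.1.12", "down", 50), ("10.1.1.12", "up", 20)]              # web / email
    + [("10.1.1.13", "up", 80), ("10.1.1.13", "down", 80)]              # VoIP-like call
)


def over_connection_limit(flows):
    """Return {client: {direction: count}} for clients above a per-direction cap."""
    counts = defaultdict(Counter)
    for ip, direction, _ in flows:
        counts[ip][direction] += 1
    return {ip: dict(c) for ip, c in counts.items()
            if any(c[d] > CONN_LIMIT[d] for d in CONN_LIMIT)}


def utilisation(flows):
    """Fraction of link capacity in use (both directions pooled; a simplification)."""
    return sum(kbps for _, _, kbps in flows) / LINK_KBPS


def hogs_to_throttle(flows):
    """Once utilisation reaches THRESHOLD, pick clients using more than a fair share.

    Fair share = capacity / number of active clients (assumed heuristic, not
    Netequalizer's actual algorithm). Below the threshold nobody is throttled,
    which is what leaves headroom for short bursty traffic.
    """
    if utilisation(flows) < THRESHOLD:
        return {}
    per_client = Counter()
    for ip, _, kbps in flows:
        per_client[ip] += kbps
    fair_share = LINK_KBPS / len(per_client)
    return {ip: kbps for ip, kbps in per_client.items() if kbps > fair_share}


if __name__ == "__main__":
    print("over connection limit:", over_connection_limit(FLOWS))
    print("utilisation: %.1f%%" % (100 * utilisation(FLOWS)))
    print("throttle:", hogs_to_throttle(FLOWS))
```

With the sample data only the torrent user trips the connection cap and, because the link sits at about 87% utilisation, only that user is selected for throttling; dropping those flows leaves the link far below the threshold and nobody is throttled.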