Topic: Kindly expound on Magic Shaper!  (Read 1235 times)
« Reply #15 on: February 20, 2015, 17:05:52 »
cmutwiwa *
Posts: 11

> I would have to look at how we could set up a per user state limit...  And one that would not break everything later.

That would be really nice.
Is there anything I can do about increasing the state table on m0n0wall? Maybe that will give some more room for smooth browsing while torrents are downloading?
« Last Edit: February 20, 2015, 17:33:09 by cmutwiwa »
« Reply #16 on: February 20, 2015, 22:08:52 »
Lee Sharp *****
Posts: 517

A torrent client run amok can generate thousands of states.  More states have to be compiled into the kernel...  This is not something that comes up often, and bad torrent actors like this usually get blocked.  Hard.
« Reply #17 on: February 21, 2015, 08:42:06 »
cmutwiwa *
Posts: 11

Understood, will keep monitoring, I'm hoping that was just an isolated issue... I know most of my clients do torrents but I had never seen something like this before, especially after I started using m0n0wall.
« Reply #18 on: February 21, 2015, 18:33:03 »
Lee Sharp *****
Posts: 517

Most torrent users are sophisticated enough to know that if they knock down the Internet, they will get noticed and banned.
« Last Edit: February 21, 2015, 18:41:01 by Lee Sharp »
« Reply #19 on: February 26, 2015, 08:36:27 »
cmutwiwa *
Posts: 11

Hi,

I'm hoping someone is still around to give a helping hand.

I'm not sure if I should start a new thread for this question but I feel that it's related to this topic so I'm going to post it here anyway.
The share bandwidth evenly on LAN has worked wonders for me so far, I no longer get complaints from my clients about slow speeds despite my low bandwidth. However, something has been bothering me lately: I have clients who want to connect more than one device on their end. They can either achieve this by plugging the cable into a switch or into a router and then sharing the connection either wirelessly or through cables. You realize that when this happens there is unfair distribution of bandwidth, whereby the clients with more devices consume more than those with only one device.
So my question: how can I allow only known devices to get a connection? I saw an option on m0n0wall's DHCP Server tab about allowing only reserved devices. I thought this would help me out but I discovered that this works only for DHCP, and even when the option is enabled any client with a static IP can still get a connection. Is there a way that I can block or allow devices by their MAC addresses on m0n0wall? I know this feature is available in almost all routers, even the cheapest ones, so I was thinking it must be somewhere in m0n0wall but I just can't find it.
Note that I don't want to deny my clients the privilege of connecting more than one device, I just want each client's connection to be treated as one connection by m0n0wall no matter how many devices are connected on his/her local network. On the client's end he will need to install a router with a public IP assigned by m0n0wall so that m0n0wall will treat the connection as one, but then the client can create his own local network and connect as many devices as he/she wishes without consuming more bandwidth.

I hope I'm making sense.

Any help or advice will be highly appreciated.

Regards

Cosmas.
« Reply #20 on: February 26, 2015, 21:11:17 »
Lee Sharp *****
Posts: 517

Yes, you are making sense...  m0n0wall is balancing traffic with each IP address it sees, so there is no way to filter by port.  Now the switch could filter by port by only allowing one MAC address to associate.  And yes, a small router at the client side would fix things.

As to support, you can try the SmallWall forums.  http://www.smallwall.org/ is a project that aims to continue m0n0wall.  And the Forums at http://smallwall.freeforums.net/ will be supporting m0n0wall for now and SmallWall as we get ready for release one.
« Reply #21 on: February 27, 2015, 09:36:15 »
cmutwiwa *
Posts: 11

> Now the switch could filter by port by only allowing one MAC address to associate.
Could you please explain how this can be achieved? Maybe I'm not getting it right, but did you mean there is a way to do MAC ACL on a switch?

> And yes, a small router at the client side would fix things.
I already have that implemented in most of my clients, it's working to some extent but there are clients who know how to beat it, so they just unplug the cable from the router and plug it into a switch.

> As to support, you can try the SmallWall forums.  http://www.smallwall.org/ is a project that aims to continue m0n0wall.  And the Forums at http://smallwall.freeforums.net/ will be supporting m0n0wall for now and SmallWall as we get ready for release one.
I'm already subscribed to SmallWall forums and I've been following the posts there closely, I'm really hoping it will come through, I like the concept to maintain a lean firewall.
« Reply #22 on: February 27, 2015, 22:25:18 »
Lee Sharp *****
Posts: 517

> > Now the switch could filter by port by only allowing one MAC address to associate.
> Could you please explain how this can be achieved? Maybe I'm not getting it right, but did you mean there is a way to do MAC ACL on a switch?

Good switches can, yes.  For example, here is how on Cisco.  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html  Other managed switches can as well, but you have to look for the feature.
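
The per-port MAC limit discussed in this reply, as an added example that is not part of the original posts or of the linked Cisco guide: a Cisco IOS port-security fragment for one customer-facing access port. The interface name and description are assumptions; the `switchport port-security` commands are standard IOS port-security commands.

```cisco
! Added example: customer-facing access port limited to one learned MAC address.
! Interface name is hypothetical; use the port the customer's cable lands on.
interface GigabitEthernet1/1
 description customer drop (hypothetical)
 switchport
 switchport mode access
 ! Port security must be enabled before the limits below take effect.
 switchport port-security
 ! Only one source MAC address may be secure on this port at a time.
 switchport port-security maximum 1
 ! Learn the first MAC address seen and keep it in the running config.
 switchport port-security mac-address sticky
 ! Drop frames from any other MAC address and count the violation.
 ! The default action, "shutdown", would err-disable the port instead.
 switchport port-security violation restrict
end
!
! Check the learned address and the violation counter with:
! show port-security interface GigabitEthernet1/1
```

With this in place a customer router presents a single MAC address to the port, so everything behind it still reaches m0n0wall as one IP address. If the cable is moved to a plain switch, only the first learned MAC address passes and the other devices show up in the violation counter.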
 