
Is there a script/way to limit/cap daily data *usage*?


KineticSloth

New Around Here
So I searched but couldn't come up with anything.

I just recently bought an ASUS router, and installed Merlin.

My situation:
I am "unofficially" data capped by my ISP. Even tho they *swear* they don't cap, I have been cut off many times when I hit 100~120GB/month.
It wasn't too much of a problem, until my kids recently moved in with me. I generally use around 3GB a day, myself. But with the kids here, and the recent COVID induced remote learning, and the kids constantly streaming, it's been hard to keep our daily usage down to a self-imposed 4GB/day.

I have QoS activated to keep their *bandwidth* pretty low, and from hitting our self-imposed total *data usage* limit of 4GB/day, within just an hour or two.

But I still have to manually check total data usage many times a day, and randomly turn off their access, (hopefully, BEFORE we go over 4GB) thru the day, which leads to arguments and pleading to turn it back on. Not to mention, arguments over whose fault it is for hogging all the data.

What I want, is to limit devices/IPs/MACs, or maybe a subnet, to a daily data cap, and cut WAN/WiFi access automatically once those limits are reached.

Is it possible?
Thanx!
 
It sounds interesting and is definitely possible but I'm not sure how to implement it myself as I've not had experience setting up a data cap.

The first part - setting certain devices to specific ip addresses on the LAN or putting them into a specific group is the easier part. Under LAN > DHCP server, you can set "Manually Assigned IP"s at the bottom, you'll just need to match and appropriately name the MAC addresses of the devices that everyone's using and assign them a specific number on the chosen subnet. Then on each person's device, tell it not to use DHCP and manually input their allotted ip and subnet mask and the router's ip. After reconnecting, they'll have these numbers all the time.

To set up a datacap, I'm not sure if the most elegant solution, outside of another program altogether, would involve iptables with tc?

I've noticed iptables keeps a measurement (even without a formal counter in the firewall rule) of how many packets and their size are matching a rule. What you'd need to do is create forwarding rules in the default (filter) table. The current rules would need a cleanup to make room for these or tweak what's there already:

iptables -A FORWARD -s $your_particular_subnet_of_ips_you're_grouping_together OR -i $your_lan_interface_in_general -o eth0 (or whatever your WAN interface is) -j ACCEPT

e.g.
Code:
iptables -A FORWARD -s 192.168.1.20/31 -o eth0 -j ACCEPT

This basically means "allow anyone on the LAN specifically with ip address 192.168.1.20 or 192.168.1.21 (again, you can change the subnet as required, just plan out how many devices you use and hence how many possible addresses you want available and how you want to group them) to access anything on the internet from any port to any port they wish" (feel free to add more specific port restrictions at a later time, such as limiting to only ports you use like 80, 443, email etc etc - a subject for another thread!)

Something like
Code:
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
would affect everyone on the LAN.

And the corresponding
Code:
iptables -A FORWARD -i eth0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
should come above this rule if it's not already there, to allow connections from the internet to respond freely if and only if you've initiated them from your side to start with.

What you'll notice when doing
Code:
iptables -L -n -v
is that there is a counter under number of packets and packet sizes now. The combined in and out will be how much data you've used. I would love if there was a purely iptables-only solution here but I worry that adding a counter to the rule and then jumping to a deny rule when the counter hits a certain number might hurt performance a bit and it's probably not an elegant solution.

Where to go from here I don't know - however, I know with tc you can 'mark' packets and set bandwidth restrictions on the rate they flow for a particular interface. What I believe is possible but have never seen, is being able to simultaneously have tc mark these packets and instead of rate limiting, cease and drop packets after it hits a specified count. Instead of defining a different subnet on the LAN, perhaps this would be defining another (sub?) interface? br1 vs br0 for example? "these devices use br1 which is a subset of br0 and may only transfer X packets before the connections must all be dropped".

I look forward to someone with more experience on this sharing how it could be done! :)
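
Added example, not part of any post in this thread: one way to turn the byte counters shown by `iptables -L -n -v` into a daily cap check. It assumes eth0 is the WAN interface and that FORWARD holds one counting rule per device (or subnet) in each direction; the function names are hypothetical and the listing is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Assumed names: WAN interface eth0,
# one counting rule per device and direction in FORWARD, cap given in bytes.
WAN_IF="${WAN_IF:-eth0}"

# Read `iptables -L FORWARD -n -v -x` on stdin; print "ip bytes" per LAN address,
# upload (source -> WAN) plus download (WAN -> destination) combined.
usage_by_ip() {
    awk -v wan="$WAN_IF" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {          # rule rows: pkts, bytes, ...
            if ($7 == wan && $8 != "0.0.0.0/0") total[$8] += $2
            else if ($6 == wan && $9 != "0.0.0.0/0") total[$9] += $2
        }
        END { for (ip in total) printf "%s %.0f\n", ip, total[ip] }
    ' | sort
}

# Print the addresses whose combined total exceeds the cap ($1, bytes).
over_cap() {
    usage_by_ip | awk -v cap="$1" '$2 + 0 > cap + 0 { print $1 }'
}

# Turn addresses on stdin into DROP rules; anything that is not a plain IPv4
# address or CIDR is ignored so the output is safe to pipe to sh.
block_cmds() {
    awk -v wan="$WAN_IF" '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
        printf "iptables -I FORWARD -s %s -o %s -j DROP\n", $1, wan
        printf "iptables -I FORWARD -d %s -i %s -j DROP\n", $1, wan
    }'
}

# Constructed sample of `iptables -L FORWARD -n -v -x` output (not real data).
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2100000 3900000000 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.1.20
  900000  400000000 ACCEPT     all  --  *      eth0    192.168.1.20         0.0.0.0/0
  500000  700000000 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.1.21
  100000   50000000 ACCEPT     all  --  *      eth0    192.168.1.21         0.0.0.0/0
  800000  900000000 ACCEPT     all  --  eth0   br0     0.0.0.0/0            0.0.0.0/0
EOF
}

# Demo on the sample with a 4 GiB cap; on the router, feed the real listing instead.
sample_listing | over_cap 4294967296 | block_cmds
```

On the router the input would be `iptables -L FORWARD -n -v -x`, with `iptables -Z FORWARD` run once a day to reset the counters. Per-device download rules only count traffic if they sit above the general RELATED,ESTABLISHED accept rule.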
 
Thanx for the informative reply, Linux_Chemist. ;)

I guess I should have given more info, as it might have saved you quite a bit of typing, tho. Sorry.

Currently, I *do* have things setup pretty well.
I currently have all the devices I want limited, set up on the 2.4GHz wifi, with static IPs assigned to MACs. (I use the 5GHz myself, so I can turn their access off at will, while still being connected myself, all the time :) ).

I'm also using a mixture of QoS assigned to MAC, Parental Controls web filtering, and time scheduling, also assigned by MAC.

The only thing I haven't done, is separate their devices and mine onto separate subnets. So far, I haven't really found a need for it. vOv

I'm terrible with CLI, so was hoping for a ready-to-go script or something.
But I may have to dig into, and research, what you've posted, and how the traffic monitor works. I have to imagine, if the traffic monitor can keep track of, separate, and display data usage totals by IP/MAC address, there should already be quite a bit of existing scripting/code, to output the numbers. vOv

I would hope, then, that it's just a matter of figuring out how to manipulate them into limit switches... or at least a way to throw a notification, so I could manually cut the devices off.

I *am* kind of surprised there isn't already this built-in functionality... I mean, I CAN'T be the only one who's ever wanted LAN-based device data caps?

And since I haven't had this issue on a long-term scale before, on my previous DD-WRT based router, I never noticed the functionality seemed to be missing from there, either...:thinking: :p
 
Here is a crude script QuotaMonitor.sh
This may get you started.
 
