There are about 20 people sharing our internet connection on a WRT54GL running regular Tomato 1.21, generally with only 5 or so people using it at a time. Users are on a DHCP range of 192.168.2.100 to 192.168.2.149. Outgoing connections are managed beautifully by Tomato 1.21's built-in QoS. I'm also using scripts found on this board to limit each user in this range to 125 TCP connections and 50 UDP (and ICMP) connections.

Code:

    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.2.100-192.168.2.149 -m connlimit --connlimit-above 125 -j DROP
    iptables -I FORWARD -p ! tcp -m iprange --src-range 192.168.2.100-192.168.2.149 -m connlimit --connlimit-above 50 -j DROP

The trouble I'm having is that there is one person who occasionally downloads HUGE files from a very fast server somewhere, completely hogging the entire 10MB/s incoming connection. I've successfully given this user a Static IP and shaped traffic for this IP using the following script from Robson's Script Generator:

Code:

    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"
    tc qdisc del dev br0 root
    tc qdisc add dev br0 root handle 1: htb
    tc class add dev br0 parent 1: classid 1:1 htb rate 10000kbit
    $TCA parent 1:1 classid 1:10 htb rate 500kbit ceil 6000kbit prio 2
    $TQA parent 1:10 handle 10: $SFQ
    $TFA parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:10
    iptables -t mangle -A POSTROUTING -d 192.168.2.109 -j MARK --set-mark 10

The script seems to work beautifully b/c immediately after applying it while this user was downloading, the RX on the WAN dropped to near the ceiling of 6000kbit. The problem is that I can't constantly monitor the charts to keep an eye out for individuals monopolizing bandwidth, assign them static IPs, and redo the script every time. Is it possible to effectively apply this same limit to each individual user in the DHCP range?
Looking at Robson's, I feel like if I replace the last line in the script with the following, it would treat the range as a single unit (rather than treating each individual IP within the range as a single unit):

Code:

    iptables -t mangle -A POSTROUTING -m iprange --dst-range 192.168.2.100-192.168.2.150 -j MARK --set-mark 10

Please correct me if I'm wrong, but wouldn't this try to give 500kbit to this IP range as a whole, and cap this IP range (again, as a single unit) to 6000kbit? Because what I want is for each individual IP to generally get 500kbit with a cap of 6000kbit. I thought I might do this by individually listing each IP in the range, but Robson's limits things to 32 IPs. Plus, even if I could add 50 separate lines, it would seem like that would be a really bloated script. The iptables commands I'm using to limit TCP and UDP connections for the DHCP range seem so elegant. Is there a similarly elegant way to institute a bandwidth ceiling (about 3/5ths of the incoming bandwidth) for each individual IP in the DHCP range?

Thanks for your help!
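A per-address version of the script in the post, as an added example that is not part of the original post or of Robson's generator: a loop emits one HTB class, SFQ leaf, fw filter and MARK rule for every address in the DHCP range, so each address gets its own ceiling instead of the range sharing one class. Assumptions: the last octet is reused as the class id, qdisc handle and mark (marks 100-149 are assumed unused elsewhere), and the guaranteed rate is lowered to 200kbit because 50 classes at the post's 500kbit would promise 25000kbit under a 10000kbit parent.

```shell
#!/bin/sh
# Added example: per-IP download shaping for the DHCP range from the post.
# The variable names and the function name are hypothetical, chosen for illustration.

DEV=br0          # LAN bridge, as in the post's script
NET=192.168.2    # subnet prefix from the post
FIRST=100        # first DHCP host octet
LAST=149         # last DHCP host octet
LINK=10000kbit   # parent rate from the post's script
RATE=200kbit     # assumption: 50 x 200kbit = LINK, so guarantees are not oversubscribed
CEIL=6000kbit    # per-address ceiling from the post

# Print the tc/iptables commands instead of running them, so they can be
# reviewed first (and so the generator can be checked off the router).
gen_per_ip_rules() {
    echo "tc qdisc del dev $DEV root 2>/dev/null"
    echo "tc qdisc add dev $DEV root handle 1: htb"
    echo "tc class add dev $DEV parent 1: classid 1:1 htb rate $LINK"

    host=$FIRST
    while [ "$host" -le "$LAST" ]; do
        # One class per address: its own guaranteed rate and its own ceiling.
        echo "tc class add dev $DEV parent 1:1 classid 1:$host htb rate $RATE ceil $CEIL prio 2"
        # SFQ leaf keeps one flow of this address from starving its other flows.
        echo "tc qdisc add dev $DEV parent 1:$host handle $host: sfq perturb 10"
        # fw filter: packets carrying mark $host go to class 1:$host.
        echo "tc filter add dev $DEV parent 1:0 prio 2 protocol ip handle $host fw flowid 1:$host"
        # Mark traffic headed to this single address (not the whole range).
        echo "iptables -t mangle -A POSTROUTING -d $NET.$host -j MARK --set-mark $host"
        host=$((host + 1))
    done
}

# Prints the commands for review; append "| sh" on the router to apply them.
gen_per_ip_rules
```

Addresses outside the range carry no mark and stay unshaped, the same as with the single-address script.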