Channel: EdgeRouter topics
Viewing all 20028 articles

ERL => local web proxy (squid)


I'm new here. I've already searched the community forum but haven't found the solution yet. Maybe I'm not seeing it; if so, please just forward me to the correct post.

 

SITUATION:

eth0 = WAN

eth1 = LAN, 192.168.123.0/24, gateway:192.168.123.253 (=ERL)

I've a web proxy (Synology DS) on 192.168.123.1:3128.

 

QUESTION:

I want my clients on the LAN to use the web proxy for all www requests (port 80).

 

WHAT I'VE ALREADY TRIED:

 

set service dns forwarding options dhcp-option=252,http://192.168.123.1/wpad.dat
set service dhcp-server shared-network-name LAN1 subnet 192.168.123.0/24 wpad-url http://192.168.123.1/wpad.dat

With the wpad.dat the following (standard by Synology) information:

function FindProxyForURL(url, host)
{
        return "PROXY 192.168.123.1:3128; DIRECT";
}

 

But those are not successful; it depends on the clients whether they want to use it.

 

The only solution that remains is to have the ERL push the requests transparently to the web proxy. I've seen some posts about it, but I don't know whether they meet my needs or are complete. Can someone help me further with this?

 

The objective is to create a step-by-step manual for newbies.
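One way to have the ERL redirect the LAN's port-80 traffic to the Synology's Squid, as an added example that is not part of the post and not a Synology or Ubiquiti recipe. It assumes the addressing above (eth1 = LAN, proxy at 192.168.123.1:3128), that port 3128 on the Synology is a Squid intercept port, and arbitrary rule numbers; EdgeOS requires destination-NAT rules below 5000 and source-NAT rules at 5000 or above.

```text
configure

# 1. Never redirect the proxy's own outbound traffic, or it loops back into itself.
set service nat rule 10 description "proxy bypass"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth1
set service nat rule 10 protocol tcp
set service nat rule 10 source address 192.168.123.1
set service nat rule 10 exclude

# 2. DNAT every other LAN client's port-80 connection to the proxy.
set service nat rule 20 description "redirect http to squid"
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth1
set service nat rule 20 protocol tcp
set service nat rule 20 destination port 80
set service nat rule 20 inside-address address 192.168.123.1
set service nat rule 20 inside-address port 3128

# 3. The proxy sits on the same segment as the clients, so its replies would
#    otherwise go straight back to the client and bypass the router's NAT
#    table (the client then sees a reset). Masquerade the redirected flows so
#    the proxy answers to the router instead.
set service nat rule 5010 description "masquerade redirected http"
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol tcp
set service nat rule 5010 destination address 192.168.123.1
set service nat rule 5010 destination port 3128

commit
save
exit

# Watch the redirect and masquerade counters climb while a LAN client browses:
show nat statistics
```

Squid must treat 3128 as an intercept port (`http_port 3128 intercept` in squid.conf); a plain forward-proxy port rejects redirected requests, and because the NAT happens on the router rather than on the Synology, Squid reconstructs the original destination from the Host header. Two limits to expect: rule 5010 makes every redirected request appear to come from the router's LAN address, so the proxy's access log loses per-client attribution (putting the proxy in its own subnet removes the need for rule 5010 and keeps the client addresses); and only port 80 is caught. HTTPS cannot be silently redirected without TLS interception on the Synology, so the WPAD file above remains the only way to send port 443 through the proxy, and clients that ignore it go direct.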

 


Dual WAN failover with DDNS


Hi, I finally managed to set up my dual WAN with failover on EdgeRouter PoE, and it works perfectly. I also set up a trigger script that for now just logs to a file when something changes.

 

My primary WAN is eth1, and the failover WAN is eth0. I have a single DDNS entry on eth1, and it works great. How do I make it so that my DDNS points to eth0 when a failover happens?

 

Is the trigger script the way to go, or could I maybe create a second DDNS entry on eth0 with the same parameters? Or is there a way to have eth1 talk to the internet via eth0 when it's failed over, over eth1.local?
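A transition script that moves the DDNS name between the two WANs, as an added example that is not the poster's script and not Ubiquiti's code. It assumes what their existing logging script already relies on: that EdgeOS invokes the load-balance transition script as `<group> <interface> <status>` with a status of `active`, `inactive` or `failover` (assumed names); that a `service dns dynamic` entry with the same hostname exists under both eth1 and eth0 so that either interface can publish its own address; and that `/opt/vyatta/bin/vyatta-op-cmd-wrapper` can run the op-mode `update dns dynamic interface` command.

```bash
#!/bin/bash
# Added example, not the poster's script. Install as
# /config/scripts/wlb-transition.sh (chmod +x) and reference it with:
#   set load-balance group G transition-script /config/scripts/wlb-transition.sh
# Argument order (group, interface, status) and the status names are assumptions.

PRIMARY_WAN="${PRIMARY_WAN:-eth1}"   # interface that normally owns the hostname
BACKUP_WAN="${BACKUP_WAN:-eth0}"     # the failover-only interface
OP=/opt/vyatta/bin/vyatta-op-cmd-wrapper

# Decide which WAN should publish its address after an event on $1 with status $2.
# Prints the interface name, or nothing when no DDNS change is needed. Only
# events on the primary are acted on, so one failover never triggers two updates.
ddns_target() {
    local intf="$1" status="$2"
    if [ "$intf" != "$PRIMARY_WAN" ]; then
        return 0
    fi
    case "$status" in
        active)            echo "$PRIMARY_WAN" ;;   # primary is back: move the name back
        inactive|failover) echo "$BACKUP_WAN" ;;    # primary lost: publish the backup's address
    esac
    return 0
}

main() {
    local group="$1" intf="$2" status="$3" target
    logger -t wlb-transition "group=$group interface=$intf status=$status"
    target=$(ddns_target "$intf" "$status")
    if [ -z "$target" ]; then
        exit 0
    fi
    logger -t wlb-transition "forcing DDNS update for $target"
    # Forces ddclient for that interface, which sends that interface's address.
    "$OP" update dns dynamic interface "$target"
}

# EdgeOS passes exactly three arguments; a bare invocation only defines the
# functions, which is handy for checking ddns_target by hand.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Two DDNS entries alone (the second option in the post) are not enough on their own: each ddclient instance only sends an update when its own interface address changes, so nothing happens at failover time, and at boot both instances race for the name. Forcing the update from the transition script is what ties the hostname to the WAN that is actually carrying traffic.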

WebUI Broke when installing LetsEncrypt

Is it possible to block OUTGOING traffic to certain countries?


I would like to limit ALL traffic, not just incoming, to certain countries on my ERLite router. I am worried that my wife or kids will get one of my PCs infected and that infection will send personal data like IDs & PWs to foreign countries. I would prefer to limit all traffic to just North America & western Europe, but could just block certain high-profile hacker countries. Is this even possible on an ERLite router?
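The shape such a block takes on EdgeOS, as an added example that is not part of the post. EdgeOS has no country database the firewall can match on directly, so the prefixes have to be supplied as a network-group; the three prefixes below are RFC 5737 documentation ranges standing in for a real per-country list, eth0 is assumed to be the WAN, and the ruleset name and rule numbers are arbitrary.

```text
configure

# Country prefixes go into a network-group (an ipset under the hood).
set firewall group network-group BLOCKED_COUNTRIES description "outbound geo-block"
set firewall group network-group BLOCKED_COUNTRIES network 192.0.2.0/24
set firewall group network-group BLOCKED_COUNTRIES network 198.51.100.0/24
set firewall group network-group BLOCKED_COUNTRIES network 203.0.113.0/24

# Ruleset evaluated for traffic forwarded out of the WAN interface.
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT description "LAN to internet"
set firewall name WAN_OUT rule 10 action drop
set firewall name WAN_OUT rule 10 description "drop connections to blocked countries"
set firewall name WAN_OUT rule 10 destination group network-group BLOCKED_COUNTRIES
set firewall name WAN_OUT rule 10 log enable
set firewall name WAN_OUT rule 10 protocol all

# Apply it on the way out of the WAN interface.
set interfaces ethernet eth0 firewall out name WAN_OUT

commit
save
exit

# Confirm the group loaded and watch rule 10 fire (log prefix [WAN_OUT-10-D]):
show firewall group
show firewall name WAN_OUT statistics
grep 'WAN_OUT-10-D' /var/log/messages
```

The allowlist variant the post prefers is the same structure inverted: `default-action drop` with an `accept` rule whose destination group holds the North American and western European prefixes. Three caveats worth knowing before relying on it: the `out` ruleset on eth0 covers forwarded traffic only, so the router's own connections (DNS forwarder, NTP, DDNS) are never evaluated by it; country lists run to thousands of prefixes that change monthly, so the group should be refreshed by a script rather than maintained by hand; and malware can exfiltrate through hosting or CDN addresses inside the allowed regions, so this is a noise filter rather than a data-loss control. The `log enable` on the drop rule is the part that earns its keep, because an infected PC trying a blocked destination shows up in the log.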

Needed running config for load balancing with pbr on erl

Hi there,

Need some assistance: does anyone have a full working running config for an ERL with dual-WAN load balancing with PBR, where the dual WAN is running on DHCP?

I'm setting this up for a friend who has dual ISPs; he works from home most of the time and connects to the office VPN. Any help is greatly appreciated...
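A minimal dual-DHCP-WAN load-balancing configuration with the office VPN pinned to one WAN, as an added example that is not part of the post and not a Ubiquiti reference config. Assumptions: eth0 and eth1 are the two DHCP WANs, eth2 is the LAN on 192.168.1.0/24, and 203.0.113.10 is a placeholder for the office VPN concentrator. The WAN_IN/WAN_LOCAL drop rulesets on both WANs are omitted here but must be present, as in the configuration further down this page.

```text
configure

# WAN interfaces, both addressed by DHCP, and the LAN.
set interfaces ethernet eth0 description WAN1
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 description WAN2
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth2 description LAN
set interfaces ethernet eth2 address 192.168.1.1/24

# Masquerade on each WAN.
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 type masquerade

# Group G balances across both WANs. Group WAN1_ONLY has eth0 as its only
# active member and is the way to policy-route toward a DHCP WAN without
# knowing its gateway: the load balancer tracks the DHCP gateway for you,
# which a static "table 1 route ... next-hop" cannot do.
set load-balance group G interface eth0
set load-balance group G interface eth1
set load-balance group G lb-local enable
set load-balance group WAN1_ONLY interface eth0
set load-balance group WAN1_ONLY interface eth1 failover-only

# The modify ruleset decides, per new LAN flow, which group handles it.
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16
set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 description "LAN to LAN stays in main table"
set firewall modify balance rule 10 destination group network-group PRIVATE_NETS
set firewall modify balance rule 10 modify table main
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 description "office VPN pinned to WAN1"
set firewall modify balance rule 20 destination address 203.0.113.10
set firewall modify balance rule 20 modify lb-group WAN1_ONLY
set firewall modify balance rule 100 action modify
set firewall modify balance rule 100 modify lb-group G
set interfaces ethernet eth2 firewall in modify balance

commit
save
exit

show load-balance status
show load-balance watchdog
```

Rule 20 is what makes the VPN usable: IPsec and SSL VPN concentrators bind a session to the source address they first saw, so a flow that is silently rebalanced onto the other WAN is dropped by the far end until the client reconnects. Pinning the concentrator's address to a single-member group keeps every VPN flow on eth0, and the `failover-only` member means the VPN follows everything else to eth1 only when eth0 is actually down.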

A better way to manage dhcp server options for phones?


When configuring dhcpd.conf directly, you can have additional "groups" within a subnet, which can be very helpful for creating sub-pools, setting a TFTP server, modifying gateway addresses, or other random options. It makes it really easy to set up new devices... with a flat network.

 

I have a remote office that has 18 desks, but 24 phones, four printers, and some security equipment. With phones and tablets, there are fewer than 70 devices. I have one (remote) syslog server for network equipment, one for phones, and one for printers. I want an easier way to manage my DHCP options than I get with EdgeMax. Right now there are ~40 static leases with additional options set on the ER-Pro. It is a pain to manage, especially as the environment seems fairly dynamic.

 

I have a VMware host locally, but I hate the idea of using DHCP on a VM. It makes some of the recovery issues from a power outage or crash painful.

 

Anybody have an idea for simplifying the process, barring UBNT adding in support for groups?
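EdgeOS can pass raw ISC dhcpd syntax through, which covers the per-device-type case without a static mapping per phone. The following is an added example, not the poster's configuration: it assumes the ISC server is in use (`use-dnsmasq disable`), that the phones identify themselves with a vendor-class-identifier (option 60) beginning with "Polycom" and the printers with "HP" (placeholders for whatever the real devices send), and placeholder server addresses 10.10.0.5/6/7. Inner quotes inside an EdgeOS parameter string are written as `&quot;`.

```text
configure
set service dhcp-server use-dnsmasq disable

# An ISC class matches on what the client sends in option 60; options declared
# inside the class apply to every member, whichever pool its address comes from.
set service dhcp-server global-parameters "class &quot;phones&quot; { match if substring(option vendor-class-identifier,0,7) = &quot;Polycom&quot;; option tftp-server-name &quot;10.10.0.5&quot;; option log-servers 10.10.0.6; }"
set service dhcp-server global-parameters "class &quot;printers&quot; { match if substring(option vendor-class-identifier,0,2) = &quot;HP&quot;; option log-servers 10.10.0.7; }"

commit
save
exit

# Check the generated file and that dhcpd accepts it (path assumed):
cat /opt/vyatta/etc/dhcpd.conf
sudo dhcpd -t -cf /opt/vyatta/etc/dhcpd.conf
show dhcp leases
```

`subnet-parameters` and `shared-network-parameters` exist for things that must live inside the subnet, such as a `pool { allow members of "phones"; range ...; }` sub-pool. One security caveat that also applies to groups in a hand-written dhcpd.conf: the vendor class is asserted by the client, so any host on the flat network can claim to be a phone. Use classes to hand out convenience options (TFTP, syslog), not anything more privileged than the default pool gets, such as a different gateway that bypasses filtering; if that separation matters, the phones belong on their own VLAN.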

 

 

Dual Stack Configuration using Comcast


I would like to set my router up to run dual stack using Comcast. I am currently using a Ubiquiti EdgeMax router in an IPv4 environment. All of my computers are capable of IPv6 addressing. Unfortunately, I am a network rookie and I could use some step-by-step help. Can anybody help?

 

The following is what I currently have:

 
[Screenshot: Screen Shot 2017-01-06 at 4.13.39 PM.png]
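The usual EdgeOS dual-stack configuration for a Comcast residential connection, as an added example that is not part of the post and not Ubiquiti's own guide. It assumes eth0 is the WAN, eth1 is the LAN, and that Comcast delegates a /60 via DHCPv6 prefix delegation; rule numbers and ruleset names are arbitrary.

```text
configure

# WAN (eth0): take a /60 from Comcast via DHCPv6-PD and hand a /64 out of it to
# the LAN (eth1), which advertises it to clients with SLAAC.
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac

# IPv6 firewall. Without it every LAN host gets a globally routable address
# and is reachable from the internet the moment the prefix arrives; there is
# no NAT hiding them as there is on IPv4.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description "WAN to internal (IPv6)"
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description "ICMPv6 is required (ND, PMTU)"
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6

set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description "WAN to router (IPv6)"
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description "DHCPv6 replies from Comcast"
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp

set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL

commit
save
exit

# The LAN should now show a 2001:558::/20-range address ending in ::1 and
# clients should receive SLAAC addresses from the same /64:
show interfaces ethernet eth1
show ipv6 route
```

Commit the firewall lines in the same commit as the DHCPv6-PD lines, or before them; committing the prefix delegation first leaves a window where the LAN is globally reachable with no filtering at all. Rule 30 admits all ICMPv6 for simplicity; a stricter ruleset would limit it to the types needed for neighbour discovery, path MTU discovery and echo.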
 

igmp-proxy how to set disabled interfaces?


Hi,

I'm having fun (fighting) with IGMP and multicast for IPTV, and I would like to know how I can generate the settings for the disabled interfaces in the /etc/igmpproxy.conf file.

 

Right now the config allows me to define upstream and downstream interfaces, but even if I set only a single interface as downstream (switch0.99: I have 4 VLANs on switch0 in my ER-X SFP; 99 is the one I use for IPTV and where I want the IGMP proxy), if I run igmpproxy in debug mode (killing it first and then running sudo /sbin/igmpproxy -d -v /etc/igmpproxy.conf) I see it starts doing things with all my interfaces not defined in igmp-proxy (so the other 3 VLANs on switch0, vtun0 and lo as well).

 

If I add all the disabled configs to /etc/igmpproxy.conf:

phyint lo disabled
phyint vtun0 disabled
phyint switch0.1 disabled
phyint switch0.10 disabled
phyint switch0.20 disabled

and start the IGMP proxy in debug mode again, it stops interacting with all my interfaces and just does it with the one defined as downstream.

 

The issue is that if I then use "configure" to change something, /etc/igmpproxy.conf is replaced with only the content of the config, so I lose my additions to disable interfaces.

 

Any idea for a quick-win solution or workaround (at least to avoid the config file being overwritten)?

 

It would also be good if UBNT would add this setting in configure (it's quite simple, I guess).

 

Thanks a lot


Not getting any firewall messages in logs


I have configured several firewall rules to enable logging.  I am not seeing any firewall log activity in either the local /var/log/messages or the remote syslog server that is receiving logs from the EdgeMax.

 

I know that the firewall rules are getting run because most of those that I have logging enabled on are 'accept' rules and I am able to get into the router from the outside using the rules.

 

Here is the configuration:

 

Version: v1.9.1
Build ID: 4939093
Build on: 12/14/16 07:05
Copyright: 2012-2016 Ubiquiti Networks, Inc.
HW model: EdgeRouter Lite 3-Port


set firewall name WAN_IN rule 3002 log enable
set firewall name WAN_IN rule 3003 log enable
set firewall name WAN_IN rule 3004 log enable
set firewall name WAN_IN rule 3005 log enable
set firewall name WAN_IN rule 3006 log enable
set firewall name WAN_IN rule 3007 log enable

set system syslog global facility all level notice
set system syslog global facility auth level err
set system syslog global facility protocols level notice
set system syslog host 192.168.0.100 facility all level info
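Where to look before changing the syslog configuration, as an added example that is not part of the post. EdgeOS writes its rule log lines with the prefix `[<ruleset>-<rule>-<A|D|R>]` (accept, drop, reject) via the kernel facility, which `facility all level notice` already covers, so the question is whether packets are reaching the logging rules at all.

```text
# The LOG target sits immediately before each log-enabled rule; the counters
# on both tell you whether anything is hitting them.
sudo iptables -L WAN_IN -vn --line-numbers | grep -E 'LOG|^num'
show firewall name WAN_IN statistics

# Lines that did make it to syslog locally, by prefix:
grep 'WAN_IN-300' /var/log/messages
```

A log-enabled `accept` rule logs only the packets that actually reach it. If an established/related accept precedes rules 3002 to 3007, only the first packet of each new connection gets that far, so the expected volume is one line per connection rather than per packet; if the counters on those rules are climbing and no lines appear, the problem is on the logging path, and if the counters stay at zero, an earlier rule is taking the traffic.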

 

Annoying pam/sudo messages in log


My log (and syslog) are getting flooded with the following messages, does anyone know how to disable them?

 

pam_unix(sudo:session): session opened for user root by (uid=0)
pam_unix(sudo:session): session closed for user root
root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/iptables -t nat -L UBNT_PFOR_DNAT_RULES -vnx

 

Version: v1.9.1
Build ID: 4939093
Build on: 12/14/16 07:05
Copyright: 2012-2016 Ubiquiti Networks, Inc.
HW model: EdgeRouter Lite 3-Port
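The knob that matches these lines, as an added example that is not part of the post. The pam_unix session lines are emitted at authpriv.info and sudo's command lines at authpriv.notice, which is why the `auth` facility setting seen on other configurations on this page does not touch them; the remote host address below is a placeholder, used only if a syslog host is configured.

```text
configure
# Local log: raise the authpriv threshold so info/notice from pam_unix and
# sudo are dropped while every other facility keeps its current level.
set system syslog global facility authpriv level warning

# Only if a remote collector is configured and should not receive them either:
set system syslog host 192.0.2.10 facility authpriv level warning

commit
save
exit
```

These lines are the audit trail of every root command executed on the router; the flood comes from the GUI and its helpers polling iptables as root, but the same facility carries interactive sudo use by anyone with shell access. The more defensible setting is to quieten only the local file and keep forwarding authpriv at notice to the collector, where volume is cheap and the record is tamper-evident, rather than silencing it everywhere.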

Help with site-to-site ERP to SonicWall


Hi Everyone,

I need some help setting up a site-to-site VPN from an Edge Router Pro (remote site) to a SonicWall TZ200 (Office). I followed the instructions in this guide: https://help.ubnt.com/hc/en-us/articles/204976304-EdgeMAX-Configure-the-EdgeRouter-to-work-with-SonicWall-VPN and had the IT people at the office set up the SonicWall also per that guide (I don't have access to it, and am only guessing they did it right). Hopefully there's something really obvious that one of you will point out.

On the ER, it just says it's connecting but never comes up.

Thanks in advance for any help!

Oh, also I'm running EdgeOS v1.9.1

 

Here's my config:

ubnt@EdgeRouter:~$ show configuration 
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        address 10.0.22.1/24
        description Local
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/auth/my_expressvpn_usa_-_chicago_udp.ovpn
        description "ExpressVPN Interface"
        disable
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
            failover-only
        }
        lb-local enable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth6<Snip - No one cares about these>
    wan-interface eth0
}
protocols {
    static {
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                    description TEST
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 10.0.22.0/24 {
                default-router 10.0.22.1
                dns-server 4.2.2.2
                dns-server 8.8.8.8
                lease 86400
                start 10.0.22.80 {
                    stop 10.0.22.99
                }<Snip - No one cares about the leases>
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth6
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "Test VPN"
            log disable
            outbound-interface vtun0
            protocol all
            source {
                address 10.0.22.60/32
            }
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp {
        listen-on eth6 {
            outbound-interface eth0
        }
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name EdgeRouter
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 4.2.2.2
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        disable-uniqreqids
        esp-group Site2Site {
            compression disable
            lifetime 1800
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group Site2Site {
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
        site-to-site {
            peer x.x.x.x { <-- Routable IP of SonicWall
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group Site2Site
                description "Site2Site VPN"
                ike-group Site2Site
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group Site2Site
                    local {
                        prefix 10.0.22.0/24
                    }
                    remote {
                        prefix 10.1.10.0/24
                    }
                }
            }
        }
    }
}

Here's the debug:

ubnt@EdgeRouter:~$ show vpn debug 
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64):
  uptime: 27 minutes, since Jan 06 18:44:11 2017
  malloc: sbrk 382096, mmap 0, used 270136, free 111960
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  10.0.22.1
  y.y.y.y <-- The outside interface of this ER
Connections:
peer-x.x.x.x-tunnel-1:  %any...x.x.x.x  IKEv1  <-- The outside interface of the SonicWall
peer-x.x.x.x-tunnel-1:   local:  uses pre-shared key authentication
peer-x.x.x.x-tunnel-1:   remote: [x.x.x.x] uses pre-shared key authentication
peer-x.x.x.x-tunnel-1:   child:  10.0.22.0/24 === 10.1.10.0/24 TUNNEL
Routed Connections:
peer-x.x.x.x-tunnel-1{1}:  ROUTED, TUNNEL
peer-x.x.x.x-tunnel-1{1}:   10.0.22.0/24 === 10.1.10.0/24 
Security Associations (1 up, 0 connecting):
peer-x.x.x.x-tunnel-1[1]: CONNECTING, y.y.y.y[%any]...x.x.x.x[%any]
peer-x.x.x.x-tunnel-1[1]: IKEv1 SPIs: ab0aaec2dc4763fe_i* 0000000000000000_r
peer-x.x.x.x-tunnel-1[1]: Tasks queued: QUICK_MODE 
peer-x.x.x.x-tunnel-1[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD 
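What a practitioner would add and check at this point, as an added example that is not part of the post and not from the Ubiquiti guide it cites. It keeps the page's own placeholders (x.x.x.x for the SonicWall, eth0 as the IPsec interface) and arbitrary rule numbers.

```text
configure
# Let IKE, NAT-T and ESP from the SonicWall reach the router itself. As the
# initiator this side's replies ride on the established/related rule, but
# rekeys and dead-peer detection started by the SonicWall are new flows and
# need these, or the tunnel will come up once and then drop.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "IKE and NAT-T from SonicWall"
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,4500
set firewall name WAN_LOCAL rule 30 source address x.x.x.x
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description "ESP from SonicWall"
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 40 source address x.x.x.x
commit
save
exit

# A responder SPI of all zeros, as in the debug above, means no IKE reply was
# ever seen. Watch both WANs while charon retries: packets leaving eth0 with
# nothing coming back points at the path or the SonicWall; packets leaving
# eth1 instead means the router picked the other WAN for its own traffic.
sudo tcpdump -ni eth0 'host x.x.x.x and (udp port 500 or udp port 4500 or proto 50)'
sudo tcpdump -ni eth1 'host x.x.x.x and udp port 500'
show vpn ike sa
show vpn ipsec sa
```

The second tcpdump matters on this particular configuration because `lb-local enable` lets the load balancer place the router's own flows too, while `ipsec-interfaces` and the SonicWall's peer definition only know about eth0; the peer address the SonicWall was given must be the address these packets actually leave from.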

 

 

Can't load some pages Edge Router ER-Pro


I have a problem loading some pages in a particular way.

 

These pages:

 

bbc.com

stackoverflow.com

github.com

 

I was trying changing the TCP MSS clamp

and setting a firewall out rule to modify TCP MSS,

 

but it is not working.

 

The firewall is disabled.

 

Please help me, I don't know what's going on.

 

This is my EdgeRouter configuration:

 

 

 show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN {
            description ""
            network 192.168.1.0/24
            network 192.168.0.0/24
            network 192.168.200.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify eth6-out {
        rule  {
            action modify
            modify {
                tcp-mss 1452
            }
            protocol tcp
            tcp {
                flags SYN
            }
        }
    }
    name Reject_WAN {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Allow Ping"
            destination {
                group {
                    address-group NETv4_eth6
                }
            }
            log disable
            protocol icmp
        }
        rule 20 {
            action drop
            description "Reject SSH"
            destination {
                group {
                    address-group NETv4_eth7
                }
                port 22
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action drop
            description "Reject Telnet"
            destination {
                group {
                    address-group NETv4_eth7
                }
                port 23
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "Reject Web Managment"
            destination {
                group {
                    address-group NETv4_eth7
                }
                port 65534
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description "Accept New"
            destination {
                group {
                    address-group NETv4_eth7
                }
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name Reject_WAN_CBL {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Allow Ping"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
        rule 20 {
            action drop
            description "Reject SSH"
            destination {
                group {
                    address-group NETv4_eth1
                }
                port 22
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action drop
            description "Reject Telnet"
            destination {
                group {
                    address-group NETv4_eth1
                }
                port 23
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "Reject Web Managment"
            destination {
                group {
                    address-group NETv4_eth1
                }
                port 65534
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description "Accept New"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1450
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.254/24
        address 192.168.0.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description CBL
        disable
        duplex auto
        firewall {
            local {
            }
            out {
            }
        }
        mtu 1492
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        address XXX.XXX.XXX/28
        description "WAN"
        duplex auto
        firewall {
            local {
            }
            out {
                modify eth6-out
            }
        }
        speed auto
    }
    ethernet eth7 {
        address 172.16.255.2/30
        description "LAN To LAN"
        duplex auto
        ip {
        }
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop XXX.XXX.XXX {
                description "Internet"
                distance 1
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            system
        }
    }
    gui {
        http-port 80
        https-port 65534
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "Masquerade For WAN"
            destination {
            }
            log disable
            outbound-interface eth6
            protocol all
            source {
            }
            type masquerade
        }
        rule 5001 {
            description Cable
            destination {
                address 0.0.0.0/0
            }
            disable
            log enable
            outbound-interface eth1
            outside-address {
            }
            protocol all
            source {
                address 192.168.1.49
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ""
            level admin
        }
    }
    name-server 200.57.88.38
    name-server 200.57.87.33
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipv4 {
            forwarding enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Mexico_City
    traffic-analysis {
        dpi enable
        export enable
    }
}

Deleting VPN configs causes router reboot


I am trying to delete the components of a vti-based VPN from the CLI

 

If I try to delete the vti interface and commit I am told that the vti interface is still used in a VPN.

 

When I try to delete just the site-to-site VPN peer or even all the config parameters of the peer, when I commit the changes the router restarts and the vti and the VPN are still in the config when the router comes back up.

 

I can understand ipsec restarting when the commit doesn't go quite right (or even if it did) but I don't think the router should reboot.

 

My question becomes: what is the canonical and correct way to completely remove a single site-to-site ipsec vpn?

 

Thank you

 

-Nate

 

Version:      v1.9.1
Build ID:     4939098
Build on:     12/14/16 07:33
Copyright:    2012-2016 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Pro 8-Port
HW S/N:       44D9E74109AB
Uptime:       21:26:14 up 6 min,  1 user,  load average: 0.30, 0.51, 0.27
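The removal sequence that leaves no dangling reference for the validator to trip over, as an added example that is not part of the post. The peer address 198.51.100.1, the remote prefix 192.0.2.0/24 and the interface name vti0 are placeholders for the poster's values.

```text
# Op mode first: list everything that still references the tunnel. The
# validator only reports the first dangling reference, so find them all now.
show configuration commands | grep -E 'vti0|198\.51\.100\.1'

configure
# Innermost dependency first, all in one commit: routes over the vti, then the
# peer (which carries the "vti bind vti0"), then the interface itself. Anything
# else the grep turned up (a firewall "in name" on vti0, a NAT rule with
# outbound-interface vti0, a load-balance member) goes in the same commit.
delete protocols static interface-route 192.0.2.0/24 next-hop-interface vti0
delete vpn ipsec site-to-site peer 198.51.100.1
delete interfaces vti vti0
commit
exit

# Only save once the running state confirms the peer is gone; if the commit
# still reboots the box, it comes back on the previously saved configuration.
show vpn ipsec sa
show interfaces vti
configure
save
exit
```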

EdgeRouter-X: Hardware Offload


Why is hardware offloading disabled by default?  Is there any use case where you would want hardware offloading disabled?  Should I always just enable all hardware offloading as part of initial config when setting up these devices?
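The two ER-X offload settings and how to see what they are doing, as an added example that is not part of the post. On the Cavium-based ERLite/ER-Pro the equivalent knob is `set system offload ipv4 forwarding enable`, which the ER-Pro configuration further up this page already has.

```text
configure
set system offload hwnat enable
set system offload ipsec enable
commit
save
exit

# Which offloads are active:
show ubnt offload

# With hwnat on, only the first packets of a forwarded flow traverse the
# firewall; once the flow is in the switch's table the per-rule counters stop
# moving for it, which is the quickest way to confirm offload is in effect.
sudo iptables -L -vn | head -40
```

The trade-off behind the default: offloaded flows bypass the CPU, so anything that needs to see every packet of a flow does not get to. Firewall rules still decide whether a flow is allowed, because its first packets go through the normal path, but rule counters and `log enable` lines reflect only those first packets, and traffic shaping (smart-queue and traffic-policy) has nothing to shape. Enable it when throughput is the priority and you are not relying on per-packet logging or QoS; leave it off while debugging a firewall problem, or the counters will mislead you.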

EdgeRouter X problem connecting to Internet.


I am trying to swap my Zyxel edge router out with the Ubiquiti EdgeRouter X. The problem is the ISP ONT connects into Zyxel router LAN 4.

 

The Ubiquiti EdgeRouter X seems to only allow port eth0 to connect to the ISP (ONT). When I connect it this way, it does not get an IP address from the ONT, thus no Internet connection.

 

I called the ISP call centre and they say there is no option other than port 4. This appears to be accurate; I tried the Zyxel router again with all ports connecting to the ONT and only port 4 worked.

 

Seems to be a stalemate between the ISP only using port 4 and Ubiquiti only using eth0 - does anyone have any experience with this?


Error apt-get installing libexpat1-dev on 1.9.0


I understand that Wheezy has moved into LTS and Debian no longer hosts binary security updates for Wheezy. Ubnt will continue to recompile/backport security updates from Debian and include it within future releases.

(https://community.ubnt.com/t5/EdgeMAX/Problem-compiling-tarsnap-after-upgrading-to-1-8-5/m-p/1615662)

 

However, for the few UBNT manually updated packages, e.g., libexpat1, the system will be unable to locate the corresponding -dev packages:

$ cat /etc/apt/sources.list
deb http://httpredir.debian.org/debian wheezy-updates main contrib non-free # wheezy-updates #
deb http://httpredir.debian.org/debian wheezy main contrib non-free # wheezy #
deb http://httpredir.debian.org/debian wheezy-backports main # wheezy-backports #
deb http://httpredir.debian.org/debian wheezy-backports-sloppy main # wheezy-backports-sloppy #
# apt-get install python2.7-dev libexpat1-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libexpat1-dev : Depends: libexpat1 (= 2.1.0-1+deb7u2) but 2.1.0-1+deb7u4 is to be installed
E: Unable to correct problems, you have held broken packages.

Any ideas on where to obtain the updated libexpat1-dev mips binaries? 
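A way to get the headers without downgrading the runtime library, as an added example that is not part of the post. It assumes the package and versions shown in the apt output above and that `apt-get download` (available in wheezy's apt) and `dpkg-deb` are present on the router.

```text
# 1. See which versions apt can actually reach before touching anything. If
#    2.1.0-1+deb7u4 is shown as installed but not available from any source,
#    a downgrade cannot be undone with apt.
apt-cache policy libexpat1 libexpat1-dev

# 2. Fetch the -dev package without installing it and unpack it under $HOME.
cd /tmp
apt-get download libexpat1-dev=2.1.0-1+deb7u2
mkdir -p "$HOME/expat"
dpkg-deb -x libexpat1-dev_*.deb "$HOME/expat"

# 3. The headers are now under $HOME/expat/usr/include. The unversioned
#    libexpat.so link the build will look for must point at the library
#    Ubiquiti actually shipped, not at a downgraded copy.
lib=$(dpkg -L libexpat1 | grep 'libexpat\.so\.1$')
mkdir -p "$HOME/expat/usr/lib"
ln -sf "$lib" "$HOME/expat/usr/lib/libexpat.so"

# 4. Point the build at it (./configure shown as the generic case).
CFLAGS="-I$HOME/expat/usr/include" LDFLAGS="-L$HOME/expat/usr/lib" ./configure
```

The alternative apt will offer, `apt-get install libexpat1=2.1.0-1+deb7u2 libexpat1-dev=2.1.0-1+deb7u2`, satisfies the dependency by replacing the +deb7u4 build, which is the one carrying the backported security fixes, underneath every service on the router that links expat. Extracting only the headers sidesteps that; the binaries still link against the patched shared library at run time.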

Do not attempt local authentication if rejected by radius


The current behaviour is (observed):

  • If RADIUS servers are defined, try authenticating the user via RADIUS
    1. If the RADIUS server sends an Access-Accept, the user is given access
    2. If the RADIUS server sends an Access-Reject, local password authentication is attempted

I would like to reject the authentication request immediately if the RADIUS server sends an Access-Reject.

 

I would like to provide backup local passwords for devices however I do not want these backup passwords to be usable in normal operation (i.e. radius server reachable).

 

The behaviour would be consistent with how Cisco/Juniper perform authentication.

 

Thanks,

 

 

how to apply a firewall modify to a VLAN interface?


 

Hi,

 

I need to have a modify applied to a VLAN interface:

 

 ethernet eth0 {
     address 192.168.3.1/24
     description Local
     duplex auto
     firewall {
         in {
             modify MARKING_IN
         }
     }
     speed auto
     vif 100 {
         address 192.168.1.1/24
         description dmzlike
     }
 }

The MARKING_IN modifier must also apply to vif 100. I have verified that the modification is not applied when traffic on VLAN 100 enters eth0: traffic that should have been marked, coming from machines on vif 100, is not marked, while traffic from machines on eth0 is marked.

 

The CLI doesn't let me set a modifier for vif 100 because that type of interface is not one of the types allowed.

 

DHCP leases aren't shown for vlan eth1

DHCP leases do not seem to register in my configuration. It seems to be because I run them on the VLAN of eth1.

limit downstream traffic by limiting upstream traffic


Hi,

 

since none of my attempts with traffic shaping provided acceptable results, I want to resort to limiting the downstream traffic I'm receiving by limiting the upstream traffic I'm sending. The TCP protocol uses some sort of acknowledgement traffic; IIUC the sender expects the recipient to send some acknowledgement that the traffic was received. By delaying these acknowledgements, the recipient can have some control over how fast the sender sends traffic. Using such delays can effectively limit the bandwidth.

 

But how do I do that?

 

I've already put a traffic shaper on eth1, which is the PPPoE interface connected to my DSL modem, to limit the outgoing bandwidth on ports 80 and 443. That didn't have any effect.

 

I was thinking of using connection marks to match outgoing traffic in order to somehow limit it, but that failed because I couldn't figure out how to mark the traffic on the VLAN interface. Then I thought about it and decided to try matching by destination ports, but I found that a limiter cannot be applied to the outgoing side of an interface, hence I used the shaper, which then didn't have any effect.

 

IIUC, the acknowledgement traffic goes to the destination port the original request was sent to, i.e. getting a website sends a request to port 80, receives a response from some port to the port the request was coming from, and the acknowledgement from the recipient goes to port 80.

 

Is that so, or am I mistaken?  Why didn't the shaper have any effect?
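How download shaping is normally done on EdgeOS, as an added example that is not part of the post. Downloaded web traffic arrives with source port 80 or 443 (the destination port is the client's ephemeral port), and a shaper only acts on packets leaving an interface, so the place to shape downloads is the out direction of the LAN-facing interface, where the queue does the sender-slowing that delayed ACKs would otherwise have to. Assumptions: the LAN interface is eth0 (for a VLAN, apply the policy to the `vif` instead), the line delivers about 50 Mbit/s downstream, and the class limits are arbitrary.

```text
configure

# Total rate slightly below the real downstream rate so the queue forms here
# rather than in the modem; the default class takes whatever the web class
# does not use.
set traffic-policy shaper DOWNLOAD bandwidth 45mbit
set traffic-policy shaper DOWNLOAD default bandwidth 80%
set traffic-policy shaper DOWNLOAD default ceiling 100%
set traffic-policy shaper DOWNLOAD default queue-type fair-queue

# Web downloads: guaranteed 20%, never more than 20 Mbit/s. Matching is on the
# SOURCE port because these packets are the server's replies heading to the LAN.
set traffic-policy shaper DOWNLOAD class 10 description "web downloads"
set traffic-policy shaper DOWNLOAD class 10 bandwidth 20%
set traffic-policy shaper DOWNLOAD class 10 ceiling 20mbit
set traffic-policy shaper DOWNLOAD class 10 queue-type fair-queue
set traffic-policy shaper DOWNLOAD class 10 match HTTP ip protocol tcp
set traffic-policy shaper DOWNLOAD class 10 match HTTP ip source port 80
set traffic-policy shaper DOWNLOAD class 10 match HTTPS ip protocol tcp
set traffic-policy shaper DOWNLOAD class 10 match HTTPS ip source port 443

# Apply on the way OUT toward the LAN clients.
set interfaces ethernet eth0 traffic-policy out DOWNLOAD

commit
save
exit

# Per-class byte and drop counters show whether the matches are hitting:
sudo tc -s class show dev eth0
```

The mechanism is the one the post describes, handled by the queue rather than by hand: packets that exceed the class ceiling are delayed or dropped on their way to the client, the client's ACKs slow down accordingly, and the remote sender backs off. A shaper on the PPPoE interface's out direction matched the request packets, which are a few percent of the bytes, which is why it had no visible effect. If the goal is simply to keep the whole link responsive rather than to cap specific ports, `set traffic-control smart-queue WAN wan-interface pppoe0 download rate 45mbit upload rate 9mbit` (rates assumed, interface name assumed) shapes both directions on the WAN interface without any port rules.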

 
