Hello,

I am doing traffic shaping (internal) and I have some questions. I have a gateway with DSL (4MB/0,5MB) with masquerading for 40 PCs. I have made some classes. Some users have their own classes. There is also one default class and one with full wire speed.

For example, user 192.168.1.6 really likes to download a lot of stuff from WWW, and he also likes to upload a lot of stuff with P2P software, so I have made a class for him so that he does not download too much when the wire is heavily used by others. But when the wire is idle, he can use 50% of the wire speed. There are also other users like 192.168.1.6, so each one has one class with the same rules (but a different mark). The rest of the computers are simple users that read WWW or sometimes download not too much and not too fast from P2P. So they don't have their own classes, but only one - the default.

I only hope that it is working like that! Tell me if not.

The theory is fine, but it is not working like I want. For example, user 192.168.1.6 can download files (e.g. from WWW) with full wire speed! Why? Probably he is also in my 1 MARK class for full wire speed for tcp-ack. I don't want him there! Or maybe I have to do MARK with the PREROUTING option, not only a mark integer? Or maybe I have to set priority to 1 for his class?

Please advise me :/

tcdevices:
eth0 4096kbit 500kbit

tcclasses:
eth0 1 full full 1 tcp-ack,tos-minimize-delay
eth0 2 9*full/10 9*full/10 2 default
eth0 3 1*full/10 5*full/10 2
eth0 4 1*full/10 5*full/10 2
eth0 8 1*full/10 5*full/10 2
eth0 9 1*full/10 5*full/10 2
eth0 10 1*full/10 5*full/10 2

tcrules:
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
3 192.168.1.99 0.0.0.0/0 all #upload to internet
3 0.0.0.0/0 192.168.1.99 all #DL from internet
4 192.168.1.22 0.0.0.0/0 all #UL
5 192.168.1.65 0.0.0.0/0 all #UL
5 192.168.1.66 0.0.0.0/0 all #UL
5 192.168.1.75 0.0.0.0/0 all #UL
5 192.168.1.77 0.0.0.0/0 all #UL
6 192.168.1.27 0.0.0.0/0 all #UL
7 192.168.1.6 0.0.0.0/0 all #UL
7 0.0.0.0/0 192.168.1.6 all #DL
8 192.168.1.56 0.0.0.0/0 all #UL
8 0.0.0.0/0 192.168.1.56 all #DL
9 192.168.1.7 0.0.0.0/0 all #UL
10 192.168.1.32 0.0.0.0/0 all #UL

part of shorewall.conf:
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes

ETH0 - my DSL internet interface
ETH1 - my LOCAL interface (with masquerading)
my local network - 192.168.1.0/24

QUESTIONS:

- Why can 192.168.1.6 download with full wire speed?

- Maybe the rules should be like this?
7 192.168.1.6 0.0.0.0/0 all
7 0.0.0.0/0 192.168.1.6 all

- Is it a good idea to make a rule for each IP (with high traffic)?

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742

- Maybe the rules should be like this?
7:P 192.168.1.6 0.0.0.0/0 all
7:P 0.0.0.0/0 192.168.1.6 all
and the others like that?

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742

Sorry for the mistakes, I have more classes:

tcclasses:
eth0 1 full full 1 tcp-ack,tos-minimize-delay
eth0 2 9*full/10 9*full/10 2 default
eth0 3 1*full/10 5*full/10 2
eth0 4 1*full/10 5*full/10 2
eth0 5 1*full/10 5*full/10 2
eth0 6 1*full/10 5*full/10 2
eth0 7 1*full/10 5*full/10 2
eth0 8 1*full/10 5*full/10 2
eth0 9 1*full/10 5*full/10 2
eth0 10 1*full/10 5*full/10 2

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742

On Wednesday 29 March 2006 13:20, viuwier wrote:
>
> QUESTIONS:
>
> - Why 192.168.1.6 can download with full wire speed ?

From http://www.shorewall.net/traffic_shaping.htm:

--------------------------------------------------------------------------
You can only shape outgoing traffic. The reason for this is simple, the packets were already received by your network card before you can decide what to do with them. So the only choice would be to drop them which normally makes no sense (since you received the packet already, it went through the possible bottleneck (the incoming connection). The next possible bottleneck might come if the packet leaves on another interface, so this will be the place where queuing might occur. So, defining queues for incoming packets is not very useful, you just want to have it forwarded to the outgoing interface as fast as possible.
--------------------------------------------------------------------------

So if you want to shape download traffic, you have to do it as it leaves your internal interface.

> - Maybe rules should be like that ? :
> 7 192.168.1.6 0.0.0.0/0 all
> 7 0.0.0.0/0 192.168.1.6 all
>
> - It is good idea to make each rule to each IP (with high traffic) ?

It all depends on whether you want several IP addresses to share the same class or whether you want them to share a class. That is, do you want to set limits on each individual IP or do you want to set limits for the group. It's up to you.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Hello Tom,

Thank you for the answer!!

> So if you want to shape download traffic, you have to do it as it leaves your
> internal interface.

>> 7 192.168.1.6 0.0.0.0/0 all
>> 7 0.0.0.0/0 192.168.1.6 all

So to shape download traffic in that case the above rules should be:

7 192.168.1.6 0.0.0.0/0 all #upload to internet
7 eth1 192.168.1.6 all #download from internet and other traffic from internal/local interface, e.g. samba

then every transfer from the gateway on the local interface will be limited to the speed specified in tcdevices for eth1 and in tcclasses. And then there is no possibility to give a fast 100MB/s samba transfer and a slow 50kB/s internet download to one IP address in the LAN - is that correct? And is it the only possibility, other packets are dropped? Or have I misunderstood something?

I am wondering - if there is no possibility to shape incoming traffic, then there is also no possibility to prioritize incoming packets, so there is no sense in writing:

NOPRIOHOSTDST=60.0.0.0/24

like:
3 0.0.0.0/0 60.0.0.0/24 all

Because it is one interface, without a bottleneck (to another eth). There is no sense in tcclasses (e.g. from wondershaper) making rules that would specify/shape the incoming traffic, because it will not work - is that correct?

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742

On Wednesday 29 March 2006 16:38, viuwier wrote:
> Hello Tom,
>
> Than you for answer ! !
>
> > So if you want to shape download traffic, you have to do it as it leaves
> > your internal interface.
> >
> >> 7 192.168.1.6 0.0.0.0/0 all
> >> 7 0.0.0.0/0 192.168.1.6 all
>
> So to shape download traffic in that case above rules should be:
>
> 7 192.168.1.6 0.0.0.0/0 all #upload to internet
> 7 eth1 192.168.1.6 all #download from

Unless you shape traffic *LEAVING YOUR LAN INTERFACE*, no tcrules are going to have any effect on download traffic.

> internet and other traffic from internal/local interface f.e. samba, then
> every transfer from gateway on local interface will be limited to specified
> in tcdevices speed on eth1 and in tcclasses speed. And then there is no
> possibility to give fast 100MB/s samba transfer and slow 50kB/s internet
> download to one IP adress in LAN - it is correct ?

No, that's not correct -- if you mark the packets in the FORWARD chain like this:

7:F eth1 192.168.1.6

Then only traffic entering the firewall on eth1 will be marked.

> And it is only one
> possibility, other packets are dropped ? Or I have misunderstood sth?
>
> I am wondersing - if there is no possibilyty to shape incoming traffic
> so there is also no possibility to prioritize incoming packets, so
> ther is no sense to write:
>
> NOPRIOHOSTDST=60.0.0.0/24
>
> like:
> 3 0.0.0.0/0 60.0.0.0/24 all
>
> Because it is one interface, without bottleneck (to other eth). There is
> no sense for tcclasses (f.e. from wondershaper) making rules that would
> specify/shape the incoming traffic, because it will not work, it is
> correct ?

No, that's not correct -- you can limit how fast it handles traffic from the internet.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Hello,

> No, that's not correct -- if you mark the packets in the FORWARD chain like
> this:
> 7:F eth1 192.168.1.6
> Then only traffic entering the firewall on eth1 will be marked.

First of all I have tried to add my local interface with full speed:

[tcdevices]
eth0 4096kbit 500kbit
eth1 100mbit 100mbit

[tcclasses]
eth0 1 full full 1 tcp-ack,tos-minimize-delay
eth0 2 9*full/10 9*full/10 2 default
eth1 101 5*full/10 full 1 tcp-ack,tos-minimize-delay
eth1 102 5*full/10 full 2 default

But transfers from the samba server from this gateway are really slow; it starts fast (about mB/s) and after a few seconds gets slow (some kB/s).

... But transfers _TO_ the samba server _TO_ this gateway are really slow; it starts fast (about mB/s) and after a few seconds gets slow (some kB/s)... FROM the gateway they are OK.

On Wednesday 29 March 2006 18:15, viuwier wrote:
>
> But transfers from samba serwer from this gateway are really slow, it
> starts fast(about mB/s) and after few second gets slow (kome kB/s).

I have no idea.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

> I have no idea.

OK, I'll try to solve the problem. Without that tcdevices rule transfers are fast; with that rule something goes wrong and transfers are slow when I want to upload to my gateway :/

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742

Hi Maciej

Two questions:

1) Is your samba server on your local net or somewhere on the internet?

2) Is the transfer from samba to gateway slow even when there is no other traffic at all, or only when some other traffic is present?

Note that if you want to shape incoming traffic (this is not an ideal solution, but may be necessary none the less), you can either shape on the local interface, as Tom suggested, or you can use IMQ (www.linuximq.net) to make a pseudo-interface that incoming traffic passes through.

Shaping on the local interface is really only an option if the gateway has little or no traffic of its own -- the gateway's own traffic will not be correctly shaped.

IMQ is a bit more complicated, as you need to patch your kernel and iptables. Kernel 2.6.16 has a new function called IFB which should do more or less the same as IMQ, but I have not tried using that.

Rune

Hello,

> 1) Is your samba server on your local net or somewhere on the internet?

On the local net; that computer is also the internet gateway. It is not samba from the internet. I've set full 100MB speed in tcdevices and I can't upload to that computer (in LAN) with full speed :/ Without shaping (with full speed) in shorewall, transfers to the gateway samba server are really fast.

> 2) Is the transfer from samba to gateway slow even when there is no
> other traffic at all, or only when some other traffic is present?

The transfer is slow also when there is no traffic, also not to the internet through this gateway.

> Note that if you want to shape incoming traffic (this is not an ideal
> solution, but may be necessary none the less), you can either shape on
> the local interface, as Tom suggested

The best solution will be to shape only incoming traffic from the internet, not traffic from local samba from that computer (gateway with shorewall), (eth0 - DSL, eth1 - LAN with masq).

> Shaping on the local interface is really only an option if the gateway
> has little or no traffic of its own -- the gateway's own traffic will
> not be correctly shaped.

E.g. I don't want to shape the gateway's own traffic like samba (on the gateway there is smbd, also a local ftp server, and I don't want to shape it if it is possible - only incoming traffic on eth0 (internet) and put with masq on local eth1).

> IMQ is a bit more complicated, as you need to patch your kernel and
> iptables. Kernel 2.6.16 has a new function called IFB which should do
> more or less the same as IMQ, but I have not tried using that.

First I will learn shorewall's possibilities and try to do it in shorewall; probably I have made a mistake :/ I don't know :/ Outgoing shaping from LAN to internet DSL works excellently!

Thank you for your answer!

--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742

Now, maybe I'm saying things that you already know, but just in case:

- Traffic arrives from internet at a rate of at most 4 Mbit.
- Really, one would want to do the shaping of incoming packets on the ADSL-facing interface, but Linux's support for doing that is limited; therefore we do the shaping of outgoing packets on the local interface instead.
- If the gateway doesn't have any traffic itself, the amount of traffic on the ADSL interface and the local interface ought to be the same.

So, what we need to do is limit the traffic going out of the local interface to slightly less than 4 Mbit, and shape that.

But when the gateway has traffic of its own, this gets problematic.

If the gateway receives data from the internet, there is no way to include that in the shaping. That means that your shaping will have no effect: even if the ADSL-line is maxed-out, the local interface won't reach its limit.

If the gateway sends its own data to the local net, you could exclude that from the shaping by using advanced rules.

So this is possible, but difficult. Therefore, if you want it simple, I suggest you make sure your gateway has no traffic of its own.

Rune

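The approach Rune describes, shaping downloads as they leave the local interface while leaving the gateway's own Samba/FTP traffic alone, sketched one layer below Shorewall with plain tc and iptables. This is an added example, not part of the thread and not Shorewall's generated rules; the 95% margin, the class IDs, mark 2 for ordinary forwarded traffic (heavy hosts must use other marks) and the function names `shaped_kbit` and `plan` are assumptions. It only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): print, without executing, tc/iptables
# commands that shape Internet downloads as they leave the LAN interface.
WAN_IF=eth0        # DSL side, from the thread
LAN_IF=eth1        # LAN side, from the thread
DOWN_KBIT=4096     # DSL downstream, from the thread's tcdevices
LAN_KBIT=100000    # 100mbit LAN, from the thread's tcdevices

# "Slightly less than 4 Mbit": the 95% margin is an assumption.
shaped_kbit() { echo $(( $1 * 95 / 100 )); }

# plan MARK:IP ...   one argument per heavy downloader (marks as in tcrules)
plan() {
    n=$#
    if [ "$n" -gt 9 ]; then
        echo "at most 9 hosts can each be guaranteed 1/10 of the link" >&2
        return 1
    fi
    cap=$(shaped_kbit "$DOWN_KBIT")
    heavy_rate=$(( cap / 10 ))            # 1*full/10, as in the thread's tcclasses
    heavy_ceil=$(( cap / 2 ))             # 5*full/10
    rest_rate=$(( cap - n * heavy_rate )) # guarantee left for ordinary users
    local_rate=$(( LAN_KBIT - cap ))

    # Unmarked packets fall into 1:20. The gateway's own Samba/FTP replies are
    # locally generated, never traverse FORWARD, and so stay unmarked.
    echo "tc qdisc add dev $LAN_IF root handle 1: htb default 20"
    echo "tc class add dev $LAN_IF parent 1: classid 1:1 htb rate ${LAN_KBIT}kbit"
    echo "tc class add dev $LAN_IF parent 1:1 classid 1:20 htb rate ${local_rate}kbit ceil ${LAN_KBIT}kbit"

    # 1:10 caps everything forwarded from the DSL line; its children share it.
    echo "tc class add dev $LAN_IF parent 1:1 classid 1:10 htb rate ${cap}kbit ceil ${cap}kbit"
    echo "tc class add dev $LAN_IF parent 1:10 classid 1:102 htb rate ${rest_rate}kbit ceil ${cap}kbit"
    echo "tc filter add dev $LAN_IF parent 1: protocol ip prio 1 handle 2 fw flowid 1:102"
    # MARK does not end rule traversal, so per-host rules below override mark 2.
    echo "iptables -t mangle -A FORWARD -i $WAN_IF -o $LAN_IF -j MARK --set-mark 2"

    for host in "$@"; do
        mark=${host%%:*}
        ip=${host#*:}
        # In FORWARD the masqueraded reply already carries the LAN address.
        echo "tc class add dev $LAN_IF parent 1:10 classid 1:$((100 + mark)) htb rate ${heavy_rate}kbit ceil ${heavy_ceil}kbit"
        echo "tc filter add dev $LAN_IF parent 1: protocol ip prio 1 handle $mark fw flowid 1:$((100 + mark))"
        echo "iptables -t mangle -A FORWARD -i $WAN_IF -o $LAN_IF -d $ip -j MARK --set-mark $mark"
    done
}

# Dry run for the two hosts the thread shapes in both directions.
plan 7:192.168.1.6 8:192.168.1.56
```

Traffic the gateway itself downloads from the Internet is still outside this shaping, which is the limitation Rune points out.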