Hi!

I have to make a firewall which guarantees bandwidth to several clients (both upstream and downstream should be limited). It has three interfaces: eth0 facing the internet, eth1 to the local network with several IP addresses (different subnets) and eth2 to the DMZ (webserver). Egress traffic is OK, I set up the tc rules on eth0 and the upstream limiting is fine. But I have to manage the bandwidth of downloading too.

While eth0 has one public IP address, the firewall does masquerading for the local subnets (with local IP ranges). So should I set up an IMQ device on eth1 with iptables mangle through the PREROUTING chain to do traffic shaping for the subnets? In this case the packets arrive at eth1 already masqueraded (am I right?) and I can limit the ingress traffic of the local addresses. Or should I use the IMQ on eth0? Doesn't it bother egress shaping? I'm confused a little bit... :-s

Can you help me?

Thanks
Tom

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Szálka Tamás wrote:
> While eth0 has one public IP address, the firewall does masquerading
> for the local subnets (with local IP ranges). So should I set up an IMQ
> device on eth1 with iptables mangle through the PREROUTING chain to do
> traffic shaping for the subnets? [...] Or should I use the IMQ on eth0?
> Doesn't it bother egress shaping?

I feel IMQ+HTB on eth0 is an ideal solution for your requirement.

Regards
-Raghu
At 16:51 2003. 09. 10. +0530, you wrote:
>Szálka Tamás wrote:
>>So should I set up an IMQ device on eth1 with iptables mangle through
>>the PREROUTING chain to do traffic shaping for the subnets? [...] Or
>>should I use the IMQ on eth0? Doesn't it bother egress shaping?
>
>I feel IMQ+HTB on eth0 is an ideal solution for your requirement.
>
>Regards
>-Raghu

I'd like to filter the packets on their SNAT-ed (local) IP addresses. When the packet enters the IMQ right after the iptables PREROUTING chain, does it have the SNAT-ed IP addresses? As far as I know the SNAT happens in the POSTROUTING chain. Am I wrong? Or am I even more confused? :)

Tom
On Wednesday 10 September 2003 20:13, Szálka Tamás wrote:
> I'd like to filter the packets on their SNAT-ed (local) IP addresses. When
> the packet enters the IMQ right after the iptables PREROUTING chain, does
> it have the SNAT-ed IP addresses? As far as I know the SNAT happens in the
> POSTROUTING chain. Am I wrong? Or am I even more confused? :)

See http://www.docum.org/stef.coene/qos/kptd/

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
> >See
> >http://www.docum.org/stef.coene/qos/kptd/
> >
> >Stef

Thanks, that's very useful for me.

Tom
Hi Stef,

I would like to clarify how to use the iptables setmark option with CBQ egress shaping. For example, if my WAN interface is eth0, LAN interface is eth1 and DMZ is eth2, I would like to do egress shaping using CBQ at eth0 for hosted servers placed either in the DMZ or the LAN. If my hosted HTTP server's local IP is 192.168.1.12 with port 80, what rules should I frame to make it happen? My eth0 interface bandwidth is 100Mbit and the rate is 512Kbit. I would like to restrict the outgoing bandwidth for my hosted HTTP server to 128Kbit and leave the remaining bandwidth (512Kbit - 128Kbit) for others (default). An example with a similar scenario will definitely help.

Regards
-Raghu
> > > I'd like to filter the packets on their SNAT-ed (local) IP addresses. When
> > > the packet enters the IMQ right after the iptables PREROUTING chain, does
> > > it have the SNAT-ed IP addresses? As far as I know the SNAT happens in the
> > > POSTROUTING chain. Am I wrong? Or am I even more confused? :)
> 
> See
> http://www.docum.org/stef.coene/qos/kptd/
> 
> Stef

Stef,

The picture you have in http://www.docum.org/stef.coene/qos/kptd is with (or without) the IMQ NAT patch?

-- 
Toshiro Viera <tviera@arnaldocastro.com.uy>
On Thursday 11 September 2003 14:39, Toshiro Viera wrote:
> The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
> (or without) the IMQ NAT patch?

Without. In PREROUTING, you see that IMQ is before NAT.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
On Thursday 11 September 2003 09:39, Raghuveer wrote:
> I would like to clarify how to use the iptables setmark option with CBQ
> egress shaping. [...] I would like to restrict the outgoing bandwidth for my
> hosted HTTP server to 128Kbit and leave the remaining bandwidth
> (512Kbit - 128Kbit) for others (default). An example with a similar
> scenario will definitely help.

I can't provide you with a real example, but you can find some documentation at www.docum.org.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
Hi All,

For default IP traffic we are placing 0/0; similarly, does anyone have an idea about a default port...? This is the scenario when rules are framed based on ports.

-Raghu
At 19:15 2003. 09. 11. +0200, you wrote:
> > The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
> > (or without) the IMQ NAT patch?
>
>Without. In PREROUTING, you see that IMQ is before NAT.
>
>Stef

With the IMQ NAT patch the order is reversed? The filtering on de-masqueraded addresses is only possible if NAT is b e f o r e IMQ, isn't it?

Tom
On Friday 12 September 2003 17:22, Szálka Tamás wrote:
> With the IMQ NAT patch the order is reversed? The filtering on
> de-masqueraded addresses is only possible if NAT is b e f o r e IMQ, isn't
> it? Tom

The NAT in PREROUTING is also responsible for rewriting the addresses of NATted packets. So you want IMQ after NAT so the packets entering the IMQ device have the real IP address.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
At 18:58 2003. 09. 12. +0200, you wrote:
>The NAT in PREROUTING is also responsible for rewriting the addresses of
>NATted packets. So you want IMQ after NAT so the packets entering the IMQ
>device have the real IP address.
>
>Stef

What do you mean by "real IP address"? So when the packet arrives in the IMQ, the address in the packet is the local (i.e. 10.0.0.x) address?

Thanks
Tom
On Friday 12 September 2003 21:07, Szálka Tamás wrote:
> What do you mean by "real IP address"? So when the packet arrives in the
> IMQ, the address in the packet is the local (i.e. 10.0.0.x) address?

Yes. At least it should.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
Hi All,

I have the following queries:

1. For indicating any default IP we are placing 0/0 as src or dst in the tc script; similarly, what can I use for a default port...? This is the scenario when rules are framed based on ports. For example, for a firewall with eth0 (WAN), eth1 (LAN) and eth2 (DMZ), I am doing CBQ outgoing (egress) traffic shaping at the eth0 interface for public hosted servers located at eth2 (DMZ) based on ports (80 for HTTP etc.). Now I want to frame a rule for the remaining traffic (default) allocating the remaining bandwidth (total rate is 512Kbit, 256Kbit provided to the hosted servers, the rest 256Kbit is for other traffic). My rules for identifying the hosted servers are based entirely on src port. Hence what rule should I frame for all other traffic coming from eth1 (LAN)?

2. Does the rule sequence play any role, like if there is any conflict between the rules then the last rule will be given preference? What happens exactly if there is any conflict...?

Any suggestions and replies are very much helpful.

Regards
-Raghu
On Monday 22 September 2003 13:25, Raghuveer wrote:
> 1. For indicating any default IP we are placing 0/0 as src or dst in the
> tc script; similarly, what can I use for a default port...? [...] My rules
> for identifying the hosted servers are based entirely on src port. Hence
> what rule should I frame for all other traffic coming from eth1 (LAN)?

There is no such thing as a default port. But I don't understand why you need this. I think it can be done with the dst/src parameter.

> 2. Does the rule sequence play any role, like if there is any conflict
> between the rules then the last rule will be given preference? What
> happens exactly if there is any conflict...?

The first rule that's a match will be followed. Order is based on prio and the order they are entered.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
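A worked script for the two answers above, added here as an example; it is not code from Stef, Tom or Raghu. It builds the downstream shaper Tom asked about: one HTB tree on an IMQ device, fed from the mangle PREROUTING chain, which with the IMQ NAT patch runs after nat PREROUTING, so the packets queued on imq0 already carry the de-masqueraded local destination address and can be filtered per subnet. It also shows HTB's answer to Raghu's "default port" question: the qdisc's default class takes whatever no filter matched, so no catch-all filter is needed. The link rate (512Kbit downstream), the subnets (10.0.0.0/24 and 10.0.1.0/24 behind eth1, 10.0.2.0/24 behind eth2), the device name imq0 and the per-subnet rates are assumptions, not figures from the thread; the script needs a kernel with both the IMQ and the IMQ NAT patch.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Downstream (ISP -> LAN/DMZ) shaping through an IMQ device. The mangle
# PREROUTING hook must sit after nat PREROUTING (IMQ NAT patch), so the
# packets queued on imq0 already carry the de-masqueraded local address.
#
# Assumptions not in the thread: 512Kbit downstream, LAN subnets
# 10.0.0.0/24 and 10.0.1.0/24 behind eth1, DMZ 10.0.2.0/24 behind eth2.
# Without APPLY=1 the commands are only printed (dry run); with APPLY=1
# they are executed, which needs root and the patched kernel.

WAN=eth0
IMQ=imq0
DOWN=480kbit      # a bit below the ISP figure so the queue builds here, not at the ISP

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# add_leaf <minor> <rate> <dst-prefix>: one HTB leaf per subnet with a u32
# filter on the destination address. Filters hang off the root qdisc (1:0),
# which is where classification starts.
add_leaf() {
    run tc class add dev "$IMQ" parent 1:1 classid "1:$1" htb rate "$2" ceil "$DOWN"
    run tc qdisc add dev "$IMQ" parent "1:$1" handle "$1:" sfq perturb 10
    run tc filter add dev "$IMQ" parent 1:0 protocol ip prio 1 u32 match ip dst "$3" flowid "1:$1"
}

build_downstream_shaper() {
    run ip link set "$IMQ" up
    run tc qdisc del dev "$IMQ" root 2>/dev/null || true
    # 'default 40': anything no filter matched lands in class 1:40, so there
    # is no need for a catch-all filter (no "default port" or 0/0 rule).
    run tc qdisc add dev "$IMQ" root handle 1: htb default 40
    run tc class add dev "$IMQ" parent 1: classid 1:1 htb rate "$DOWN" ceil "$DOWN"
    add_leaf 10 160kbit 10.0.0.0/24    # LAN subnet A
    add_leaf 20 160kbit 10.0.1.0/24    # LAN subnet B
    add_leaf 30 96kbit 10.0.2.0/24     # DMZ web server
    run tc class add dev "$IMQ" parent 1:1 classid 1:40 htb rate 64kbit ceil "$DOWN"
    run tc qdisc add dev "$IMQ" parent 1:40 handle 40: sfq perturb 10
    # Everything arriving on the WAN side goes through imq0. With the IMQ NAT
    # patch this hook runs after the nat PREROUTING de-masquerade, so the
    # 'match ip dst 10.x' filters above see the local address. Without the
    # patch they see the public address and every packet ends up in 1:40.
    run iptables -t mangle -A PREROUTING -i "$WAN" -j IMQ --todev 0
}
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root. After some downloads, `tc -s class show dev imq0` should show the bytes landing in 1:10, 1:20 and 1:30; if everything accumulates in 1:40, the IMQ hook is still before NAT and the filters are matching against the public address.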
Hi Stef,

Stef Coene wrote:
>On Monday 22 September 2003 13:25, Raghuveer wrote:
>>1. For indicating any default IP we are placing 0/0 as src or dst in the
>>tc script; similarly, what can I use for a default port...? [...]
>
>There is no such thing as a default port. But I don't understand why you need
>this. I think it can be done with the dst/src parameter.

Here are the rules I am applying to control outgoing traffic at the WAN (eth0) interface for public hosted services.
Here actual ISP rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 IP is 192.168.1.2

# root qdisc
tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8

# parent class, bounded to 97% of the ISP rate
tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded

# Classification starts at the root qdisc's filter list (parent 1:0). This
# filter hands every packet to 1:1, whose own filters below then pick the
# leaf; with nothing attached to 1:0, CBQ falls back to the root class and
# the leaves never see any traffic.
tc filter add dev eth0 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:1

# Hosted http server bandwidth = 64Kbit
# (the eth0 egress qdisc runs after POSTROUTING, so 'src 192.168.1.2' only
# matches if the server's replies leave with eth0's own address as source,
# i.e. after SNAT/masquerade)
tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 80 0xffff classid 1:2

# Hosted ftp server bandwidth = 64Kbit
tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 21 0xffff classid 1:3

# Default: rest/other traffic
tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
# Here I want to replace the rule below with a simple rule based only on
# port, i.e. by using some default port other than 80, 21 as sport, which
# according to your last mail is not possible; hence pls check whether the
# rule below will do for the remaining traffic.
# (catch-all at a higher prio number than the port filters, so it is
# consulted after them regardless of the order the rules were entered in;
# the first matching filter wins)
tc filter add dev eth0 parent 1:1 protocol ip prio 9 u32 match ip src 0/0 match ip dst 0/0 classid 1:4

Pls let me know whether the above rules are framed correctly or can be done in a better way.

>>2. Does the rule sequence play any role, like if there is any conflict
>>between the rules then the last rule will be given preference? What
>>happens exactly if there is any conflict...?
>
>The first rule that's a match will be followed. Order is based on prio and the
>order they are entered.

Thanks for this confirmation.

Regards
-Raghu
On Tuesday 23 September 2003 07:56, Raghuveer wrote:
> Here are the rules I am applying to control outgoing traffic at the WAN (eth0)
> interface for public hosted services.
> Here actual ISP rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 IP is
> 192.168.1.2
> [...]
> Pls let me know whether the above rules are framed correctly or can be
> done in a better way.

I can't do it better than you did :)

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
Stef Coene wrote:
>On Tuesday 23 September 2003 07:56, Raghuveer wrote:
>>Here are the rules I am applying to control outgoing traffic at the WAN (eth0)
>>interface for public hosted services.
>>[...]
>>Pls let me know whether the above rules are framed correctly or can be
>>done in a better way.
>
>I can't do it better than you did :)

Stef,

Traffic control is not taking place after applying the above rules. Here follows the test setup:
1. The Linux machine's eth0 (100Mbit, WAN) is connected to 128Kbit ADSL and eth1 to the LAN.
2. I tried doing traffic control for incoming (at eth1) and outgoing (at eth0) traffic using CBQ (above rules).
3. In the LAN, I connected 3 machines (all Linux).
4. The ISP rate taken is 97% of 128Kbit.
5. Bandwidth monitoring is done by using IPTraf on each LAN machine.

I have a few observations and queries, as follows:
1. Here the ISP rate is fluctuating in the range of 21Kbit to 131Kbit for 128Kbit ADSL.
2. I have not added any filter for the parent class. Is it required...? What happens if I add it...?
3. Is the "iptraf" tool OK for monitoring the distribution of bandwidth on each LAN machine?
4. Shall I take the outgoing and incoming ISP rates in a 30:70 ratio, i.e. 30% of 128Kbit for the outgoing qdisc (eth0) and 70% for the incoming qdisc (eth1), as the 128Kbit rate is asynchronous (ADSL)?

Can you pls guide me where am I going wrong..?

Regards
-Raghu
Hi Stef,

I am stuck as my traffic control is not working. I just tried first with incoming traffic shaping; below are the test setup and the rules applied. Your valuable suggestion will surely help me and make it right.

Traffic control is not taking place after applying the rules below. Here follows the test setup:
1. The Linux machine's eth0 (100Mbit, WAN) is connected to 128Kbit ADSL and eth1 to the LAN.
2. I tried doing traffic control for incoming traffic (at eth1).
3. In the LAN, I connected 3 machines (all Linux).
4. The ISP rate taken is 97% of 128Kbit.
5. Bandwidth monitoring is done by using IPTraf on each LAN machine.

Here are the rules I am applying to control incoming traffic at the LAN interface (eth1) for LAN users.
Here actual ISP rate = 128Kbit, rate taken = 97% of 128Kbit, eth1 IP is 192.168.5.1

# root qdisc
tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8

# Parent class
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 124Kbit weight 12Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded

# Whether should I place the below filter for the parent class..???
# (Classification starts at the root qdisc's filter list, parent 1:0. This
# filter hands every packet to 1:1, whose own filters below then pick the
# leaf; with nothing attached to 1:0, CBQ falls back to the root class and
# the leaves never see any traffic.)
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:1

# Child classes
# (eth1 egress carries the downstream traffic after de-masquerading, so the
# LAN address is already in the destination field here)

# 1st LAN user <192.168.5.2> = 37Kbit
tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 37Kbit weight 3Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.2 classid 1:2

# 2nd LAN user <192.168.5.3> = 24Kbit
tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 24Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.3 classid 1:3

# 3rd LAN user <192.168.5.4> = 12Kbit
tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 12Kbit weight 1Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.4 classid 1:4

# Default: rest/other traffic = 51Kbit
tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate 51Kbit weight 5Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
# (catch-all at a higher prio number than the per-host filters, so it is
# consulted after them regardless of the order the rules were entered in)
tc filter add dev eth1 parent 1:1 protocol ip prio 9 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

I have a few observations and queries, as follows:
1. In my test setup the ISP rate is fluctuating in the range of 21Kbit to 131Kbit for 128Kbit ADSL.
2. I have not added any filter for the parent class. Is it required...? What happens if I add it...?
3. Is the "iptraf" tool OK for monitoring the distribution of bandwidth on each LAN machine?
4. In case I shape outgoing traffic on the eth0 interface, shall I take the outgoing and incoming ISP rates in a 30:70 ratio, i.e. 30% of 128Kbit for the outgoing qdisc (eth0) and 70% for the incoming qdisc (eth1), as the 128Kbit rate is asynchronous (ADSL)?

Can you pls guide me where am I going wrong..?

Regards
-Raghu

Raghuveer K wrote:
> Stef Coene wrote:
>> On Tuesday 23 September 2003 07:56, Raghuveer wrote:
>>> Here are the rules I am applying to control outgoing traffic at the
>>> WAN (eth0) interface for public hosted services.
>>> [...]
>>> Pls let me know whether the above rules are framed correctly or can be
>>> done in a better way.
>>
>> I can't do it better than you did :)
>
> Stef,
> Traffic control is not taking place after applying the above rules.
> [...]
> Can you pls guide me where am I going wrong..?
>
> Regards
> -Raghu
Hi Stef/Martin,

I am resending this mail for the third time, I request you to please
respond ASAP.
I am stuck as my traffic control is not working. I just tried first
with incoming traffic shaping; below is the test setup and rules
applied. Your valuable suggestion will surely help me and make it right.

Traffic Control is not taking place after applying the below rules. Here
follows the test setup:-
1. The linux m/c's eth0 (100Mbits, WAN) is connected to 128 Kbits ADSL
and eth1 to the LAN.
2. I tried doing traffic control for incoming (at eth1).
3. In LAN, I connected 3 m/c's (all linux).
4. The ISP rate taken is 97% of 128Kbits.
5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c.

Here are the rules I am applying to control incoming traffic at the LAN
interface (eth1) for LAN users.
Here actual ISP rate = 128Kbit, rate taken = 97% of 128Kbit, eth1 ip is
192.168.5.1

/* root qdisc */
tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8

/* Parent Class */
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 124Kbit weight 12Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded
/* Whether should I place the below filter for Parent class..???
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:1
*/

/* Child Classes */

/* 1st LAN user<192.168.5.2> = 37Kbit */
tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 37Kbit weight 3Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.2 classid 1:2

/* 2nd LAN user<192.168.5.3> = 24Kbit */
tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 24Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.3 classid 1:3

/* 3rd LAN user<192.168.5.4> = 12Kbit */
tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 12Kbit weight 1Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.4 classid 1:4

/* Default : Rest/Other traffic = 51Kbit */
tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate 51Kbit weight 5Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

I have a few observations and queries, as follows:-
1. In my test setup the ISP rate is fluctuating in the range of 21Kbits
to 131 Kbits for 128Kbits ADSL.
2. I have not added any filter for the parent class. Is it required...?
What happens if I add...?
3. Is the "iptraf" tool OK for monitoring the distribution of bandwidth on
each LAN m/c?
4. In case I shape outgoing traffic on the eth0 interface, shall I take
the outgoing and incoming ISP rates in a 30:70 ratio, i.e. 30% of 128Kbits for
the outgoing Qdisc (eth0) and 70% for the incoming Qdisc (eth1), as the
128 Kbits rate is asynchronous (ADSL)?

Can you pls guide me where am I going wrong..? Do I continue using CBQ
or try HTB rules instead?

Regards
-Raghu
On Thursday 30 October 2003 11:29, Raghuveer K wrote:
> Hi Stef/Martin,
>
> I am resending this mail for the third time, I request you to please
> respond ASAP.
Your mail ended twice in my "to read" folder.

> I am stuck as my traffic control is not working. I just tried first
> with incoming traffic shaping; below is the test setup and rules
> applied. Your valuable suggestion will surely help me and make it right.
>
> Traffic Control is not taking place after applying the below rules. Here
> follows the test setup:-
> 1. The linux m/c's eth0 (100Mbits, WAN) is connected to 128 Kbits ADSL
> and eth1 to the LAN.
> 2. I tried doing traffic control for incoming (at eth1).
> 3. In LAN, I connected 3 m/c's (all linux).
> 4. The ISP rate taken is 97% of 128Kbits.
> 5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c.
>
> Here are the rules I am applying to control incoming traffic at the LAN
> interface (eth1) for LAN users.
> Here actual ISP rate = 128Kbit, rate taken = 97% of 128Kbit, eth1 ip is
> 192.168.5.1
>
> /* root qdisc */
> tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell
> 8
>
> /* Parent Class */
> tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate
> 124Kbit weight 12Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> bounded
> /* Whether should I place the below filter for Parent class..???
> tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 0/0 classid 1:1
> */
You can also add the other filters to the root qdisc 1:0.

> /* Child Classes */
>
> /* 1st LAN user<192.168.5.2> = 37Kbit */
> tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate
> 37Kbit weight 3Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 192.168.5.2 classid 1:2
>
> /* 2nd LAN user<192.168.5.3> = 24Kbit */
> tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate
> 24Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 192.168.5.3 classid 1:3
>
> /* 3rd LAN user<192.168.5.4> = 12Kbit */
> tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate
> 12Kbit weight 1Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 192.168.5.4 classid 1:4
>
> /* Default : Rest/Other traffic = 51Kbit */
> tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate
> 51Kbit weight 5Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 0/0 classid 1:5
>
> I have a few observations and queries, as follows:-
> 1. In my test setup the ISP rate is fluctuating in the range of 21Kbits
> to 131 Kbits for 128Kbits ADSL.
> 2. I have not added any filter for the parent class. Is it required...?
> What happens if I add...?
Add all your filters to the root qdisc and put the traffic in the destination
class. Like :
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

> 3. Is the "iptraf" tool OK for monitoring the distribution of bandwidth on
> each LAN m/c?
Yes.

> 4. In case I shape outgoing traffic on the eth0 interface, shall I take
> the outgoing and incoming ISP rates in a 30:70 ratio, i.e. 30% of 128Kbits for
> the outgoing Qdisc (eth0) and 70% for the incoming Qdisc (eth1), as the
> 128 Kbits rate is asynchronous (ADSL)?
What's the speed of your connection? 128kbits for download, but how much for
uploads?

> Can you pls guide me where am I going wrong..? Do I continue using CBQ
> or try HTB rules instead?
If you can, go for htb. Much less confusing options.
Also, check out with tc -s -d class show dev eth1 if the filters are working
and each class is processing packets.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
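Stef's advice put together as an added example that is not from the thread: the same tree rebuilt with HTB, every filter hung off the root qdisc 1:0, and a small parser for "tc -s class show" output that flags classes no packet has reached. The device, rates and LAN addresses are the ones from Raghu's mail; the counter output fed to the parser is constructed, and DRY_RUN=1 prints the tc commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): Raghu's CBQ tree as HTB, filters on the
# root qdisc, plus a check of per-class counters. DRY_RUN=1 prints the tc
# commands instead of running them, so no root or real interface is needed.

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# htb_rules DEV: shaping tree for traffic leaving the LAN interface, i.e. the
# LAN users' downloads (the direction Raghu shapes on eth1).
htb_rules() {
  dev=$1
  run tc qdisc del dev "$dev" root 2>/dev/null || true   # start from a clean slate
  # "default 5" sends unclassified traffic to 1:5, so no catch-all 0/0 filter is needed
  run tc qdisc add dev "$dev" root handle 1: htb default 5
  # parent class: the whole tree is capped at 97% of the 128Kbit ADSL line
  run tc class add dev "$dev" parent 1: classid 1:1 htb rate 124kbit ceil 124kbit
  # per-host classes: guaranteed rate, may borrow up to the parent ceil when others are idle
  i=2
  for spec in 192.168.5.2:37kbit 192.168.5.3:24kbit 192.168.5.4:12kbit; do
    ip=${spec%%:*}; rate=${spec#*:}
    run tc class add dev "$dev" parent 1:1 classid 1:$i htb rate "$rate" ceil 124kbit
    # filter attached to the root qdisc, matching only the destination (the LAN host)
    run tc filter add dev "$dev" parent 1: protocol ip prio 3 u32 \
        match ip dst "$ip" flowid 1:$i
    i=$((i + 1))
  done
  run tc class add dev "$dev" parent 1:1 classid 1:5 htb rate 51kbit ceil 124kbit
}

# idle_classes: read "tc -s class show dev DEV" on stdin and print the classids
# whose packet counter is still 0, i.e. classes no filter is steering traffic into.
idle_classes() {
  awk '/^class /{cls=$3} /^ *Sent /{ if ($4 == 0) print cls }'
}

# Constructed sample of "tc -s class show dev eth1" output (not captured from a real box).
SAMPLE_STATS='class htb 1:1 root rate 124000bit ceil 124000bit burst 1600b cburst 1600b
 Sent 81234 bytes 120 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:2 parent 1:1 prio 0 rate 37000bit ceil 124000bit burst 1599b cburst 1599b
 Sent 51234 bytes 70 pkt (dropped 0, overlimits 3 requeues 0)
class htb 1:3 parent 1:1 prio 0 rate 24000bit ceil 124000bit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
'
if [ -n "$DRY_RUN" ]; then
  htb_rules eth1                                # prints the tc commands
  printf '%s' "$SAMPLE_STATS" | idle_classes    # prints 1:3; live box: tc -s class show dev eth1 | idle_classes
fi
```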
Thanks Stef,

Let me incorporate and test with your valuable suggestions. I will get back
to you soon.

Regards
-Raghu