Hi! I just recently entered the wonderful world of the so called "advanced routing" and decided to try and limit the bandwidth of a MASQed network here and ended up in trouble :(. The setup is (as far as I can tell) pretty straightforward. eth0 is connected to the "real" network with a proper IP, and eth2 is 192.168.10.x (the MASQed network). All of it is basically right out of the advanced routing howto.

My problem is that it only shapes traffic going into the MASQed network and not from it. I've been trying to figure out why, and the only reason I can think of is that once the traffic passes through eth0 going out to the public network the packets are no longer tagged with a 192.168.10.x ip, but rather the public address. Is this the case? (The MASQ-box I'm using actually has 6 NICs, but I'm only using two of them right now, which explains why only eth0 and eth2 are in the example).

Here's the setup as of right now:

---
tc qdisc add dev eth0 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev eth2 root handle 20: cbq bandwidth 100Mbit avpkt 1000

tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev eth2 parent 20:0 classid 20:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000

tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth \
    100Mbit rate 2Mbit allot 1514 weight 200Kbit prio 5 maxburst 20 \
    avpkt 1000 bounded
tc class add dev eth2 parent 20:1 classid 20:100 cbq bandwidth \
    100Mbit rate 2Mbit allot 1514 weight 200Kbit prio 5 maxburst 20 \
    avpkt 1000 bounded

tc qdisc add dev eth0 parent 10:100 sfq quantum 1514b perturb 15
tc qdisc add dev eth2 parent 20:100 sfq quantum 1514b perturb 15

tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip src \
    192.168.10.0/24 flowid 10:100
tc filter add dev eth2 parent 20:0 protocol ip prio 100 u32 match ip dst \
    192.168.10.0/24 flowid 20:100
---

I hope someone can help! :)

// Kim Lundgren
Hi,

> My problem is that it only shapes traffic going into the MASQed network
> and not from it. I've been trying to figure out why, and the only reason I
> can think of is that once the traffic passes through eth0 going out to the
> public network the packets are no longer tagged with a 192.168.10.x ip,
> but rather the public address. Is this the case?

Yes. But I guess you can use the firewall mark and let ipchains (and probably also netfilter in 2.4) mark masqueraded packets with some specific value and then use filters to match this specific mark. I have not tried this myself, though.

Christian
Quoting Christian Worm Mortensen <worm@dkik.dk>:

> Yes. But I guess you can use the firewall mark and let ipchains (and
> probably also netfilter in 2.4) mark masqueraded packets with some
> specific value and then use filters to match this specific mark. I have
> not tried this myself, though.

Ah :) I was hoping that might do the trick. I'm using ipchains to set up ipmasq right now and I have absolutely no idea of how to mark them. Is there anyone out there that could help me out?

// Kim Lundgren
Hi,

> > Yes. But I guess you can use the firewall mark and let ipchains (and
> > probably also netfilter in 2.4) mark masqueraded packets with some
> > specific value and then use filters to match this specific mark. I have
> > not tried this myself, though.
>
> Ah :) I was hoping that might do the trick. I'm using ipchains to set up ipmasq
> right now and I have absolutely no idea of how to mark them. Is there anyone
> out there that could help me out?

I think you should use ipchains to set up masquerading and add an "-m 42" option to the line you do it with (i.e. "ipchains ... -m 42 -j MASQ"). Then you can probably use the u32 or the fwmark filter to match on packets which have the firewall mark set to the value 42.

Christian
Quoting David Stes <stes@pandora.be>:

> You have to compile the netfilter modules (and load them) such as
>
> ipt_MARK
>
> then you also have to compile (and load) the necessary QoS/queueing
> modules such as
>
> cls_fw
> sch_cbq
> sch_sfq
>
> Then you have to configure this; either command line, or maybe you are
> interested in a GUI.
>
> I have screenshots of the configuration for doing this with a GUI at
>
> http://users.pandora.be/stes/ipmenu.html

Is this possible on the 2.2 kernel though? That's what I'm using right now. I'll change if I have to, but I'd rather not as of yet. Thank you very much for pointing me to that excellent piece of software though :).

// Kim Lundgren
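Putting Christian's "-m 42" suggestion and David's netfilter/cls_fw list together as one script, added here and not posted by anyone in the thread: the mark is set on the LAN-side packet before masquerading rewrites its source address, so the u32 "match ip src 192.168.10.0/24" filter on eth0 (which can no longer match) is replaced by an fw filter on the mark. Interface names, the 10:1/10:100 class tree and the mark value 42 come from the thread; the APPLY switch, the ipchains forward-chain placement and the 2.4 mangle/nat rule pair are my assumptions.

```shell
#!/bin/sh
# Added example: shape traffic leaving eth0 by firewall mark instead of
# by source address, so it still matches after masquerading.
# Assumptions: eth0 = public NIC, LAN = 192.168.10.0/24 behind it,
# cbq tree 10:1 / 10:100 already built on eth0, mark value 42 (arbitrary).
set -e
PUB_IF=eth0
LAN_NET=192.168.10.0/24
MARK=42
: "${APPLY:=0}"   # APPLY=1 executes the commands (as root); default prints only

# Print a command line and, when APPLY=1, execute it too.
run() {
    echo "$*"
    [ "$APPLY" = 1 ] && "$@"
    return 0
}

# 2.2 kernels (ipchains): the MASQ rule itself carries the mark (-m 42),
# as suggested in the thread.
mark_rules_ipchains() {
    run ipchains -A forward -s "$LAN_NET" -m "$MARK" -j MASQ
}

# 2.4 kernels (netfilter, ipt_MARK): mark in mangle/PREROUTING, which runs
# before nat/POSTROUTING rewrites the source address.
mark_rules_netfilter() {
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$PUB_IF" -j MASQUERADE
}

# The fw classifier (cls_fw) steers marked packets into the 2Mbit class
# 10:100; this replaces the u32 "match ip src" filter on eth0.
tc_mark_filter() {
    run tc filter add dev "$PUB_IF" parent 10:0 protocol ip prio 100 \
        handle "$MARK" fw flowid 10:100
}

# Default run prints the 2.4 plan; APPLY=1 applies it.
mark_rules_netfilter
tc_mark_filter
```

The eth2 side of the original setup is unchanged: packets heading into the LAN still carry a 192.168.10.x destination, so the "match ip dst" filter there keeps working.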