Hello, LARTC-List

I still try to get my traffic-shaping done with Wondershaper 1.1a, but it does not work as expected. When I run the script, the verbose output looks good (using a SuSE-8.2-SMP-box with iproute2-2.4.7-473):

+ DOWNLINK=1800
+ UPLINK=150
+ DEV=ppp0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' '' = status ']'
+ tc qdisc del dev ppp0 root
+ tc qdisc del dev ppp0 ingress
+ '[' '' = stop ']'
+ tc qdisc add dev ppp0 root handle 1: cbq avpkt 1000 bandwidth 10mbit
+ tc class add dev ppp0 parent 1: classid 1:1 cbq rate 150kbit allot 1500 prio 5 bounded isolated
+ tc class add dev ppp0 parent 1:1 classid 1:10 cbq rate 150kbit allot 1600 prio 1 avpkt 1000
+ tc class add dev ppp0 parent 1:1 classid 1:20 cbq rate 135kbit allot 1600 prio 2 avpkt 1000
+ tc class add dev ppp0 parent 1:1 classid 1:30 cbq rate 120kbit allot 1600 prio 2 avpkt 1000
+ tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 12 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev ppp0 handle ffff: ingress
+ tc filter add dev ppp0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1800kbit burst 10k drop flowid :1

My ADSL line does 2MBit down and 192kbit upstream, so I guess the values are all right. I then start an upload and am pleased to see that the upload rate stays at 150kBit, as set. Pings then are fine. But that upload limit is somehow not really enforced.

When starting a second upload, the total rate (checked with iptraf) exceeds the set 150kBit and is only restricted by the line limit - pings of well over 3 seconds are the result. What did I do wrong?

-- 
Sincerely,
Michael

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
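As an added example, not part of Michael's post and not the Wondershaper script itself: the same three-class shaping tree built on HTB instead of CBQ, as a POSIX sh script with a dry-run switch. CBQ's limit is an estimate that only holds if its "bandwidth" argument matches the real speed of the interface, which on a ppp0 link it usually does not; HTB enforces rate and ceil directly from token buckets, so a parent class with rate equal to ceil caps the whole tree no matter how many uploads share it (Wondershaper 1.1a also ships such an HTB variant as wshaper.htb). The device, the 150/1800 kbit figures and the filters are taken from the posted trace; the 40/40/20 split of the uplink between the three child classes is this example's own choice, and the show_status check is the one to run while two uploads are going.

```sh
#!/bin/sh
# Added example, not from the list post or from Wondershaper: the same
# three-class shaping tree built on HTB instead of CBQ, with a dry-run
# switch. Run as:  sh wshaper-htb.sh start|stop|status   (DRYRUN=1 prints).
# Class shares (40/40/20 percent of UPLINK) are this example's own choice.

DEV="${DEV:-ppp0}"
UPLINK="${UPLINK:-150}"        # kbit; kept below the 192kbit line so the
                               # modem's own queue never fills
DOWNLINK="${DOWNLINK:-1800}"   # kbit; below the 2Mbit line for the same reason

# Every tc invocation goes through here; DRYRUN=1 prints instead of running.
tc_() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf 'tc %s\n' "$*"
    else
        tc "$@"
    fi
}

# Refuse anything but a plain decimal number before it reaches tc.
check_rate() {
    case "$1" in
        ''|*[!0-9]*) echo "bad rate: '$1'" >&2; return 1 ;;
    esac
}

clear_qdiscs() {
    tc_ qdisc del dev "$DEV" root 2>/dev/null || true
    tc_ qdisc del dev "$DEV" ingress 2>/dev/null || true
}

shape_uplink() {
    check_rate "$UPLINK" || return 1
    # Root HTB; traffic no filter claims lands in 1:20 (bulk).
    tc_ qdisc add dev "$DEV" root handle 1: htb default 20
    # Parent class with rate == ceil: the tree as a whole can never exceed
    # UPLINK, whatever the children borrow. No "bandwidth" estimate involved.
    tc_ class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK}kbit" ceil "${UPLINK}kbit" burst 6k
    # Children: guaranteed shares that sum to UPLINK, each allowed to borrow
    # up to the parent's ceil when the others are idle. The lower prio value
    # wins when borrowing, so interactive packets get spare bandwidth first.
    tc_ class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$((UPLINK * 4 / 10))kbit" ceil "${UPLINK}kbit" prio 1 burst 6k
    tc_ class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$((UPLINK * 4 / 10))kbit" ceil "${UPLINK}kbit" prio 2 burst 6k
    tc_ class add dev "$DEV" parent 1:1 classid 1:30 htb rate "$((UPLINK * 2 / 10))kbit" ceil "${UPLINK}kbit" prio 3 burst 6k
    # Fair queueing inside each class so one upload cannot starve another.
    for c in 10 20 30; do
        tc_ qdisc add dev "$DEV" parent "1:$c" handle "$c:" sfq perturb 10
    done
    # Same classifiers as the CBQ script: TOS minimum-delay and ICMP go to
    # 1:10, as do TCP segments with a 20-byte header and total length < 64
    # (pure ACKs), so a saturated upload does not throttle the download.
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 12 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 flowid 1:10
}

shape_downlink() {
    check_rate "$DOWNLINK" || return 1
    # Ingress policer: drop what arrives faster than DOWNLINK so TCP senders
    # back off before the ISP's queue builds up.
    tc_ qdisc add dev "$DEV" handle ffff: ingress
    tc_ filter add dev "$DEV" parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate "${DOWNLINK}kbit" burst 10k drop flowid :1
}

# The check to run while two uploads are going: sample the per-class "Sent"
# byte counters twice; the sum must grow by no more than UPLINK per second,
# and the dropped/overlimits figures of 1:20 show whether the class is
# actually being held back or simply never hit.
show_status() {
    tc_ -s qdisc show dev "$DEV"
    tc_ -s class show dev "$DEV"
}

case "${1:-}" in
    start)  clear_qdiscs; shape_uplink && shape_downlink ;;
    stop)   clear_qdiscs ;;
    status) show_status ;;
esac
```

Run it once with DRYRUN=1 to read the commands it would issue, then without it as root. If the two-upload total still climbs past UPLINK in the class counters, the problem is not in the qdisc but in traffic leaving through a device other than ppp0 or being counted by iptraf on a different interface.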
Hi!

I have the following network:

                          inet
                            |
            20.5.90.194/26  |  20.5.90.195/26
            ---------------------
            |       eth0        |
            |                   |
            | internet gateway  |
            |                   |
            |       eth1        |
            ---------------------
         192.168.100.254/24 | 192.168.210.254/24
                            |
         +------------------+-----+----------------+
         |                        |                |
   192.168.100.1/24        192.168.210.1    192.168.210.2
   --------------          +------------+   +--------+
   |    eth0    |          |   host 1   |   | host 2 |
   |  SENDMAIL  |          +------------+   +--------+
   --------------

The internet gateway is a Linux 2.4.21 with iptables 1.2.8. On eth0 it has two public IPs:

20.5.90.194/26
20.5.90.195/26

Since I can't route those public IPs, and I need to run a Sendmail server that is visible from the Internet, I have made a DNAT rule (and some SNAT rules too, in order to provide Internet access to the LAN).

# iptables -L -t nat -n gives me the following:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            200.5.90.195         to:192.168.100.1
ACCEPT     all  --  192.168.100.1        0.0.0.0/0
ACCEPT     all  --  192.168.210.1        0.0.0.0/0
ACCEPT     all  --  192.168.210.2        0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.100.0/24
SNAT       all  --  192.168.100.1        0.0.0.0/0            to:20.5.90.195
SNAT       all  --  192.168.210.1        0.0.0.0/0            to:20.5.90.194
SNAT       all  --  192.168.210.2        0.0.0.0/0            to:20.5.90.194

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From the Internet (WAN side), I can reach the Sendmail server host without problems, pinging 20.5.90.195 and opening port 25.

From the LAN side (hosts 192.168.102.1 or 192.168.102.2), I can ping 20.5.90.195 but I can't open port 25... (but sometimes, I can do it !!)

What is happening ????????

Thank you very very much in advance.

Mac
Hello there Mac,

[ nicely drawn map snipped ]
[ succinct NAT tables snipped ]

: From Internet (wan site), I can reach without problems the Sendmail
: server host, making ping to 20.5.90.195, and open port 25.

Seems correct.

: From Lan side (hosts 192.168.102.1 or 192.168.102.2), I can ping to
: 20.5.90.195 but I can't to open port 25...

Interesting. I wouldn't expect that to work at all.

: (but sometimes, I can do it !!)

Even more interesting.... Is the linux NAT/masq router perhaps not suppressing ICMP redirects?

: What happen ????????

I'd suggest using DNAT for packets on the way in from the internal network (your existing rules should take care of this), and using SNAT for packets destined for the sendmail box from the internal network.

iptables -t nat -A POSTROUTING -s 192.168.102.0/24 -d 20.5.90.195 -p tcp --dport 25 \
    -j SNAT --to-source 192.168.100.254

-Martin

P.S., A far better solution would be to use split-horizon DNS and have the internal hosts connect to the private IP address.

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
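As an added example, not part of Martin's reply or Mac's post: the DNAT plus hairpin SNAT pair as a POSIX sh script with a dry-run switch, together with the sysctl that answers Martin's ICMP-redirect question. The addresses are assumptions taken from the posted diagram (mail host 192.168.100.1 behind eth1, gateway inside address 192.168.100.254, workstations on 192.168.210.0/24, public address 20.5.90.195). It differs from the one-liner in the reply in two places, both deliberate: the POSTROUTING match is on the mail host's private address, because by the time POSTROUTING runs the PREROUTING DNAT has already rewritten the destination, so a match on 20.5.90.195 there never fires; and the SNAT is inserted with -I so it is evaluated before the posted "ACCEPT all -- 0.0.0.0/0 192.168.100.0/24" rule, which would otherwise stop NAT processing for the packet. The inbound DNAT is also narrowed to TCP/25, since the posted rule exposed every port of the mail host to the Internet.

```sh
#!/bin/sh
# Added example, not from the list thread: hairpin NAT for the mail host
# behind Mac's gateway, with a dry-run switch (DRYRUN=1 prints the commands).
# Addresses are assumptions taken from the posted diagram.

PUB_MX=20.5.90.195          # public address that is DNATed to the mail host
MX=192.168.100.1            # the Sendmail box on eth1
GW_INSIDE=192.168.100.254   # gateway address on the mail host's subnet
LAN=192.168.210.0/24        # workstation subnet (host 1, host 2)
DMZ=192.168.100.0/24        # the mail host's own subnet

ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}
sysctl_() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf 'sysctl %s\n' "$*"; else sysctl "$@"; fi
}

# Inbound DNAT narrowed to the one service meant to be reachable. The posted
# rule forwarded every protocol and port on 20.5.90.195 to the mail host, so
# anything else listening there was reachable from the Internet as well.
dnat_smtp() {
    ipt -t nat -A PREROUTING -d "$PUB_MX" -p tcp --dport 25 -j DNAT --to-destination "$MX"
}

# Hairpin SNAT for internal clients that connect to the public address.
# POSTROUTING runs after PREROUTING's DNAT, so the destination to match here
# is the mail host's private address, not 20.5.90.195. Rewriting the source
# to the gateway's inside address makes the mail host reply to the gateway,
# which then undoes both translations. Without it, a client on the mail
# host's own subnet gets the SYN-ACK straight from 192.168.100.1, a peer it
# never connected to, and answers with a RST. Inserted at the top (-I) so it
# runs before the posted "ACCEPT ... -d 192.168.100.0/24" rule, which would
# end NAT processing for the packet first.
hairpin_smtp() {
    for src in "$LAN" "$DMZ"; do
        ipt -t nat -I POSTROUTING -s "$src" -d "$MX" -p tcp --dport 25 -j SNAT --to-source "$GW_INSIDE"
    done
}

# Martin's other question. A packet that enters and leaves the gateway on
# eth1 (client on 192.168.100.0/24, DNATed to the mail host on the same
# subnet) makes the kernel send an ICMP redirect; a client that honours it
# routes around the NAT, which can make the connection succeed or fail
# depending on what sits in its route cache. Stop sending them.
no_redirects() {
    sysctl_ -w net.ipv4.conf.all.send_redirects=0
    sysctl_ -w net.ipv4.conf.eth1.send_redirects=0
}

case "${1:-}" in
    apply) no_redirects; dnat_smtp; hairpin_smtp ;;
esac
```

Run with DRYRUN=1 first to see the exact rules; then `sh hairpin.sh apply` as root. Martin's P.S. still holds: if internal clients resolve the mail host's name to 192.168.100.1 via split-horizon DNS, their packets never take the hairpin path and only the DNAT rule is needed.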