Hi

Here's the deal: I have a LAN behind a Linux box. The Linux box acts as a NAT to all the hosts behind it. I'm classifying my hosts with iptables:

    /sbin/iptables -t mangle -A INPUT --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
    ...
    /sbin/iptables -t mangle -A INPUT --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
    /sbin/iptables -t mangle -A OUTPUT --out-interface $GREEN_DEV -d 192.168.1.1 -j MARK --set-mark 1
    ...
    /sbin/iptables -t mangle -A OUTPUT --out-interface $GREEN_DEV -d 192.168.1.7 -j MARK --set-mark 7
    /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
    ...
    /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
    /sbin/iptables -t mangle -A POSTROUTING --out-interface $GREEN_DEV -d 192.168.1.1 -j MARK --set-mark 1
    ...
    /sbin/iptables -t mangle -A POSTROUTING --out-interface $GREEN_DEV -d 192.168.1.7 -j MARK --set-mark 7

Then I want to give everybody a rate of 18kbit

    # clean existing down- and uplink qdiscs, hide errors
    tc qdisc del dev eth1 root 2> /dev/null > /dev/null
    tc qdisc del dev eth0 root 2> /dev/null > /dev/null
    tc qdisc add dev eth1 root handle 10: htb
    tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 128kbit burst 4k
    tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 128kbit prio 2 burst 4k
    tc qdisc add dev eth1 parent 10:1 handle 1: sfq perturb 10
    tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
    tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
    tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1
    ...

With hosts 2 to 7 this works fine, while the bandwidth of host 1 is not shaped at all (all packets go to default-root qdisc).

The 192.168.1 is running Win XP and Zone Alarm firewall. Most of the hosts are running WinXP with no problem.

My question: Can it be that the packets are not being identified correctly because of the ZA firewall on Host 1? I had problems before with host 1, which blocked some ports with ZA, with the result of freezing the workgroup while it was online. That problem was fixed anyway. Now please don't ask me to try to disable the ZA firewall, because I have no access to host 1.

And another thing: iptraf correctly shows that traffic is made from host 1, and its rate.

Thanks

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
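
A diagnostic for the symptom described in the message above (a host's HTB class receiving no traffic), as an added example that is not part of the original post: it reads `tc -s class show` output and lists the classes whose counters show zero packets. The sample statistics, class 10:2 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# idle_classes: read `tc -s class show dev <dev>` output on stdin and print
# the classid of every HTB class whose "Sent" counter shows zero packets.
# A class that stays at zero while its host is generating traffic means the
# filters are not steering that host's packets into the class.
idle_classes() {
    awk '
        # "class htb 10:1 parent 10:10 ..." starts a new class record
        $1 == "class" && $2 == "htb" { cls = $3 }
        # " Sent <bytes> bytes <pkts> pkt (...)" carries the counters
        $1 == "Sent" && cls != "" {
            if ($4 == 0) print cls
            cls = ""
        }
    '
}

# Constructed sample of `tc -s class show dev eth1` output. Class 10:2 is an
# assumed class for host 2, which the post elides with "...".
sample_stats() {
cat <<'EOF'
class htb 10:10 root rate 125000bit ceil 128000bit burst 4Kb cburst 1599b
 Sent 48213 bytes 412 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 10:1 parent 10:10 leaf 1: prio 2 rate 18000bit ceil 128000bit burst 4Kb cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 10:2 parent 10:10 leaf 2: prio 2 rate 18000bit ceil 128000bit burst 4Kb cburst 1599b
 Sent 48213 bytes 412 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
EOF
}

# On the router itself: tc -s class show dev eth1 | idle_classes
sample_stats | idle_classes
```

Comparing this list with the packet counters from `iptables -t mangle -L -v -n` shows whether the MARK rules for the same host are matching at all.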