Hi,

I really like the wondershaper script, it works very well for me. My question is this. Is there a way to get certain remote hosts to be excluded from the shaping? I ask because I don't have my box connected directly through the net. It sits behind a nat device, and has ports forwarded in for services. I'd like to limit the ports and services, but only to things going outside of my local network.

Is there a way I can leave most things as-is, and just say "don't affect any packets that are involved with 192.168.0.*"?

Thanks,
Marc

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Marc Reichman wrote:
> Hi,
>
> I really like the wondershaper script, it works very well for me. My
> question is this. Is there a way to get certain remote hosts to be
> excluded from the shaping? I ask because I don't have my box connected
> directly through the net. It sits behind a nat device, and has ports
> forwarded in for services. I'd like to limit the ports and services, but
> only to things going outside of my local network.
>
> Is there a way I can leave most things as-is, and just say "don't affect
> any packets that are involved with 192.168.0.*"?

I'm not sure I understand your topology, but I figure you're behind a NATting adsl/cable modem with a built-in switch?

You should probably add a separate queue which is not limited in bandwidth and create a filter for ip range 192.168.0.0/24 to be directed to that queue. The other traffic should be directed to the other queue which is standard in wshaper. I don't have specific code-lines, but you're probably helped more anyway if you find out how to do this from the howto ;-)

Cheers

Simon

I will research in the howto, but I must say a lot of the terminology goes over my head.

To summarize, my steps are:
1. create a queue with no bw limitations
2. create a filter for the 192.168.0.0/24 and point it at that queue.

Correct?

-Marc

Simon Oosthoek wrote:
> Marc Reichman wrote:
>
>> Hi,
>>
>> I really like the wondershaper script, it works very well for me. My
>> question is this. Is there a way to get certain remote hosts to be
>> excluded from the shaping? I ask because I don't have my box connected
>> directly through the net. It sits behind a nat device, and has ports
>> forwarded in for services. I'd like to limit the ports and services, but
>> only to things going outside of my local network.
>>
>> Is there a way I can leave most things as-is, and just say "don't affect
>> any packets that are involved with 192.168.0.*"?
>
> I'm not sure I understand your topology, but I figure you're behind a
> NATting adsl/cable modem with a built-in switch?
>
> You should probably add a separate queue which is not limited in
> bandwidth and create a filter for ip range 192.168.0.0/24 to be directed
> to that queue. The other traffic should be directed to the other queue
> which is standard in wshaper. I don't have specific code-lines, but
> you're probably helped more anyway if you find out how to do this from
> the howto ;-)
>
> Cheers
>
> Simon

Marc Reichman wrote:
> I will research in the howto, but I must say a lot of the terminology
> goes over my head.
>
> To summarize, my steps are:
> 1. create a queue with no bw limitations
> 2. create a filter for the 192.168.0.0/24 and point it at that queue.
>
> Correct?

yes, however, now I think about it some more, you probably have a similar problem as myself (see my other (double) posting). The problem is that you want to shape the traffic in 2 directions, but the ingress queue (interface _before_ routing) is less flexible to manage than the egress queue (interface _after_ routing).

On the egress side, it's quite easy to add queues and make filters to it, but I'm not so sure about the ingress side. It might be possible to simply bypass the ingress bandwidth limiting queue for a certain ip-range (so you then don't have to add another queue for that). But if you want (like I do) to apply different restrictions to certain remote addresses, than the default, I don't have answers for that (only questions ;-)

Cheers

Simon

I have no real interest in doing anything with specific remote hosts, I just want to bypass the limiting for the certain IP range. I imagine I'd do this by adding something referencing 192.168.0.0/24 to an existing line in the script? Have an idea of which?

-Marc

Simon Oosthoek wrote:
> Marc Reichman wrote:
>
>> I will research in the howto, but I must say a lot of the terminology
>> goes over my head.
>>
>> To summarize, my steps are:
>> 1. create a queue with no bw limitations
>> 2. create a filter for the 192.168.0.0/24 and point it at that queue.
>>
>> Correct?
>
> yes, however, now I think about it some more, you probably have a
> similar problem as myself (see my other (double) posting). The problem
> is that you want to shape the traffic in 2 directions, but the ingress
> queue (interface _before_ routing) is less flexible to manage than the
> egress queue (interface _after_ routing).
>
> On the egress side, it's quite easy to add queues and make filters to
> it, but I'm not so sure about the ingress side. It might be possible to
> simply bypass the ingress bandwidth limiting queue for a certain
> ip-range (so you then don't have to add another queue for that). But if
> you want (like I do) to apply different restrictions to certain remote
> addresses, than the default, I don't have answers for that (only
> questions ;-)
>
> Cheers
>
> Simon

Marc Reichman wrote:
> I have no real interest in doing anything with specific remote hosts,
> I just want to bypass the limiting for the certain IP range. I imagine
> I'd do this by adding something referencing 192.168.0.0/24 to an
> existing line in the script? Have an idea of which?

tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src \
   192.168.0.0/24 police rate 100mbit burst 10k continue flowid :1

try adding the above line(s) to the wondershaper script, maybe that will do it?

/Simon

I added, changing eth0 to the dev variable. I'll have to find out when I get home if it's going to work right for local stuff.

Thanks for your help.

-Marc

Simon Oosthoek wrote:
> Marc Reichman wrote:
>
>> I have no real interest in doing anything with specific remote hosts,
>> I just want to bypass the limiting for the certain IP range. I imagine
>> I'd do this by adding something referencing 192.168.0.0/24 to an
>> existing line in the script? Have an idea of which?
>
> tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src \
>    192.168.0.0/24 police rate 100mbit burst 10k continue flowid :1
>
> try adding the above line(s) to the wondershaper script, maybe that will
> do it?
>
> /Simon
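
Added example, not part of the original thread or of the wondershaper script: the two steps summarized above (an unlimited queue plus a filter for the LAN range) together with an ingress exemption, written as a generator that validates its inputs and only prints the tc commands. It assumes an HTB root qdisc with handle 1: on egress, that class id 1:2 and prio values 5 and 40 are unused, and a 100mbit LAN link; none of these come from the thread.

```shell
#!/bin/sh
# Added example: print (do not run) tc commands that exempt a LAN range.
# Assumed, not from the thread: egress root qdisc is HTB with handle 1:,
# class id 1:2 and prios 5/40 are unused, and the LAN link is 100mbit.
# The ingress handle ffff: and the script's prio 50 are from the thread.

valid_cidr() {   # accept only a.b.c.d/len with octets <= 255 and len <= 32
    case "$1" in
        ''|*[!0-9./]*|*/*/*|.*|*..*|*./*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    vc_addr=${1%/*}; vc_len=${1#*/}
    case "$vc_len" in ''|*.*) return 1 ;; esac
    [ "$vc_len" -le 32 ] || return 1
    vc_ifs=$IFS; IFS=.; set -- $vc_addr; IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_o in "$@"; do [ "$vc_o" -le 255 ] || return 1; done
}

lan_bypass_rules() {   # usage: lan_bypass_rules DEV LAN_CIDR
    dev=$1; lan=$2
    # Both values end up inside command lines, so reject anything unexpected.
    case "$dev" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad device name" >&2; return 1 ;;
    esac
    valid_cidr "$lan" || { echo "bad CIDR: $lan" >&2; return 1; }
    # Egress: an unshaped class beside the shaped tree; LAN destinations use it.
    echo "tc class add dev $dev parent 1: classid 1:2 htb rate 100mbit"
    echo "tc filter add dev $dev parent 1: protocol ip prio 5 u32" \
         "match ip dst $lan flowid 1:2"
    # Ingress: lower prio number than 50, so this filter is consulted before
    # the catch-all policer; a match here carries no police action.
    echo "tc filter add dev $dev parent ffff: protocol ip prio 40 u32" \
         "match ip src $lan flowid :1"
}

# Print the commands for review; the defaults are constructed sample values.
lan_bypass_rules "${1:-eth0}" "${2:-192.168.0.0/24}"
```

The printed lines only take effect if the qdiscs they attach to (1: and ffff:) already exist, so they belong after the script's own qdisc setup. The wildcard form 192.168.0.* used in the question is rejected by the validator; tc expects the range as 192.168.0.0/24.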