Hello, really new to advanced Linux routing, but I have managed to set up something that sort of works for my needs.

I have a Linux box with this configuration:

    Internet - eth0 - eth1 - many users

I'm using NAT to allow my users Internet access. On some users, I wish to shape their download speeds so as not to overload our outside connection.

Here is what I do to shape them at 64k down (only two users shown in this example, but I have hundreds that will be shaped):

    SIXFOUR=64
    DEV=eth1
    # clean up qdiscs
    tc qdisc del dev $DEV root 2> /dev/null > /dev/null
    tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 50mbit

    # DELL
    tc class add dev $DEV parent 1: classid 1:1 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
    tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.199 flowid 1:1
    tc qdisc add dev $DEV parent 1:1 sfq perturb 10

    # TYR
    tc class add dev $DEV parent 1: classid 1:2 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
    tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.133 flowid 1:2
    tc qdisc add dev $DEV parent 1:2 sfq perturb 10

Each user gets their own section.

This works great for downspeed only, but I also want to shape them at 64k up as well. I can't shape them on eth0, because by the time their packets get to that interface, they've already been NAT'd to a different address.

After lots of reading on the mailing list archive, it appears the best way to handle this is to mark packets from each user, then on eth0 have HTB or CBQ (really unsure which to use) shape each marked packet accordingly. Currently, I'm matching by IP (u32?), so should I match by fwmark instead?

Any help is really appreciated, or even a sample script concept would make the operation more clear!

Ron
On Wed 27 April 2005 16:36, Ron McKown wrote:
> Hello, really new to advanced Linux routing, but I have managed to set up something that sort of works for my needs.
>
> I have a Linux box with this configuration:
>
> Internet - eth0 - eth1 - many users
>
> I'm using NAT to allow my users Internet access.
>
> On some users, I wish to shape their download speeds so as not to overload our outside connection.
>
> Here is what I do to shape them at 64k down (only two users shown in this example, but I have hundreds that will be shaped):
>
> SIXFOUR=64
> DEV=eth1
> # clean up qdiscs
> tc qdisc del dev $DEV root 2> /dev/null > /dev/null
> tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 50mbit
>
> # DELL
> tc class add dev $DEV parent 1: classid 1:1 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.199 flowid 1:1
> tc qdisc add dev $DEV parent 1:1 sfq perturb 10
>
> # TYR
> tc class add dev $DEV parent 1: classid 1:2 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.133 flowid 1:2
> tc qdisc add dev $DEV parent 1:2 sfq perturb 10
>
> Each user gets their own section.
>
> This works great for downspeed only, but I also want to shape them at 64k up as well. I can't shape them on eth0, because by the time their packets get to that interface, they've already been NAT'd to a different address.
>
> After lots of reading on the mailing list archive, it appears the best way to handle this is to mark packets from each user, then on eth0 have HTB or CBQ (really unsure which to use) shape each marked packet accordingly.
> Currently, I'm matching by IP (u32?), so should I match by fwmark instead?
>
> Any help is really appreciated, or even a sample script concept would make the operation more clear!
>
> Ron

http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2241

    tc qdisc add dev $DEV handle ffff: ingress
    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
        0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

This means you can limit bandwidth for incoming packets too. I think you can shape your users' UL on eth1 with "ingress" without having to mark packets...

Regards,
Sylvain
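The following is an added example, not code from the thread or from Sylvain's reply: a small script that turns the ingress policing idea into per-user policers on eth1. Because the ingress qdisc runs before routing and before NAT, each user's private address is still the packet source there, so no fwmark is needed. It also adds an exemption filter for a destination prefix that should not be policed, relying on the fact that tc filters are tried in prio order and the first u32 match ends classification. The interface name, the 10.0.0.0/8 prefix, the addresses and the rates are assumptions; by default the script only prints the tc commands, and setting DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example, not code from the thread: per-user upload policing with the
# ingress qdisc on eth1, along the lines of Sylvain's reply. Ingress runs
# before routing and before NAT, so a user's private address is still the
# source. A policer drops excess rather than queueing it, so this is cruder
# than an HTB/CBQ shaper on the egress side. Interface name, addresses and
# rates are assumptions. Dry run by default: commands are printed. Set
# DRY_RUN=0 to apply as root.
DEV="${DEV:-eth1}"
if [ "${DRY_RUN:-1}" = "1" ]; then TC="echo tc"; else TC=tc; fi

ingress_setup() {
    $TC qdisc del dev "$DEV" ingress 2>/dev/null || true
    $TC qdisc add dev "$DEV" handle ffff: ingress
}

# Exempt a destination prefix from policing. Filters are tried in prio
# order and the first u32 match ends classification, so a lower prio number
# and no police action lets the packet through before the per-user
# policers at prio 50 are consulted. Use this for traffic that should not
# be limited, e.g. a second local network behind another interface.
ingress_exempt_dst() {
    $TC filter add dev "$DEV" parent ffff: protocol ip prio 10 u32 \
        match ip dst "$1" flowid :1
}

# Police one user's traffic arriving on eth1 (their upload) to kbit.
# Sylvain's example matches 0.0.0.0/0, i.e. everybody at once; a /32 per
# user gives each of them their own token bucket.
ingress_police_user() {
    ip=$1; kbit=$2
    $TC filter add dev "$DEV" parent ffff: protocol ip prio 50 u32 \
        match ip src "$ip/32" police rate "${kbit}kbit" burst 10k drop flowid :1
}

ingress_setup
ingress_exempt_dst 10.0.0.0/8          # constructed: a local net that stays unpoliced
ingress_police_user 192.168.0.199 64   # DELL
ingress_police_user 192.168.0.133 64   # TYR
```

The trade-off to keep in mind: a policer has no queue, so every packet over the rate is dropped on the spot and TCP has to back off from losses, whereas an egress shaper with sfq underneath delays packets first. For a few users at 64kbit that is usually acceptable; for hundreds of users on one box, shaping on the outgoing interface gives smoother results.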
Ron McKown wrote:
> After lots of reading on the mailing list archive, it appears the best way to handle this is to mark packets from each user, then on eth0 have HTB or CBQ (really unsure which to use) shape each marked packet accordingly. Currently, I'm matching by IP (u32?), so should I match by fwmark instead?

Yes, you could do that, or if you are using a recent kernel/iptables you can classify directly.

http://www.netfilter.org/patch-o-matic/pom-submitted.html

If you need to use mark, just do something like

    $IPTABLES -t mangle -A POSTROUTING --src 192.168.0.4 -j MARK --set-mark 34

and then match it with a filter on eth0

    $TC filter add dev eth0 parent 1:0 prio 6 protocol ip handle 34 fw flowid 1:34

Andy.
Hi Andy,

I've followed your advice and it works brilliantly. However, I did fail to mention something else which is causing a problem:

    Internet - eth0 - eth1 users (192.168.x.x)
    local net - eth2 (10.0.x.x)

There is another interface in this router (eth2) that should not be shaped at all (it goes to another local network).

My problem is, I can shape Internet traffic going to users on eth1 (down), and user traffic going to the Internet on eth0 (up). However, if the downspeed is being shaped on eth1, that means that customers wanting something from eth2 will also be shaped.

I thought maybe I could only mark packets with a destination of eth0, which means packets going to eth2 would be left untouched, but that doesn't appear to work, or maybe I'm making a mistake.

Here's my marking rule:

    iptables -t mangle -A POSTROUTING --src 192.168.0.84 -o eth0 -j MARK --set-mark 34

and here are the cbq rules (should I be using HTB for this??):

    SIXFOUR=75
    VEGA=90
    DEV=eth1
    DEVTEST=eth0

    tc class add dev $DEV parent 1: classid 1:30 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
    tc filter add dev $DEV parent 1: prio 6 protocol ip handle 34 fw flowid 1:30
    tc qdisc add dev $DEV parent 1:30 sfq perturb 10

    tc class add dev $DEVTEST parent 1: classid 1:30 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
    tc filter add dev $DEVTEST parent 1: prio 6 protocol ip handle 34 fw flowid 1:30
    tc qdisc add dev $DEVTEST parent 1:30 sfq perturb 10

This current setup does not shape eth0 traffic going to eth1 (because I'm not using u32, I'm trying to shape on the mark). On $DEV, if I replace the mark handle with a u32 IP address match, then shaping will work, but then users downloading from interface eth2 will also be shaped, which I don't want.

Am I getting close or really going down the wrong path here?

Thanks so much,
Ron

On Wed, 2005-04-27 at 21:24 +0100, Andy Furniss wrote:
> Ron McKown wrote:
> > After lots of reading on the mailing list archive, it appears the best way to handle this is to mark packets from each user, then on eth0 have HTB or CBQ (really unsure which to use) shape each marked packet accordingly. Currently, I'm matching by IP (u32?), so should I match by fwmark instead?
>
> Yes, you could do that, or if you are using a recent kernel/iptables you can classify directly.
>
> http://www.netfilter.org/patch-o-matic/pom-submitted.html
>
> If you need to use mark, just do something like
>
> $IPTABLES -t mangle -A POSTROUTING --src 192.168.0.4 -j MARK --set-mark 34
>
> and then match it with a filter on eth0
>
> $TC filter add dev eth0 parent 1:0 prio 6 protocol ip handle 34 fw flowid 1:34
>
> Andy.
Ron McKown wrote:
> Hi Andy,
>
> I've followed your advice and it works brilliantly. However, I did fail to mention something else which is causing a problem:
>
> Internet - eth0 - eth1 users (192.168.x.x)
> local net - eth2 (10.0.x.x)
>
> There is another interface in this router (eth2) that should not be shaped at all (it goes to another local network).
>
> My problem is, I can shape Internet traffic going to users on eth1 (down), and user traffic going to the Internet on eth0 (up). However, if the downspeed is being shaped on eth1, that means that customers wanting something from eth2 will also be shaped.
>
> I thought maybe I could only mark packets with a destination of eth0, which means packets going to eth2 would be left untouched, but that doesn't appear to work, or maybe I'm making a mistake.
>
> Here's my marking rule:
> iptables -t mangle -A POSTROUTING --src 192.168.0.84 -o eth0 -j MARK --set-mark 34

I would change marking to FORWARD; you can use -i and -o then. So for upload from eth1 to the Internet:

    iptables -t mangle -A FORWARD -i eth1 -o eth0 -j MARK --set-mark 34

and download:

    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j MARK --set-mark 34

> and here are the cbq rules (should I be using HTB for this??)

I always use htb because it's what I am used to - I never really played around with CBQ so can't say it's better or worse. When I first read LARTC it said HTB was easier - so that's what I used.

Andy.
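To show the whole thing end to end, here is an added example that is not code from the thread or from Andy: a script that marks each user's traffic in the mangle FORWARD chain with -i/-o (Andy's suggestion), restricted to one source or destination address per user, and shapes on the fwmark with HTB on both eth0 and eth1. Marking in FORWARD rather than POSTROUTING also fixes the symptom Ron describes: a POSTROUTING rule with -o eth0 only ever tags upload, so the fw filter on eth1 had nothing to match, whereas the eth0 -> eth1 rule tags download as well. Traffic between eth1 users and the eth2 local net matches neither rule, so it falls into HTB's default class and is not shaped. Interface names, marks, rates and the 50mbit link figure are assumptions; by default the script prints the iptables and tc commands, and DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example, not code from the thread: per-user up/down shaping with HTB,
# keyed on fwmarks set in the mangle FORWARD chain (Andy's suggestion). -i/-o
# in FORWARD mean eth1<->eth2 traffic never gets a mark, so it lands in the
# unshaped default class. Interface names, rates and marks are assumptions.
# Dry run by default: commands are printed. Set DRY_RUN=0 to apply as root.
WAN="${WAN:-eth0}"               # Internet side
LAN="${LAN:-eth1}"               # shaped users
LINK_KBIT="${LINK_KBIT:-50000}"  # rate of the unshaped default class
if [ "${DRY_RUN:-1}" = "1" ]; then TC="echo tc"; IPT="echo iptables"; else TC=tc; IPT=iptables; fi

# Root HTB on one device. Anything without a matching fw filter goes to
# class 1:fffe, which runs at link speed, i.e. is effectively unshaped.
setup_device() {
    dev=$1
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default fffe
    $TC class add dev "$dev" parent 1: classid 1:fffe htb rate "${LINK_KBIT}kbit"
    $TC qdisc add dev "$dev" parent 1:fffe sfq perturb 10
}

# Mark one user's traffic in FORWARD, where both -i and -o are available.
# eth1 -> eth0 is upload: -s still sees the private address because SNAT
# happens later, in POSTROUTING. eth0 -> eth1 is download: -d already holds
# the private address because DNAT happened earlier, in PREROUTING.
# Packets between eth1 and eth2 match neither rule and stay unmarked.
mark_user() {
    ip=$1; mark=$2
    $IPT -t mangle -A FORWARD -i "$LAN" -o "$WAN" -s "$ip" -j MARK --set-mark "$mark"
    $IPT -t mangle -A FORWARD -i "$WAN" -o "$LAN" -d "$ip" -j MARK --set-mark "$mark"
}

# One HTB leaf per user per device, rate == ceil so it cannot borrow (the
# HTB counterpart of CBQ's "bounded"), selected by the fw classifier.
# tc reads the fw handle as an ordinary number (decimal unless 0x-prefixed)
# but classid minors as hex; they need not be equal, only consistent, so
# the minor is derived from the mark here.
shape_mark() {
    dev=$1; mark=$2; kbit=$3
    minor=$(printf '%x' "$mark")
    $TC class add dev "$dev" parent 1: classid "1:$minor" htb rate "${kbit}kbit" ceil "${kbit}kbit"
    $TC qdisc add dev "$dev" parent "1:$minor" sfq perturb 10
    $TC filter add dev "$dev" parent 1: protocol ip prio 6 handle "$mark" fw flowid "1:$minor"
}

shape_user() {
    ip=$1; mark=$2; kbit=$3
    mark_user "$ip" "$mark"
    shape_mark "$WAN" "$mark" "$kbit"   # upload leaves on eth0
    shape_mark "$LAN" "$mark" "$kbit"   # download leaves on eth1
}

setup_device "$WAN"
setup_device "$LAN"
# Constructed users: addresses from the thread, marks and rates arbitrary.
shape_user 192.168.0.199 10 64   # DELL
shape_user 192.168.0.133 11 64   # TYR
shape_user 192.168.0.84  34 75
```

With hundreds of users this is simply a loop over shape_user with a unique mark per user; the classid minor is a 16-bit field, so marks up to 65534 fit. To check that eth2 traffic really is unshaped, run `tc -s class show dev eth1` while a user pulls data from the 10.0.x.x side: the bytes should accumulate on class 1:fffe, not on that user's leaf.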