Hi list,
Up front: A bit sorry this post turned out a wee bit long
I work as a system administrator for the Atlas College in the Netherlands. We
are what is called a merger school consisting of 5 separate (more or less)
locations and one central administration. The network is a class A network
(10.0.0.0/8) in which all locations have their own subnet (i.e. 10.9.0.0/16 for
the central administration). Since 2004 the separate units share the 6 mbit
Internet access.
When we started with a central access to Internet it was still possible for one
of the locations to clog the access to the Internet, giving an unfair situation.
For this reason we started using an HTB bandwidth shaper.
What I tried to achieve was giving the separate locations a fair share of the
bandwidth (in relation to their student count) with the 6 mbit maximum as a
ceiling. As a complicating factor there is also a DMZ connected at LAN speed
(100 mbit).
So what I did was make a root class of 100/100 mbit, subclassing it in an
Internet class of 6/6mbit and a DMZ class of 94/100mbit. The default class is
the DMZ class.
The Internet class is subclassed further to make a class per unit.
I've enclosed the script below, it has worked well for 2 years now....
but there are changes at the horizon :D
The 6mbit Internet connection has been full ever since we bought it. Now people
are starting to complain about slow connection. So we've decided to
upgrade our contract to a 40mbit connection.
This could of course simply be done by changing the numbers. But there are 2
complications:
1)
Most locations are connected to our backbone with 8mbit microwaves. This means I
will not give them more than 6mbit on the internet without a chance to borrow.
Not the reason I write this (long) message
2)
This is the reason:
I can no longer explain to myself what I have done in the script. The classes
and sub-classes I understand. I understand the filter rules I've made
for the locations. But looking at the filter rules for the DMZ I think they are
wrong.
The first rule I can dig:
61 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
62 match ip src 192.168.0.0/24 flowid 1:20
All traffic coming from 192.168.0.0/24 (the DMZ) belongs to class 1:20 (the DMZ)
But I've got serious doubts about the next 2 rules:
63 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
64 match ip src 10.0.0.99 flowid 1:20
65 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
66 match ip dst 10.0.0.99 flowid 1:20
IP 10.0.0.99 is the ip address of eth1 (the LAN interface) of the router.
Traffic coming and going from that ip is put into class 1:20. The only reason I
can imagine why I have done that is to put local traffic from the router in the
DMZ class because I do not want it in class 1:10 or one of its sub-classes.
So my question would be:
Does this script do the things I described above?
Could I not better leave those DMZ rules out because 1:20 is the default class
anyway?
Kind regards,
Peter Kaagman
System Administration Atlas College
p.kaagman@atlascollege.nl
1 #!/bin/sh
2 # eth1: Lan link
3 #                     root
4 #                      1:
5 #                       |
6 #                     base
7 #                  100/100mbit
8 #                    _1:1_
9 #                   /     \
10 #                 /       \
11 #                /         \
12 #         Internet          DMZ
13 #         6/6mbit       94/100mbit
14 #          1:10            1:20
15 #           |
16 #           |
17 #           |-- DDK 10.2.0.0/16
18 #           |   1:12
19 #           |   438kbit/6mbit 1)
20 #           |
21 #           |-- Tit 10.4.0.0/16
22 #           |   1:14
23 #           |   1254kbit/6mbit
24 #           |
25 #           |-- CSG 10.5.0.0/16
26 #           |   1:15
27 #           |   1605kbit/6mbit
28 #           |
29 #           |-- OSG 10.6.0.0/16
30 #           |   1:16
31 #           |   1605kbit/6mbit
32 #           |
33 #           |-- Tri 10.8.0.0/16
34 #           |   1:18
35 #           |   730kbit/6mbit
36 #           |
37 #           |-- CB 10.9.0.0/16
38 #               1:19
39 #               512kbit/6mbit
40 #
41
42 # root qdisc; unclassified traffic falls into class 1:20 (the DMZ class)
43 /sbin/tc qdisc add dev eth1 root handle 1: htb default 20
44 # root class for borrow 100/100mbit
45 /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
46 # class for Internet 6/6mbit
47 /sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 6mbit ceil 6mbit
48 # class for DMZ 94/100mbit
49 /sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 94mbit ceil 100mbit
50
51 # child classes for divide (one per location, ceiling is the Internet class)
52 /sbin/tc class add dev eth1 parent 1:10 classid 1:12 htb rate 438kbit ceil 6mbit
53 /sbin/tc class add dev eth1 parent 1:10 classid 1:14 htb rate 1254kbit ceil 6mbit
54 /sbin/tc class add dev eth1 parent 1:10 classid 1:15 htb rate 1605kbit ceil 6mbit
55 /sbin/tc class add dev eth1 parent 1:10 classid 1:16 htb rate 1605kbit ceil 6mbit
56 /sbin/tc class add dev eth1 parent 1:10 classid 1:18 htb rate 730kbit ceil 6mbit
57 /sbin/tc class add dev eth1 parent 1:10 classid 1:19 htb rate 512kbit ceil 6mbit
58 # filters
59 # HTB rules should be attached to the root
60 # From DMZ to 1:20 rest 1:1*
61 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
62     match ip src 192.168.0.0/24 flowid 1:20
63 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
64     match ip src 10.0.0.99 flowid 1:20
65 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
66     match ip dst 10.0.0.99 flowid 1:20
67 # Locations
68 # 10.2.0.0/16 to class 1:12
69 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
70     match ip dst 10.2.0.0/16 flowid 1:12
71 # 10.4.0.0/16 to class 1:14
72 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
73     match ip dst 10.4.0.0/16 flowid 1:14
74 # 10.5.0.0/16 to class 1:15
75 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
76     match ip dst 10.5.0.0/16 flowid 1:15
77 # 10.6.0.0/16 to class 1:16
78 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
79     match ip dst 10.6.0.0/16 flowid 1:16
80 # 10.8.0.0/16 to class 1:18
81 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
82     match ip dst 10.8.0.0/16 flowid 1:18
83 # 10.9.0.0/16 to class 1:19
84 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \
85     match ip dst 10.9.0.0/16 flowid 1:19
86
87
88 # re-init (run before re-applying the script to drop the old tree)
89 # /sbin/tc qdisc del dev eth1 root
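As an added example (not part of Peter's script), a small Python model of the first-match classification the filters above perform, which reports which sample flows would change class if the three explicit 1:20 rules were dropped. It assumes that equal-priority u32 filters are tried in the order they were added and that the first match wins; the sample addresses are constructed.

```python
import ipaddress

# The filter list from the script, in the order the tc commands add them, as
# (match field, network, flowid). All are "prio 1 u32" filters on parent 1:.
# Model assumption: equal-priority u32 filters are tried in insertion order
# and the first match decides the class.
FILTERS = [
    ("src", "192.168.0.0/24", "1:20"),   # DMZ -> DMZ class
    ("src", "10.0.0.99/32", "1:20"),     # router's own eth1 address
    ("dst", "10.0.0.99/32", "1:20"),
    ("dst", "10.2.0.0/16", "1:12"),      # DDK
    ("dst", "10.4.0.0/16", "1:14"),      # Tit
    ("dst", "10.5.0.0/16", "1:15"),      # CSG
    ("dst", "10.6.0.0/16", "1:16"),      # OSG
    ("dst", "10.8.0.0/16", "1:18"),      # Tri
    ("dst", "10.9.0.0/16", "1:19"),      # CB
]
DEFAULT_CLASS = "1:20"  # "htb default 20" on the root qdisc

def classify(src, dst, filters=FILTERS, default=DEFAULT_CLASS):
    """Return the flowid of the first matching filter, else the default."""
    saddr, daddr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for field, net, flowid in filters:
        addr = saddr if field == "src" else daddr
        if addr in ipaddress.ip_network(net):
            return flowid
    return default

def without_dmz_rules(filters=FILTERS):
    """The same list with the three explicit 1:20 rules removed."""
    return [f for f in filters if f[2] != "1:20"]

def changed_by_removal(packets):
    """(src, dst, class with the rules, class without) for flows that move."""
    out = []
    for src, dst in packets:
        before = classify(src, dst)
        after = classify(src, dst, without_dmz_rules())
        if before != after:
            out.append((src, dst, before, after))
    return out

if __name__ == "__main__":
    # Constructed sample flows leaving eth1 towards the LAN.
    sample = [("192.168.0.10", "10.2.1.1"), ("10.0.0.99", "10.4.1.1"),
              ("203.0.113.5", "10.5.1.1"), ("203.0.113.5", "10.99.1.1")]
    for row in changed_by_removal(sample):
        print("%s -> %s: %s becomes %s" % row)
```

A flow whose destination is one of the location subnets only stays in 1:20 because a src rule is tried before the dst rules; without them it is classified by destination like any other packet.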