Hi list, Up front: A bit sorry this post turned out a wee bit long I work as a system administrator for the Atlas College in the Netherlands. We are what is called a merger school consisting of 5 separate (more or less) locations and one central administration. The network is a class A network (10.0.0.0/8) in which all locations have there own subnet (i.e. 10.9.0.0/16 for the central administration). Sine 2004 the separate units share the 6 mbit Internet access. When we started with a central access to Internet it was still possible for one of the locations to clog the access to the Internet. Giving an unfair situation. For this reason we started to a HTB bandwidth shaper. What I tried to achieve was giving the separate location a fair share of the bandwidth (in relation to their student count) with as a ceiling the 6 mbit maximum. As a complicating factor there is also a DMZ connected at LAN speed (100 mbit). So what I did was make a root class of 100/100 mbit, subclassing it in an Internet class off 6/6mbit and a DMZ class of 94/100mbit. The default class is the DMZ class. The Internet class is subclassed further to make a class per unit. I''ve enclosed the script below, it has worked well for 2 years now.... but there are changes at the horizon :D The 6mbit Internet connection has been full ever since we bought it. Now people are starting to complain about slow connection. So we''ve decided to upgrade our contract to a 40mbit connection. This could offcourse simply be done by changing the numbers. But there are 2 complications: 1) Most locations are connected to our backbone with 8mbit microwaves. This means I will not give them more than 6mbit on the internet without a change to borrow. Not the reason I write this (long) message 2) This is the reason: I can no longer explain to myself what I have done in the script. The classes and sub-classes I understand. I understand the filter rules I''ve made for the locations. But looking at the filter rules for the DMZ I think they are wrong. The first rule I can dig: 61 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 62 match ip src 192.168.0.0/24 flowid 1:20 All traffic coming form 192.168.0.0/24 (the DMZ) belong to class 1:20 (the DMZ) But I''ve got serious doubts about the next 2 rules: 63 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 64 match ip src 10.0.0.99 flowid 1:20 65 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 66 match ip dst 10.0.0.99 flowid 1:20 IP 10.0.0.99 is the ip address of eth1 (the LAN interface) of the router. Traffic coming and going from that ip is put in to class 1:20. The only reason I can imagine why I have done that is to put local traffic from the router in the DMZ class because I do not want it in class 1:10 or one of its sub-classes. So my question would be: Does this script do the things I described above? Could I not better leave those DMZ rules out because 1:20 is the default class anyway? Met Vriendelijke Groet, Peter Kaagman Systeembeheer Atlas College p.kaagman@atlascollege.nl 1 # /bin/sh 2 # eth1: Lan link 3 # root 4 # 1: 5 # | 6 # base 7 # 100/100mbit 8 # _1:1_ 9 # / \ 10 # / \ 11 # / \ 12 # Internet DMZ 13 # 6/6mbit 94/100mbit 14 # 1:10 1:20 15 # | 16 # | 17 # |-- DDK 10.2.0.0/16 18 # | 1:12 19 # | 438kbit/6mbit 1) 20 # | 21 # |-- Tit 10.4.0.0/16 22 # | 1:14 23 # | 1254kbit/6mbit 24 # | 25 # |-- CSG 10.5.0.0/16 26 # | 1:15 27 # | 1605kbit/6mbit 28 # | 29 # |-- OSG 10.6.0.0/16 30 # | 1:16 31 # | 1605kbit/6mbit 32 # | 33 # |-- Tri 10.8.0.0/16 34 # | 1:18 35 # | 730kbit/6mbit 36 # | 37 # |-- CB 10.9.0.0/16 38 # 1:19 39 # 512kbit/6mbit 40 # 41 42 # root qdisc 43 /sbin/tc qdisc add dev eth1 root handle 1: htb default 20 44 # root class for borrow 100/100mbit 45 /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 100mbit ceil 100mbit 46 # class for Internet 6/6mbit 47 /sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 6mbit ceil 6mbit 48 # class for DMZ 94/100mbit 49 /sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 94mbit ceil 100mbit 50 51 # child classes for divide 52 /sbin/tc class add dev eth1 parent 1:10 classid 1:12 htb rate 438kbit ceil 6mbit 53 /sbin/tc class add dev eth1 parent 1:10 classid 1:14 htb rate 1254kbit ceil 6mbit 54 /sbin/tc class add dev eth1 parent 1:10 classid 1:15 htb rate 1605kbit ceil 6mbit 55 /sbin/tc class add dev eth1 parent 1:10 classid 1:16 htb rate 1605kbit ceil 6mbit 56 /sbin/tc class add dev eth1 parent 1:10 classid 1:18 htb rate 730kbit ceil 6mbit 57 /sbin/tc class add dev eth1 parent 1:10 classid 1:19 htb rate 512kbit ceil 6mbit 58 # filters 59 # HTB rules should be attached to the root 60 # From DMZ to 1:20 rest 1:1* 61 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 62 match ip src 192.168.0.0/24 flowid 1:20 63 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 64 match ip src 10.0.0.99 flowid 1:20 65 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 66 match ip dst 10.0.0.99 flowid 1:20 67 # Locations 68 # 10.2.0.0/16 naar class 1:12 69 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 70 match ip dst 10.2.0.0/16 flowid 1:12 71 # 10.4.0.0/16 naar class 1:14 72 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 73 match ip dst 10.4.0.0/16 flowid 1:14 74 # 10.5.0.0/16 naar class 1:15 75 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 76 match ip dst 10.5.0.0/16 flowid 1:15 77 # 10.6.0.0/16 naar class 1:16 78 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 79 match ip dst 10.6.0.0/16 flowid 1:16 80 # 10.8.0.0/16 naar class 1:18 81 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 82 match ip dst 10.8.0.0/16 flowid 1:18 83 # 10.9.0.0/16 naar class 1:19 84 /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 \ 85 match ip dst 10.9.0.0/16 flowid 1:19 86 87 88 # re-init 89 # /sbin/tc qdisc del dev eth1 root