Quick Question-

Is it possible to still use traffic shaping in combination with multi-ISP setup in Shorewall? Since both make use of tcrules it seems like there may be a possible collision. I'm getting ready to build a linux router using a Sangoma 104 (4 T1's) in concert with an internal Ethernet card doing NAT / PNAT / DNAT. My current connection uses two Ethernet cards and makes pretty extensive use of the traffic shaping features of Shorewall for VOIP priority.

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)

On Tuesday 11 April 2006 11:19, Keith Mitchell wrote:
> Quick Question-
>
> Is it possible to still use traffic shaping in combination with
> multi-ISP setup in Shorewall? Since both make use of tcrules it seems
> like there may be a possible collision. I'm getting ready to build a
> linux router using a Sangoma 104 (4 T1's) in concert with an internal
> Ethernet card doing NAT / PNAT / DNAT. My current connection uses two
> Ethernet cards and makes pretty extensive use of the traffic shaping
> features of Shorewall for VOIP priority.

Keith,

The answer with Shorewall 3.0 is "sort of".

- If you don't use 'track' in /etc/shorewall/providers then it works.

Otherwise:

- Marks for traffic shaping may not be assigned in the PREROUTING chain -- they must be assigned in the FORWARD chain.
- Traffic shaping may not use connection marks.

In Shorewall 3.2, I just added a HIGH_ROUTE_MARKS option in shorewall.conf that allows you to use connection marks with traffic shaping (traffic shaping marks still may not be assigned in the PREROUTING chain). I'm interested in having people test that capability while 3.2 is still in the Beta stage.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

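The constraints listed in the reply above can be checked mechanically before a configuration is loaded. The following Python check is an added example, not part of the thread or of Shorewall itself; the sample files are constructed, and it assumes the Shorewall 3.x tcrules chain designators (`:P`, `:F`, `:C`, `:CP`, `:CF`) and that unsuffixed marks go to PREROUTING unless MARK_IN_FORWARD_CHAIN=Yes.

```python
# Constructed sample files, not taken from the thread. Columns follow the
# Shorewall 3.x providers (OPTIONS is column 7) and tcrules (MARK is column 1)
# layouts. Provider mark values themselves are not validated here.
PROVIDERS = """\
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
ISP1   1       1     main       eth0       detect   track,balance
ISP2   2       2     main       eth1       detect   track,balance
"""
TCRULES = """\
#MARK  SOURCE     DEST       PROTO  PORT(S)
10:P   0.0.0.0/0  0.0.0.0/0  udp    5060
20:F   0.0.0.0/0  0.0.0.0/0  udp    10000:20000
30:CF  0.0.0.0/0  0.0.0.0/0  tcp    22
40     0.0.0.0/0  0.0.0.0/0  tcp    80
"""

def rows(text):
    """Yield (line_number, columns) for each non-comment, non-blank line."""
    for n, line in enumerate(text.splitlines(), 1):
        cols = line.split("#", 1)[0].split()
        if cols:
            yield n, cols

def uses_track(providers):
    """True if any provider lists 'track' in its OPTIONS column."""
    return any(len(c) > 6 and "track" in c[6].split(",")
               for _, c in rows(providers))

def lint(providers, tcrules, mark_in_forward=False, high_route_marks=False):
    """Return (line, problem) pairs for tcrules entries that break the rules
    stated in the reply. The keyword arguments mirror MARK_IN_FORWARD_CHAIN
    and HIGH_ROUTE_MARKS in shorewall.conf."""
    if not uses_track(providers):
        return []                      # without 'track' the combination works
    default = "F" if mark_in_forward else "P"
    findings = []
    for n, cols in rows(tcrules):
        mark, _, suffix = cols[0].partition(":")
        if not mark.isdigit() or suffix not in ("", "P", "F", "C", "CP", "CF"):
            continue                   # other MARK forms are not checked
        chain = suffix[-1] if suffix[-1:] in ("P", "F") else default
        if chain == "P":               # shaping mark set in PREROUTING
            findings.append((n, "prerouting"))
        if suffix.startswith("C") and not high_route_marks:
            findings.append((n, "connmark"))
    return findings

if __name__ == "__main__":
    for line, problem in lint(PROVIDERS, TCRULES):
        print(f"tcrules line {line}: {problem}")
```
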
About 50-100 messages below you'll see a few messages regarding this topic.

Easy protocols you can shape (not like ftp or p2p). Ftp you can shape on incoming net->loc connections with a "hack" from your part (ftp server and passive ports). You can not shape loc->net passive ftp connections (because of netfilter's mark used for connection tracking). P2P I don't think you can shape.

Connection Mark is a must for multi ISP setup. So you have to compromise with only minimal shaping. Tom is working on it in the current beta version. If your setup is not used in a production env you can test it and the whole group can benefit from your input.

Regards ...
Harry

I'll be very interested in testing the beta, as we currently shape in the forward chain. Track in the /etc/shorewall/providers would be huge for me, as we do have a few DNATS inside the network (yes I know this is bad). Currently I HTB shape on my WAN interface (for outbound), and DSMARK on my LAN interface to set DiffServ priorities for my Layer2 switches. Sounds like I'm gonna have to give *something* up in this new setup...

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, April 11, 2006 12:06 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multi-ISP *and* Traffic Shaping?

Keith Mitchell wrote:
> I'll be very interested in testing the beta, as we currently shape in
> the forward chain.

Well, you can wait for the next beta, or check out a copy from the SVN

http://www.shorewall.net/download.htm#SVN

Be aware, SVN code can be broken for moments/hours, but usually it works fine.

On Tuesday 11 April 2006 14:03, Cristian Rodriguez wrote:
> Keith Mitchell wrote:
> > I'll be very interested in testing the beta, as we currently shape in
> > the forward chain.
>
> Well you can wait the next beta, or check out a copy from the SVN
>
> http://www.shorewall.net/download.htm#SVN
>
> be aware, SVN code can be broken for moments/hours , but usually it
> works fine.

Support for HIGH_ROUTE_MARKS was released in Beta 4. -- There are just a couple of tweaks in that code in the current SVN.

-Tom

Hmm... A thought occurred to me. Could some of these issues be resolved by using Xen to virtually segment? Or am I digging myself a deeper hole?

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, April 11, 2006 2:09 PM
To: shorewall-users@lists.sourceforge.net
Cc: Cristian Rodriguez
Subject: Re: [Shorewall-users] Multi-ISP *and* Traffic Shaping?