Hi!

It's me again bothering you guys, what I want to do is to give full bandwidth to VPN traffic and limit the rest to 30KB/s (kilobytes per second), ok?

Here's what I have:

tcclasses
##################################
eth0 1 1kbps 70kbps 1
eth0 2 1kbps 30kbps 2 default
eth1 3 15kbps 10000kbps 1
eth1 4 1kbps 30kbps 2 default
######################################

tcdevices
####################################
eth0 70kbps 70kbps
eth1 10000kbps 10000kbps
####################################

tcrules:
#################################################
1 0.0.0.0/0 192.168.100.0/24 all
1 0.0.0.0/0 192.168.0.0/24 all
1 0.0.0.0/0 201.89.170.2 all
3 192.168.100.0/24 0.0.0.0/0 all
3 192.168.0.0/24 0.0.0.0/0 all
3 201.89.170.2 0.0.0.0/0 all
3 $FW 192.168.200.10 all
##################################################

Here's a connection to the VPN's remote gateway:
######################################
[doctor@srvsisdia doctor]$ scp doctor@201.89.170.2:/home/doctor/teste.zip .
Password:
teste.zip 0% 268KB 53.6KB/s 09:15 ETA
#####################################

Working like it should, no problem... the dump is dumpVPNGW.txt.bz2, attached.

Now, here's the issue: a connection to the local station passing through the VPN:
###########################################
[doctor@srvsisdia doctor]$ scp doctor@192.168.100.2:/home/doctor/marcia .
doctor@192.168.100.2's password:
marcia 16% 1844KB 19.6KB/s 08:05 ETA
###########################################

dump is: tmp/dumpVPNLOCAL.txt.bz2

I don't know why it's limiting the traffic to 20kbps (bytes) there. When all rules are disabled, all the bandwidth is used again. There are no rules applied on the other Linux box responsible for the VPN (remote gateway).

Thanks again!

Ismael

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Ismael Milach da Silveira wrote:
> Hi!
>
> It's me again bothering you guys, what I want to do is to give full
> bandwidth to VPN traffic and limit the rest to 30KB/s
> (kilobytespersecond), ok?

I don't see anywhere that you are "giving full bandwidth to VPN traffic".

Hint: In IPSEC tunnel mode (and in most VPN situations), the actual VPN traffic is $FW-><remote gateway> and you have no marking rules with SOURCE $FW.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
###################################
I don''t see anywhere that you are "giving full bandwidth to VPN
traffic".
Hint: In IPSEC tunnel mode (and in most VPN situations), the actual VPN
traffic is $FW-><remote gateway> and you have no marking rules with
SOURCE $FW.
####################
the tunnel is IPSEC.
70kbps is my "full" :-)
eth0= wan
eth1 = lan
192.168.200.0/24 is LAN
192.168.100.0/24 is the "remote" LAN
201.89.170.2 is the remote GW
tcdevices:
###############
eth0 70kbps 70kbps
eth1 10000kbps 10000kbps
##################
tcrules
############
1 $FW 192.168.100.0/24 all
1 $FW 201.89.170.2 all
3 192.168.100.0/24 0.0.0.0/0 all
############
tcclasses:
########################################
eth0 1 10kbps 20kbps 1
eth0 2 30kbps 40kbps 2 default
eth1 3 10kbps 20kbps 1
eth1 4 30kbps 40kbps 2 default
########################################
the traffic floats between 10 and 20KB/s. ok, it seems normal, although only
the forwarded traffic is being classified.
from the dump (FW.txt.bz2):
############################################
Chain tcfor (1 references)
pkts bytes target prot opt in out source
destination
648 888K MARK all -- * * 192.168.100.0/24
0.0.0.0/0 MARK set 0x3
Chain tcout (1 references)
pkts bytes target prot opt in out source
destination
0 0 MARK all -- * * 0.0.0.0/0
192.168.100.0/24 MARK set 0x1
0 0 MARK all -- * * 0.0.0.0/0
201.89.170.2 MARK set 0x1
############################################
###################
Chain tcpost (1 references)
648 888K CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0
MARK match 0x3/0xff CLASSIFY set 2:13
####################
####################
class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 1500 rate 80000bit ceil
160000bit
rate 88464bit
#####################
around 11KB/s... ok.
then I change tcclasses to:
###################################
eth0 1 30kbps full 1
eth0 2 10kbps 20kbps 2 default
eth1 3 30kbps full 1
eth1 4 10kbps 20kbps 2 default
####################################
when "full" would be around 70kbps.
The traffic rate goes up, but far from what it should be, never going over
23 KB/s.
dump (FW2.txt.bz2)
######################################################################
Chain tcfor (1 references)
pkts bytes target prot opt in out source
destination
2930 4126K MARK all -- * * 192.168.100.0/24
0.0.0.0/0 MARK set 0x3
Chain tcout (1 references)
pkts bytes target prot opt in out source
destination
0 0 MARK all -- * * 0.0.0.0/0
192.168.100.0/24 MARK set 0x1
0 0 MARK all -- * * 0.0.0.0/0
201.89.170.2 MARK set 0x1
#####################################################################
#################################
Chain tcpost (1 references)
pkts bytes target prot opt in out source
destination
2930 4126K CLASSIFY all -- * eth1 0.0.0.0/0
0.0.0.0/0 MARK match 0x3/0xff CLASSIFY set 2:13
#########################################################################################
########################
class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 2880 rate 240000bit ceil
80000Kbit
rate 169344bit 14pps
#################################
And, when I disable every traffic shaping rule...
########################################################
[doctor@srvsisdia doctor]$ scp doctor@192.168.100.2:/home/doctor/marcia .
doctor@192.168.100.2's password:
marcia 14% 1608KB 53.6KB/s 03:01
ETA
#########################################################
the moment I put some rule, no matter what rule, doing traffic shaping, the
rate goes down between VPN station (the rest stays correct).
tcclasses looking like this and no tcrules applied.
#######################################
eth0 1 30kbps full 1 default
eth1 2 30kbps full 1 default
########################################
VPN traffic
######################
[doctor@srvsisdia doctor]$ scp doctor@192.168.100.2:/home/doctor/marcia .
doctor@192.168.100.2's password:
marcia 18% 2076KB 19.7KB/s 07:49
ETA
#####################
why?
Traffic to the remote Gateway is normal:
###############################
[doctor@srvsisdia doctor]$ scp doctor@201.89.170.2:/home/doctor/teste.zip .
Password:
Password:
teste.zip 11% 3340KB 54.7KB/s 08:07
ETAA
############################
FW3.txt.bz2
##############################
Chain tcfor (1 references)
pkts bytes target prot opt in out source
destination
Chain tcout (1 references)
pkts bytes target prot opt in out source
destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source
destination
0 0 CLASSIFY all -- * eth0 0.0.0.0/0
0.0.0.0/0 MARK match 0x1/0xff CLASSIFY set 1:11
0 0 CLASSIFY all -- * eth1 0.0.0.0/0
0.0.0.0/0 MARK match 0x2/0xff CLASSIFY set 2:12
##############################
Again, what I wanna do is to give full bandwidth to VPN traffic and to limit
the rest to 30kbps or so.
Sorry for the way-too-long post :-)
Thanks!
see ya,
Ismael
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, January 04, 2007 1:58 PM
Subject: Re: [Shorewall-users] TC again - now working on VPN traffic
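A small diagnostic, added here and not code from the thread or from Shorewall itself: it parses an iptables mangle listing in the format of the FW.txt dumps posted above and reports MARK rules with zero hits, which in these dumps are exactly the tcout rules that Tom's hint is about (the tunnel traffic is $FW -> remote gateway, and no tcrules entry has SOURCE $FW). The sample dump is constructed from the posted rules with the wrapped lines rejoined.

```python
"""Added example, not from the thread: parse an iptables mangle listing like the
FW.txt dumps above and report MARK rules that never matched.  In the poster's
dumps every tcout rule shows 0 pkts, which is Tom's point: the real tunnel
traffic is $FW -> remote gateway and no tcrules entry has SOURCE $FW."""
import re

# Constructed sample in the format of the posted dump (wrapped lines rejoined).
SAMPLE_DUMP = """\
Chain tcfor (1 references)
 pkts bytes target prot opt in out source destination
  648  888K MARK all -- * * 192.168.100.0/24 0.0.0.0/0 MARK set 0x3
Chain tcout (1 references)
 pkts bytes target prot opt in out source destination
    0     0 MARK all -- * * 0.0.0.0/0 192.168.100.0/24 MARK set 0x1
    0     0 MARK all -- * * 0.0.0.0/0 201.89.170.2 MARK set 0x1
Chain tcpost (1 references)
 pkts bytes target prot opt in out source destination
  648  888K CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0x3/0xff CLASSIFY set 2:13
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# pkts bytes MARK prot opt in out src dst "MARK set 0xN"
MARK_RE = re.compile(r"^\s*(\d+)\s+\S+\s+MARK\s+\S+\s+--\s+\S+\s+\S+\s+(\S+)\s+(\S+)"
                     r"\s+MARK set (0x[0-9a-fA-F]+)")
# pkts bytes CLASSIFY prot opt in out src dst "MARK match 0xN/mask CLASSIFY set X:Y"
CLASSIFY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+CLASSIFY\s+\S+\s+--\s+\S+\s+(\S+)\s+\S+\s+\S+"
                         r"\s+MARK match (0x[0-9a-fA-F]+)/\S+\s+CLASSIFY set (\S+)")

def parse_dump(text):
    """Return ({chain: [(pkts, src, dst, mark)]}, [(pkts, out_if, mark, class)])."""
    marks, classifies, chain = {}, [], None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif m := MARK_RE.match(line):
            pkts, src, dst, mark = m.groups()
            marks.setdefault(chain, []).append((int(pkts), src, dst, int(mark, 16)))
        elif m := CLASSIFY_RE.match(line):
            pkts, out_if, mark, cls = m.groups()
            classifies.append((int(pkts), out_if, int(mark, 16), cls))
    return marks, classifies

def unmatched_marks(marks):
    """MARK rules with zero hits: the rule does not describe the traffic you think."""
    return [(chain, src, dst, hex(mark)) for chain, rules in marks.items()
            for pkts, src, dst, mark in rules if pkts == 0]

def classes_without_mark(marks, classifies):
    """CLASSIFY rules whose mark no MARK rule ever set (traffic falls to default)."""
    live = {mark for rules in marks.values() for pkts, _, _, mark in rules if pkts > 0}
    return [(out_if, cls) for pkts, out_if, mark, cls in classifies if mark not in live]
```

Feeding it the FW3 dump above (no MARK rules at all, two CLASSIFY rules with 0 pkts) lists both classes as fed by no live mark, i.e. all traffic lands in the default class.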
Just to add to this mess :-)

The upload traffic through the ipsec tunnel works as it should, the problem reported below only happens with incoming traffic 192.168.200.1 <--- 192.168.100.2.

see ya!

Ismael

----- Original Message -----
From: "Ismael Milach da Silveira" <ismael@doctornet.com.br>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, January 04, 2007 5:08 PM
Subject: Re: [Shorewall-users] TC again - now working on VPN traffic