Shorewall users - Oct 2007 - Multi-ISP with traffic shaping

I have a firewall that routes between seven separate zones including  
two ISPs, and two VPN tunnels.  Everything was working flawlessly,  
until I went to add traffic shaping.  I would like start prioritizing  
the outbound traffic on the two ISPs, and I have all the rules in  
place, but it doesn''t seem to be working correctly.

Let me start with the layout of the firewall:

eth0 - ISP#1
eth1 - ISP#2
eth2 - Internal network
eth3 - DMZ
eth4 - WiFi
tun0 - VPN #1
tun1 - VPN #2

ISP #1 happens to be very sticky about traffic, but it is where our  
servers need to be hosted off, so the DMZ is the only source of  
traffic that goes in/out on ISP #1 (unless ISP #2 breaks).   
Everything else uses ISP #2, including the traffic for both VPNs.  I  
would like to sort traffic into four classes:

Highest priority - TCP/IP handshaking + other low latency
High priority - VPN traffic
Normal priority - Everything else
Low priority - P2P traffic

 From various tests and watching the stats coming from tc, I know  
that the High/Low priority is hardly being used (I sent a 10M file  
over the VPN to another office, and barely 2k was recorded on that  
qdisc), and I have no idea why.  Shorewall runs fine, and traffic is  
flowing with no problems, but the traffic just isn''t being classified  
correctly.  The important info/configs:

shorewall version 3.4.6
iptables v1.3.8
ip utility, iproute2-ss070710

providers:
######################################################################## 
####################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE        
GATEWAY         OPTIONS         COPY
ISPS    2       0x0200  main            eth1             
68.144.64.1     track,balance   eth2,eth3,eth4
ISPN    1       0x0100  main            eth0             
66.18.203.65    track,balance   eth2,eth3,eth4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

route_rules:
######################################################################## 
######
#SOURCE                 DEST                    PROVIDER        PRIORITY

## For VPNs
-                       192.168.0.0/16          main            1000

## For firewall
lo                      68.144.64.0/22          ISPS            1000
lo                      66.18.203.64/27         ISPN            1000
lo                      -                       ISPS            1000

## For local
eth2                    68.144.64.0/22          ISPS            1000
eth2                    66.18.203.64/27         ISPN            1000
eth2                    -                       ISPS            1000

## For wifi
eth3                    68.144.64.0/22          ISPS            1000
eth3                    66.18.203.64/27         ISPN            1000
eth3                    -                       ISPS            1000

## For DMZ
eth4                    -                       ISPN            1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


tcdevices:
######################################################################## 
#######
#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
eth0            4000kbit        512kbit
eth1            4000kbit        512kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcclasses:
######################################################################## 
#######
#INTERFACE      MARK    RATE    CEIL    PRIORITY        OPTIONS
eth0            1       full/4  full    1               tcp-ack,tos- 
minimize-delay
eth0            2       full/4  full    2
eth0            3       full/4  full    3               default
eth0            4       full/4  full    4

eth1            1       full/4  full    1               tcp-ack,tos- 
minimize-delay
eth1            2       full/4  full    2
eth1            3       full/4  full    3               default
eth1            4       full/4  full    4
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcrules:
######################################################################## 
#######
#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT   
USER    TEST    LENGTH  TOS
#                                                       PORT(S)

RESTORE         0.0.0.0/0       0.0.0.0/0       all     -        
-       -       0
CONTINUE        0.0.0.0/0       0.0.0.0/0       all     -        
-       -       !0

## Mark Pings as highest priority
1       0.0.0.0/0       0.0.0.0/0       icmp    echo-request
1       0.0.0.0/0       0.0.0.0/0       icmp    echo-reply

## Mark SSH as highest priority
1       0.0.0.0/0       0.0.0.0/0       tcp     ssh

## For the inter-office tunnel
2       0.0.0.0/0        production      all
2       0.0.0.0/0        downtown      all

## By default everything ends up in regular (3) class

## For torrents, cargo class
4       0.0.0.0/0       0.0.0.0/0       ipp2p:all

SAVE    0.0.0.0/0       0.0.0.0/0       all     -       -        
-       !0

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

(As a note, production/downtown are names that can be resolved to an  
IP, and I have verified that they are correctly being used, They are  
to route the VPN traffic over class 2)

The main one that I am concerned about is the traffic to "production"
or "downtown", and why it isn''t being classified into class
2.
 From there I''ll worry about the P2P after.  If anyone needs more  
information, let me know, and I''ll gladly post whatever is  
requested.  At this point, any help is greatly appreciated, even if  
it is just a suggestion of where I might start to look.

--
James McTavish



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

James McTavish wrote:
> If anyone needs more  
> information, let me know, and I''ll gladly post whatever is  
> requested. 
Please see http://www.shorewall.net/support.htm#Guidelines for instructions
regarding the reporting of traffic shaping problems.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

James McTavish wrote:
> 
> ## For the inter-office tunnel
> 2       0.0.0.0/0        production      all
> 2       0.0.0.0/0        downtown      all
> 
If it the OpenVPN Encapsulating UDP packets that you are trying to mark with
class 2, then these rules need to be:

2       $FW        production      all
2       $FW        downtown        all

Remember that 0.0.0.0/0 DOES NOT INCLUDE TRAFFIC ORIGINATING ON THE FIREWALL.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/