Hi guys,

I have a problem marking traffic in the system described in the attached png file. I have a Gentoo box running Shorewall (3.4.6), sharing our internet connection in a small building. To distribute internet to the rooms, I use an old Allied Telesyn router with a built-in DHCP server. This router supports private VLANs, which basically means that clients can't communicate between rooms. I have split the clients into two groups, VLAN1 (10.0.1.x) and VLAN2 (10.0.2.x). I use the groups to control who is connected and who is not, simply by routing all VLAN2 traffic to the router, which contains a webpage explaining how to get connected. This saves me a trip to the basement every time I need to connect/disconnect a room.

My problem is that bandwidth is limited, so I need to do some scheduling. I used to do this using ipp2p in a crude setup, but I can't seem to make it work on my reinstalled Gentoo box. It was lagging behind anyway, so I decided to try something new. My new approach is to sort traffic by host IP address instead of traffic type. My guess is that this will give a more fair use of the bandwidth, even though rooms with multiple clients will get double bandwidth. This will be my little secret.

The problem is when I start Shorewall the traffic slows down to an almost complete standstill, indicating that my tcrules don't mark the traffic correctly. What am I doing wrong?

I have attached a diagram of the setup and my "shorewall dump" file, and my config files are at the end of this mail. The system is "on air", so I dumped the data after just a few minutes of uptime on this setup. I don't know if this is reflected in the dump.

Thanks in advance,
Jesper Taxbøl

/etc/conf.d/local.start:

    route add -net 10.0.0.0/15 gw 10.0.64.2 eth1

tcdevices:

    #INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
    eth0        1555kbit      425kbit
    eth1        375kbit       1655kbit

tcrules:

    #MARK  SOURCE     DEST       PROTO  PORT(S)
    102    0.0.0.0/0  0.0.0.0/0  tcp    22
    102    0.0.0.0/0  0.0.0.0/0  tcp    22
    1      10.0.1.2   0.0.0.0/0  all
    1      0.0.0.0/0  10.0.1.2   all
    2      10.0.1.3   0.0.0.0/0  all
    2      0.0.0.0/0  10.0.1.3   all
    3      10.0.1.4   0.0.0.0/0  all
    3      0.0.0.0/0  10.0.1.4   all
    4      10.0.1.5   0.0.0.0/0  all
    4      0.0.0.0/0  10.0.1.5   all
    ...

tcclasses:

    #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
    eth0        1     full*1/20  full*1/2   2
    eth1        1     full*1/20  full*1/2   2
    eth0        2     full*1/20  full*1/2   2
    eth1        2     full*1/20  full*1/2   2
    eth0        3     full*1/20  full*1/2   2
    eth1        3     full*1/20  full*1/2   2
    eth0        4     full*1/20  full*1/2   2
    eth1        4     full*1/20  full*1/2   2
    ...
    eth0        101   full*1/30  full*1/20  3         default
    eth1        101   full*1/30  full*1/20  3         default
    eth0        102   full*1/30  full*1/30  1
    eth1        102   full*1/30  full*1/30  1

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell. From the desktop to the data center, Linux is going
mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
Jesper Taxbøl wrote:
>
> The problem is when I start Shorewall the traffic slows down to almost
> complete standstill, indicating that my tcrules don't mark the traffic
> correctly.

Have you looked at the CPU utilization of the box when Shorewall is started? I suspect that it is high.

> What am I doing wrong?

To start with, you are subjecting _every_ packet going through your firewall to 150 rules in the mangle table! Every forwarded packet goes through all 100+ marking rules and 50 CLASSIFY rules (neither the MARK target nor the CLASSIFY target is terminating). The class-per-host approach to traffic shaping scales poorly.

Another thing that I notice is that the sum of RATEs appears to exceed the bandwidth (you didn't show us the entire tcclasses file and I'm not going to sit here with a calculator and your dump, adding up the raw rates). If that is the case, then with more than 20-30 users on-line, traffic shaping will cease to function at all.

Finally, I suspect that trying to share a line of this speed between 50 hosts is going to yield miserable performance during peak usage times no matter what you do. Your line is about the same speed as the one that I have here; mine supports two users and a low-volume server.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
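Tom's second point, that the class RATEs in tcclasses add up to more than the line, can be checked mechanically instead of with a calculator. The script below is an added example written for this page; it is not code from the thread or from Shorewall. It parses tcdevices/tcclasses text in the column layout posted above, takes "full" to mean the interface's OUT-BANDWIDTH (which is what Shorewall's tcclasses RATE and CEIL are relative to), and fills in the "..." that Jesper elided by repeating the visible per-host pattern for a chosen number of hosts. That repetition, and the function names, are assumptions about the unseen part of the file, not something the thread shows.

```python
"""Check Shorewall tcdevices/tcclasses for oversubscribed HTB guarantees."""
import re
from fractions import Fraction

# Constructed input: the tcdevices fragment exactly as posted in the thread.
TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth0 1555kbit 425kbit
eth1 375kbit 1655kbit
"""


def tcclasses_for(n_hosts):
    """Constructed tcclasses text: the posted pattern with the elided per-host
    classes (marks 1..n_hosts) filled in by repetition. This is an assumption."""
    lines = ["#INTERFACE MARK RATE CEIL PRIORITY OPTIONS"]
    for mark in range(1, n_hosts + 1):
        for dev in ("eth0", "eth1"):
            lines.append(f"{dev} {mark} full*1/20 full*1/2 2")
    for dev in ("eth0", "eth1"):
        lines.append(f"{dev} 101 full*1/30 full*1/20 3 default")
    for dev in ("eth0", "eth1"):
        lines.append(f"{dev} 102 full*1/30 full*1/30 1")
    return "\n".join(lines) + "\n"


# Bits per second per suffix, tc convention: kbit = kilobits/s, kbps = kilobytes/s.
UNITS = {"bit": 1, "kbit": 1000, "mbit": 1000000,
         "bps": 8, "kbps": 8000, "mbps": 8000000}


def parse_bandwidth(text):
    """Absolute bandwidth such as '425kbit' -> bits per second (int)."""
    m = re.fullmatch(r"(\d+)([a-z]+)", text)
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unparseable bandwidth: {text}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_rate(text, full):
    """RATE/CEIL column: absolute ('100kbit') or relative to the device's
    OUT-BANDWIDTH ('full', 'full/3', 'full*9/10'). Returns bits/s as a Fraction."""
    m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", text)
    if m:
        num = int(m.group(1) or 1)
        den = int(m.group(2) or 1)
        return Fraction(full) * Fraction(num, den)
    return Fraction(parse_bandwidth(text))


def records(text):
    """Yield whitespace-split fields of non-comment, non-blank config lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def committed_rates(tcdevices, tcclasses):
    """Sum the RATE of every class on each interface and compare it with that
    interface's OUT-BANDWIDTH. Returns {iface: (out_bw, committed, committed/out_bw)}.
    Also rejects a CEIL below its RATE or above the device bandwidth."""
    out_bw = {}
    for fields in records(tcdevices):
        iface, _in_bw, out = fields[:3]
        out_bw[iface] = parse_bandwidth(out)
    committed = {iface: Fraction(0) for iface in out_bw}
    for fields in records(tcclasses):
        iface, mark, rate, ceil = fields[:4]
        full = out_bw[iface]
        r, c = parse_rate(rate, full), parse_rate(ceil, full)
        if c < r:
            raise ValueError(f"{iface} class {mark}: CEIL {ceil} below RATE {rate}")
        if c > full:
            raise ValueError(f"{iface} class {mark}: CEIL {ceil} exceeds device bandwidth")
        committed[iface] += r
    return {iface: (out_bw[iface], committed[iface], committed[iface] / out_bw[iface])
            for iface in out_bw}


def first_oversubscribed_host_count(tcdevices, limit=200):
    """Smallest number of per-host classes at which some interface's committed
    RATE exceeds its OUT-BANDWIDTH, i.e. HTB can no longer honour the guarantees."""
    for n in range(1, limit + 1):
        report = committed_rates(tcdevices, tcclasses_for(n))
        if any(frac > 1 for _, _, frac in report.values()):
            return n
    return None


if __name__ == "__main__":
    for n in (18, 19, 50):
        for iface, (bw, used, frac) in committed_rates(TCDEVICES, tcclasses_for(n)).items():
            flag = "OVERSUBSCRIBED" if frac > 1 else "ok"
            print(f"{n:3d} hosts  {iface}: committed {float(used) / 1000:.0f} of "
                  f"{bw // 1000} kbit ({float(frac):.2f}x) {flag}")
    print("first oversubscribed host count:", first_oversubscribed_host_count(TCDEVICES))
```

With the posted fractions each host class commits 1/20 of the line in each direction and the two fixed classes 1/30 each, so the committed RATE passes 100% of the line at 19 hosts, and at the 50 hosts Tom assumes it is roughly 2.6 times the line on both interfaces. The script only does the RATE arithmetic; it says nothing about the CPU cost of the 150 mangle rules, which was Tom's first point.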
Hi Tom,

First of all, thank you for the reply. :)

I am aware that the sum exceeds the total bandwidth by far, but the number of hosts is under normal circumstances below 20. I just want to make sure that my plan was to decrease the bandwidth per host if/when that number increases. I know the line is limited, but that's the resource I have available at this time. I have tried upgrading to 20 Mbit, but without luck so far.

Do you think the matching rules are OK, and that the problem is the number of them?

I have been using ipp2p before, but I have been having trouble making it work with 2.6.22-gentoo-r9. I can't seem to enable it in the kernel.

What approach would you recommend to deal with P2P traffic overload?

Thanks in advance,
Jesper

2007/12/6, Tom Eastep <teastep@shorewall.net>:
> Jesper Taxbøl wrote:
> >
> > The problem is when I start Shorewall the traffic slows down to almost
> > complete standstill, indicating that my tcrules don't mark the traffic
> > correctly.
>
> Have you looked at the CPU utilization of the box when Shorewall is started?
> I suspect that it is high.
>
> > What am I doing wrong?
>
> To start with, you are subjecting _every_ packet going through your firewall
> to 150 rules in the mangle table! Every forwarded packet goes through all
> 100+ marking rules and 50 CLASSIFY rules (neither the MARK target nor the
> CLASSIFY target is terminating). The class-per-host approach to traffic
> shaping scales poorly.
>
> Another thing that I notice is that the sum of RATEs appears to exceed the
> bandwidth (you didn't show us the entire tcclasses file and I'm not going to
> sit here with a calculator and your dump, adding up the raw rates). If that
> is the case, then with more than 20-30 users on-line, traffic shaping will
> cease to function at all.
>
> Finally, I suspect that trying to share a line of this speed between 50
> hosts is going to yield miserable performance during peak usage times no
> matter what you do. Your line is about the same speed as the one that I have
> here; mine supports two users and a low-volume server.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jesper Taxbøl wrote:
>
> Do you think the matching rules are OK, and that the problem is the
> number of them?

The marking rules are okay. You can see what the CPU utilization is with Shorewall started -- I can't.

> I have been using ipp2p before, but I have been having trouble making
> it work with 2.6.22-gentoo-r9. I can't seem to enable it in the kernel.
>
> What approach would you recommend to deal with P2P traffic overload?

I have no experience with P2P control -- neither my wife nor my dog are big P2P users. But I believe that P2P is a better approach than class-per-host.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Tom Eastep wrote:
>
> I have no experience with P2P control -- neither my wife nor my dog are
> big P2P users. But I believe that P2P is a better approach than
> class-per-host.

Make that ...IPP2P is a better approach
             -----

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key