Manoj S Gaur wrote:
>1. We have 20+ VLANs behind shorewall firewall. We would like to
>distribute the Internet bandwidth to different VLANs having
>minimum, typical and maximum values based on IP ranges after NAT
>e.g., 172.17.4.0/24. What rules need to be
>created to do so?
If you simply want certain subnets or VLANs to have a certain max
bandwidth, then that can be done by applying traffic shaping to each
outbound interface as required.

However, what you cannot do is 'borrow' bandwidth from another class
on a different interface. What I mean is, with a single interface,
you can have a class that is guaranteed x bps, but can use up to y
bps if nothing else is using the extra.

It should, in principle, be possible to use an IFB, which is in
effect a virtual interface that all traffic is routed through, to
allow you to set up such a configuration before the traffic is routed
out of the physical interfaces. There has been some discussion on the
list over the past few weeks, so try a search for IFB.
>2. We also would like to time the access of internet of some of the
>VLANs, i.e., 172.17.4.0/24 should be allowed
>to access the internet only during 6:00am - 9:00am and
>5:00pm-12:00am and so on. This is to make sure that the hostel
>students come to the classes. How can it be implemented?
Just have two (or more) different configurations, and a cron job
which will restart shorewall at the appropriate times to load the
different configs. You can pass a config directory to the invocation
to have shorewall use a non-standard config. If the only difference
is a few rules, then you can use include files and links to get the
rest of the config to be common across different setups.

Getting the right config to be started at system boot time is a bit
more involved!
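
One way to script the cron approach described in the reply, added here as an example and not part of the original message: the script picks the config directory from the current time instead of from which cron job fired, so the same call also selects the right config when run after boot. The directory names, the script path in the comments, and the use of an `@reboot` cron entry are assumptions; the time windows are the ones given in the question.

```shell
#!/bin/sh
# Added example: pick the Shorewall config directory for the current time.
OPEN_DIR=/etc/shorewall-open      # assumed name: config that lets 172.17.4.0/24 out
CLOSED_DIR=/etc/shorewall-closed  # assumed name: config that blocks it

# to_minutes HHMM -> minutes since midnight ("0930" -> 570)
to_minutes() {
    h=${1%??}; m=${1#??}
    h=${h#0}; m=${m#0}            # drop a leading zero so "08" is not read as octal
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# select_config_dir HHMM -> prints the directory that should be active
select_config_dir() {
    case $1 in
        [0-2][0-9][0-5][0-9]) ;;
        *) echo "expected HHMM, got '$1'" >&2; return 2 ;;
    esac
    now=$(to_minutes "$1")
    [ "$now" -lt 1440 ] || { echo "hour out of range: $1" >&2; return 2; }
    # Allowed windows from the question: 06:00-09:00 and 17:00-24:00 (end exclusive)
    if { [ "$now" -ge 360 ] && [ "$now" -lt 540 ]; } || [ "$now" -ge 1020 ]; then
        echo "$OPEN_DIR"
    else
        echo "$CLOSED_DIR"
    fi
}

# Restart Shorewall with the directory that matches the clock right now.
apply_config() {
    dir=$(select_config_dir "$(date +%H%M)") || return 1
    shorewall restart "$dir"
}

# Crontab entries (script path is an assumption):
#   0 0,6,9,17 * * *  /usr/local/sbin/shorewall-schedule --apply
#   @reboot           /usr/local/sbin/shorewall-schedule --apply
if [ "${1:-}" = "--apply" ]; then
    apply_config
fi
```

Because the decision depends only on the clock, a missed cron run (for example, the machine being down at 09:00) is corrected by the next invocation.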