Shorewall users - Jun 2009 - Traffic Shapping

I went thru the traffic-shaping document but could not make it happen,  
if anybody can help kindly guide me how can i achieve the following

I have 3 VLANs (VLAN1-172.16.0.0/16 , VLAN2-172.17.0.0/16,  
VLAN3-172.18.0.0/16)

what i want is

	1) PCs on VLAN1 should not get download bandwidth of more than  
128kbit per pc
	2) PCs on VLAN2 should not get download bandwidth of more than  
256kbit per pc
	3) traffic of Servers on VLAN3 should get highest priority

how can i define tcrules for each pc on this VLANs.


	

--------------------------------
Swapnil Jain
Indore
-----------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM   : sj1410
-----------------------------------------------
# DO everything over SSH
# ======================#	- SECURE pop3/imap ..... do NOT use pop3/imap
#	- use ssh  ............. do NOT use ftp/telnet


------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

Swapnil Jain wrote:
> I went thru the traffic-shaping document but could not make it happen,  
> if anybody can help kindly guide me how can i achieve the following
> 
> I have 3 VLANs (VLAN1-172.16.0.0/16 , VLAN2-172.17.0.0/16,  
> VLAN3-172.18.0.0/16)
> 
> what i want is
> 
> 	1) PCs on VLAN1 should not get download bandwidth of more than  
> 128kbit per pc
> 	2) PCs on VLAN2 should not get download bandwidth of more than  
> 256kbit per pc
> 	3) traffic of Servers on VLAN3 should get highest priority
> 
> how can i define tcrules for each pc on this VLANs.
With the current stable version of Shorewall, there is no efficient way
to do what you are asking.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

i think iproute2 is capable of doing this, can anybody suggest me some  
toola or utility to configure this.



--------------------------------
Swapnil Jain
Indore

-----------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM   : sj1410
-----------------------------------------------
# DO everything over SSH
# ======================#	- SECURE pop3/imap ..... do NOT use pop3/imap
#	- use ssh  ............. do NOT use ftp/telnet

On 07-Jun-09, at 11:40 PM, Tom Eastep wrote:
> Swapnil Jain wrote:
>> I went thru the traffic-shaping document but could not make it  
>> happen,
>> if anybody can help kindly guide me how can i achieve the following
>>
>> I have 3 VLANs (VLAN1-172.16.0.0/16 , VLAN2-172.17.0.0/16,
>> VLAN3-172.18.0.0/16)
>>
>> what i want is
>>
>> 	1) PCs on VLAN1 should not get download bandwidth of more than
>> 128kbit per pc
>> 	2) PCs on VLAN2 should not get download bandwidth of more than
>> 256kbit per pc
>> 	3) traffic of Servers on VLAN3 should get highest priority
>>
>> how can i define tcrules for each pc on this VLANs.
>
> With the current stable version of Shorewall, there is no efficient  
> way
> to do what you are asking.
>
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
------------------------------------------------------------------------------
> OpenSolaris 2009.06 is a cutting edge operating system for enterprises
> looking to deploy the next generation of Solaris that includes the  
> latest
> innovations from Sun and the OpenSource community. Download a copy and
> enjoy capabilities such as Networking, Storage and Virtualization.
> Go to:
http://p.sf.net/sfu/opensolaris-get_______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

Swapnil Jain wrote:
> i think iproute2 is capable of doing this, can anybody suggest me some  
> toola or utility to configure this.
> 
iproute2 + iptables + xtables-addons + recent Linux Kernel + lots of
knowledge about how all of those things work.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

Tom Eastep wrote:
>  > i think iproute2 is capable of doing this, can anybody suggest me
some
>>  toola or utility to configure this.
>>
>
>iproute2 + iptables + xtables-addons + recent Linux Kernel + lots of
>knowledge about how all of those things work.
A situation for using an IFB ?

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

Simon Hobson wrote:
> Tom Eastep wrote:
> 
>>  > i think iproute2 is capable of doing this, can anybody suggest me
some
>>>  toola or utility to configure this.
>>>
>> iproute2 + iptables + xtables-addons + recent Linux Kernel + lots of
>> knowledge about how all of those things work.
> 
> A situation for using an IFB ?
> 
I doubt it. Unless the OP has public IP addresses assigned to all
internal systems, an IFB doesn''t work for limiting traffic per-host.
The
reason is that the destination address of the traffic hasn''t been
''de-NATted'' yet when it goes through the IFB.

One really needs IPMARK applied to shaping on the internal interface.
This will be possible in Shorewall 4.4 but is not available in 4.2.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

so when is Shorewall 4.4 stable expected

--------------------------------
Swapnil Jain
Indore
-----------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM   : sj1410
-----------------------------------------------
# DO everything over SSH
# ======================#	- SECURE pop3/imap ..... do NOT use pop3/imap
#	- use ssh  ............. do NOT use ftp/telnet

On 08-Jun-09, at 6:32 PM, Tom Eastep wrote:
> Shorewall 4.4

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

Swapnil Jain wrote:
> so when is Shorewall 4.4 stable expected
> 
> --------------------------------
> Swapnil Jain
> Indore
> -----------------------------------------------
> E-mail: swapnil@pisces.net.in
> GTalk : swapnil@pisces.net.in
> MSN: jswapnil@hotmail.com
> Skype : sj1410
> YIM   : sj1410
> -----------------------------------------------
> # DO everything over SSH
> # ======================> #	- SECURE pop3/imap ..... do NOT use
pop3/imap
> #	- use ssh  ............. do NOT use ftp/telnet
> 
> On 08-Jun-09, at 6:32 PM, Tom Eastep wrote:
> 
>> Shorewall 4.4
> 
Late October.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

On 08/06/2009 10:02, Tom Eastep wrote:
> Simon Hobson wrote:
>    
>> Tom Eastep wrote:
>>
>>      
>>>   >  i think iproute2 is capable of doing this, can anybody
suggest me some
>>>        
>>>>   toola or utility to configure this.
>>>>
>>>>          
>>> iproute2 + iptables + xtables-addons + recent Linux Kernel + lots
of
>>> knowledge about how all of those things work.
>>>        
>> A situation for using an IFB ?
>>
>>      
> I doubt it. Unless the OP has public IP addresses assigned to all
> internal systems, an IFB doesn''t work for limiting traffic
per-host. The
> reason is that the destination address of the traffic hasn''t been
> ''de-NATted'' yet when it goes through the IFB.
>
> One really needs IPMARK applied to shaping on the internal interface.
> This will be possible in Shorewall 4.4 but is not available in 4.2.
>
> -Tom
>    
You can use IMQ configured in AB configuration (you can shape on the 
external eth based on internal IP). I''m using it with shorewall just 
adding a few lines to the start script, redirecting traffic to IMQ.

Hope it helps.
Pablo.

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get

Tom Eastep wrote:
>  > A situation for using an IFB ?
>
>I doubt it. Unless the OP has public IP addresses assigned to all
>internal systems, an IFB doesn''t work for limiting traffic
per-host. The
>reason is that the destination address of the traffic hasn''t been
>''de-NATted'' yet when it goes through the IFB.
Ahh, I''d overlooked that subtlety - the joys of working with real 
addresses at work :-)

An alternative that comes to mind is to run multiple hosts (possibly 
virtual). One does the external firewall stuff (inc NAT), and another 
sits between that and the internal networks. Messy, but it would 
leave the de-natted traffic on one interface to be shaped.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Pablo Sebastián Greco wrote:
> On 08/06/2009 10:02, Tom Eastep wrote:
>> Simon Hobson wrote:
>>    
>>> Tom Eastep wrote:
>>>
>>>      
>>>>   >  i think iproute2 is capable of doing this, can anybody
suggest me some
>>>>        
>>>>>   toola or utility to configure this.
>>>>>
>>>>>          
>>>> iproute2 + iptables + xtables-addons + recent Linux Kernel +
lots of
>>>> knowledge about how all of those things work.
>>>>        
>>> A situation for using an IFB ?
>>>
>>>      
>> I doubt it. Unless the OP has public IP addresses assigned to all
>> internal systems, an IFB doesn''t work for limiting traffic
per-host. The
>> reason is that the destination address of the traffic hasn''t
been
>> ''de-NATted'' yet when it goes through the IFB.
>>
>> One really needs IPMARK applied to shaping on the internal interface.
>> This will be possible in Shorewall 4.4 but is not available in 4.2.
>>
>> -Tom
>>    
> You can use IMQ configured in AB configuration (you can shape on the 
> external eth based on internal IP). I''m using it with shorewall
just
> adding a few lines to the start script, redirecting traffic to IMQ.
> 
> Hope it helps.
Please elaborate -- what few lines did you add to the start script? I
assume that ''start script'' means /etc/shorewall/start?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

On 08/06/2009 13:53, Tom Eastep wrote:
> Pablo Sebastián Greco wrote:
>    
>> On 08/06/2009 10:02, Tom Eastep wrote:
>>      
>>> Simon Hobson wrote:
>>>
>>>        
>>>> Tom Eastep wrote:
>>>>
>>>>
>>>>          
>>>>>    >   i think iproute2 is capable of doing this, can
anybody suggest me some
>>>>>
>>>>>            
>>>>>>    toola or utility to configure this.
>>>>>>
>>>>>>
>>>>>>              
>>>>> iproute2 + iptables + xtables-addons + recent Linux Kernel
+ lots of
>>>>> knowledge about how all of those things work.
>>>>>
>>>>>            
>>>> A situation for using an IFB ?
>>>>
>>>>
>>>>          
>>> I doubt it. Unless the OP has public IP addresses assigned to all
>>> internal systems, an IFB doesn''t work for limiting traffic
per-host. The
>>> reason is that the destination address of the traffic
hasn''t been
>>> ''de-NATted'' yet when it goes through the IFB.
>>>
>>> One really needs IPMARK applied to shaping on the internal
interface.
>>> This will be possible in Shorewall 4.4 but is not available in 4.2.
>>>
>>> -Tom
>>>
>>>        
>> You can use IMQ configured in AB configuration (you can shape on the
>> external eth based on internal IP). I''m using it with
shorewall just
>> adding a few lines to the start script, redirecting traffic to IMQ.
>>
>> Hope it helps.
>>      
> Please elaborate -- what few lines did you add to the start script? I
> assume that ''start script'' means /etc/shorewall/start?
>
> -Tom
>    
>
Yes, I''m adding these lines:
/etc/shorewall/start
run_iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0
run_iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1

/etc/shorewall/init
modprobe imq
ip link set up imq0
ip link set up imq1

/etc/shorewall/stopped
ip link set down imq0
ip link set down imq1

This way you can shape outgoing traffic on IMQ0 and incoming traffic on 
IMQ1, both based on private ip address. I don''t use shorewall to mark 
packets, just plain tc filters.
This is the main reason I prefer IMQ over IFB. I don''t have an example 
script handy, but it should be trivial to port any tc script.

Pablo.

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Pablo Sebastián Greco wrote:
> On 08/06/2009 13:53, Tom Eastep wrote:
>> Pablo Sebastián Greco wrote:
>>    
>>> On 08/06/2009 10:02, Tom Eastep wrote:
>>>      
>>>> Simon Hobson wrote:
>>>>
>>>>        
>>>>> Tom Eastep wrote:
>>>>>
>>>>>
>>>>>          
>>>>>>    >   i think iproute2 is capable of doing this,
can anybody suggest me some
>>>>>>
>>>>>>            
>>>>>>>    toola or utility to configure this.
>>>>>>>
>>>>>>>
>>>>>>>              
>>>>>> iproute2 + iptables + xtables-addons + recent Linux
Kernel + lots of
>>>>>> knowledge about how all of those things work.
>>>>>>
>>>>>>            
>>>>> A situation for using an IFB ?
>>>>>
>>>>>
>>>>>          
>>>> I doubt it. Unless the OP has public IP addresses assigned to
all
>>>> internal systems, an IFB doesn''t work for limiting
traffic per-host. The
>>>> reason is that the destination address of the traffic
hasn''t been
>>>> ''de-NATted'' yet when it goes through the IFB.
>>>>
>>>> One really needs IPMARK applied to shaping on the internal
interface.
>>>> This will be possible in Shorewall 4.4 but is not available in
4.2.
>>>>
>>>> -Tom
>>>>
>>>>        
>>> You can use IMQ configured in AB configuration (you can shape on
the
>>> external eth based on internal IP). I''m using it with
shorewall just
>>> adding a few lines to the start script, redirecting traffic to IMQ.
>>>
>>> Hope it helps.
>>>      
>> Please elaborate -- what few lines did you add to the start script? I
>> assume that ''start script'' means
/etc/shorewall/start?
>>
>> -Tom
>>    
>>
> Yes, I''m adding these lines:
> /etc/shorewall/start
> run_iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0
> run_iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1
Unfortunately, IMQ target support isn''t available in either the
standard
iptables distribution or in xtables-addons.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

On 08/06/2009 15:05, Tom Eastep wrote:
> Pablo Sebastián Greco wrote:
>    
>> On 08/06/2009 13:53, Tom Eastep wrote:
>>      
>>> Pablo Sebastián Greco wrote:
>>>
>>>        
>>>> On 08/06/2009 10:02, Tom Eastep wrote:
>>>>
>>>>          
>>>>> Simon Hobson wrote:
>>>>>
>>>>>
>>>>>            
>>>>>> Tom Eastep wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>              
>>>>>>>     >    i think iproute2 is capable of doing
this, can anybody suggest me some
>>>>>>>
>>>>>>>
>>>>>>>                
>>>>>>>>     toola or utility to configure this.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>                  
>>>>>>> iproute2 + iptables + xtables-addons + recent Linux
Kernel + lots of
>>>>>>> knowledge about how all of those things work.
>>>>>>>
>>>>>>>
>>>>>>>                
>>>>>> A situation for using an IFB ?
>>>>>>
>>>>>>
>>>>>>
>>>>>>              
>>>>> I doubt it. Unless the OP has public IP addresses assigned
to all
>>>>> internal systems, an IFB doesn''t work for limiting
traffic per-host. The
>>>>> reason is that the destination address of the traffic
hasn''t been
>>>>> ''de-NATted'' yet when it goes through the
IFB.
>>>>>
>>>>> One really needs IPMARK applied to shaping on the internal
interface.
>>>>> This will be possible in Shorewall 4.4 but is not available
in 4.2.
>>>>>
>>>>> -Tom
>>>>>
>>>>>
>>>>>            
>>>> You can use IMQ configured in AB configuration (you can shape
on the
>>>> external eth based on internal IP). I''m using it with
shorewall just
>>>> adding a few lines to the start script, redirecting traffic to
IMQ.
>>>>
>>>> Hope it helps.
>>>>
>>>>          
>>> Please elaborate -- what few lines did you add to the start script?
I
>>> assume that ''start script'' means
/etc/shorewall/start?
>>>
>>> -Tom
>>>
>>>
>>>        
>> Yes, I''m adding these lines:
>> /etc/shorewall/start
>> run_iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0
>> run_iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1
>>      
> Unfortunately, IMQ target support isn''t available in either the
standard
> iptables distribution or in xtables-addons.
>
> -Tom
>    
I know, I really hate that :( , but it''s the only solution I can think
of.
Pablo.


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Pablo Sebastián Greco wrote:
> Tom Eastep wrote:
>>>      
>> Unfortunately, IMQ target support isn''t available in either
the standard
>> iptables distribution or in xtables-addons.
>>    
> I know, I really hate that :( , but it''s the only solution I can
think of.
> Pablo.
But it makes that solution pretty much a non-starter as far as I am
concerned. At least IFBs support is in the standard kernels.

Do you have any insight into why IMQ is not in the standard kernels? It
has certainly been around a long time so there must be something about
it that Dave Miller and friends don''t like about it.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

> anyone else had to use this?
Not I. I got it working back when I implemented the code and haven''t
touched it since.
> I see hardly any posts in shorewall on how to accomplish this? I have
> came up with what I
> think the open vpn configs below.
> 
Just use a conventional host-host VPN config. You then select a pair of
networks you plan to use for the surrogate on each end.

Let''s say that you want to use 10.10.10.0/24 on the client end and
10.10.11.0/24 on the server end.

What I would do is use a CCD (client config dir) on the server and in
the client''s ccd file, I would:

route 10.10.11.0 255.255.255.0
push route 10.10.10.0 255.255.255.0

As I understand both in the CCD would be as follows:

In the SERVER  file (in client directory though)
-------------------------------

dev tun0
proto udp

local      66.224.100.190  
remote 75.149.172.81

ifconfig 10.10.11.1 10.10.10.2-----------------------------------Note networks
different, the the last 2 is just
                                                                                
because this looks normall in openvpn

route 10.10.11.0 255.255.255.0                                           
push route 10.10.10.0 255.255.255.0

route host 10.10.10.2    .tun0                          Do I need this or does
the snat dnat take of of going trough the tunnel?

nobind

persist-key
persist-tun

certificate stuff <snipped for brevity>

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

comp-lzo
verb 4
------------------------------------
CLIENT

dev tun0
proto udp

local      75.149.172.81
remote  66.224.100.194

ifconfig 10.10.10.2 10.10.11.1-----------------------------------Note networks
different, the the last 2 is just
                                                                                
because this looks normall in openvpn

route 10.10.10.0 255.255.255.0                                           
push route 10.10.11.0 255.255.255.0                         notice the flip flop
from theserver file

route host 10.10.11.1    .tun0                          Do I need this or does
the snat dnat take of of going trough the tunnel?

nobind

persist-key
persist-tun

certificate stuff <snipped for brevity>

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

comp-lzo
verb 4

Thank you

Mike 

Note one other question: noticed open vpn config has no concept of either  of
the lan sides real network ip
Does netmap take care of that with this ?


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

as of now 4.4 is released, i hope this should be possible now. kindly guide
me to achieve this.
Regards

Swapnil Jain

On Sun, Jun 7, 2009 at 11:40 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Swapnil Jain wrote:
> > I went thru the traffic-shaping document but could not make it happen,
> > if anybody can help kindly guide me how can i achieve the following
> >
> > I have 3 VLANs (VLAN1-172.16.0.0/16 , VLAN2-172.17.0.0/16,
> > VLAN3-172.18.0.0/16)
> >
> > what i want is
> >
> >       1) PCs on VLAN1 should not get download bandwidth of more than
> > 128kbit per pc
> >       2) PCs on VLAN2 should not get download bandwidth of more than
> > 256kbit per pc
> >       3) traffic of Servers on VLAN3 should get highest priority
> >
> > how can i define tcrules for each pc on this VLANs.
>
> With the current stable version of Shorewall, there is no efficient way
> to do what you are asking.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> OpenSolaris 2009.06 is a cutting edge operating system for enterprises
> looking to deploy the next generation of Solaris that includes the latest
> innovations from Sun and the OpenSource community. Download a copy and
> enjoy capabilities such as Networking, Storage and Virtualization.
> Go to: http://p.sf.net/sfu/opensolaris-get
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register
now&#33;
http://p.sf.net/sfu/devconf

Swapnil Jain wrote:
> as of now 4.4 is released, i hope this should be possible now. kindly
> guide me to achieve this.
The feature is documented in the release notes; it is 15) under "New
Features in 4.4". Please at least try to follow the documentation before
asking for help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9-12, 2009. Register
now!
http://p.sf.net/sfu/devconf