I use Shorewall for a 20-person office and want to do the following on a (say) 1000kbit line:

- If only one person is downloading data, give him the full 1000kbit.
- If two are downloading, give each 500kbit
- If three then 333kbit each etc.
- However, if two are downloading and one is only using 100kbit, give the other one 900kbit.

I know the above is oversimplified but it explains the main idea. I've looked at Per IP traffic shaping but I'm not sure if it will do the above. The idea is that no-one can ever monopolize the bandwidth but if there is nothing happening on the line then one person can get (almost) all the bandwidth.

The same should be done for uploads too.

Any suggestions or pointers in the right direction will be highly appreciated.

Thanks!
Daniel

On 01/18/2012 05:20 AM, Danie Marais wrote:
> I use Shorewall for a 20-person office and want to do the following on a (say) 1000kbit line:
>
> - If only one person is downloading data, give him the full 1000kbit.
> - If two are downloading, give each 500kbit
> - If three then 333kbit each etc.
> - However, if two are downloading and one is only using 100kbit, give the other one 900kbit.
>
> I know the above is oversimplified but it explains the main idea. I've looked at Per IP traffic shaping but I'm not sure if it will do the above. The idea is that no-one can ever monopolize the bandwidth but if there is nothing happening on the line then one person can get (almost) all the bandwidth.
>
> The same should be done for uploads too.
>
> Any suggestions or pointers in the right direction will be highly appreciated.
>

Just configure simple traffic shaping as described at http://www.shorewall.net/simple_traffic_shaping.html.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

That's exactly what I have at the moment so that's great. One last question - is it possible to use simple traffic shaping in conjunction with a transparent proxy on the firewall or will you lose per ip traffic shaping since all web traffic is (re)generated by the proxy server? I do simple shaping on the web-side interface.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 18 January 2012 06:40 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dynamic traffic shaping for multiple IP's

On 01/18/2012 05:20 AM, Danie Marais wrote:
> I use Shorewall for a 20-person office and want to do the following on a (say) 1000kbit line:
>
> - If only one person is downloading data, give him the full 1000kbit.
> - If two are downloading, give each 500kbit
> - If three then 333kbit each etc.
> - However, if two are downloading and one is only using 100kbit, give the other one 900kbit.
>
> I know the above is oversimplified but it explains the main idea. I've looked at Per IP traffic shaping but I'm not sure if it will do the above. The idea is that no-one can ever monopolize the bandwidth but if there is nothing happening on the line then one person can get (almost) all the bandwidth.
>
> The same should be done for uploads too.
>
> Any suggestions or pointers in the right direction will be highly appreciated.
>

Just configure simple traffic shaping as described at http://www.shorewall.net/simple_traffic_shaping.html.

-Tom

On 01/18/2012 12:02 PM, Danie Marais wrote:
> That's exactly what I have at the moment so that's great. One last
> question - is it possible to use simple traffic shaping in
> conjunction with a transparent proxy on the firewall or will you lose
> per ip traffic shaping since all web traffic is (re)generated by the
> proxy server? I do simple shaping on the web-side interface.
>

Then add simple shaping on the LAN side and set the interface type to 'Internal'.

-Tom

Seems to work well, thanks. Will keep an eye on it.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 18 January 2012 10:37 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dynamic traffic shaping for multiple IP's

On 01/18/2012 12:02 PM, Danie Marais wrote:
> That's exactly what I have at the moment so that's great. One last
> question - is it possible to use simple traffic shaping in conjunction
> with a transparent proxy on the firewall or will you lose per ip
> traffic shaping since all web traffic is (re)generated by the proxy
> server? I do simple shaping on the web-side interface.
>

Then add simple shaping on the LAN side and set the interface type to 'Internal'.

-Tom

Tom,

I've done some experiments with simple traffic shaping that you suggested. It seems to shape per connection and not necessarily per source IP address.

For instance if I have a machine doing 4 simultaneous downloads and another doing just one download the second machine does not get 50% of the bandwidth but only about 20-30%. Ideally I'd like both machines to have 50%

-----Original Message-----
From: Danie Marais [mailto:danie.marais@attix5.com]
Sent: 20 January 2012 04:09 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Dynamic traffic shaping for multiple IP's

Seems to work well, thanks. Will keep an eye on it.

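An added illustration, not part of any poster's message and not Shorewall code: the sharing rule asked for in the first post is max-min fairness, and the sketch below computes it per connection and per LAN host to show why four downloads against one leave the single-download machine with about 20% under per-connection sharing and 50% under per-host sharing. The host addresses and function names are constructed for the example.

```python
from collections import defaultdict

GREEDY = float("inf")   # a download that takes whatever rate it is given

def max_min_share(capacity, demands):
    """Water-filling: nobody gets more than they ask for, and whatever a
    light user leaves unused is re-split among the users still wanting more."""
    alloc = {k: 0.0 for k in demands}
    hungry = {k for k, d in demands.items() if d > 0}
    remaining = float(capacity)
    while hungry:
        share = remaining / len(hungry)
        done = {k for k in hungry if demands[k] <= share}
        if not done:                      # everyone wants more than an equal share
            for k in hungry:
                alloc[k] = share
            break
        for k in done:                    # light users get exactly their demand ...
            alloc[k] = demands[k]
            remaining -= demands[k]
        hungry -= done                    # ... and the remainder is split again
    return alloc

def per_host_rates(capacity, connections, share_by):
    """connections: (host, connection_id, demand_kbit) tuples.
    share_by='connection' shares the line per connection,
    share_by='host' shares it per LAN address."""
    demands = defaultdict(float)
    for host, conn, demand in connections:
        demands[(host, conn) if share_by == "connection" else host] += demand
    totals = defaultdict(float)
    for key, rate in max_min_share(capacity, demands).items():
        totals[key[0] if share_by == "connection" else key] += rate
    return dict(totals)

# Constructed sample: one LAN host with four downloads, another with one.
DOWNLOADS = ([("192.168.20.10", n, GREEDY) for n in range(4)]
             + [("192.168.20.11", 0, GREEDY)])

if __name__ == "__main__":
    print(max_min_share(1000, {"a": 100, "b": GREEDY}))      # the 100/900 case
    print(per_host_rates(1000, DOWNLOADS, "connection"))     # 800 / 200
    print(per_host_rates(1000, DOWNLOADS, "host"))           # 500 / 500
```
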
On 01/23/2012 04:09 AM, Danie Marais wrote:
> Tom,
>
> I've done some experiments with simple traffic shaping that you
> suggested. It seems to shape per connection and not necessarily per
> source IP address.
>
> For instance if I have a machine doing 4 simultaneous downloads and
> another doing just one download the second machine does not get 50%
> of the bandwidth but only about 20-30%. Ideally I'd like both
> machines to have 50%

Please don't top post.

Do you have the interface type set to 'Internal'?

-Tom

> Please don't top post. Do you have the interface type set to 'Internal'?

Yes it is. eth0 is lan-side:

tcinterfaces:
#INTERFACE TYPE IN-BANDWIDTH
eth0 Internal 420kbit 3600kbit

We have a 4Mbit line with 512kbit upload speed. I've tried it without specifying any speeds for what it's worth as well, but same result.

On Tue, 2012-01-24 at 09:51 +0200, Danie Marais wrote:
> > Please don't top post. Do you have the interface type set to 'Internal'?
>
> Yes it is. eth0 is lan-side:
>
> tcinterfaces:
> #INTERFACE TYPE IN-BANDWIDTH
> eth0 Internal 420kbit 3600kbit
>
> We have a 4Mbit line with 512kbit upload speed. I've tried it without specifying any speeds for what it's worth as well, but same result.

Does 'shorewall show capabilities' show that 'FLOW Classifier' is available?

-Tom

> Does 'shorewall show capabilities' show that 'FLOW Classifier' is available?

Hi, yes it does (runs on CentOS 6.2):

FLOW Classifier: Available

By the way, the LAN IP's fall in 192.168.20.0/22, not the typical 192.168.20.0/24 (not sure if it is relevant).

Regards,
Danie

On Mon, 2012-01-30 at 11:41 +0200, Danie Marais wrote:
> > Does 'shorewall show capabilities' show that 'FLOW Classifier' is available?
>
> Hi, yes it does (runs on CentOS 6.2):
>
> FLOW Classifier: Available
>
> By the way, the LAN IP's fall in 192.168.20.0/22, not the typical 192.168.20.0/24 (not sure if it is relevant).

Have you set the internal interface OUT-BANDWIDTH to a value less than the IN-BANDWIDTH rate on the external interface? If you don't do that, then there will be no queuing on the internal interface and packets will be sent as soon as they arrive and no balancing will occur.

-Tom

> Have you set the internal interface OUT-BANDWIDTH to a value less than the IN-BANDWIDTH rate on the
> external interface? If you don't do that, then there will be no queuing on the internal interface and
> packets will be sent as soon as they arrive and no balancing will occur.

It was not but now it is. Same result.

tcinterfaces:
eth1 External 3900kbit 350kbit
eth0 Internal 350kbit 3700kbit

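An added example, not from the thread and not Shorewall's own code: a small checker for the rule quoted above (internal OUT-BANDWIDTH below the external IN-BANDWIDTH), run against the tcinterfaces entries posted in this message and against a constructed counter-example. It assumes the column order INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH and tc-style rate units; the function names are hypothetical.

```python
import re

# tc rate units expressed in bits per second (bps/kbps/mbps are byte-based in tc).
UNITS = {"": 1, "bit": 1, "kbit": 1_000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8_000, "mbps": 8_000_000}

def rate_bits(field):
    """Convert a rate such as '3900kbit' to bits/s; None when the column is unset."""
    field = field.lstrip("~").split(":")[0].lower()   # drop estimator mark and burst
    if field in ("", "-", "0"):
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", field)
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unrecognised rate: {field!r}")
    return round(float(m.group(1)) * UNITS[m.group(2)])

def parse_tcinterfaces(text):
    """Yield one dict per entry; columns assumed INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) < 2:
            continue                                   # blank line or comment
        cols += ["-"] * (4 - len(cols))
        yield {"iface": cols[0], "type": cols[1].lower(),
               "in": rate_bits(cols[2]), "out": rate_bits(cols[3])}

def check_internal_queuing(text):
    """Return findings where an internal OUT-BANDWIDTH is not below the external IN-BANDWIDTH."""
    rows = list(parse_tcinterfaces(text))
    ext_in = [r["in"] for r in rows if r["type"] == "external" and r["in"]]
    findings = []
    for r in (r for r in rows if r["type"] == "internal"):
        if not ext_in or r["out"] is None:
            findings.append(f"{r['iface']}: cannot compare, a bandwidth column is unset")
        elif r["out"] >= min(ext_in):
            findings.append(f"{r['iface']}: OUT-BANDWIDTH {r['out']} bit/s is not below "
                            f"external IN-BANDWIDTH {min(ext_in)} bit/s")
    return findings

# As posted in the thread after the change.
POSTED = """eth1 External 3900kbit 350kbit
eth0 Internal 350kbit 3700kbit"""

# Constructed counter-example: internal OUT-BANDWIDTH above the external IN-BANDWIDTH.
CONSTRUCTED = """#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
eth1 External 3900kbit 350kbit
eth0 Internal 350kbit 4000kbit"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, check_internal_queuing(cfg) or "ok")
```
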
On Tue, 2012-01-31 at 16:19 +0200, Danie Marais wrote:
> > Have you set the internal interface OUT-BANDWIDTH to a value less than the IN-BANDWIDTH rate on the
> > external interface? If you don't do that, then there will be no queuing on the internal interface and
> > packets will be sent as soon as they arrive and no balancing will occur.
>
> It was not but now it is. Same result.
>
> tcinterfaces:
> eth1 External 3900kbit 350kbit
> eth0 Internal 350kbit 3700kbit

During your tests, are you seeing queuing on the internal interface classes?

Hint: 'shorewall show tc eth0' and look at the 'backlog's.

-Tom