I'm experiencing a problem with masquerade downloads saturating my internet connection. I've implemented an IFB and now am looking into flow keys. Although I've read the documentation, I'm not sure I have this right. Can someone help?

/etc/shorewall/params:
MID_IF=eth0
MID_IF_TC=1
INET1_IF=eth1
INET1_IF_TC=2
INET1_IFB_IF=ifb0
INET1_IFB_TC=3

Note: MID_IF is the LAN and INET1_IF is my internet connection.

/etc/shorewall/tcdevices:
#NUMBER:                      IN-BANDWIDTH  OUT-BANDWIDTH  OPTIONS   REDIRECTED
#INTERFACE                                                           INTERFACES

$MID_IF_TC:$MID_IF            0             1000mbit

$INET1_IF_TC:$INET1_IF        -             2mbit          classify
$INET1_IFB_TC:$INET1_IFB_IF   -             12mbit         -         $INET1_IF

/etc/shorewall/tcclasses:
#INTERFACE:CLASS   MARK  RATE:        CEIL         PRIORITY  OPTIONS
#                        DMAX:UMAX

$MID_IF:110        -     30*full/100  95*full/100  1
$MID_IF:120        -     20*full/100  95*full/100  2         tcp-ack
$MID_IF:130        -     20*full/100  95*full/100  3         default
$MID_IF:140        -     15*full/100  85*full/100  4
$MID_IF:150        -     10*full/100  85*full/100  5

$INET1_IF:110      -     30*full/100  95*full/100  1         flow=nfct-src
$INET1_IF:120      -     20*full/100  85*full/100  2         flow=nfct-src,tcp-ack
$INET1_IF:130      -     20*full/100  75*full/100  3         flow=nfct-src,default
$INET1_IF:140      -     15*full/100  45*full/100  4         flow=nfct-src
$INET1_IF:150      -     10*full/100  35*full/100  5         flow=nfct-src

$INET1_IFB_IF:110  -     30*full/100  95*full/100  1         flow=dst
$INET1_IFB_IF:120  -     20*full/100  95*full/100  2         flow=dst,tcp-ack
$INET1_IFB_IF:130  -     20*full/100  95*full/100  3         flow=dst,default
$INET1_IFB_IF:140  -     15*full/100  85*full/100  4         flow=dst
$INET1_IFB_IF:150  -     10*full/100  85*full/100  5         flow=dst

I'm looking at the flow= keys from here:
http://www.shorewall.net/manpages/shorewall-tcclasses.html

Is this right? Is it logical to put flow control on the IFB?

Bill

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
On 09/27/2012 10:24 AM, Bill Shirley wrote:
> I'm experiencing a problem with masquerade downloads saturating my
> internet connection. I've implemented an IFB and now am looking into
> flow keys. Although I've read the documentation, I'm not sure I have
> this right. Can someone help?
>
> /etc/shorewall/params:
> MID_IF=eth0
> MID_IF_TC=1
> INET1_IF=eth1
> INET1_IF_TC=2
> INET1_IFB_IF=ifb0
> INET1_IFB_TC=3
>
> Note: MID_IF is the LAN and INET1_IF is my internet connection.
>
> /etc/shorewall/tcdevices:
> #NUMBER:                      IN-BANDWIDTH  OUT-BANDWIDTH  OPTIONS   REDIRECTED
> #INTERFACE                                                           INTERFACES
>
> $MID_IF_TC:$MID_IF            0             1000mbit
>
> $INET1_IF_TC:$INET1_IF        -             2mbit          classify
> $INET1_IFB_TC:$INET1_IFB_IF   -             12mbit         -         $INET1_IF
>
> /etc/shorewall/tcclasses:
> #INTERFACE:CLASS   MARK  RATE:        CEIL         PRIORITY  OPTIONS
> #                        DMAX:UMAX
>
> $MID_IF:110        -     30*full/100  95*full/100  1
> ...
> $INET1_IFB_IF:140  -     15*full/100  85*full/100  4         flow=dst
> $INET1_IFB_IF:150  -     10*full/100  85*full/100  5         flow=dst
>
> I'm looking at the flow= keys from here:
> http://www.shorewall.net/manpages/shorewall-tcclasses.html
>
> Is this right? Is it logical to put flow control on the IFB?

No. The problem with an IFB is that the packets passed through the IFB are "straight off the wire". So when you are masquerading, all incoming packets from masqueraded connections have DST=<external IP>. To get 'flow' to work correctly in that environment, you need to shape outgoing traffic on your LAN interface where the destination address has been re-written to that of a LAN host.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 9/27/2012 2:03 PM, Tom Eastep wrote:
> On 09/27/2012 10:24 AM, Bill Shirley wrote:
>> I'm experiencing a problem with masquerade downloads saturating my
>> internet connection. I've implemented an IFB and now am looking into
>> flow keys. Although I've read the documentation, I'm not sure I have
>> this right. Can someone help?
>>
>> /etc/shorewall/params:
>> MID_IF=eth0
>> MID_IF_TC=1
>> INET1_IF=eth1
>> INET1_IF_TC=2
>> INET1_IFB_IF=ifb0
>> INET1_IFB_TC=3
>>
>> Note: MID_IF is the LAN and INET1_IF is my internet connection.
>>
>> /etc/shorewall/tcdevices:
>> #NUMBER:                      IN-BANDWIDTH  OUT-BANDWIDTH  OPTIONS   REDIRECTED
>> #INTERFACE                                                           INTERFACES
>>
>> $MID_IF_TC:$MID_IF            0             1000mbit
>>
>> $INET1_IF_TC:$INET1_IF        -             2mbit          classify
>> $INET1_IFB_TC:$INET1_IFB_IF   -             12mbit         -         $INET1_IF
>>
>> /etc/shorewall/tcclasses:
>> #INTERFACE:CLASS   MARK  RATE:        CEIL         PRIORITY  OPTIONS
>> #                        DMAX:UMAX
>>
>> $MID_IF:110        -     30*full/100  95*full/100  1
> ...
>> $INET1_IFB_IF:140  -     15*full/100  85*full/100  4         flow=dst
>> $INET1_IFB_IF:150  -     10*full/100  85*full/100  5         flow=dst
>>
>> I'm looking at the flow= keys from here:
>> http://www.shorewall.net/manpages/shorewall-tcclasses.html
>>
>> Is this right? Is it logical to put flow control on the IFB?
> No. The problem with an IFB is that the packets passed through the IFB
> are "straight off the wire". So when you are masquerading, all incoming
> packets from masqueraded connections have DST=<external IP>. To get
> 'flow' to work correctly in that environment, you need to shape outgoing
> traffic on your LAN interface where the destination address has been
> re-written to that of a LAN host.
>
> -Tom

I heard what you said but I'm not understanding. My problem is my incoming internet connection gets saturated sometimes with downloads and I want to shape that traffic according to which PC it's going to.

The IFB is going to drop packets when the connection gets saturated. I just want it to be equally distributed. If one PC is downloading at 500 KB on one connection and another PC has two connections at 500 KB, the 2nd PC will get twice as much thru-put.
Because my LAN is 1 Gb I don't see how the incoming traffic on the internet is ever going to trigger traffic shaping on the LAN.

Am I missing something?

Thanks,
Bill
On 09/27/2012 12:36 PM, Bill Shirley wrote:
>
> On 9/27/2012 2:03 PM, Tom Eastep wrote:
>> On 09/27/2012 10:24 AM, Bill Shirley wrote:
>>> I'm experiencing a problem with masquerade downloads saturating my
>>> internet connection. I've implemented an IFB and now am looking into
>>> flow keys. Although I've read the documentation, I'm not sure I have
>>> this right. Can someone help?
>>>
>>> /etc/shorewall/params:
>>> MID_IF=eth0
>>> MID_IF_TC=1
>>> INET1_IF=eth1
>>> INET1_IF_TC=2
>>> INET1_IFB_IF=ifb0
>>> INET1_IFB_TC=3
>>>
>>> Note: MID_IF is the LAN and INET1_IF is my internet connection.
>>>
>>> /etc/shorewall/tcdevices:
>>> #NUMBER:                      IN-BANDWIDTH  OUT-BANDWIDTH  OPTIONS   REDIRECTED
>>> #INTERFACE                                                           INTERFACES
>>>
>>> $MID_IF_TC:$MID_IF            0             1000mbit
>>>
>>> $INET1_IF_TC:$INET1_IF        -             2mbit          classify
>>> $INET1_IFB_TC:$INET1_IFB_IF   -             12mbit         -         $INET1_IF
>>>
>>> /etc/shorewall/tcclasses:
>>> #INTERFACE:CLASS   MARK  RATE:        CEIL         PRIORITY  OPTIONS
>>> #                        DMAX:UMAX
>>>
>>> $MID_IF:110        -     30*full/100  95*full/100  1
>> ...
>>> $INET1_IFB_IF:140  -     15*full/100  85*full/100  4         flow=dst
>>> $INET1_IFB_IF:150  -     10*full/100  85*full/100  5         flow=dst
>>>
>>> I'm looking at the flow= keys from here:
>>> http://www.shorewall.net/manpages/shorewall-tcclasses.html
>>>
>>> Is this right? Is it logical to put flow control on the IFB?
>> No. The problem with an IFB is that the packets passed through the IFB
>> are "straight off the wire". So when you are masquerading, all incoming
>> packets from masqueraded connections have DST=<external IP>. To get
>> 'flow' to work correctly in that environment, you need to shape outgoing
>> traffic on your LAN interface where the destination address has been
>> re-written to that of a LAN host.
>>
>> -Tom
> I heard what you said but I'm not understanding. My problem is my
> incoming internet connection gets saturated sometimes with downloads and
> I want to shape that traffic according to which PC it's going to.
>
> The IFB is going to drop packets when the connection gets saturated. I
> just want it to be equally distributed. If one PC is downloading at 500
> KB on one connection and another PC has two connections at 500 KB, the
> 2nd PC will get twice as much thru-put.
> Because my LAN is 1 Gb I don't see how the incoming traffic on the
> internet is ever going to trigger traffic shaping on the LAN.
>
> Am I missing something?

Yes -- you are missing the fact that, at the IFB, tc filters can't distinguish one internal PC from another.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/27/2012 12:49 PM, Tom Eastep wrote:
>>
>> The IFB is going to drop packets when the connection gets saturated. I
>> just want it to be equally distributed. If one PC is downloading at 500
>> KB on one connection and another PC has two connections at 500 KB, the
>> 2nd PC will get twice as much thru-put.
>> Because my LAN is 1 Gb I don't see how the incoming traffic on the
>> internet is ever going to trigger traffic shaping on the LAN.
>>
>> Am I missing something?
>
> Yes -- you are missing the fact that, at the IFB, tc filters can't
> distinguish one internal PC from another.

And you are missing the point that you need to configure traffic shaping on your LAN interface and forget using an IFB.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Bill Shirley wrote:
> Because my LAN is 1 Gb I don't see how the incoming traffic on the
> internet is ever going to trigger traffic shaping on the LAN.

It's not about what speed the interface is, it's about what speeds you configure in traffic shaping. Put simply, if you configure traffic shaping on your LAN interface, you can control the rate at which packets leave that interface. Thus you can configure rules which will limit that egress traffic to (say) 1Mbps and that's what your internal devices would be limited to - any more and the traffic shaping will kick in and restrict it - the other 999Mbps will go unused.

Note that this is not truly traffic shaping your inbound link as the traffic has already passed down that link. It relies on a feature of TCP that detects dropped packets as indicating congestion and causes the sender to "back off" its transmission rate.

If you wanted to do anything about your upload speed then you'd do that by applying traffic shaping to the WAN interface. You'd have the same problem Tom has pointed out - your traffic will already have been modified to use your public IP so you won't be able to apply any rules which rely on knowing what device the traffic came from.

FWIW, I do exactly this at work - only without the NAT (we have a public IP block for our hosting etc). On our border routers I traffic shape egress traffic on the WAN and LAN sides. On my LAN side, the traffic shaping is such that traffic originating on the router is not shaped (well actually shaped to max 90Mbps), and everything else is. I have "quite extensive" rules for traffic control - multiple groups (either customers or groups of servers), with multiple priorities within each group.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
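The point Tom and Simon make in the thread, as an added illustration that is not part of the list discussion: a flow=dst classifier attached to the IFB sees every masqueraded download with the same destination (the router's WAN address), while the same classifier on LAN egress sees the de-NATed LAN host address, and the rate it divides is the one configured for tc, not the NIC speed. The addresses, the three flows, the 12 Mbit rate (borrowed from the tcdevices above) and the equal-split model are constructed assumptions.

```python
from collections import defaultdict
# Constructed values: the router's external (masquerade) address and three
# downloads, each (lan_host, remote_server, remote_port).  PC1 has one
# connection and PC2 has two, as in the thread's example.
WAN_IP = "203.0.113.10"
FLOWS = [
    ("192.168.1.11", "198.51.100.5", 443),  # PC1, one connection
    ("192.168.1.12", "198.51.100.6", 80),   # PC2, first connection
    ("192.168.1.12", "198.51.100.7", 443),  # PC2, second connection
]
# The rate configured in tc, not the NIC speed: the 1 Gbit LAN port is
# irrelevant, only the OUT-BANDWIDTH given to Shorewall/tc matters.
SHAPED_RATE_MBIT = 12.0


def dst_key_at_ifb(flow):
    """flow=dst key at the IFB: packets arrive 'straight off the wire', before
    conntrack un-NATs them, so every masqueraded download has DST=WAN_IP."""
    return WAN_IP


def dst_key_on_lan_egress(flow):
    """flow=dst key on LAN egress: DST has been rewritten to the LAN host."""
    return flow[0]


def distinct_buckets(flows, key):
    """How many hash buckets the classifier can actually separate."""
    return len({key(f) for f in flows})


def per_host_share(flows, key, rate):
    """Split rate equally across buckets, then equally across the flows hashed
    into each bucket (a simplifying assumption: TCP connections sharing one
    FIFO bucket roughly equalise).  Returns Mbit/s per LAN host."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[key(f)].append(f)
    share = defaultdict(float)
    for members in buckets.values():
        per_flow = rate / len(buckets) / len(members)
        for f in members:
            share[f[0]] += per_flow
    return dict(share)


if __name__ == "__main__":
    for where, key in (("IFB", dst_key_at_ifb), ("LAN", dst_key_on_lan_egress)):
        print(where, distinct_buckets(FLOWS, key), "bucket(s)",
              per_host_share(FLOWS, key, SHAPED_RATE_MBIT))
```

At the IFB all three downloads hash into one bucket, so PC2 gets twice PC1's throughput; on LAN egress each PC gets its own bucket and the 12 Mbit is split evenly between hosts.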