Jose Celestino wrote:
>
> My previous mail passed unnoticed so I'm resending it (I know, I know,
> if it went unanswered it is probably because no one knew, but possibly
> someone not as clueless as I will notice it this time and help me shed
> some light. Sorry anyway).
There is another possibility: maybe it is the wrong list. You should also
try it on the Linux 2.4 Advanced Routing & Traffic Shaping mailing list
(lartc@mailman.ds9a.nl). Have a look at http://ds9a.nl/
> Howdy,
>
> I'm facing the following problem.
>
> Our current routing/nat architecture is:
[fantastic ASCII art snipped]
> We have our LAN divided into 3 class C segments and all traffic gets
> routed through our central LAN router.
>
> All traffic gets routed to the GW/NAT box (where we have the transparent
> proxy also) except traffic to 2 class C networks at our data center that
> we route to the VPN for encryption/tunneling.
>
> At our GW/NAT we do fascist-port-closure (tm), transparent proxying,
> masquerading and source NATing (for some IPs that we need to get past a
> foreign PIX firewall).
>
> Traffic that goes through our VPN is ssh sessions, http sessions, etc,
> to servers at our data center.
>
> Our bandwidth is 2Mbps (at A).
>
> Well, the problem is that, no matter what we do, the traffic that goes
> through (B) always ends up "eating" most of the available bandwidth at (A).
>
> What we want to do is to limit all traffic going through (B) to 750Kbps
> so that all the remaining bandwidth can be used by traffic from (C), that
> means legitimate traffic, work stuff.
>
> What I'm doing is marking the packets:
>
> iptables -t mangle -A PREROUTING -j MARK --set-mark 2147581953 -m state --state RELATED,NEW,ESTABLISHED,INVALID
I don't know much about traffic shaping (yet), but why do you use "-m
state --state RELATED,NEW,ESTABLISHED,INVALID" here instead of just
"iptables -t mangle -A PREROUTING -j MARK --set-mark 2147581953"?
IMO this should match all traffic, which seems to be what you want to
do.
> tc qdisc replace dev eth2 root cbq bandwidth 100Mbit avpkt 1000
> tc class add dev eth2 parent 8001:0 cbq bandwidth 100Mbit rate 1000Kbit allot 1514 weight 50Kbit prio 5 maxburst 20 avpkt 1000 bounded isolated
> tc filter replace dev eth2 protocol ip parent 8001: prio 1 handle 0x80018001 fw classid 8001:8001
> tc class replace dev eth2 classid 8001:8001 parent 8001:0 cbq bandwidth 750Kbit rate 1Kbit allot 1514b weight 50Kbit prio 5 maxburst 20 avpkt 1000b bounded isolated
Is eth2 your outgoing interface, i.e. the interface connected to A? You
surely know that you can only control the outgoing traffic. So if your
clients do too much downloading you have to limit it on your internal
interface!
> This doesn't seem to work, I tried that same class but with bandwidth
> 1Kbit and I didn't find it to work.
>
> Am I doing something wrong (most certainly)? By the way, what can I do
> to optimize/improve my masquerade script?
Juri
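The two points raised in the reply above (mark only the traffic you actually want to cap, and shape on the interface where that traffic leaves the box, which for downloads is the LAN-facing one) are put together below as an added example; it is not code from the thread or from either poster. Interface names, the two data-centre networks, the mark value and the 100Mbit link figure are assumptions for illustration. It also separates the two CBQ parameters the original commands mix up: "bandwidth" is the physical speed of the interface, "rate" is the ceiling of the class, and the "handle" of the fw filter must equal the mark set in the mangle table.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, the data-centre
# networks, the mark value and the 100Mbit link figure are assumptions.
#
# Marks only the traffic that must travel the (B) path and caps that mark
# with a bounded CBQ class on each interface where it leaves the box:
# the upstream interface for uploads, the LAN interface for downloads
# (shaping is egress-only, so downloads must be shaped where they exit
# towards the clients). DRY_RUN=1 prints the commands instead of running
# them, which is also how this can be checked without root.

LAN_IF="${LAN_IF:-eth0}"        # assumed: interface towards the LAN
WAN_IF="${WAN_IF:-eth2}"        # assumed: interface towards link (A)
B_NETS="${B_NETS:-192.0.2.0/24 198.51.100.0/24}"  # assumed data-centre nets
LINK_BW="100Mbit"               # physical speed of the shaped interface (cbq "bandwidth")
B_CAP="750Kbit"                 # ceiling for the marked class (cbq "rate")
B_MARK=2                        # fw mark; the tc fw filter "handle" must equal it

# Runs a command, or prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Dedicated mangle chain, so flushing it cannot disturb other PREROUTING rules.
# Only packets to or from the (B) networks get the mark; everything else stays
# unmarked and therefore unshaped.
mark_b_traffic() {
    run iptables -t mangle -N SHAPE_B 2>/dev/null || true
    run iptables -t mangle -F SHAPE_B
    run iptables -t mangle -D PREROUTING -j SHAPE_B 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -j SHAPE_B
    for net in $B_NETS; do
        # uploads towards (B) and the replies/downloads coming back from it
        run iptables -t mangle -A SHAPE_B -d "$net" -j MARK --set-mark "$B_MARK"
        run iptables -t mangle -A SHAPE_B -s "$net" -j MARK --set-mark "$B_MARK"
    done
}

# One bounded, isolated CBQ class per egress interface. Unmarked traffic is
# left in the root qdisc and is not limited.
shape_iface() {
    dev="$1"
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: cbq bandwidth "$LINK_BW" avpkt 1000 cell 8
    run tc class add dev "$dev" parent 1: classid 1:10 cbq bandwidth "$LINK_BW" \
        rate "$B_CAP" weight 75Kbit allot 1514 cell 8 prio 5 maxburst 20 avpkt 1000 \
        bounded isolated
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$B_MARK" fw classid 1:10
}

# Mark, then shape uploads on the upstream side and downloads on the LAN side.
apply_all() {
    mark_b_traffic
    shape_iface "$WAN_IF"
    shape_iface "$LAN_IF"
}

case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1; apply_all ;;
esac
```

Run it as `sh shape.sh show` to see the generated commands, and as root with `apply` to install them. CBQ is what the thread uses and is kept here for that reason; on a current kernel the same layout is easier to get right with HTB (`tc qdisc add ... root handle 1: htb`, `tc class add ... htb rate 750kbit ceil 750kbit`), which needs no link-speed parameter and so avoids the bandwidth/rate confusion entirely.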