[LARTC] (no subject)
Hey guys and gals,

Sorry for the 'newbie' question, but I would like to get some help on configuring my HTB qdiscs for my network.

My network setup:

    LAN -- Firewall -- Router -- Internet
               |
               -- DMZ

So much for the ASCII artist in me. :)

The firewall has 3 interfaces:
  Eth0 = LAN -- 100Mbps NIC
  Eth1 = DMZ -- 100Mbps NIC
  Eth2 = Internet -- 4MB link to internet

Background:

DMZ Zone, Eth1: Web/FTP and SMTP servers (100Mbps switches and NICs). I notice that users download A LOT of data at high transfer rates from the servers in the DMZ zone.
  WEB/FTP server: 10.100.1.1/24
  SMTP server:    10.100.1.2/24

LAN, Eth0: I have 3 different VLANs to categorise the 3 different departments.
  VLAN1 - 192.168.1.0/24
  VLAN2 - 192.168.2.0/24
  VLAN3 - 192.168.3.0/24

External, Eth2: 4MB leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the bottleneck! How do I make the firewall Eth0 become the bottleneck? Should I limit it to 10mbits as such:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit

My objectives:

1.) I want to limit the bandwidth from the WEB/FTP servers in the DMZ to either the internet or the LAN.

This is what I did:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
  tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

  tc qdisc add dev eth1 root handle 2: htb default 10
  tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
  tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
  tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

  tc qdisc add dev eth2 root handle 3: htb default 10
  tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
  tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
  tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

  /sbin/iptables -A PREROUTING -i eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
  /sbin/iptables -A PREROUTING -i eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit the amount of bandwidth through and from the FTP/WEB server in the DMZ. All other traffic (internet surfing etc.) will fall into the default rules, correct? Did I miss anything out?

I would like to limit the max amount of bandwidth on Eth0 to 10MB.
I would like to limit the max amount of bandwidth on Eth0 to 3840kbps.
I would like to limit the max amount of bandwidth on Eth2 to 3840kbps (4MB leased line to internet).

Did I accomplish this? Any help in any way is appreciated!

Regards
edmund

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] Basic Traffic Control
Hey guys and gals,

Sorry for the 'newbie' question, but I would like to get some help on configuring my HTB qdiscs for my network.

My network setup:

    LAN -- Firewall -- Router -- Internet
               |
               -- DMZ

So much for the ASCII artist in me. :)

The firewall has 3 interfaces:
  Eth0 = LAN -- 100Mbps NIC
  Eth1 = DMZ -- 100Mbps NIC
  Eth2 = Internet -- 4MB link to internet

Background:

DMZ Zone, Eth1: Web/FTP and SMTP servers (100Mbps switches and NICs).
  WEB/FTP server: 10.100.1.1/24
  SMTP server:    10.100.1.2/24

LAN, Eth0: I have 3 different VLANs to categorise the 3 different departments.
  VLAN1 - 192.168.1.0/24
  VLAN2 - 192.168.2.0/24
  VLAN3 - 192.168.3.0/24

External, Eth2: 4MB leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the bottleneck!

1.) How do I make the firewall Eth0 become the bottleneck? Should I limit it to 10mbits as such:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit

2.) I want to limit the bandwidth from the WEB/FTP servers in the DMZ to either the internet or the LAN.

This is what I did:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
  tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

  tc qdisc add dev eth1 root handle 2: htb default 10
  tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
  tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
  tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

  tc qdisc add dev eth2 root handle 3: htb default 10
  tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
  tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
  tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

  /sbin/iptables -A PREROUTING -i eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
  /sbin/iptables -A PREROUTING -i eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit the amount of bandwidth through and from the FTP/WEB server in the DMZ. All other traffic (internet surfing etc.) will fall into the default rules, correct? Did I miss anything out?

What I would like to accomplish:

I would like to limit the max amount of bandwidth on Eth0 to 10MB.
I would like to limit the max amount of bandwidth on Eth0 to 3840kbps.
I would like to limit the max amount of bandwidth on Eth2 to 3840kbps (4MB leased line to internet).

Did I accomplish this? Any help in any way is appreciated!

Regards
edmund
[LARTC] HELP!!! Conflicting HTB rates
Hey everyone,

I'm trying to configure my HTB qdiscs for my network.

My network setup:

    LAN -- Firewall -- Router -- Internet
               |
               -- DMZ

The firewall has 3 interfaces:
  Eth0 = LAN -- 100Mbps NIC
  Eth1 = DMZ -- 100Mbps NIC
  Eth2 = Internet -- 4MB link to internet

Background:

DMZ Zone, Eth1: Web/FTP and SMTP servers (100Mbps switches and NICs).
  WEB/FTP server: 10.100.1.1/24
  SMTP server:    10.100.1.2/24

LAN, Eth0: I have 3 different VLANs to categorise the 3 different departments.
  VLAN1 - 192.168.1.0/24
  VLAN2 - 192.168.2.0/24
  VLAN3 - 192.168.3.0/24

External, Eth2: 4MB leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the bottleneck!

1.) How do I make the firewall Eth0 become the bottleneck? Should I limit it to 10mbits as such:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit

2.) I want to limit the bandwidth from the WEB/FTP servers in the DMZ to either the internet or the LAN.

This is what I did:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
  tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

  tc qdisc add dev eth1 root handle 2: htb default 10
  tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
  tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
  tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

  tc qdisc add dev eth2 root handle 3: htb default 10
  tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
  tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
  tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

  /sbin/iptables -A PREROUTING -i eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
  /sbin/iptables -A PREROUTING -i eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit the amount of bandwidth through and from the FTP/WEB server in the DMZ. All other traffic (internet surfing etc.) will fall into the default rules, correct? Did I miss anything out?

What I would like to accomplish: I would like to limit the max amount of bandwidth on Eth0 to 10MB, limit the max amount of bandwidth on Eth1 to 3840kbps and limit the max amount of bandwidth on Eth2 to 3840kbps (4MB leased line to internet). Did I accomplish this?

I executed a tc -s class show dev eth$ and noticed that the default values were wrong for both eth1 and eth2!

  [EMAIL PROTECTED] root]# tc -s class show dev eth0
  class htb 1:1 root rate 10Mbit ceil 10Mbit burst 14704b cburst 14704b
   Sent 114648626 bytes 157670 pkts (dropped 0, overlimits 0)
   rate 133156bps 221pps
   lended: 43368 borrowed: 0 giants: 0
   tokens: 7303 ctokens: 7303

  class htb 1:10 parent 1:1 prio 7 rate 1Mbit ceil 2Mbit burst 2909b cburst 4220b
   Sent 114617144 bytes 157600 pkts (dropped 0, overlimits 0)
   rate 133156bps 221pps backlog 5p
   lended: 114302 borrowed: 43368 giants: 0
   tokens: -13123 ctokens: -13466

  [EMAIL PROTECTED] root]# tc -s class show dev eth1
  class htb 2:1 root rate 16Mbit ceil 16Mbit burst 22567b cburst 22567b
   Sent 27918685 bytes 53295 pkts (dropped 0, overlimits 0)
   rate 890Kbit 122pps
   lended: 0 borrowed: 0 giants: 0
   tokens: 8780 ctokens: 8780

  class htb 2:10 parent 2:1 prio 7 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
   Sent 27905157 bytes 53263 pkts (dropped 0, overlimits 0)
   rate 890Kbit 122pps
   lended: 53295 borrowed: 0 giants: 0
   tokens: 17589 ctokens: 17589

  [EMAIL PROTECTED] root]# tc -s class show dev eth2
  class htb 3:1 root rate 30Mbit ceil 30Mbit burst 40914b cburst 40914b
   Sent 17969859 bytes 119438 pkts (dropped 0, overlimits 0)
   rate 20777bps 165pps
   lended: 0 borrowed: 0 giants: 0
   tokens: 8515 ctokens: 8515

  class htb 3:10 parent 3:1 prio 7 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
   Sent 17965779 bytes 119398 pkts (dropped 0, overlimits 0)
   rate 20777bps 165pps
   lended: 119438 borrowed: 0 giants: 0
   tokens: 17888 ctokens: 17888
  [EMAIL PROTECTED] root]#

Any help in any way is appreciated!

Regards
edmund
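An added audit script for the three near-identical posts above (not code from the thread): tc reads a "bps" suffix as bytes per second and "bit" as bits per second, so "rate 128kbps" is installed as eight times the rate someone who meant 128 kbit/s asked for, and that is what the 1Mbit in the output reflects. The script converts tc rate strings the way tc does, parses the posted tc -s class show output, flags the mismatch against the assumed intent (kbit/s figures, which the poster never confirmed), and checks whether the HTB default class is the same class the fw filter steers marked packets into.

```python
"""Cross-check HTB rates: what was typed, what was meant, what tc installed.

Added example for the LARTC thread above, not code from the posts. The
commands and `tc -s class show` output embedded below are copied from the
post (eth0 only). The intended figures (128/256 kbit) are an assumption
drawn from the poster's prose.
"""
import re

# Scale factors to bit/s as the iproute2 of the post's era applied them
# (k = 1024, which is why 3840kbps prints as exactly 30Mbit). Modern iproute2
# uses 1000 for kbit/kbps and keeps kibit/kibps for 1024; the factor of 8
# between the "bps" (bytes) and "bit" families is the same in both.
UNIT_BITS = {
    "bit": 1, "kbit": 1024, "mbit": 1024 ** 2,
    "bps": 8, "kbps": 8 * 1024, "mbps": 8 * 1024 ** 2,
}

# Copied from the post: the eth0 commands and the output they produced.
POSTED_COMMANDS = """\
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10
"""
POSTED_OUTPUT = """\
class htb 1:1 root rate 10Mbit ceil 10Mbit burst 14704b cburst 14704b
 Sent 114648626 bytes 157670 pkts (dropped 0, overlimits 0)
 rate 133156bps 221pps

class htb 1:10 parent 1:1 prio 7 rate 1Mbit ceil 2Mbit burst 2909b cburst 4220b
 Sent 114617144 bytes 157600 pkts (dropped 0, overlimits 0)
 rate 133156bps 221pps backlog 5p
"""
# Assumed intent: the poster's "128kbps ceil 256kbps" read as kbit/s.
MEANT = {"1:1": ("10mbit", "10mbit"), "1:10": ("128kbit", "256kbit")}


def rate_to_bits(spec):
    """Convert a tc rate argument such as '128kbps' or '10Mbit' to bit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]+)", spec.strip())
    if not m or m.group(2).lower() not in UNIT_BITS:
        raise ValueError(f"unparseable tc rate: {spec!r}")
    return int(float(m.group(1)) * UNIT_BITS[m.group(2).lower()])


def parse_tc_classes(output):
    """Return {classid: (rate_bits, ceil_bits)} from `tc -s class show` text.

    Only the 'class htb ...' header lines carry the configured rate and ceil;
    the indented statistics lines (which also say 'rate ...bps') are skipped.
    """
    header = re.compile(r"^class htb (\S+) .*?\brate (\S+) ceil (\S+)", re.M)
    return {cid: (rate_to_bits(rate), rate_to_bits(ceil))
            for cid, rate, ceil in header.findall(output)}


def check_intent(meant, observed):
    """One message per rate/ceil where tc installed something other than meant."""
    problems = []
    for cid, (want_rate, want_ceil) in meant.items():
        if cid not in observed:
            problems.append(f"{cid}: missing from tc output")
            continue
        wanted = (rate_to_bits(want_rate), rate_to_bits(want_ceil))
        for key, want, got in zip(("rate", "ceil"), wanted, observed[cid]):
            if want != got:
                problems.append(f"{cid} {key}: meant {want} bit/s, "
                                f"installed {got} bit/s ({got / want:g}x)")
    return problems


def default_shares_marked_class(commands):
    """Find HTB roots whose 'default' class is also a filter target.

    With 'htb default 10' and a filter steering marked packets to 1:10, the
    unmarked traffic is shaped in the same class as the marked flow, so the
    'default rules' are not a separate, unshaped path.
    """
    shared = []
    root = r"qdisc add dev (\S+) root handle (\w+): htb default (\w+)"
    for dev, handle, minor in re.findall(root, commands):
        default_id = f"{handle}:{minor}"
        targets = re.findall(rf"filter add dev {re.escape(dev)} .*?classid (\S+)",
                             commands)
        if default_id in targets:
            shared.append((dev, default_id))
    return shared


def audit():
    """Run both checks on the posted configuration: (mismatches, shared)."""
    return (check_intent(MEANT, parse_tc_classes(POSTED_OUTPUT)),
            default_shares_marked_class(POSTED_COMMANDS))


if __name__ == "__main__":
    mismatches, shared = audit()
    print("\n".join(f"rate mismatch: {line}" for line in mismatches))
    print("\n".join(f"{d}: default class {c} is also the fw-marked class"
                    for d, c in shared))
```

Run it against your own tc -s class show output to catch the same unit slip on any interface; the second check needs the tc commands that built the tree.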
RE: [LARTC] Packets marked but no shaping is done
In the last mail I only put the results of listing chains and classes. This is how the chains are made:

  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

  # Reduce DoS'ing ability by reducing timeouts
  echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps
  echo 0 > /proc/sys/net/ipv4/tcp_sack
  echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

  # Flush all rules and delete all custom chains
  /sbin/iptables -F
  /sbin/iptables -t nat -F
  /sbin/iptables -t mangle -F
  /sbin/iptables -X
  /sbin/iptables -t nat -X
  /sbin/iptables -t mangle -X

  # Set up policies
  /sbin/iptables -P INPUT DROP   # Changed from ACCEPT to DROP for selective access, with the exception of HTTP
  /sbin/iptables -P FORWARD DROP
  /sbin/iptables -P OUTPUT ACCEPT
  /sbin/iptables -t nat -P PREROUTING ACCEPT

  # This chain will log, then DROP Xmas and Null packets which might
  # indicate a port-scan attempt
  /sbin/iptables -N PSCAN
  /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
  /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
  /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
  /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
  /sbin/iptables -A PSCAN -j DROP

  # Disallow packets frequently used by port-scanners, XMas and Null
  /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
  /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
  /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
  /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN

  # Limit packets - helps reduce dos/syn attacks
  /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

  # CUSTOM chains, can be used by the users themselves
  /sbin/iptables -N CUSTOMINPUT
  /sbin/iptables -A INPUT -j CUSTOMINPUT
  /sbin/iptables -N CUSTOMFORWARD
  /sbin/iptables -A FORWARD -j CUSTOMFORWARD
  /sbin/iptables -t nat -N CUSTOMPREROUTING
  /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

  # Accept everything connected
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # localhost and ethernet.
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A INPUT -p icmp -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
  /sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

  /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
  /sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
  /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
  /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
  /sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
  /sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
  /sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
  /sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP

  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark
Re: [LARTC] Explanation reqd. for few (more than few!) concepts in TC long
Hi,

--- Stef Coene [EMAIL PROTECTED] wrote:

> You have 2 types of qdiscs. The root qdisc is attached to the device itself and all packets are queued in this qdisc. If this is a class-full qdisc (like htb or cbq) you can add classes. A class can contain some packets. You can stack the classes so you can add a class to a class. So a packet enters the root qdisc and is redirected to a class by a filter. You need to create your filters in such a way that the packets are placed in a class that contains no other classes. This class is named a leaf class.

all this is agreed ...

> But the leaf class only contains the traffic and can not send them. To do so, you need to add a qdisc to that class. It's the qdisc that will send the packets. This can be a class-full qdisc so you can

now, if you are saying a class differs from a qdisc in that it cannot send out packets and a qdisc can ... I think that is not perfectly true, in that, if a fifo qdisc was attached as a child to a classful qdisc (say cbq) the fifo qdisc will not be able to send packets out directly, it has to dequeue to the parent and only the root can dequeue out.

> add classes, and restart the setup. But that will be a waste of CPU cycles. It's better to add a sfq qdisc or a fifo. So, you have 1 root qdisc, some classes, some special classes : leaf-classes and another set of qdiscs.
> Pfifo holds packets, so the total bytes depends on the size of your packets :

which (size of the packet) could vary, right? this would then lead to a dynamically sized queue, is this how it works?

> > 3) 'HTB is suited for fixed bandwidth' ... by fixed what exactly is meant ... meaning can it be used ...
> Fixed means that you always have the same bandwidth available on the link. So no burst. This is needed because you have to make sure YOU are the bottleneck so if you have a 1000kbit/s link, you have to make sure you never send more than 996kbit/s.

> > 4) Can somebody suggest which qdisc is most ideal (for shaping and scheduling) in a n/w where the ISP provides a (512Kbit) pipe, which is shared by multiple (4) clients but, an average of 45bytes can be expected at any point in time (although, it might exceed this)?
> That's a difficult one, because YOU have to be the bottleneck to get some good shaping results. You can try the htb or the cbq qdisc and take a higher ceil than your link. You will not be the bottleneck and lose some control.

okay, so can you please tell me, if I fail to be the bottleneck, what maximum would happen ... IMO, I could carry on shaping but not for that extra few bytes, now available, right?

> > 5) The lartc howto speaks about 'mpu' with reference to TBF, and states for ethernet, no packet uses ... Also, I am unable to see such a parameter when I do a tc...help, for TBF.
> Sorry, no idea. :)

> > 6) Could you please define the 'cell' parameter in a CBQ?
> If you have a bounded class, the ceil is the rate. If it's not bounded, the ceil will be the rate of a bounded parent class.

'ceil' IMHO, is a little different from 'cell', that the lartc howto talks about.

> > Also, I am unable to see maxburst, minburst, minidle, mpu, rate parameter options when I do a ... for ex. : 'tc qdisc add dev eth0 handle 1 root cbq help'
> Just take some example tc commands and copy the parameters you don't know. The only parameters you have to change are rate and weight.

yeah, but the lartc howto talks about more ... so was wondering!

> > 7) How do I set WRR, link sharing and borrowing parameters using TC?
> Do you mean the wrr qdisc? See the homepage of the wrr qdisc.

oops, I am sorry, I meant according to the lartc howto, there are a few WRR parameters that need to be set for CBQ!?

> > 8) Also, please pardon my ignorance but, do I need a filter for a classless qdisc, cause if I were to attach a classless qdisc to the root qdisc then by default all packets enter this qdisc and I believe I wouldn't have the scope to classify ... right/wrong?
> Do you mean adding a classless qdisc as the root qdisc or adding a classless qdisc to a root qdisc? If you replace the root qdisc with a classless qdisc, you don't need a filter. If you add the classless qdisc to a root qdisc, you need a root qdisc with classes and add the classless qdisc to a class. So you need some filters to put the packets from the root qdisc to the class where the classless qdisc is attached to. More information on the subject can be found on http://www.docum.org.

IMHO, the root qdisc (by default) is a pfifo_fast (classless) qdisc ... which means if I want a classful qdisc I would need to replace the default qdisc. By replace, I mean attach it to root ... which then follows all packets 'enter here' ... which then gets me back to my original Q! I have been to your site ... went back today ... but couldn't find pointers to my confusion.

Kindly correct my understanding, if required.

Thank you, for all
[LARTC] New in the list
Hi people! ;-)

I'm new in the list.

Name: Vicent Roca
Country: Spain

see you. bye. Adeu
Re: [LARTC] Explanation reqd. for few (more than few!) concepts in TC long
On Wednesday 29 October 2003 16:02, Suraj Shankar wrote:
> > But the leaf class only contains the traffic and can not send them. To do so, you need to add a qdisc to that class. It's the qdisc that will send the packets. This can be a class-full qdisc so you can
> now, if you are saying a class differs from a qdisc in that it cannot send out packets and a qdisc can ... I think that is not perfectly true, in that, if a fifo qdisc was attached as a child to a classful qdisc (say cbq) the fifo qdisc will not be able to send packets out directly, it has to dequeue to the parent and only the root can dequeue out.
That's even confusing for me. I just ignore that part :(

> which (size of the packet) could vary, right? this would then lead to a dynamically sized queue, is this how it works?
Yes, you can store a number of packets in a pfifo. So the total queue length (in bytes) can vary.

> > That's a difficult one, because YOU have to be the bottleneck to get some good shaping results. You can try the htb or the cbq qdisc and take a higher ceil than your link. You will not be the bottleneck and lose some control.
> okay, so can you please tell me, if I fail to be the bottleneck, what maximum would happen ... IMO, I could carry on shaping but not for that extra few bytes, now available, right?
Most modems have a huge queue to speed up downloads. But that queue can kill the shaping you did. So you have to be sure the queue is never full. And the only thing to do so is to never send more data than the modem can handle. So you have to make sure YOU are the bottleneck.

> > If you have a bounded class, the ceil is the rate. If it's not bounded, the ceil will be the rate of a bounded parent class.
> 'ceil' IMHO, is a little different from 'cell', that the lartc howto talks about.
What part of the lartc howto ?

> > Just take some example tc commands and copy the parameters you don't know. The only parameters you have to change are rate and weight.
> yeah, but the lartc howto talks about more ... so was wondering!
One of the reasons why I like htb is you don't need these confusing options. And htb doesn't rely on the nic hardware to calculate the actual rate.

> > Do you mean the wrr qdisc? See the homepage of the wrr qdisc.
> oops, I am sorry, I meant according to the lartc howto, there are a few WRR parameters that need to be set for CBQ!?
Ah, the WRR schedule. I think one of these parameters is the weight. Just take weight = rate / 10.

> IMHO, the root qdisc (by default) is a pfifo_fast (classless) qdisc ... which means if I want a classful qdisc I would need to replace the default qdisc. By replace, I mean attach it to root ... which then follows all packets 'enter here' ... which then gets me back to my original Q! I have been to your site ... went back today ... but couldn't find pointers to my confusion.
If you add a classless qdisc as the root qdisc, all packets are queued in the classless qdisc and processed. So you don't need a filter.

Stef

--
[EMAIL PROTECTED]
Using Linux as bandwidth manager http://www.docum.org/
#lartc @ irc.openprojects.net
[LARTC] dead onlink
Hello people:

I'm new in the forum. I've implemented the script for load balancing from the Linux Advanced Routing & Traffic Control HOWTO and I have a question. When I run the next command:

  ip route

I get the following information:

  --
  192.168.0.32/27 dev eth0 proto kernel scope link src 192.168.0.33
  192.168.0.96/27 dev eth2 proto kernel scope link src 192.168.0.97
  192.168.0.64/27 dev eth1 proto kernel scope link src 192.168.0.65
  192.168.0.128/27 dev eth3 proto kernel scope link src 192.168.0.129
  127.0.0.0/8 dev lo scope link
  default
          nexthop via 192.168.0.126 dev eth2 weight 1 dead onlink
          nexthop via 192.168.0.61 dev eth0 weight 1
  -

Is the "dead onlink" part normal? Is it balancing the load between both internet providers?

Sorry for my English. I'm from Argentina.

Thanks in advance.
[LARTC] Data rate accuracy started failing.
Dear all,

I am an experienced unix administrator and a long time ago (1+ year) I made a traffic-shaping system for an ISP (~400 clients). Each ip address requires 4 classes - 2 for incoming (internet-client), one for international traffic, the other for local-country and border-country traffic, and 2 for outgoing (client-internet), for the same purposes.

Everything worked ok until last week, when more clients were added. The data rate (rate NNkbit) is no longer stable - sometimes it exceeds the rate specified and sometimes there is starvation. And no, there is still plenty of traffic left, so it's not a problem of bandwidth capacity.

The technique used is htb + sfq for traffic exceeding 0.8mbit/s, for traffic up to 0.8mbit/s as it is not cpu-intensive (but depends on HZ for calculations).

Are there any limits I am not aware of? It seems that everything works ok again if I remove some addresses (single address /32 or larger networks). I am not sure which part fails, filtering or actual shaping. And, it is vanilla Linux 2.4.20 with the qos services coming with it.

Also, I never came up with the other question: there has always been a problem with tbf. For example, rate 256kbit is specified but the actual rate never exceeds 230 - 250kbit, so I add 30kbit for each rate (so 256 becomes 286kbit) so the client gets exactly his 256kbit.

thanks,
P.Krumins
[LARTC] Bandwidth shaping help
It seems I have quite a difficult (for me) bandwidth shaping problem. What I want is this: port 80 and port 21 will share 30 kilobytes of the 50 kilobytes upstream my ISP gives me, bittorrent will get 10 maximum (ports 6881-6890), and all other ports get the full 100 mbits. I want any of the other ports to be able to steal the bandwidth of port 21 and port 80 as well as the bittorrent ports if they are not in use, however bittorrent, or port 21 or 80, cannot exceed their bandwidth limitations. This is because I use my server as a samba server as well as a vnc server from within my network, so I want as high a bandwidth as possible on those, however my HTTP server and FTP server and Bittorrent can't kill my internet connection for everyone else.

My current configuration looks like:

  tc qdisc add dev eth0 root handle 1: htb default 30
  tc class add dev eth0 parent 1: classid 1:1 htb rate 95mbit burst 15k
  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 320kbit burst 15k
  tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit ceil 90mbit burst 15k
  tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 90mbit burst 15k
  tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
  tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
  tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
  U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
  $U32 match ip sport 80 0xffff flowid 1:10
  $U32 match ip sport 21 0xffff flowid 1:20

I sort of fiddled with one of the configurations in the book to get this; also this does not include the bittorrent ports, which is a requirement I thought of just recently. I need, first, a way to implement the bandwidth restrictions described above, and second, a way to remove my old configuration (if I can't just overwrite it).

Thanks a lot :)

--
Ryan Vilim
[EMAIL PROTECTED]
Re: [LARTC] dead gateway
Hi there,

I am currently doing testing of a kernel with multiple patches in it (Julian's dgd, multiple gw for netfilter, sch_null, layer7, and xfs fs), so I can tell you the results if you'd like, once I get the system into a full-scale environment.

On Tuesday 30 September 2003 10:34 pm, vadiraj c s wrote:
> Hi all,
> Has any one used the dead gateway detection patch? Has any one worked on it? What do you feel about it?
> regards
> vadiraj

-- 
---
Derek Fedel
Network Administrator Ext. 238
Traffic-Power.com

Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu
[LARTC] (no subject)
Hey everyone,

I tried to mark traffic per subnet instead of the usual per ip. Example:

tc class add dev eth0 parent 1:1 classid 1:11 htb rate 400kbit ceil 500kbit prio 4
tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip dst 192.168.0.0/24 classid 1:11

After I entered these commands, I did not get any errors. Does this mean that EACH IP belonging to that subnet will have a maximum rate of 400kbit? Or does it mean that ALL the IPs in that subnet have a total of 400kbit?

Thanks in advance.

Regards
edmund
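The two readings in the question above correspond to two different class layouts, shown here as an added example (not the poster's script). An HTB class's rate is the aggregate for everything classified into it, so a single class fed by a /24 filter gives the whole subnet 400kbit in total; giving each host its own 400kbit needs one class and one filter per host. It assumes the poster's classes hang under parent 1:1 on eth0; the per-host classids (1:101 .. 1:1fe) are made up for illustration.

```shell
#!/bin/sh
# Added example; assumes an HTB root "1:" with parent class 1:1 already on eth0.
DEV="${DEV:-eth0}"
TC="${TC:-tc}"   # TC=echo prints the commands instead of running them

# Layout 1: one class matched by the whole /24. Every host in
# 192.168.0.0/24 is queued in 1:11, so 400kbit is the TOTAL for the
# subnet, shared (and contended) between all of its hosts.
shared_subnet_class() {
    "$TC" class add dev "$DEV" parent 1:1 classid 1:11 htb rate 400kbit ceil 500kbit prio 4
    "$TC" filter add dev "$DEV" parent 1:0 protocol ip prio 7 u32 \
        match ip dst 192.168.0.0/24 flowid 1:11
}

# Layout 2: one class per host. Each 192.168.0.N gets its own 400kbit
# guarantee, at the cost of 254 classes and 254 /32 filters, and the
# guarantees only hold if the parent can really supply their sum.
per_host_classes() {
    n=1
    while [ "$n" -le 254 ]; do
        id=$(printf '1:%x' $((256 + n)))   # 1:101 .. 1:1fe, unique per host
        "$TC" class add dev "$DEV" parent 1:1 classid "$id" htb rate 400kbit ceil 500kbit prio 4
        "$TC" filter add dev "$DEV" parent 1:0 protocol ip prio 7 u32 \
            match ip dst "192.168.0.$n/32" flowid "$id"
        n=$((n + 1))
    done
}

# Sum of per-host guarantees the parent class has to back (kbit):
# hosts * per-host rate.
per_host_parent_rate_kbit() { echo $(( $1 * $2 )); }
```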
Re: [LARTC] Explanation reqd. for few (more than few!) concepts in TC long
Hi,

--- Stef Coene [EMAIL PROTECTED] wrote:
> A qdisc is a queueing discipline: it's a queue for packets. A class is something virtual that holds some packets from that queue.

okay, I must say I have a better understanding of the differences now. Thank you.

>> okay, so ideally for a bandwidth that varies (by a few bytes) cbq is the best available?
> No, you will have the same problem with cbq :(

so which kind of qdisc will be best for varying bandwidths?

Thank you, Stef.

Regards,
suraj.
Re: [LARTC] Explanation reqd. for few (more than few!) concepts in TC long
Hi,

--- Stef Coene [EMAIL PROTECTED] wrote:
>> which (size of the packet) could vary, right? this would then lead to a dynamically sized queue, is this how it works?
> Yes, you can store a number of packets in a pfifo. So the total queue length (in bytes) can vary.

yes! I understood something :) Thank you.

>> okay, so can you please tell me, if I fail to be the bottleneck, what at most would happen ... IMO, I could carry on shaping but not for that extra few bytes, now available, right?
> Most modems have a huge queue to speed up downloads. But that queue can kill the shaping you did. So you have to be sure the queue is never full. And the only way to do so is to never send more data than the modem can handle. So you have to make sure YOU are the bottleneck.

yes, I have a proof-of-concept! ... meaning I wrote a script that works but am waiting to take it 'live'.

>> 'ceil' IMHO, is a little different from 'cell', that the lartc howto talks about.
> What part of the lartc howto?

http://lartc.org/lartc.html#AEN939 ; the part that lists parameters in CBQ ... I was wondering how 'cell' can be defined.

>> yeah, but the lartc howto talks about more ... so I was wondering!
> One of the reasons why I like htb is you don't need these confusing options. And htb doesn't rely on the nic hardware to calculate the actual rate.

hmm, that's true.

>> oops, I am sorry, I meant according to the lartc howto, there are a few WRR parameters that need to be set for CBQ!?
> Ah, the WRR schedule. I think one of these parameters is the weight. Just take weight = rate / 10.

okay, but how do I set it ...

Usage: ... cbq bandwidth BPS avpkt BYTES [ mpu BYTES ] [ cell BYTES ] [ ewma LOG ]

...this is what tc ... help says, there isn't a weight parameter :(

> If you add a classless qdisc as the root qdisc, all packets are queued in the classless qdisc and processed. So you don't need a filter. :)

Stef, I do really appreciate the time spent in trying to help me. Thank you.

Warm Regards,
suraj.