[LARTC] TC-ng questions/problems
Hi all,

We have 2 class C networks that are connected by a Linux router with the internet. We want to apply traffic control (bandwidth control). For that we wrote the tcc script below. We have 2 problems:

1. To establish a 2 megabit download we must actually set the value to 2500kbps. Is there a possible reason for that?

2. If we enable the WAN device we get very high ping times (they change from 21.1 ms to 2000 ms) and erratic upload values that partly suffer from the problem above (we want to allow for an upload of 512kb and have to specify an upload of 712 to get that) but most of the time we have a far worse actual upload.

Anyone any ideas? We use Debian 2.6.3-1-386 (Sarge) with tcng 9m.

Any help is greatly appreciated.

Greetings,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: [EMAIL PROTECTED]
web: www.askesis.nl

///
#include "fields.tc"
#include "ports.tc"

#define WAN eth0
#define LAN83 eth1
#define LAN84 eth2

/* The WAN section is about upload to the internet */
dev WAN {
    egress {
        class ( $uploadRouter ) if ip_src == 192.168.83.1 || ip_src == 192.168.84.1;
        class ( $uploadGKS ) if ip_src == 192.168.83.22 ;
        class ( $upload83 ) if ip_src:24 == 192.168.83.0 ;
        class ( $upload84 ) if ip_src:24 == 192.168.84.0 ;
        class ( $others ) if 1 ;
        htb () {
            class ( rate 18Mbps, ceil 18Mbps ) {
                $uploadRouter = class ( rate 18Mbps, ceil 18Mbps );
                $uploadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
                $upload83 = class ( rate 5Mbps, ceil 5Mbps ) ;
                $upload84 = class ( rate 712kbps, ceil 712kbps ) ;
                $others = class ( rate 18Mbps, ceil 18Mbps ) ;
            }
        }
    }
}

/* This section is about downloading to the 83 network */
dev LAN83 {
    egress {
        class ( $downloadRouter ) if ip_dst == 192.168.83.1;
        class ( $downloadGKS ) if ip_dst == 192.168.83.22;
        class ( $download ) if ip_dst:24 == 192.168.83.0;
        class ( $others ) if 1 ;
        htb () {
            class ( rate 18Mbps, ceil 18Mbps ) {
                $downloadRouter = class ( rate 18Mbps, ceil 18Mbps ) ;
                $downloadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
                $download = class ( rate 5Mbps, ceil 5Mbps ) ;
                $others = class ( rate 18Mbps, ceil 18Mbps ) ;
            }
        }
    }
}

/* This section is about downloading to the 84 network */
dev LAN84 {
    egress {
        class ( $download ) if ip_dst:24 == 192.168.84.0;
        class ( $others ) if 1 ;
        htb () {
            class ( rate 18Mbps, ceil 18Mbps ) {
                $download = class ( rate 2500kbps, ceil 2500kbps ) ;
                $others = class ( rate 18Mbps, ceil 18Mbps ) ;
            }
        }
    }
}

___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
RE: [LARTC] TC-ng questions/problems
Hi Charles,

Thanks for the answer. I have also been bitten by the byte/bit bug in the past but in this case it must be something different. All my values are in the correct amount of bits.

The most important problem is actually problem 2: why does the tc toward internet (dev WAN) do what it does?

Greetings,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: [EMAIL PROTECTED]
web: www.askesis.nl
Re: [LARTC] TC-ng questions/problems
Hi Joost,

I think that maybe you have run across an issue that I too had trouble with. A snip from a message from Martin BROWN explains:

You have not actually found a bug, but rather a historical strangeness about the Linux traffic control system. For reasons of which I'm ignorant, the syntax for the tc command uses bps for bytes/second. So, 64000 bytes/second is actually 512 kilobits/second (512 kbps in common usage), but is 512 kbit to the tc tool.

Here's a brief chart:

                     tc syntax   tcng syntax
                   +-----------+-------------+
  bytes/second     |    bps    |     Bps     |
  bits/second      |    bit    |     bps     |
  kilobytes/second |   kbps    |    kBps     |
  kilobits/second  |   kbit    |    kbps     |
                   +-----------+-------------+

Note that the tcng syntax is exactly the same sort of syntax we use in general when discussing speed of WAN links. "It's a 512 kbps line" means it's 512 kilobits per second, but this would be 64000 bytes per second if we were writing a tc command line.

Hope this helps!

Cheers
Charles

On Thu, 2004-08-05 at 09:53, Joost Kraaijeveld wrote:
> Hi all,
>
> We have 2 class C networks that are connected by a Linux router with the internet. We want to apply traffic control (bandwidth control). For that we wrote the tcc script below. We have 2 problems:
>
> 1. To establish a 2 megabit download we must actually set the value to 2500kbps. Is there a possible reason for that?
>
> 2. If we enable the WAN device we get very high ping times (they change from 21.1 ms to 2000 ms) and erratic upload values that partly suffer from the problem above (we want to allow for an upload of 512kb and have to specify an upload of 712 to get that) but most of the time we have a far worse actual upload.
>
> Anyone any ideas? We use Debian 2.6.3-1-386 (Sarge) with tcng 9m.
>
> Any help is greatly appreciated.
>
> Greetings,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: [EMAIL PROTECTED]
> web: www.askesis.nl
>
> ///
> #include "fields.tc"
> #include "ports.tc"
>
> #define WAN eth0
> #define LAN83 eth1
> #define LAN84 eth2
>
> /* The WAN section is about upload to the internet */
> dev WAN {
>     egress {
>         class ( $uploadRouter ) if ip_src == 192.168.83.1 || ip_src == 192.168.84.1;
>         class ( $uploadGKS ) if ip_src == 192.168.83.22 ;
>         class ( $upload83 ) if ip_src:24 == 192.168.83.0 ;
>         class ( $upload84 ) if ip_src:24 == 192.168.84.0 ;
>         class ( $others ) if 1 ;
>         htb () {
>             class ( rate 18Mbps, ceil 18Mbps ) {
>                 $uploadRouter = class ( rate 18Mbps, ceil 18Mbps );
>                 $uploadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
>                 $upload83 = class ( rate 5Mbps, ceil 5Mbps ) ;
>                 $upload84 = class ( rate 712kbps, ceil 712kbps ) ;
>                 $others = class ( rate 18Mbps, ceil 18Mbps ) ;
>             }
>         }
>     }
> }
>
> /* This section is about downloading to the 83 network */
> dev LAN83 {
>     egress {
>         class ( $downloadRouter ) if ip_dst == 192.168.83.1;
>         class ( $downloadGKS ) if ip_dst == 192.168.83.22;
>         class ( $download ) if ip_dst:24 == 192.168.83.0;
>         class ( $others ) if 1 ;
>         htb () {
>             class ( rate 18Mbps, ceil 18Mbps ) {
>                 $downloadRouter = class ( rate 18Mbps, ceil 18Mbps ) ;
>                 $downloadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
>                 $download = class ( rate 5Mbps, ceil 5Mbps ) ;
>                 $others = class ( rate 18Mbps, ceil 18Mbps ) ;
>             }
>         }
>     }
> }
>
> /* This section is about downloading to the 84 network */
> dev LAN84 {
>     egress {
>         class ( $download ) if ip_dst:24 == 192.168.84.0;
>         class ( $others ) if 1 ;
>         htb () {
>             class ( rate 18Mbps, ceil 18Mbps ) {
>                 $download = class ( rate 2500kbps, ceil 2500kbps ) ;
>                 $others = class ( rate 18Mbps, ceil 18Mbps ) ;
>             }
>         }
>     }
> }
Re: [LARTC] iptables mark + openvpn will the mark survive ?
> Hello, I want to setup bandwidth restrictions for a few clients that use openvpn to connect to my server. I'm using iptables to mark the packets in the mangle table (PRE/POSTROUTING) on eth0 before they get sent via the tunnel. Will the mark survive even if the packets then get routed via an openvpn tunnel (tunX) out the box or does openvpn change it removing the mark ?

openVPN is just a userspace process that - depending on configuration - doesn't even need root access to run (provided the device nodes are set up accordingly).

Depending on what you do, the mark should survive (never tested this), or not. If you are just forwarding to a tun/tap, the mark should survive like usual. There is no difference between a tun/tap device and another ethernet device with regard to this point.

However, once a packet reaches the tun/tap, it gets transferred to openVPN which encrypts it and sends it out using udp (or tcp, depending on configuration) of a real interface. These outgoing packets do not have the mark on them, primarily because they are completely different packets that were generated by openVPN and not really directly related to what went into the tun/tap device. I suspect that is however what you'd like to achieve.

Note that openVPN does have its own shaping directive (--shaper n) which may help you in this case.

--
C U
- -- - -/\/ René Gallati \/\ - --- -- -
Re: [LARTC] should I shape tun[N] or eth0 ?
> Hello, If I have a few vpn tunnels with different tun interfaces. And all this tunnel traffic is coming in on my eth0 interface, it also leave via eth0 again. I would like to share the available bandwidth evenly with tunnel clients. Would applying the bandwidth rule on eth0 with htb sfq work for sharing the bandwidth or will bandwidth rules only affect tunnel traffic if I apply it to the actual tun[n] interfaces ?

I'm not sure if it works on tun devices, but on tap's it should work since those actually look like normal ethernet devices. However if you shape on the virtual interfaces you only shape the incoming traffic (ie traffic going out a tun/tap is decrypted VPN traffic that is coming *in*).

So if you want to manage outgoing traffic, shape on eth0. Since openVPN per default requires a single port for each VPN, you can easily mark and classify the outgoing traffic with tc.

For example:

VPN1 udp 5000 udp 5000
VPN2 udp 5001 udp 5001
...

tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
    match ip protocol 17 0xff \
    match ip sport 5000 0xffff match ip dport 5000 0xffff flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
    match ip protocol 17 0xff \
    match ip sport 5001 0xffff match ip dport 5001 0xffff flowid 1:2

etc. to put all VPN traffic into class 1:2

Note that I didn't test this, so there might be an error in the lines above but the outlined way should work.

--
C U
- -- - -/\/ René Gallati \/\ - --- -- -
Re: [LARTC] should I shape tun[N] or eth0 ?
On 05 August 2004 pm 16:51, Rene Gallati wrote:
> > Hello, If I have a few vpn tunnels with different tun interfaces. And all this tunnel traffic is coming in on my eth0 interface, it also leave via eth0 again. I would like to share the available bandwidth evenly with tunnel clients. Would applying the bandwidth rule on eth0 with htb sfq work for sharing the bandwidth or will bandwidth rules only affect tunnel traffic if I apply it to the actual tun[n] interfaces ?
>
> For example:
>
> VPN1 udp 5000 udp 5000
> VPN2 udp 5001 udp 5001
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>     match ip protocol 17 0xff \
>     match ip sport 5000 0xffff match ip dport 5000 0xffff flowid 1:2
> tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>     match ip protocol 17 0xff \
>     match ip sport 5001 0xffff match ip dport 5001 0xffff flowid 1:2
>
> etc. to put all VPN traffic into class 1:2
>
> Note that I didn't test this, so there might be an error in the lines above but the outlined way should work.

On device tun, tc worked perfectly, just as you do with real interface eth0..n

Tested under 256Kbps link using Slackware-9.1 and Slackware-10 as distro. Also tested and worked perfectly with IMQ. So cheer up .. :))

Regards,
Rio Martin.
RE: [LARTC] TC-ng questions/problems
Hi Joost,

OK -- on the units of measure -- you may want to double check that your upstream provider is 2.000.000 bits/s and not 2 * 1024^1024.

I think that your r2q is probably off -- please see:
http://www.docum.org/stef.coene/qos/faq/cache/31.html

Check your system log as well -- you may see an indication of the problem.

You can try

#define MYR2Q 20

and then in your htb declaration try

htb ( r2q MYR2Q )

Also consider specifying a burst of 6kB and try some other values.

Cheers
Charles

On Thu, 2004-08-05 at 10:26, Joost Kraaijeveld wrote:
> Hi Charles,
>
> Thanks for the answer. I have also been bitten by the byte/bit bug in the past but in this case it must be something different. All my values are in the correct amount of bits.
>
> The most important problem is actually problem 2: why does the tc toward internet (dev WAN) do what it does?
>
> Greetings,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: [EMAIL PROTECTED]
> web: www.askesis.nl
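The unit chart quoted from Martin Brown and the r2q advice above can be checked together against the rates in Joost's script. The following is an added example, not code from the thread: it converts tcng rates to bytes per second, prints the tc spelling, and computes the HTB quantum (rate in bytes/s divided by r2q) for r2q 10 and 20. Assumptions: k = 1000 as in the chart's 64000 bytes/s = 512 kbps example, r2q 10 as the HTB default, and 1000 and 200000 bytes as the bounds outside which the kernel's HTB code logs its "Consider r2q change" warning; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tcng rate units, tc equivalents and HTB quantum per class.

# tcng rate -> bytes per second. In tcng "bps" is bits/s and "Bps" is bytes/s.
tcng_to_bytes() (
    spec=$1
    num=${spec%%[!0-9]*}          # leading digits
    unit=${spec#"$num"}           # remaining unit suffix
    [ -n "$num" ] || { echo "no number in: $spec" >&2; exit 1; }
    case $unit in
        bps)  echo $(( num / 8 )) ;;
        kbps) echo $(( num * 1000 / 8 )) ;;
        Mbps) echo $(( num * 1000000 / 8 )) ;;
        Bps)  echo $(( num )) ;;
        kBps) echo $(( num * 1000 )) ;;
        MBps) echo $(( num * 1000000 )) ;;
        *)    echo "unknown unit: $spec" >&2; exit 1 ;;
    esac
)

# Same rate spelled for the tc command line, where "bps" means bytes/s.
tc_rate() {
    bytes=$(tcng_to_bytes "$1") || return 1
    echo "${bytes}bps"
}

# HTB derives a leaf class's quantum as rate (bytes/s) / r2q.
htb_quantum() {
    bytes=$(tcng_to_bytes "$1") || return 1
    echo $(( bytes / $2 ))
}

# Classify the quantum against the assumed kernel warning bounds.
quantum_verdict() {
    q=$(htb_quantum "$1" "$2") || return 1
    if   [ "$q" -lt 1000 ];   then echo small
    elif [ "$q" -gt 200000 ]; then echo big
    else echo ok
    fi
}

# The class rates that appear in Joost's script.
report() {
    for rate in 18Mbps 10Mbps 5Mbps 2500kbps 712kbps; do
        printf '%-9s tc=%-11s r2q10=%s(%s) r2q20=%s(%s)\n' \
            "$rate" "$(tc_rate "$rate")" \
            "$(htb_quantum "$rate" 10)" "$(quantum_verdict "$rate" 10)" \
            "$(htb_quantum "$rate" 20)" "$(quantum_verdict "$rate" 20)"
    done
}

report
```

Under these assumptions only the 18Mbps leaf classes fall outside the bounds at r2q 10, and r2q 20 brings every class in the script back inside them.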
RE: [LARTC] TC-ng questions/problems
Hi Charles,

[EMAIL PROTECTED] wrote:
> I think that your r2q is probably off -- please see:
> http://www.docum.org/stef.coene/qos/faq/cache/31.html

This link does not work. All other numbers are there but one is not. But it's true: in the logfiles I see r2q mentioned (jumping with joy in my office, hope at last).

Thanks.

Greetings,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: [EMAIL PROTECTED]
web: www.askesis.nl
[LARTC] NAT tc filter addresses
Is there a flow diagram as to where tc actions take place with respect to NAT and other iptables functions on a multihomed box (private public NICs) ? Are tc filter rules consulted before or after NATing?

My real interest is in basic understanding first, and then solving a real problem second.

Example:
Firewall Public NIC 123.123.123.1
Firewall Private NIC 192.168.168.1
Dedicated Video Conferencing equipment @ 192.168.168.100

I'd like to write a rule that says any traffic emanating from the private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit as the traffic heads out on to the Internet to find the other end of the Video Conference.

The shaping occurs on the Public NIC, but the only address I have to work with is a private address. By the time the traffic hits the public NIC and tc rules are applied, I suspect the packet no longer has a source IP of private .100, but has been NAT'd to the public NIC address. There's no way to distinguish private .100's traffic via IP address by the time the tc filters are queried. Is that correct?

What methods are available to do this? I can think of marking all the packets on the private side then looking for the marks on the public side. Or, NAT private.100 to a specific Public IP and then write rules for that new Public IP. What other options are there?

--
Bill Gradwohl
[EMAIL PROTECTED]
http://www.ycc.com
SPAMstomper Protected email
[LARTC] HTB mpu and overhead settings for PPPoE ADSL?
Hello,

I'm using HTB to shape my outgoing traffic over an ADSL link with PPPoE with a nominal bandwidth of 128kbit/s. My goal is to favour small packets like ACKs and interactive services like ssh; in other words, I want to achieve low latency.

If there are some big packets going over the wire, everything works fine. But if there are many small packets saturating my uplink, I get pings of 1000ms and above. To minimize this effect I've set the HTB qdisc rate to 100kbit/s. But even now, throttling my uplink to lower than 80% of physical bandwidth, pings go up to 800ms in some cases.

Today I've noticed that two additional parameters have been added recently to the HTB shaper: mpu and overhead. Are these new parameters suitable for solving my problem? Which are smart values for these two settings?

I'm shaping the ppp device directly, not the ethernet device on which the dsl modem is connected, and I'm using the kernel pppoe driver (if this is important for you to know).

Thanks
Stefan

--
In a free world nobody needs Windows and Gates.
Re: [LARTC] TC-ng questions/problems
On Thursday 05 August 2004 12:36, Joost Kraaijeveld wrote:
> Hi Charles,
>
> [EMAIL PROTECTED] wrote:
> > I think that your r2q is probably off -- please see:
> > http://www.docum.org/stef.coene/qos/faq/cache/31.html
>
> This link does not work.

Correct link (I rehosted the site and the main path is changed):
http://www.docum.org/docum.org/faq/cache/31.html

Stef

--
[EMAIL PROTECTED]
Using Linux as bandwidth manager
http://www.docum.org/
[LARTC] URGENT HELP needed!! Problem with second route dual ISP
Below is a snippet from my firewall script

isp1_ip=xx.0.5.20
isp1_gw=xx.0.5.1
isp1_net=xx.0.5.0/28
isp1_if=eth2
isp2_ip=xx.182.19.88
isp2_gw=xx.182.19.1
isp2_net=xx.182.19.0/28
isp2_if=eth3
lo_ip=127.0.0.1
lo_if=lo
lo_net=127.0.0.1/8

ip rule delete from $isp1_ip
ip rule delete from $isp2_ip
ip route delete table 5 # isp 1
ip route delete table 7 # isp 2
ip route del default via $isp2_gw dev $isp2_if
ip route flush cache

#ip route default nexthop via $isp2_gw nexthop $isp1_gw
#ip route add default nexthop via $isp2_gw dev $isp2_if weight 2\
# nexthop via $isp1_gw dev $isp1_if weight 1

echo Adding routes ...
ip route add $isp1_net dev $isp1_if src $isp1_ip table 5
ip route add default via $isp1_gw table 5
#ip route add $lan_net dev $lan_if table 5
#ip route add $isp2_net dev $isp2_if table 5
#ip route add $lo_net dev $lo_if table 5
ip route add $isp1_net dev $isp1_if src $isp1_ip
ip route add $isp2_net dev $isp2_if src $isp2_ip
ip rule add from $isp1_ip table 5
ip rule add from $isp2_ip table 7
ip route add $isp2_net dev $isp2_if src $isp2_ip table 7
ip route add default via $isp2_gw table 7
ip route add $lan_net dev $lan_if table 7
ip route add $isp1_net dev $isp1_if table 7
ip route add $lo_net dev $lo_if table 7
ip route add default scope global nexthop via $isp2_gw dev $isp2_if \
    weight 200 nexthop via $isp1_gw dev $isp1_if weight 1
ip route flush cache

echo Starting firewall ...

mail/http connections to $isp1_ip fails. Why is this? I want to be able to connect to both ISP and fail over to ISP1 when ISP2 is down.

Thanks

Gareth Segree
mailto:[EMAIL PROTECTED]
Technical Support Analyst
The Gleaner Company Ltd.
7 North Street
Kingston
Tel: 922-3400
Re: [LARTC] NAT tc filter addresses
On Thursday 05 August 2004 18:47, Bill Gradwohl wrote:
> Is there a flow diagram as to where tc actions take place with respect to NAT and other iptables functions on a multihomed box (private public NICs) ? Are tc filter rules consulted before or after NATing?

See kptd on www.docum.org.

Stef

--
[EMAIL PROTECTED]
Using Linux as bandwidth manager
http://www.docum.org/
[LARTC] marking passive ftp and shaping
I am trying to mark outbound passive ftp traffic with iptables and shape it to 35KBytes. I am using the following script on the computer that runs the ftp server. It is not working correctly, it seems to limit ALL traffic. Can't file share or anything. Anyone might know what is wrong?

#!/bin/bash
#shaping passive ftp traffic

# mark the outbound passive ftp packets on ports 5-51000
iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5:51000 -j MARK --set-mark 1

# shape the traffic to 35Kbytes
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 35kbps
tc filter add dev eth0 parent 1: prio 0 protocol ip handle 1 fw flowid 1:1
Re: [LARTC] NAT tc filter addresses
Bill,

: Is there a flow diagram as to where tc actions take place with
: respect to NAT and other iptables functions on a multihomed box
: (private public NICs) ? Are tc filter rules consulted before or
: after NATing?

For simplicity's sake, let's just talk about packets leaving the box (transmit only). All iptables functions have taken place by the time the traffic control functions are called.

There are a number of different diagrams which cover this in different ways. The KPTD [0], which Stef has already mentioned, the Packet Flow diagram [1], which deals with the bridging, brouting stuff as well, an older 2.4 packet traversal diagram [2], and my recent diagram of just the netfilter system [3].

: My real interest is in basic understanding first, and then
: solving a real problem second.

Well...further on the self-promotion front--if understanding is what you seek, then maybe also my Traffic Control HOWTO would be handy. It's available at TLDP [4].

: Example:
: Firewall Public NIC 123.123.123.1
: Firewall Private NIC 192.168.168.1
: Dedicated Video Conferencing equipment @ 192.168.168.100
:
: I'd like to write a rule that says any traffic emanating from the
: private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit
: as the traffic heads out on to the Internet to find the other end of the
: Video Conference.
:
: The shaping occurs on the Public NIC, but the only address I have to
: work with is a private address. By time the traffic hits the public NIC
: and tc rules are applied, I suspect the packet no longer has a source IP
: of private .100, but has been NAT'd to the public NIC address. There's
: no way to distinguish private .100's traffic via IP address. by time the
: tc filters are queried. Is that correct?

That is correct, but you can always use the fwmark.

: What methods are available to do this? I can think of marking all
: the packets on the private side then looking for the marks on the
: public side. Or, NAT private.100 to a specific Public IP and then
: write rules for that new Public IP. What other options are there?

As far as I know, these are the two best options. If you don't wish to mess around with marking, the NAT option seems a very good and sensible way to go.

If you haven't used tc much, I'd recommend tcng [5]. It's far simpler to use (and more intuitive) once you have it installed.

Though I haven't tested the below, I could see something like this as a starting point for your experimentation. If you wished to cap the video bandwidth at 128k, you could simply use the same parameter for the rate and ceil (videobw).

#define private eth0
#define public eth1

/* assume that the NAT for the video server is separate from the
   source IP of the remainder of the traffic */
#define videobox 192.168.168.100
#define videopub 123.123.123.100

#define videobw 128000 bps
#define halft1 772000 bps
#define fullt1 1544000 bps

/* this should take care of shaping download traffic */
dev private {
    egress {
        /* traffic leaving the private NIC is addressed to the video box */
        class ( $video ) if ip_dst == videobox ;
        class ( $other ) if 1 ;
        htb {
            class ( rate fullt1, ceil fullt1 ) {
                /* guarantee videobw to $video, allow full usage */
                $video = class ( rate videobw, ceil fullt1 ) ;
                /* guarantee half the t1 to other traffic */
                $other = class ( rate halft1, ceil fullt1 ) ;
            }
        }
    }
}

/* this should take care of shaping upload traffic */
dev public {
    egress {
        class ( $video ) if ip_src == videopub ;
        class ( $other ) if 1 ;
        htb {
            class ( rate fullt1, ceil fullt1 ) {
                $video = class ( rate videobw, ceil fullt1 ) ;
                $other = class ( rate halft1, ceil fullt1 ) ;
            }
        }
    }
}

Good luck!

-Martin

[0] http://www.docum.org/docum.org/kptd/
[1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
[2] http://open-source.arkoon.net/kernel/kernel_net.png
[3] http://linux-ip.net/nf/nfk-traversal.png
[4] http://tldp.org/HOWTO/Traffic-Control-HOWTO/
[5] http://tcng.sourceforge.net/

--
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]
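The fwmark option mentioned in the reply above, written out with plain iptables and tc as an added example that is not part of the original message: the packet is marked on the private side while the source is still 192.168.168.100, and the public NIC classifies on the mark after NAT. The interface names and the 128k/772k/1544k figures follow the tcng sketch in the message; the mark value 1, the class ids and the dry-run wrapper `run` are assumptions.

```shell
#!/bin/sh
# Added example: classify NAT'd traffic by fwmark instead of by IP address.
PRIV_IF=eth0              # private NIC, as in the #defines above
PUB_IF=eth1               # public NIC
VIDEO_IP=192.168.168.100  # the video conferencing box
MARK=1                    # assumed unused fwmark value

# Print each command by default; execute only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

video_shaping_cmds() {
    # 1. Mark on arrival from the LAN. mangle/PREROUTING is traversed before
    #    the nat/POSTROUTING hook that rewrites the source address, and the
    #    mark stays attached to the packet inside the kernel.
    run iptables -t mangle -A PREROUTING -i "$PRIV_IF" -s "$VIDEO_IP" \
        -j MARK --set-mark "$MARK"

    # 2. HTB tree on the public NIC; unmarked traffic defaults to 1:20.
    run tc qdisc add dev "$PUB_IF" root handle 1: htb default 20
    run tc class add dev "$PUB_IF" parent 1: classid 1:1 htb \
        rate 1544kbit ceil 1544kbit
    # Guarantee 128kbit to video; set ceil to 128kbit as well to cap it.
    run tc class add dev "$PUB_IF" parent 1:1 classid 1:10 htb \
        rate 128kbit ceil 1544kbit
    run tc class add dev "$PUB_IF" parent 1:1 classid 1:20 htb \
        rate 772kbit ceil 1544kbit

    # 3. The fw classifier selects on the mark, so the post-NAT source
    #    address no longer matters.
    run tc filter add dev "$PUB_IF" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid 1:10
}

video_shaping_cmds
```

The mark exists only inside this host and is never sent on the wire, so it has to be set and matched on the same box.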