Re: [LARTC] An example of prio qdisc please...
On Wed, Sep 25, 2002 at 01:02:03PM +0200, Soulfly wrote:
> >
> > "Soulfly" <[EMAIL PROTECTED]> thus wrote:
> >
> > > tc qdisc add dev eth0 root handle 1: prio bands 5 priomap 2 3 2 2 3 3 3 3 1 1 1 1 2 2 2 2
> > > tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
> > > tc qdisc add dev eth0 parent 1:2 handle 20: sfq perturb 10
> > > tc qdisc add dev eth0 parent 1:3 handle 30: sfq perturb 10
> > > tc qdisc add dev eth0 parent 1:4 handle 40: sfq perturb 10
> > > tc filter add dev eth0 protocol ip parent 1: prio 10 u32 match ip protocol 0xXX 0xff flowid 1:1
> >
>
> I have a configuration which use 5 prio levels (2 above the standard
> priolevels). I converted it to 4 and forgot to alter the band parameter.. so
> the correct line is..
>
> tc qdisc add dev eth0 root handle 1: prio bands 4 priomap 2 3 2 2 3 3 3 3 1 1 1 1 2 2 2 2
>

Here is my net config:

LAN1->(eth1)ipsec_gw1(ppp0)---(ppp0)ipsec_gw2(eth1)<-LAN2
                            ^
                            |
                          server

Ok, so I tried this:

tc qdisc del dev ppp0 root
tc qdisc add dev ppp0 root handle 1: prio
tc qdisc add dev ppp0 parent 1:1 handle 10: sfq perturb 10
tc qdisc add dev ppp0 parent 1:2 handle 20: sfq perturb 10
tc qdisc add dev ppp0 parent 1:3 handle 30: sfq perturb 10
tc filter add dev ppp0 protocol ip parent 1: prio 10 u32 match ip protocol 0x50 0xff flowid 1:1

I did it on my two ipsec-end gateways, so if I connect from LAN1 to LAN2 via ssh, all traffic goes in 10:, and when I ftp from LAN1 to the server directly through internet (no tunnel), traffic goes in 30:

But this doesn't change anything, ssh is as slow as without prio when I do ftp.

Where is my probable qos conception error??

Thanks for any help.

--
Easter-eggs   Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
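
Added example, not part of the original posts: a dry-run script that prints the prio/sfq/u32 commands discussed above with ESP and AH steered into band 1:1, and checks a priomap against its band count. The function names are hypothetical; ppp0 and the handles follow the thread. The u32 selector takes the protocol number in hex, so ESP (decimal 50) is 0x32 and AH (decimal 51) is 0x33, while 0x50 is decimal 80.

```shell
#!/bin/sh
# Added example: prints tc commands for review, applies nothing.

# Convert a decimal IP protocol number to the hex form used by
# "u32 match ip protocol <hex> 0xff".
proto_hex() {
    printf '0x%02x' "$1"
}

# Validate a priomap: at most 16 entries, each one a band index
# strictly below the number of bands (bands are numbered from 0).
priomap_ok() {
    bands=$1; shift
    [ "$#" -le 16 ] || return 1
    for b in "$@"; do
        [ "$b" -lt "$bands" ] || return 1
    done
    return 0
}

# Print a default 3-band prio qdisc with one sfq per band, plus u32
# filters sending ESP (50), AH (51) and IKE (UDP 500) to band 1:1.
prio_ipsec_rules() {
    dev=$1
    echo "tc qdisc add dev $dev root handle 1: prio"
    for band in 1 2 3; do
        echo "tc qdisc add dev $dev parent 1:$band handle ${band}0: sfq perturb 10"
    done
    for proto in 50 51; do
        echo "tc filter add dev $dev protocol ip parent 1: prio 10 u32 match ip protocol $(proto_hex "$proto") 0xff flowid 1:1"
    done
    # IKE: UDP (protocol 17 = 0x11) to destination port 500.
    echo "tc filter add dev $dev protocol ip parent 1: prio 10 u32 match ip protocol $(proto_hex 17) 0xff match ip dport 500 0xffff flowid 1:1"
}

# Constructed sample run: the priomap quoted in the thread needs 4 bands.
if priomap_ok 4 2 3 2 2 3 3 3 3 1 1 1 1 2 2 2 2; then
    echo "# priomap fits 4 bands"
fi
prio_ipsec_rules ppp0
```

Once the rules are loaded, `tc -s qdisc show dev ppp0` shows per-band packet counters, which tells you whether the filter is matching at all.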
Re: [LARTC] An example of prio qdisc please...
On Wed, Sep 25, 2002 at 09:28:28AM +0200, Soulfly wrote:
> tc qdisc add dev eth0 root handle 1: prio bands 5 priomap 2 3 2 2 3 3 3 3 1 1 1 1 2 2 2 2
> tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
> tc qdisc add dev eth0 parent 1:2 handle 20: sfq perturb 10
> tc qdisc add dev eth0 parent 1:3 handle 30: sfq perturb 10
> tc qdisc add dev eth0 parent 1:4 handle 40: sfq perturb 10
> tc filter add dev eth0 protocol ip parent 1: prio 10 u32 match ip protocol 0xXX 0xff flowid 1:1
>
> have you read the docs? If not, do so to understand how it works and what
> the quirks are. http://www.lartc.org/
>

Of course, I did it already, the lartc howto is a really good doc, but all of this is not really easy, so by giving me this example I will be able to understand more and do what I want.

Thanks!
[LARTC] An example of prio qdisc please...
I simply want to give higher priority for esp protocol.

Could someone give me an example (I think using prio qdisc and u32 filter???)
Re: [LARTC] Limit bandwidth for ipsec vpns
On Mon, Aug 19, 2002 at 02:28:34PM -0400, Michael T. Babcock wrote:
> On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > > doing vpns with freeswan, I.E. for a 1Mbit line with 1 ipsec tunnel on
> > > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > > traffic (non vpn) to 512kbit.
> > More info about shaping can be found on www.lartc.org. And I have some extra
> > information on www.docum.org.
> >
> > You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
> > One for vpn traffic and one for non vpn traffic. I hope that you use fixed
> > ports for the vpn traffic so you can use the dst/src port as a filter key.
> > You can share the same 1mbit or you can limit each class to 512kbit.
>
> If FreeS/WAN is used, adding a pair of classes to the external interface
> for 'normal' and 'VPN' traffic should suffice. VPN traffic is identifiable
> as traffic over UDP port 500 and protocols 50 or 51, although you may wish
> to give them their own class with high priority as they do key exchanges.

Thanks, I tried with marking packets with netfilter, but here is one of my problems: I can mark esp proto but not non-esp proto:

# This works
# Marking outgoing vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p esp -j MARK --set-mark 29
iptables -t mangle -A OUTPUT -o $IFEXT -p udp --dport 500 -j MARK --set-mark 29

# This doesn't work!!
# Marking outgoing non-vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p ! esp -j MARK --set-mark 39

Any idea??

>
> If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and
> work from there on it.
> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/
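
Added example, not part of the original posts: a dry-run script that prints one way to get the 512kbit/512kbit split discussed above without a negated protocol match, by setting the non-VPN mark first and letting the VPN rules overwrite it, then classifying by mark with htb. The function names and class ids 1:10/1:20 are hypothetical; the marks 29 and 39, the OUTPUT chain and the rates come from the thread.

```shell
#!/bin/sh
# Added example: prints iptables/tc commands for review, applies nothing.

# MARK does not end chain traversal, so rule order decides the final
# mark: the catch-all goes first, the VPN matches overwrite it.
mark_rules() {
    ifext=$1
    echo "iptables -t mangle -A OUTPUT -o $ifext -j MARK --set-mark 39"
    echo "iptables -t mangle -A OUTPUT -o $ifext -p esp -j MARK --set-mark 29"
    echo "iptables -t mangle -A OUTPUT -o $ifext -p udp --dport 500 -j MARK --set-mark 29"
}

# htb tree: one parent at line rate, two capped children, fw filters
# keyed on the marks above. OUTPUT only sees locally generated
# packets, so "default 20" sends anything unmarked (for example
# forwarded LAN traffic) to the non-VPN class.
shape_rules() {
    ifext=$1
    line=${2:-1mbit}
    vpn=${3:-512kbit}
    other=${4:-512kbit}
    echo "tc qdisc add dev $ifext root handle 1: htb default 20"
    echo "tc class add dev $ifext parent 1: classid 1:1 htb rate $line"
    echo "tc class add dev $ifext parent 1:1 classid 1:10 htb rate $vpn ceil $vpn"
    echo "tc class add dev $ifext parent 1:1 classid 1:20 htb rate $other ceil $other"
    echo "tc filter add dev $ifext parent 1: protocol ip prio 1 handle 29 fw flowid 1:10"
    echo "tc filter add dev $ifext parent 1: protocol ip prio 1 handle 39 fw flowid 1:20"
}

# Constructed sample run for the setup described in the thread.
mark_rules ppp0
shape_rules ppp0 1mbit 512kbit 512kbit
```

Setting `ceil` equal to `rate` keeps each class at its cap; raising `ceil` to the line rate lets a class borrow idle bandwidth from the other.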
[LARTC] Limit bandwidth for ipsec vpns
Hi everybody,

Is there anyone having an idea on how to limit bandwidth on a linux gw doing vpns with freeswan, I.E. for a 1Mbit line with 1 ipsec tunnel on interface ppp0, limiting vpn traffic (esp) to 512kbit and internet traffic (non vpn) to 512kbit.

Thanks in advance!

Manu.