[LARTC] wondershaper and dmzs

2007-03-29 Thread seph
I have a pretty simple setup. I've got a linux nat box, with some
internal hosts. I've also got some servers in a dmz. It looks
something like this:

        Internet
           |
   (external network)
      |         |
      |         |
    linux      dmz
     nat      hosts
      |
      |
   (office network)
      |
      |
    office
    hosts

I'd like to shape the office traffic that's going out to the internet,
while leaving the office traffic to the dmz alone. After all, the
network link to the dmz is fast. I've been using wondershaper, since it's
easy and works well, but I'm not sure how to add in an exception for
the dmz hosts.

Can I do this with tc, or is the entire interface shaped? It seems
like I might be able to create a more explicit filter, but I'm having
trouble getting it to work.

seph
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] wondershaper and dmzs

2007-03-29 Thread Bruno Wolff III
On Thu, Mar 29, 2007 at 12:16:20 -0400,
  seph [EMAIL PROTECTED] wrote:
>
> Can I do this with tc, or is the entire interface shaped? It seems
> like I might be able to create a more explicit filter, but I'm having
> trouble getting it to work.

You can filter on the destination ip address.


[LARTC] Wondershaper Errors

2006-09-16 Thread Gianluca "acid_burn" D'Andrea
Hi all!

when I activate wondershaper on my dsl connection (pppoa vc mux), i get
three errors:

# sh -x  /usr/sbin/wshaper ppp0
+ /usr/sbin/xmlstarter setenv tc_downlink
+ DOWNLINK=
+ /usr/sbin/xmlstarter setenv tc_uplink
+ UPLINK=
+ [ -z  ]
+ cat /proc/avalanche/avsar_modem_stats
+ grep Connection Rate
+ awk {printf(%d, $8)}
+ DOWNLINK=1504
+ [ -z  ]
+ cat /proc/avalanche/avsar_modem_stats
+ grep Connection Rate
+ awk {printf(%d, $4)}
+ UPLINK=320
+ DEV=ppp0
+ /usr/sbin/xmlstarter setenv tc_hipriohostsrc
+ HIPRIOHOSTSRC=
+ /usr/sbin/xmlstarter setenv tc_hipriohostdst
+ HIPRIOHOSTDST=
+ /usr/sbin/xmlstarter setenv tc_hiprioportsrc
+ HIPRIOPORTSRC=
+ /usr/sbin/xmlstarter setenv tc_hiprioportdst
+ HIPRIOPORTDST=
+ /usr/sbin/xmlstarter setenv tc_nopriohostsrc
+ NOPRIOHOSTSRC=
+ /usr/sbin/xmlstarter setenv tc_nopriohostdst
+ NOPRIOHOSTDST=
+ /usr/sbin/xmlstarter setenv tc_noprioportsrc
+ NOPRIOPORTSRC=
+ /usr/sbin/xmlstarter setenv tc_noprioportdst
+ NOPRIOPORTDST=
+ [ ppp0 = status ]
+ [ ppp0 = stop ]
+ tc qdisc del dev ppp0 root
+ tc qdisc del dev ppp0 ingress
+ tc qdisc add dev ppp0 root handle 1: htb default 20
+ tc class add dev ppp0 parent 1: classid 1:1 htb rate 320kbit burst 6k
+ tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 320kbit burst 6k prio 1
+ tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 288kbit burst 6k prio 2
+ tc class add dev ppp0 parent 1:1 classid 1:30 htb rate 256kbit burst 6k prio 2
+ tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
RTNETLINK answers: Invalid argument - 1'st error --
+ tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
RTNETLINK answers: Invalid argument - 2'nd error --
+ tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
RTNETLINK answers: Invalid argument - 3'rd error --
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev ppp0 handle : ingress
+ tc filter add dev ppp0 parent : protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1504kbit burst 10k drop flowid :1

why?
thanks in advance


Re: [LARTC] Wondershaper Errors

2006-09-16 Thread gypsy
Gianluca "acid_burn" D'Andrea wrote:
>
> Hi all!
>
> when I activate wondershaper on my dsl connection (pppoa vc mux), i get
> three errors:
>
> # sh -x  /usr/sbin/wshaper ppp0
> + /usr/sbin/xmlstarter setenv tc_downlink
> + DOWNLINK=
> + /usr/sbin/xmlstarter setenv tc_uplink
> + UPLINK=
> + [ -z  ]
> + cat /proc/avalanche/avsar_modem_stats
> + grep Connection Rate
> + awk {printf(%d, $8)}
> + DOWNLINK=1504
> + [ -z  ]
> + cat /proc/avalanche/avsar_modem_stats
> + grep Connection Rate
> + awk {printf(%d, $4)}
> + UPLINK=320
> + DEV=ppp0
> + /usr/sbin/xmlstarter setenv tc_hipriohostsrc
> + HIPRIOHOSTSRC=
> + /usr/sbin/xmlstarter setenv tc_hipriohostdst
> + HIPRIOHOSTDST=
> + /usr/sbin/xmlstarter setenv tc_hiprioportsrc
> + HIPRIOPORTSRC=
> + /usr/sbin/xmlstarter setenv tc_hiprioportdst
> + HIPRIOPORTDST=
> + /usr/sbin/xmlstarter setenv tc_nopriohostsrc
> + NOPRIOHOSTSRC=
> + /usr/sbin/xmlstarter setenv tc_nopriohostdst
> + NOPRIOHOSTDST=
> + /usr/sbin/xmlstarter setenv tc_noprioportsrc
> + NOPRIOPORTSRC=
> + /usr/sbin/xmlstarter setenv tc_noprioportdst
> + NOPRIOPORTDST=
> + [ ppp0 = status ]
> + [ ppp0 = stop ]
> + tc qdisc del dev ppp0 root
> + tc qdisc del dev ppp0 ingress
> + tc qdisc add dev ppp0 root handle 1: htb default 20
> + tc class add dev ppp0 parent 1: classid 1:1 htb rate 320kbit burst 6k
> + tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 320kbit burst 6k prio 1
> + tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 288kbit burst 6k prio 2
> + tc class add dev ppp0 parent 1:1 classid 1:30 htb rate 256kbit burst 6k prio 2
> + tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
> RTNETLINK answers: Invalid argument - 1'st error --
> + tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
> RTNETLINK answers: Invalid argument - 2'nd error --
> + tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
> RTNETLINK answers: Invalid argument - 3'rd error --

It looks like you don't have sfq.  Check your kernel config and
/lib/modules/$VERSION/net/sched/sch_sfq.o since sfq is normally built as
a module.

tc needs sfq too.
--
gypsy


Re: [LARTC] Wondershaper and DSCP

2006-01-08 Thread Andy Furniss

Keith Mitchell wrote:

> Did anyone ever answer this one?  THIS is what I am trying to do:
>
> [LARTC] cbq+sfq and DSCP marking


I haven't used dscp but it looks like you need to add cbq below dsmark 
and then filter with tcindex see


http://lartc.org/howto/lartc.adv-qdisc.dsmark.html

Andy.


[LARTC] Wondershaper and DSCP

2006-01-05 Thread Keith Mitchell
Did anyone ever answer this one?  THIS is what I am trying to do:

[LARTC] cbq+sfq and DSCP marking
Maria Joana Urbano [EMAIL PROTECTED]
Thu, 13 Feb 2003 19:29:42 +


Hi,

I am a little confused about traffic control at egress + DSCP marking.

Suppose I have a home router and set three different traffic classes at
the egress interface in a similar way to what wondershaper (cbq version)
does:

tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \
   allot 1500 prio 5 bounded isolated
tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \
   allot 1600 prio 1 avpkt 1000
tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[9*$UPLINK/10]kbit \
   allot 1600 prio 2 avpkt 1000
tc class add dev $DEV parent 1:1 classid 1:30 cbq rate $[8*$UPLINK/10]kbit \
   allot 1600 prio 2 avpkt 1000
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

Then, I would like to DSCP mark the packets that leave the router based
on their class. Ex., packets from class 1:10 would be marked with 0xb8 and
packets from class 1:30 would have a 0x0 DSCP mark.

However, after some reading, the only DS marking examples I found were
like this (i.e., no chance to add cbq and sfq filters):

tc qdisc add dev $DEV handle 1:0 root dsmark indices 64
tc class change dev $DEV classid 1:10 dsmark mask 0x3 value 0xb8
tc class change dev $DEV classid 1:20 dsmark mask 0x3 value 0x90
tc class change dev $DEV classid 1:30 dsmark mask 0x3 value 0x0

I am not sure if I understood the dsmark and DSCP marking model. Is it
not possible to add the DSCP marking to the cbq+sfq example above?

Any help would be appreciated. Tnx!
J.



[LARTC] Wondershaper....

2005-10-27 Thread David Sims
Hi,

  I am doing LARTC style policy based routing to allocate traffic between
two different T-1 based ISPs via a single egress NIC card (two different
default routes depending on source address). I would like to try out
Wondershaper on this NIC. I have initially set:

DOWNLINK=2500
UPLINK=2500
DEV=eth1

with the idea being that the aggregate maximum rate out this NIC is 2 x
1544 (i.e., 2 T-1s) or about 3.1 Mb/s. Is that an appropriate setting??
What's the best way to tell if this traffic shaping is having the desired
effect?? Is there a way to independently apply this shaper to each of
the flows?

Dave


[LARTC] wondershaper....

2005-10-13 Thread David Sims
Hi,

  I am new to the Linux Advanced Routing Project and to Policy Based
Routing as implemented in Linux but I have been using Linux for 10
years so not _really_ a newbie. Looking at the lartc.org website I came
across the reference implementation of a traffic shaper...

  I also have Matt Marsh's book on 'Policy Based Routing using Linux'
which covers traffic shaping a bit in the later chapters but I am not
crystal clear on it.

  I have a linux box doing simple policy based routing for a fairly
substantial private network and routing the resulting traffic in a policy
based way to two different ISPs via T-1 (1.544 Mb/s) pipes... Sort of
arbitrary poor-boy load balancing resulting in two distinct QOSes (i.e.,
heavily loaded and lightly loaded ;)...

  I would like to also experiment with traffic shaping and would welcome
any thoughts that you might have regarding implementation in such a
setup... Basically the PBR Linux box has two NICs. Eth0 is facing the
private network and is the default gateway for all private traffic...
while eth1 is facing a DMZ LAN where the various ISPs and other private
network services live.

  My first thought was to run wondershaper as is and set the parameters to
3 Mb up and 3 Mb down (i.e., 2 x t-1). But then I had a flash of common
sense and decided to ask first if there might not be a better way ;)

  If anyone has any thoughts about traffic shaping in this environment or
on the setup in general I would love to hear them...

TIA. Any and all instruction gratefully received.

Dave Sims
Houston, Texas



RE: [LARTC] wondershaper....

2005-10-13 Thread Eliot, Wireless and Server Administrator, Great Lakes Internet
Well, the way I see it, if you are trying to load balance over two T1 lines in your own network, using multipath routing or something similar is not an issue. However, when you are trying to load balance over two T1 lines provided by separate ISPs, you run into the global address problem. That is, your packets going through 1 T1 go out to the world with a source IP from ISP 1 and your packets going through the other T1 go out to the world with a source IP from ISP 2. Now, on the sending end, you don't really care. But, the receiving end does care. If you are just doing a packet-per-packet load balancing, JOE webserver on the Internet is going to see half your packets coming from one IP and half coming from the other. It is not going to reassemble them into a full stream and decode them. And if you try to force your packets going out one T1 to have the IP of the other T1, the ingress filter on your ISP's network (that would be ingress from you to them, egress from them to the world) will likely filter out your packets as spoofed packets. So, the only real load balancing you can do on two T1 lines from two different ISPs is flow-based load balancing. A single connection goes through a single T1 and you load balance the separate connections across the T1 lines. By doing it this way, you make the sacrifice that you are not receiving equal load balancing. Specifically, your upload speed on any given connection will never exceed the maximum speed of a single T1 line.

BGP comes in handy when that's not what you want to do. With BGP, you can advertise a route to your network block through both providers. Then, you can send packets out either provider with a single IP address and the packets will return via the best route from the server you are connecting to and your network. You can alter that load balancing on a network block basis by advertising some network blocks out one T1 and other network blocks out the other T1 with smaller subnet masks than your entire network block. This takes advantage of the fact that routers always route to the route with the smallest subnet mask. For instance, if you have a /20 network block, you can advertise the /20 out both providers, then advertise 8 /24's out one provider and 8 /24's out the other (or 4 /23's, or whatever you want).

If you combine BGP with equal-cost multipath routing and force the costs of the T1 lines to the same cost, you can send one packet out one T1 and one out the other giving you a maximum upload speed of 3 Mbps.

This is the only way I know of to load balance across two connections to separate ISPs. If you have another way that solves the above listed problem, please let me know.

Now, if your T1 lines are from the same ISP, you should look into bonding them or using equal-cost multipath routing on both ends, either of which would give you 3 Mbps in both directions.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395



-Original Message-
From: David Sims [mailto:[EMAIL PROTECTED]]
Sent: Thu 10/13/2005 11:38 AM
To: Eliot, Wireless and Server Administrator, Great Lakes Internet
Subject: RE: [LARTC] wondershaper

Hi Eliot,

 Of course, BGP would be the traditional solution for Policy Based
Routing but I like doing things in new and different ways to learn
about them and to see if they are actually better or worse than the
traditional way (it's through that process that computer science moves
ahead ;)... It would seem at first blush that Policy Based Routing under
Linux is head and shoulders above the traditional methodologies and
I think the functionality is far better than even Cisco's

 I would agree that fault tolerance is not as good as with one of the
more traditional mechanisms, but think of my environment as a 'lab'...
It's easy enough to swing all the traffic to one T-1 or another in the
event of a failure... even though the volume would kill the working T-1
due to the amount of traffic... A more optimal situation would be to use
ethernet over fiber where one could just get 4 Mb/s without regard to
electrical interfaces rather than load balancing two T-1s but then
there's no backup at all in that situation... it would either be working
or not working

 Any other thoughts??

Dave
**
On Thu, 13 Oct 2005, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:


> I would recommend that you investigate the possible use of BGP over
> those T1s from other providers. That would be your best solution. You
> can use BGP to shape the loading on the T1 lines and it would offer you
> better fault tolerance in the event that one of the T1 lines went down.
> Of course, you would still benefit from QoS

Re: [LARTC] wondershaper query

2005-07-31 Thread Ow Mun Heng
On Thu, 2005-07-28 at 15:00 -0400, Payal Rathod wrote:
> Hello,
> I am trying wondershaper-1.1a on a friend's pppoe connection on her
> Linux box.
> There are a few things I don't understand.
> 1. She has pppoe connection so should DEV=eth0 or DEV=ppp0 ?

Frankly I can't remember. My home box is not with me right now. Why
don't you give each a shot? My bet is it's ppp0. (90% sure)

> 2. Her ISP just says on her payment bill that the speed is 128kbps, but
> doesn't mention any downlink/uplink speed, so in that case what should
> be, DOWNLINK= and UPLINK= ?

You can try some online bandwidth tests. I like the ones at
nyc.speakeasy.net

bear in mind that 128 may mean both up and dn speed (symmetrical). You
may have to play with the numbers a bit to get it right.

> 3. She uses the net in her small office and people mostly to browse the
> net, send emails sometimes ftp data out and sometimes ssh to other
> servers to trouble shoot their programs. In such a case is wondershaper
> helpful? Or is it not required at all?

Of course it is useful. This is definitely useful to make
non-interactive activity such as FTP slower than interactive (SSH)
activities so not to feel the lag.



-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 12:16:40 up 8 days, 18:28, 5 users, load average: 0.42,
0.30, 0.26 




[LARTC] wondershaper query

2005-07-28 Thread Payal Rathod
Hello,
I am trying wondershaper-1.1a on a friend's pppoe connection on her
Linux box.
There are a few things I don't understand.
1. She has pppoe connection so should DEV=eth0 or DEV=ppp0 ?
2. Her ISP just says on her payment bill that the speed is 128kbps, but
doesn't mention any downlink/uplink speed, so in that case what should
be, DOWNLINK= and UPLINK= ?
3. She uses the net in her small office and people mostly to browse the
net, send emails sometimes ftp data out and sometimes ssh to other
servers to trouble shoot their programs. In such a case is wondershaper
helpful? Or is it not required at all?

Thanks in advance.
With warm regards,
Payal



[LARTC] wondershaper tweaking

2005-05-09 Thread Anthony Letchet
Hi all, i've got wondershaper working well with the highest download
while maintaining minimal latency but the problem is this:

ive got 2 nics in the linux router eth0 and eth1. eth1= internet
interface but this is connected to a router say 10.0.0.190, now off that
router there are other servers, mail server, domino server etc now if i
shape on eth1 ingress and egress using the wondershaper script then i
only get internet speeds to my local servers, when i could be getting
100mbit :)

Hope you can see my dilemma, what i want to do basically is within use
some tc commands to say do not shape traffic at all if it is coming to
or going to these ips: 10.0.0.2 10.0.0.3 10.0.0.4 etc
Im still reading the howtos on how to write my own rules but since the
wondershaper script is doing exactly what i want i had hoped that
someone would know the commands to implement this now :)


my diagram

lan clients - linux router - eth1 - 100mbit router/switch - PPPOa
eth1- 100mbit/switch -
server1,2,3

Cheers

Anthony


Re: [LARTC] wondershaper tweaking

2005-05-09 Thread Robert Denier
Well as near as I can tell you have at least a few options.

1) You could take a look at the shaping how to that I think is somewhere
linked off the gentoo.org documentation.  That way you could
create/modify a script that would handle it.

2) Change your topology so all your equipment is connected to one
ethernet card with the other dedicated for internet access.  I really
recommend this, if it's possible since it's the easiest way to firewall
things.

3) Install a third card for your internet access and do the shaping on
that.  That is about the simplest.  You could try something like
ifconfig eth0:1 192.168.55.75 netmask 255.255.255.0 to create a fake
interface, but I haven't had much luck shaping on them.

Do also note that shaping your download rate is _not_ free.  Afaik it
drops packets to coerce that rate which gets TCP/IP to slow down.

Good luck.


On Mon, 2005-05-09 at 09:29 +0100, Anthony Letchet wrote:
> Hi all, i've got wondershaper working well with the highest download
> while maintaining minimal latency but the problem is this:
>
> ive got 2 nics in the linux router eth0 and eth1. eth1= internet
> interface but this is connected to a router say 10.0.0.190, now off that
> router there are other servers, mail server, domino server etc now if i
> shape on eth1 ingress and egress using the wondershaper script then i
> only get internet speeds to my local servers, when i could be getting
> 100mbit :)
>
> Hope you can see my dilemma, what i want to do basically is within use
> some tc commands to say do not shape traffic at all if it is coming to
> or going to these ips: 10.0.0.2 10.0.0.3 10.0.0.4 etc
> Im still reading the howtos on how to write my own rules but since the
> wondershaper script is doing exactly what i want i had hoped that
> someone would know the commands to implement this now :)
>
>
> my diagram
>
> lan clients - linux router - eth1 - 100mbit router/switch - PPPOa
> eth1- 100mbit/switch -
> server1,2,3
>
> Cheers
>
> Anthony
>
-- 
Robert Denier ([EMAIL PROTECTED])
PhD Electrical Engineering (May 2005)
University of Missouri-Rolla
http://www.finiteinfinity.com



Re: [LARTC] wondershaper tweaking

2005-05-09 Thread Andreas Klauer
On Monday 09 May 2005 10:29, Anthony Letchet wrote:
> Im still reading the howtos on how to write my own rules but since the
> wondershaper script is doing exactly what i want i had hoped that
> someone would know the commands to implement this now :)

I did such a modification to wondershaper once for somebody on this list.
The file is still there:

http://www.metamorpher.de/files/wshaper-over-lan.htb

And an image of the class tree:
http://www.metamorpher.de/files/wshaper-over-lan.png

I don't use this myself, and never tested it myself,
so there is no guarantee that it will actually work.

My basic idea how to solve this was to create one fat class which can use 
the NIC at full speed, and two child classes, one for internet traffic 
which limits to internet speed, and one for LAN traffic, which limits to 
full speed minus internet speed.

I use pretty much the same concept in my FairNAT shaping script (which is 
designed for routers) and it works for me.

HTH
Andreas
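
[Added example, not part of the original post and not the wshaper-over-lan.htb file linked above:] The class layout Andreas describes (one parent class at NIC speed, an internet child capped at the uplink rate, a LAN child with the remainder), written out as tc commands with the "do not shape these IPs" exception asked for in this thread. The interface name, rates and addresses are assumptions built from values mentioned on this page, the leaf-class rates are this example's own choice, and the script only prints the commands unless TC=tc is set.

```shell
#!/bin/sh
# Added example. Dry run by default: every tc command is printed, not executed.
# To apply for real, run as root with TC=tc in the environment.
TC=${TC:-echo tc}

# lan_exempt_rules DEV LINE_KBIT UPLINK_KBIT DOWNLINK_KBIT "LOCAL_NET ..."
# (function and variable names are hypothetical, chosen for this example)
lan_exempt_rules() {
    le_dev=$1; le_line=$2; le_up=$3; le_down=$4; le_nets=$5

    # The internet share has to fit inside the NIC rate, otherwise the LAN
    # class would end up with a zero or negative rate.
    if [ "$le_up" -ge "$le_line" ]; then
        echo "uplink ${le_up}kbit must be below line rate ${le_line}kbit" >&2
        return 1
    fi
    le_lan=$((le_line - le_up))   # "full speed minus internet speed"
    le_half=$((le_up / 2))        # leaf guarantees that sum to <= uplink

    # Start clean; deleting a qdisc that does not exist is not an error here.
    $TC qdisc del dev "$le_dev" root 2>/dev/null || true
    $TC qdisc del dev "$le_dev" ingress 2>/dev/null || true

    # Egress. Anything no filter claims lands in 1:20 (internet bulk), so a
    # host is only unshaped if it is explicitly listed as local.
    $TC qdisc add dev "$le_dev" root handle 1: htb default 20
    # The "fat" class at NIC speed.
    $TC class add dev "$le_dev" parent 1: classid 1:1 htb rate "${le_line}kbit"
    # Internet child, hard-capped at the uplink rate.
    $TC class add dev "$le_dev" parent 1:1 classid 1:2 htb \
        rate "${le_up}kbit" ceil "${le_up}kbit"
    # LAN/DMZ child gets whatever the NIC has left.
    $TC class add dev "$le_dev" parent 1:1 classid 1:3 htb \
        rate "${le_lan}kbit" ceil "${le_lan}kbit"
    # Wondershaper-style leaves hang under the internet class, not the root.
    $TC class add dev "$le_dev" parent 1:2 classid 1:10 htb \
        rate "${le_half}kbit" ceil "${le_up}kbit" burst 6k prio 1
    $TC class add dev "$le_dev" parent 1:2 classid 1:20 htb \
        rate "${le_half}kbit" ceil "${le_up}kbit" burst 6k prio 2
    $TC qdisc add dev "$le_dev" parent 1:3 handle 3: sfq perturb 10
    $TC qdisc add dev "$le_dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$le_dev" parent 1:20 handle 20: sfq perturb 10

    # Local destinations are matched first (prio 1) and sent to the LAN class.
    for le_net in $le_nets; do
        $TC filter add dev "$le_dev" parent 1: protocol ip prio 1 u32 \
            match ip dst "$le_net" flowid 1:3
    done
    # Wondershaper's TOS Minimum-Delay rule for whatever is left.
    $TC filter add dev "$le_dev" parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xff flowid 1:10

    # Ingress. A filter that matches without a police action lets the packet
    # through, so local sources listed at prio 40 never reach the policer.
    $TC qdisc add dev "$le_dev" handle ffff: ingress
    for le_net in $le_nets; do
        $TC filter add dev "$le_dev" parent ffff: protocol ip prio 40 u32 \
            match ip src "$le_net" flowid :1
    done
    $TC filter add dev "$le_dev" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "${le_down}kbit" burst 10k drop flowid :1
}

# Constructed sample: the server addresses from the question, a 100mbit NIC,
# and the 320/1504 kbit line rates from the wshaper trace earlier on this page.
lan_exempt_rules eth1 100000 320 1504 "10.0.0.2 10.0.0.3 10.0.0.4"
```

The local list is a trust decision as well as a speed one: only addresses that really sit on the fast segment belong in it, since anything listed bypasses both the uplink cap and the ingress policer.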


[LARTC] Wondershaper 1.1a bandwidth speed test gives me uplink speed instead of downlink

2005-04-22 Thread Wes Hegge
I have been testing wondershaper 1.1a with htb.

DOWNLINK=2304
UPLINK=1024
DEV=wlan0

No other changes have been made, except to comment out the 2 lines to
allow the script to run.

When I do a speed test from sites like www.toast.net/performance, I only
get speeds equal to my UPLINK speed.  I expected a speed closer to the
DOWNLINK.  Am I missing something here?

TIA,
-- 
-Wes Hegge
Technical Engineer
SignalBlast.Com, Inc.

P: (815) 397-1700
E: [EMAIL PROTECTED]
F: (815) 397-2271



Re: [LARTC] wondershaper with ssh on a non-standard port

2005-01-11 Thread simms

mornin' all,

i still haven't found the right solution for my situation, but after 
some digging, i realized that the free PuTTY SSH client (commonly used 
to access remote systems from under Windows) does NOT set the TOS bit 
in a way that would let the default wondershaper script identify its 
packets as high-priority.  

this means that -- as suggested by Ed -- prioritizing SSH packets in the 
uplink stream would have to be done on the basis of the port number used 
by these packets.  
also, because PuTTY does not set the TOS bit as wondershaper expects, 
PuTTY users will have to use *port-based* prioritization in wondershaper 
EVEN IF THEIR SSH SERVER RUNS ON THE DEFAULT PORT (22). 

i will post up my solution as soon as i get it working.  in the 
meantime, please feel free to correct me if i'm wrong / suggest other 
solutions. 


peace

-p


-- 
Until lions have their historians, tales of the hunt shall always
glorify the hunters.
 - African Proverb 


On Mon, 10-Jan-2005 at 22:16:02 +, Ed Wildgoose wrote:
> Hi,
>
> > having read the docs and the wondershaper script itself, it occurred to
> > me that the documentation promises an immediate drop in interactive app
> > latency, specifically mentioning SSH as a big winner.
> > however, looking through the script i can't really tell just *how*
> > wondershaper figures out which port my SSH daemon is running on.
> >
> > so what i'd like to know is, if i'm running my sshd on, say, port 222,
> > do i need to make any changes to the wondershaper script, or will it
> > figure out the right number automagically (e.g. from /etc/services,
> > where SSH is already correctly assigned to port 222) ?
> > (conversely, does it 'need' to figure out this port number at all?)
>
> It's been a while since I looked through wondershaper, but the relevant
> lines are apparently these:
>
>    # TOS Minimum Delay (ssh, NOT scp) in 1:10:
>    tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
>      match ip tos 0x10 0xff  flowid 1:10
>
> So it seems to be matching based on the type of service bits in the IP
> packet.  I seem to remember that SSH actually sets the IP tos bits
> correctly?
>
> So it *should* work when ssh is on another port.  I guess you need to
> either tweak the script (if you want a quick fix then just mark anything
> to/from port 222 as high priority), or else figure out why your packets
> aren't matching the required rule
>
> Good luck
>
> Ed W






[LARTC] wondershaper with ssh on a non-standard port

2005-01-10 Thread simms

greetings all, 

i've searched high and low for this, but can't seem to find an answer 
anywhere.. 

having read the docs and the wondershaper script itself, it occurred to 
me that the documentation promises an immediate drop in interactive app 
latency, specifically mentioning SSH as a big winner. 
however, looking through the script i can't really tell just *how* 
wondershaper figures out which port my SSH daemon is running on. 

so what i'd like to know is, if i'm running my sshd on, say, port 222, 
do i need to make any changes to the wondershaper script, or will it 
figure out the right number automagically (e.g. from /etc/services, 
where SSH is already correctly assigned to port 222) ?
(conversely, does it 'need' to figure out this port number at all?)

i ask because while ping time latency has indeed fallen for me since 
wondershaper was installed, my custom-port SSH connections are as slow 
as ever, especially during large file uploads.. 

my setup in a nutshell:
- current Debian GNU/Linux 'testing' distribution ('sarge', updated daily)
- kernel 2.4.27 (Debian 'testing' default, not customized)
- wondershaper (v. 1.1a) (from current Debian 'testing')
- Shorewall (v. 2.0.13) also from 'testing'
- 4 Mbit ADSL link via 'modem' on eth0


thank you in advance!

-p


-- 
If economists were doctors, they would today be mired in malpractice suits.
 - John Ralston Saul





Re: [LARTC] wondershaper with ssh on a non-standard port

2005-01-10 Thread Ed Wildgoose
Hi,

> having read the docs and the wondershaper script itself, it occurred to
> me that the documentation promises an immediate drop in interactive app
> latency, specifically mentioning SSH as a big winner.
> however, looking through the script i can't really tell just *how*
> wondershaper figures out which port my SSH daemon is running on.
>
> so what i'd like to know is, if i'm running my sshd on, say, port 222,
> do i need to make any changes to the wondershaper script, or will it
> figure out the right number automagically (e.g. from /etc/services,
> where SSH is already correctly assigned to port 222) ?
> (conversely, does it 'need' to figure out this port number at all?)

It's been a while since I looked through wondershaper, but the relevant
lines are apparently these:

   # TOS Minimum Delay (ssh, NOT scp) in 1:10:
   tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
     match ip tos 0x10 0xff  flowid 1:10

So it seems to be matching based on the type of service bits in the IP
packet.  I seem to remember that SSH actually sets the IP tos bits 
correctly?

So it *should* work when ssh is on another port.  I guess you need to 
either tweak the script (if you want a quick fix then just mark anything 
to/from port 222 as high priority), or else figure out why your packets 
aren't matching the required rule

Good luck
Ed W
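
[Added example, not part of the original posts and not wondershaper's own code:] The port-based prioritisation that simms's follow-up and Ed's "quick fix" both point to, as u32 filters that send TCP traffic to or from a given port into class 1:10 ahead of the TOS rule. It goes one step beyond the thread: the optional "small" mode also requires an IP total length below 512 bytes, so bulk scp/sftp packets on the same port are not prioritised, which the TOS rule's "ssh, NOT scp" comment gets for free and a bare port match does not. The function name and the 512-byte threshold are assumptions of this example; commands are printed unless TC=tc is set.

```shell
#!/bin/sh
# Added example. Dry run by default: every tc command is printed, not executed.
# To apply for real, run as root with TC=tc in the environment.
TC=${TC:-echo tc}

# hiprio_port_rules DEV "PORT ..." [small]
# (hypothetical helper; expects wondershaper's root qdisc 1: and class 1:10)
hiprio_port_rules() {
    hp_dev=$1; hp_ports=$2; hp_mode=${3:-all}

    # "small": IP total length (u16 at offset 2) must have its top 7 bits
    # clear, i.e. be below 512 bytes. Keystrokes fit, full-size scp data
    # segments do not. The threshold is this example's choice.
    hp_len=""
    if [ "$hp_mode" = small ]; then
        hp_len="match u16 0x0000 0xfe00 at 2"
    fi

    for hp_port in $hp_ports; do
        # Reject anything that is not a plain TCP port number.
        case $hp_port in
            ''|*[!0-9]*) echo "bad port: $hp_port" >&2; return 1 ;;
        esac
        if [ "$hp_port" -lt 1 ] || [ "$hp_port" -gt 65535 ]; then
            echo "port out of range: $hp_port" >&2
            return 1
        fi
        # sport covers a server on this box, dport covers outgoing sessions.
        for hp_dir in sport dport; do
            # prio 9 runs before wondershaper's prio 10 filters. The IHL
            # check (u8 0x05 0x0f at 0) keeps the port offsets valid, the
            # same guard wondershaper uses in its ACK filter.
            $TC filter add dev "$hp_dev" parent 1: protocol ip prio 9 u32 \
                match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
                match ip "$hp_dir" "$hp_port" 0xffff $hp_len flowid 1:10
        done
    done
}

# Constructed sample: sshd on port 222, uplink on eth0, as in the question.
hiprio_port_rules eth0 "222" small
```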


Re: [LARTC] Wondershaper in internal network

2004-08-22 Thread Johan Lindqvist
gypsy wrote:
> Johan Lindqvist wrote:
>
> > I've gotten wondershaper to work in my linux box, which is part of a 3
> > computer network that shares the same dsl connection. The linuxbox
> > handles most bulk down and uploading, and the other 2 are mainly for
> > surfing and such.
> > What I need from wondershaper is that it should perform its tasks
> > with all of the traffic to the dsl modem, but do nothing with the
> > internal traffic (traffic to 192.168.). This is important since I do a
> > lot of remote x'ing to the linuxbox, and when that traffic too is shaped,
> > it's too slow to work.
> > /johan
>
> You must tell us a lot more about your setup than above if you expect
> help.
> Does the linux box have more than one NIC?
> Are you DNATting?  If not, HOW is the DSL shared?
> What makes you say that the wonder script is interfering with internal
> traffic?
> In a normal setup, the linux box will have 2 NICs, one connected to a
> switch/hub serving the internal network and the other directly connected
> to the DSL.  Wonder then is configured to shape on the internet
> (external) interface (only).  That means it does not touch anything on
> the internal NW.
> You might be able to set up a modified Wonder such that the default /
> bulk does 100Mbit (assuming your internal NW is 100) by setting RATE =
> CEIL = 100Mb and then shape everything where the IP matches your DSL IP
> so that internet stuff never gets into the bulk queue.  Sort of
> reverse logic, but that is the way I dealt with an FTP server.  In the
> absence of a firewall mark in FTP packets, there is no good way to
> identify them, so instead handle the stuff you CAN identify and let the
> rest go into bulk.
> gypsy


Sorry I wasn't clear.
This is my setup:
DSL modem  4 port internet router  1. Winxp computer
2. Linux computer
3. Linux computer (thin client to computer no 2)

Every computer has one NIC. I know that the internal traffic is 
interfered with because the remote x environment gets extremely slow after 
running wondershaper. I have been thinking of putting a second nic into 
computer no 2, since it is obvious that would eliminate the problem, but 
if it is possible to solve this in another way, that would be 
preferable, since it would save some money on a long cable and a new nic 
;) ..
Would it not be an easy thing just putting into wondershaper another 
qdisc that shapes and police say 90 mbit, and a filter that catches all 
192.168. traffic that leads to that queue? I just don't know how to do 
this myself...
/Johan



Re: [LARTC] Wondershaper in internal network

2004-08-22 Thread gypsy
Johan Lindqvist wrote:
  This is my setup:
 DSL modem  4 port internet router  1. Winxp computer
 2. Linux computer
 3. Linux computer (thin client to computer no 2)
 
 Every computer has one NIC. I know that the internal traffic is
 interfered with because the remote x environment gets extremely slow after
 running wondershaper. I have been thinking of putting a second nic into
 computer no 2, since it is obvious that would eliminate the problem, but
 if it is possible to solve this in another way, that would be
 preferable, since it would save some money on a long cable and a new nic
 ;) ..
 Would it not be an easy thing just putting into wondershaper another
 qdisc that shapes and police say 90 mbit, and a filter that catches all
 192.168. traffic that leads to that queue? I just don't know how to do
 this myself...

Might be an easy thing, but I don't know how!

Perhaps the following will help.

http://andthatsjazz.org/lartc/ultimate.html shows a 4-queue Wonder
script.

http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/index.html

http://digriz.org.uk/
Jim diGriz's URL is not working right now; traceroute dies at
213.162.127.69.  But it is a don't miss, so keep trying!

What I'm not finding but expect might be possible is a second root:
tc qdisc add dev eth0 root handle 1: htb default 30
tc qdisc add dev eth0 root handle #: htb default ##  will this work?
Dunno, but I do know that you'll get bad results if the DSL and the
internal network are in the same class.

Wonder forces EVERYTHING not otherwise filtered into the default / bulk
class.  You might want NOT to do that so that unmatched stuff is totally
ignored by HTB.  Rather than match ip dst 0.0.0.0/0 flowid 1:30 you
add a bunch of filters that match internet but not internal NW...???

gypsy
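
One way to get what Johan asks for on a single NIC, as an added example that is not part of the thread or of the wondershaper script: give LAN destinations their own top-level HTB class and let LAN sources match an ingress filter that carries no policer. The function name `lan_bypass_rules`, the class numbers and the demo rates are assumptions; the commands are only printed, not applied.

```shell
#!/bin/sh
# Added example, not from the thread. Prints tc commands that shape only
# Internet-bound traffic on a single-NIC host; LAN traffic gets its own class.
# Nothing is applied: review the output, then pipe it to sh as root.

# usage: lan_bypass_rules DEV LAN_CIDR UPLINK_KBIT DOWNLINK_KBIT LAN_MBIT
lan_bypass_rules() {
    dev=$1 lan=$2 up=$3 down=$4 lanrate=$5

    # The arguments end up in commands run as root, so accept only a plain
    # interface name, digits/dots/one slash for the prefix, and integers.
    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad device: $dev" >&2; return 1 ;;
    esac
    case $lan in
        *[!0-9./]*|*/*/*|/*|*/) echo "bad LAN prefix: $lan" >&2; return 1 ;;
        */*) ;;
        *) echo "bad LAN prefix: $lan" >&2; return 1 ;;
    esac
    for n in "$up" "$down" "$lanrate"; do
        case $n in
            ''|0*|*[!0-9]*) echo "bad rate: $n" >&2; return 1 ;;
        esac
    done
    [ "$up" -ge 10 ] || { echo "uplink too small to split" >&2; return 1; }

    # Leaf guarantees add up to exactly the Internet parent; ceil lets each
    # leaf borrow the rest when the other one is idle.
    r10=$((up * 4 / 10))
    r30=$((up - r10))

    cat <<EOF
# --- egress ---
tc qdisc del dev $dev root 2>/dev/null
tc qdisc add dev $dev root handle 1: htb default 30
# 1:1 = Internet, capped at the uplink. 1:2 = LAN, a separate top-level
# class, so it never borrows from or lends to the Internet classes.
tc class add dev $dev parent 1: classid 1:1 htb rate ${up}kbit ceil ${up}kbit
tc class add dev $dev parent 1: classid 1:2 htb rate ${lanrate}mbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${r10}kbit ceil ${up}kbit prio 1
tc class add dev $dev parent 1:1 classid 1:30 htb rate ${r30}kbit ceil ${up}kbit prio 2
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10
# The lowest prio number is consulted first: LAN destinations leave the shaper.
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dst $lan flowid 1:2
# Interactive Internet traffic (TOS Minimum-Delay, ICMP) goes to 1:10.
tc filter add dev $dev parent 1: protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
tc filter add dev $dev parent 1: protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
# Everything else falls into the default class 1:30.
# --- ingress ---
tc qdisc del dev $dev ingress 2>/dev/null
tc qdisc add dev $dev handle ffff: ingress
# LAN sources match first and carry no policer.
tc filter add dev $dev parent ffff: protocol ip prio 1 u32 match ip src $lan flowid :1
tc filter add dev $dev parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${down}kbit burst 10k drop flowid :1
EOF
}

# Demo with constructed values when no arguments are given.
[ "$#" -eq 5 ] || set -- eth0 192.168.0.0/16 400 2000 100
lan_bypass_rules "$@"
```

The prefix check is syntactic only; tc itself rejects an out-of-range address when the printed commands are run.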


[LARTC] Wondershaper in internal network

2004-08-21 Thread Johan Lindqvist
I've gotten wondershaper to work in my linux box, which is part of a 3 
computer network that shares the same dsl connection. The linuxbox 
handles most bulk down and uploading, and the other 2 are mainly for 
surfing and such.
What I need from wondershaper is that it should perform its tasks 
with all of the traffic to the dsl modem, but do nothing with the 
internal traffic (traffic to 192.168.). This is important since I do a 
lot of remote x'ing to the linuxbox, and when that traffic too is shaped, 
it's too slow to work.
I think this should be easy for anyone who knows about these things. 
But I can't seem to get enough knowledge about this just reading the 
lartc howto. Perhaps someone can help me?

/johan


Re: [LARTC] Wondershaper in internal network

2004-08-21 Thread gypsy
Johan Lindqvist wrote:
 
 I've gotten wondershaper to work in my linux box, which is part of a 3
 computer network that shares the same dsl connection. The linuxbox
 handles most bulk down and uploading, and the other 2 are mainly for
 surfing and such.
  What I need from wondershaper is that it should perform its tasks
 with all of the traffic to the dsl modem, but do nothing with the
 internal traffic (traffic to 192.168.). This is important since I do a
 lot of remote x'ing to the linuxbox, and when that traffic too is shaped,
 it's too slow to work.
 /johan

You must tell us a lot more about your setup than above if you expect
help.

Does the linux box have more than one NIC?
Are you DNATting?  If not, HOW is the DSL shared?
What makes you say that the wonder script is interfering with internal
traffic?

In a normal setup, the linux box will have 2 NICs, one connected to a
switch/hub serving the internal network and the other directly connected
to the DSL.  Wonder then is configured to shape on the internet
(external) interface (only).  That means it does not touch anything on
the internal NW.

You might be able to set up a modified Wonder such that the default /
bulk does 100Mbit (assuming your internal NW is 100) by setting RATE =
CEIL = 100Mb and then shape everything where the IP matches your DSL IP
so that internet stuff never gets into the bulk queue.  Sort of
reverse logic, but that is the way I dealt with an FTP server.  In the
absence of a firewall mark in FTP packets, there is no good way to
identify them, so instead handle the stuff you CAN identify and let the
rest go into bulk.

gypsy


Re: [LARTC] Wondershaper in internal network

2004-08-21 Thread nix4me
gypsy wrote:
Johan Lindqvist wrote:
 

I've gotten wondershaper to work in my linux box, which is part of a 3
computer network that shares the same dsl connection. The linuxbox
handles most bulk down and uploading, and the other 2 are mainly for
surfing and such.
What I need from wondershaper is that it should perform its tasks
with all of the traffic to the dsl modem, but do nothing with the
internal traffic (traffic to 192.168.). This is important since I do a
lot of remote x'ing to the linuxbox, and when that traffic too is shaped,
it's too slow to work.
/johan
   

You must tell us a lot more about your setup than above if you expect
help.
Does the linux box have more than one NIC?
Are you DNATting?  If not, HOW is the DSL shared?
What makes you say that the wonder script is interfering with internal
traffic?
In a normal setup, the linux box will have 2 NICs, one connected to a
switch/hub serving the internal network and the other directly connected
to the DSL.  Wonder then is configured to shape on the internet
(external) interface (only).  That means it does not touch anything on
the internal NW.
You might be able to set up a modified Wonder such that the default /
bulk does 100Mbit (assuming your internal NW is 100) by setting RATE =
CEIL = 100Mb and then shape everything where the IP matches your DSL IP
so that internet stuff never gets into the bulk queue.  Sort of
reverse logic, but that is the way I dealt with an FTP server.  In the
absence of a firewall mark in FTP packets, there is no good way to
identify them, so instead handle the stuff you CAN identify and let the
rest go into bulk.
gypsy
 

Well, there is a better way.  I was able to mark ftp outgoing traffic 
using iptables.  I shape all outgoing packets on a port range and throw 
the rest in a 100mbit bulk.  Works like a champ.  I have the outbound 
ftp passive ports and the active port marked.  Let me know if you want 
to see my script.

Mark


Re: [LARTC] wondershaper under Debian

2004-06-08 Thread Fernando Favero



Tks a lot for the help. I am Brazilian and my written Spanish is even
worse than my English... but I understand you completely. This is the only
place where I could find help. I am trying to fix the problem for myself...
sooner or later I will find a solution. I hope so!
Many thanks, brother! :)
Fernando Favero

  - Original Message -
  From: Sebastian A. Aresca
  To: Fernando Favero
  Sent: Tuesday, June 08, 2004 1:45 AM
  Subject: Re: [LARTC] wondershaper under Debian

  Fernando: honestly, I have no idea what it could be. I am using Debian
  3.0r1 with a 2.4.26 kernel that I compiled myself (it already comes with
  htb3 patched in).
  But the thing is that I don't think you will get an answer on the list,
  since your mail is not explanatory at all. I don't know whether you are
  new to the list, but I doubt anyone will reply. Better to try to gather
  more information and maybe you will arrive at your answer.

  Regards

  Sebastián A. Aresca
  NTA - Area Redes UTN Rosario - Argentina
  http://www.frro.utn.edu.ar

  - Original Message -
  From: Fernando Favero
  To: [EMAIL PROTECTED]
  Sent: Monday, June 07, 2004 9:45 PM
  Subject: [LARTC] wondershaper under Debian

  Hi everybody! I know this discussion list isn't just about wondershaper,
  but I think someone can help me.
  I used to have a linux box running red hat 8, as firewall on my lan. I
  upgraded to debian 3.0 and tried to use the same wondershaper files under
  debian, but, when I run wondershaper on ppp0 device, it just stops
  transferring. Remember: it's the same files I used with success under
  red hat 8.
  The only difference in the connection between red hat 8 and debian 3 is
  that under rh8 I used rp-pppoe and under debian I use the default pppoe
  dialer.
  I don't get any error message. What can be wrong?
  I am using:
  P166Mhz 32MB Ram
  debian 3.0 (only console)
  kernel 2.4.18
  iptables v1.2.6a
  Tks in advance and sorry for my English.
  Fernando Favero


[LARTC] wondershaper under Debian

2004-06-07 Thread Fernando Favero



Hi everybody! I know this discussion list isn't just about wondershaper,
but I think someone can help me.
I used to have a linux box running red hat 8, as firewall on my lan. I
upgraded to debian 3.0 and tried to use the same wondershaper files under
debian, but, when I run wondershaper on ppp0 device, it just stops
transferring. Remember: it's the same files I used with success under
red hat 8.
The only difference in the connection between red hat 8 and debian 3 is
that under rh8 I used rp-pppoe and under debian I use the default pppoe
dialer.
I don't get any error message. What can be wrong?
I am using:
P166Mhz 32MB Ram
debian 3.0 (only console)
kernel 2.4.18
iptables v1.2.6a
Tks in advance and sorry for my English.
Fernando Favero


[LARTC] Wondershaper - question

2004-05-31 Thread Matthias Lendholt
Hi,
I have a question concerning wondershaper. I'm using the Clarkconnect linux
distribution for my linux router and I tried to use wondershaper.

On start up of wshaper, there are no errors or any other problems but I'm
not sure if it's running correctly. Only one qdisc / one class is used and
when I start an uplink ftp transfer, my ping time is growing up to 1700ms -
I don't think that there is anything shaped or scheduled.

In the wshaper file I set the up- and downlink values and for the p2p I set
this:
# low priority source ports
NOPRIOPORTSRC=4662

# low priority destination ports
NOPRIOPORTDST=4662


Then I start it:
[EMAIL PROTECTED] bin]# wshaper start
[EMAIL PROTECTED] bin]#

One or two minutes later (with p2p traffic and some pings) I got this:

[EMAIL PROTECTED] bin]# wshaper status
qdisc ingress : 
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

 qdisc sfq 30: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

 qdisc sfq 20: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

 qdisc sfq 10: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

 qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 1116535 bytes 6148 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0

 class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 1117031 bytes 6154 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:10 parent 1:1 leaf 10: rate 120Kbit prio 1
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 120Kbit (bounded,isolated) prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:20 parent 1:1 leaf 20: rate 108Kbit prio 2
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:30 parent 1:1 leaf 30: rate 96Kbit prio 2
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
[EMAIL PROTECTED] bin]#

As you can see, just qdisc 1: is used. The same behavior after hours of
running wshaper; only this one qdisc is used.

Has anyone an idea why this happens?

Thanks,
Matthias Lendholt
(Berlin, Germany)




Re: [LARTC] Wondershaper - question

2004-05-31 Thread Mr Ivan Hawkes
Matthias Lendholt wrote:
Those are port lists, not the line speed. They should be more like
NOPRIOPORTDST=53 21 22
or similar. Check the docs for more help on it.
Hi,
I have a question concerning wondershaper. I'm using the Clarkconnect linux
distribution for my linux router and I tried to use wondershaper.
On start up of wshaper, there are no errors or any other problems but I'm
not sure if it's running correctly. Only one qdisc / one class is used and
when I start an uplink ftp transfer, my ping time is growing up to 1700ms -
I don't think that there is anything shaped or scheduled.
In the wshaper file I set the up- and downlink values and for the p2p I set
this:
# low priority source ports
NOPRIOPORTSRC=4662
# low priority destination ports
NOPRIOPORTDST=4662

--
http://www.ivanhawkes.com  |  ICQ: 173-392-038


Re: [LARTC] Wondershaper stops limiting outbound traffic

2004-04-30 Thread Andy Furniss
Richard wrote:
I have wondershaper to limit my upload at 400kilobits (my line is 600kbps).
I do a lot of torrent seeding and I don't want my pings killed when I'm 
uploading so I set low priority source ports as follows (by the way, I have 
bittorrent to only use ports 6881-6910):
That means BT will listen on those ports. Even if you just seed, it will 
still connect to others - so the src port will be different. The dst 
port will usually be a standard BT one - but only as long as the peer 
didn't tell BT to listen on different ports. To mark BT properly you 
need something that looks at the data like ipp2p - this needs a 
netfilter extra POM patch (connmark) to work.

http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
Andy.

NOPRIOPORTSRC=6881 6882 6883 6884 6885 6886 6887 6888 6889 6890 6891 6892 
6893 6894 6895 6896 6897 6898 6899 6900 6901 6902 6903 6904 6905 6906 6907 
6908 6909 6910

Problem is, sometimes my upload will be limited to 50kb/s and others it'll be 
maxed.  This is with wondershaper running too!  (verified by ./wshaper 
status).

If I stop wondershaper (./wshaper stop) my outbound bandwidth does nothing (as 
it's already maxed) but if I try to start it again, nothing happens again 
(yet ./wshaper status shows that wondershaper is installed).  If I comment 
out all the SRC ports that I want no priority for, and re-run wshaper, my 
outbound is once again limited to 50kb/s, but my pings are horrible because 
all bandwidth has the same priority.

Some will ask why not use the torrent's bandwidth limitation... the answer to 
that is because it sucks.  I have it set to 50kb/s and instead of it staying 
at 50, it fluctuates up and down and AVERAGES 50kb/s.  

What could be causing this problem when NOPRIOPORTSRC is set to de-prioritize 
torrents? 


[LARTC] Wondershaper stops limiting outbound traffic

2004-04-28 Thread Richard
I have wondershaper to limit my upload at 400kilobits (my line is 600kbps).

I do a lot of torrent seeding and I don't want my pings killed when I'm 
uploading so I set low priority source ports as follows (by the way, I have 
bittorrent to only use ports 6881-6910):

NOPRIOPORTSRC=6881 6882 6883 6884 6885 6886 6887 6888 6889 6890 6891 6892 
6893 6894 6895 6896 6897 6898 6899 6900 6901 6902 6903 6904 6905 6906 6907 
6908 6909 6910

Problem is, sometimes my upload will be limited to 50kb/s and others it'll be 
maxed.  This is with wondershaper running too!  (verified by ./wshaper 
status).

If I stop wondershaper (./wshaper stop) my outbound bandwidth does nothing (as 
it's already maxed) but if I try to start it again, nothing happens again 
(yet ./wshaper status shows that wondershaper is installed).  If I comment 
out all the SRC ports that I want no priority for, and re-run wshaper, my 
outbound is once again limited to 50kb/s, but my pings are horrible because 
all bandwidth has the same priority.

Some will ask why not use the torrent's bandwidth limitation... the answer to 
that is because it sucks.  I have it set to 50kb/s and instead of it staying 
at 50, it fluctuates up and down and AVERAGES 50kb/s.  

What could be causing this problem when NOPRIOPORTSRC is set to de-prioritize 
torrents? 


Re: [LARTC] wondershaper question

2004-04-02 Thread Corey Hickey
gypsy wrote:
 Also
 remember YOU DO NOT SHAPE DOWNLOADS!  HTB can only police D/L, not
 shape.  You must use iptables or IMQ to shape D/L; I use iptables -m
 limit --limit ##/second -j ACCEPT
 iptables -j DROP
 and make sure that these 2 lines preceed any RELATED, ESTABLISHED
 accepts.  Note that the real iptables rules include either --dport ## or
 --sport ##, depending on what the rule accomplishes.  Note further that
 downloads are on INPUT so I specify -A INPUT to throttle D/L.
 

If you use htb or other shaping qdiscs on a router, you can set it up so
that it sees packets that are leaving both interfaces and can therefore
shape traffic in both directions. Sure, you can't shape traffic destined
for the router itself, but that's rarely an issue.

-Corey


[LARTC] wondershaper question

2004-04-01 Thread Chris Winfield-Blum








Hi I am very unclear about the wonder shaper and a bit of a novice
with Unix all together

I have a question for you and I hope you can answer

Basically my office is getting a couple of people slowing down the
network so I've been looking around and found wondershaper

What I want to know is that can I rather than having low priority
ports have it with high priority ports

And the same with high priority hosts...

Can I have it so that say for example 192.168.1.2 192.168.1.3 are high
priority and port 20 22 80 443 110 25 etc are high priority?

Also how do I clear the rules I have made with the script??

If I want it to return to the default for example??

Thanks

Chris








Re: [LARTC] wondershaper question

2004-04-01 Thread Jason Boxman
On Thursday 01 April 2004 21:03, Chris Winfield-Blum wrote:
 Hi I am very unclear about the wonder shaper and a bit of a novice
 with Unix all together

 I have a question for you and I hope you can answer

 Basically my office is getting a couple of people slowing down the

I would seriously suggest you attempt the social engineering route first if at 
all possible.

 network so ive been looking around and found wondershaper
 What I want to know is that can I rather than having low priority
 ports have it with high priority ports

 And the same with high priority hosts...

Wondershaper seems to essentially allow you to put traffic you don't like in 
the dog house.  It doesn't seem to offer a facility to let you pick which 
ports or hosts constitute high priority traffic.



 Can I have it so that say for example 192.168.1.2 192.168.1.3 are high
 priority and port 20 22 80 443 110 25 etc are high priority?

Not as it is written.

 Also how do I clear the rules I have made with the script??

Try calling it with the keyword 'stop':

bash wshaper.sh stop

Which will perform:

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

 If I want it to return to the default for example??

 Thanks

 Chris

-- 

Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff



RE: [LARTC] wondershaper question

2004-04-01 Thread Chris Winfield-Blum
Maybe there is another solution to this problem?

The problem is that I have had a couple of users on the network hogging
the bandwidth and while we do have a policy implemented sometimes the
downloads are genuinely work related (eg downloaded a new version of an
application we use for development)

Sooo what I NEED is

A script that will ensure that ports 80, 25, 110, 443, etc are priority
Then that these are then shaped to not allow one person to
hog it all.

In an IDEAL situation I would like to break it up into classes

Server Class: that has access to ALL ports and are priority for any
traffic (maybe I can set them a guaranteed 100Kb/s) 

User Class: that has priority access (that doesn't override the server
class) to ports 80, 25, 110 etc. Perhaps the remaining 156Kb/s is
divided evenly?

Any suggestions? I'm really NEW to this and would love some example
scripts (preferably commented highly :P hehe)

This was the address of the other script that I found:
http://www.surestorm.com/qos/

I am not set on using wondershaper..

Thanks for all your help

Chris



Re: [LARTC] wondershaper question

2004-04-01 Thread Corey Hickey
Chris Winfield-Blum wrote:
 Maybe there is another solution to this problem?
 
 The problem is that I have had a couple of users on the network hogging
 the bandwidth and while we do have a policy implemented sometimes the
 downloads are genuinely work related (eg downloaded a new version of an
 application we use for development)
 
 Sooo what I NEED is
 
 A script that will ensure that ports 80, 25, 110, 443, etc are priority
 Then that these are then shaped to not allow one person to
 hog it all.
 
 In an IDEAL situation I would like to break it up into classes
 
 Server Class: that has access to ALL ports and are priority for any
 traffic (maybe I can set them a guaranteed 100Kb/s) 
 
 User Class: that has priority access (that doesn't override the server
 class) to ports 80, 25, 110 etc. Perhaps the remaining 156Kb/s is
 divided evenly?
 
 Any suggestions? I'm really NEW to this and would love some example
 scripts (preferably commented highly :P hehe)
 
 This was the address of the other script that I found:
 http://www.surestorm.com/qos/
 
 I am not set on using wondershaper..
 
 Thanks for all your help
 
 Chris
 

Wondershaper and other such scripts are good examples, but if you want
very fine-grained control of your traffic shaping, you'll probably want
to write your own script (or at least tweak one). Don't be intimidated
by the apparent complexity of the examples you see -- although the
commands for shaping traffic are probably unlike anything you've seen
before, they're not hard to understand after reading the available
documentation.

Of course, www.lartc.org is a good place to start. Look through chapter
9, but don't worry if you don't understand everything the first time.
The qdisc you want to use is htb (as you can see, that's the heart of
wondershaper), and there's a good in-depth description at:
http://luxik.cdi.cz/~devik/qos/htb/
(follow the link for user guide).

-Corey


Re: [LARTC] Wondershaper breaks IPSec tunnels

2004-03-12 Thread Jason A. Pattie
Damion de Soto wrote:
| Hi Jason,
|
| Am I silently being told that this is the wrong question to ask of this
| list?  :)
|
|
| Probably.  I'll reply but I think it'll only be of statistic interest.
First of all, thanks for replying.

| | I now have a situation where I get to use traffic shaping for a client.
| | ~ We implemented the WonderShaper script on our own firewall and
| | experienced no problems.  I made some modifications to it to add IPSec
| | protocol packets into the 1:10 high priority class using the u32
| filter.
| | ~ So far on our network, it's worked flawlessly, and we've received
| much
| | benefit from it.  Interactive SSH and VNC sessions are now much, much
| | smoother when, for example, we do an apt-get update/upgrade/install at
| | the same time or any downloading, e-mailing, etc.
|
| Yeah, I've done the same thing.
|
|
| | However, yesterday, I installed it for a client using the same
| | modifications we have been using, and at first, I only added the
| | modifications to the client's external interface (eth1).  Within an
| | hour, the FreeS/WAN VPN connections could no longer negotiate new
| | tunnels when rekeying.  In his scenario, he has two DSL connections
| | (eth1, eth2) coming into the firewall with a single internal interface
| | (eth0).  It appears that something broke the VPN negotiation when I
| | installed the WonderShaper.  As long as the tunnels are up when I start
| | WonderShaper, they work fine, until they need to rekey.  Then they
| throw
| | errors saying things like max number of retransmissions reached, and
| | Possible authentication failure: no acceptable response to our first
| | encrypted message, etc.  The moment I 'stop' the WonderShaper, the VPN
| | tunnels can be reestablished successfully.
| |
| | I was wondering if anyone else has experienced these kinds of problems
| | with the WonderShaper and IPSec tunnels?
|
| Nope, never seen traffic shaping cause problems like that.
|
| | Also, I'm attempting to prioritize RDP packets on the ipsec0 interface.
| | ~ Is this as simple as copying every line in the script except changing
| | $DEV to $DEV2 which is assigned to ipsec0 and adding a u32 match for
| | sport 3389?  That's currently what I've done.
|
| I believe so.
|
| | I just can't get over the fact that it works (in almost the exact same
| | scenario, except for the 2 DSL circuits) on our firewall, but not our
| | client's.
|
|
| | These are the changes that I made to match IPSec traffic and place it
| | into the high priority class (where DEV = eth1 -- the Internet):
|
| I've put my IPSec traffic in the middle class.
But isn't that where it would be if I did nothing to it?  Only the
really bad traffic gets put in 1:30, right?  BTW, the middle class is
1:20, correct?
| The only thing I can think of, is that the particular client has
| saturated one of the  lower priority leaf classes, and delayed the
| traffic in the high-priority class for too long for a valid key exchange.
|
| Unless you've changed it, the wondershaper doesn't specify ceil values,
Nope.  Haven't changed those values.  Do I want to?  I basically want
any traffic of lower priority to be able to take all the bandwidth as
long as there is no traffic of a higher priority around, but have it
give way to higher priority traffic when present.
| which means they get set to the rate value, and unless you've changed
| the way it calculates it's percentage rate values, the sum of the leaf
| rates can exceed the parent.
| which i believe can lead to weird and/or bad behaviour.
Hmm.  Guess I'll have to look into this more.

Thank you very much.

- --
Jason A. Pattie
[EMAIL PROTECTED]
Xperience, Inc. (http://www.xperienceinc.com)
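
The two conditions raised in the quoted reply (leaf classes with no ceil, and leaf rates that add up to more than the parent) can be checked mechanically before a shaping script is deployed. This is an added example, not code from the thread or from wondershaper; the function names `check_htb_rates` and `sample_classes` and the sample class lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads "tc class add ..." lines (one
# command per line) on stdin and reports:
#   OVERCOMMIT  a parent whose children are guaranteed more than its own rate
#   NOCEIL      a leaf with no ceil, which HTB then caps at its own rate
# Exit status is 1 when anything is reported, 0 otherwise.
check_htb_rates() {
    awk '
    function kbit(v) {               # "120kbit", "10mbit", "8000bit" -> kbit
        v = tolower(v)
        if (v ~ /^[0-9]+mbit$/) return (v + 0) * 1000
        if (v ~ /^[0-9]+kbit$/) return v + 0
        if (v ~ /^[0-9]+bit$/)  return (v + 0) / 1000
        return -1                    # other tc units are not handled here
    }
    $1 == "tc" && $2 == "class" && $3 == "add" {
        parent = classid = rate = ceil = ""
        for (i = 4; i < NF; i++) {
            if ($i == "parent")  parent  = $(i + 1)
            if ($i == "classid") classid = $(i + 1)
            if ($i == "rate")    rate    = $(i + 1)
            if ($i == "ceil")    ceil    = $(i + 1)
        }
        r = kbit(rate)
        if (parent == "" || classid == "" || r < 0) {
            printf "UNPARSED line %d\n", NR
            bad = 1
            next
        }
        id[++n] = classid            # remember input order for the report
        own[classid] = r
        hasceil[classid] = (ceil != "")
        kids[parent] += r            # sum of guaranteed rates below parent
    }
    END {
        for (k = 1; k <= n; k++) {
            c = id[k]
            if (c in kids) {         # inner class: compare with its children
                if (kids[c] > own[c]) {
                    printf "OVERCOMMIT %s rate=%dkbit children=%dkbit\n", c, own[c], kids[c]
                    bad = 1
                }
            } else if (!hasceil[c]) {   # leaf class without ceil
                printf "NOCEIL %s\n", c
                bad = 1
            }
        }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: three leaves with no ceil whose rates add up to
# 324 kbit under a 120 kbit parent.
sample_classes() {
    cat <<'EOF'
tc class add dev eth1 parent 1: classid 1:1 htb rate 120kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 120kbit prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 108kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 96kbit prio 2
EOF
}

sample_classes | check_htb_rates || echo "(findings above)"
```

A layout that passes keeps the leaf rates within the parent's rate and sets each leaf's ceil to the parent's rate, so a lower class can still use idle bandwidth.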


Re: [LARTC] Wondershaper breaks IPSec tunnels

2004-03-11 Thread Jason A. Pattie
Am I silently being told that this is the wrong question to ask of this
list?  :)
Jason A. Pattie wrote:
| Hello, been awhile since I've written.
|
| I now have a situation where I get to use traffic shaping for a client.
| ~ We implemented the WonderShaper script on our own firewall and
| experienced no problems.  I made some modifications to it to add IPSec
| protocol packets into the 1:10 high priority class using the u32 filter.
| ~ So far on our network, it's worked flawlessly, and we've received much
| benefit from it.  Interactive SSH and VNC sessions are now much, much
| smoother when, for example, we do an apt-get update/upgrade/install at
| the same time or any downloading, e-mailing, etc.
|
| However, yesterday, I installed it for a client using the same
| modifications we have been using, and at first, I only added the
| modifications to the client's external interface (eth1).  Within an
| hour, the FreeS/WAN VPN connections could no longer negotiate new
| tunnels when rekeying.  In his scenario, he has two DSL connections
| (eth1, eth2) coming into the firewall with a single internal interface
| (eth0).  It appears that something broke the VPN negotiation when I
| installed the WonderShaper.  As long as the tunnels are up when I start
| WonderShaper, they work fine, until they need to rekey.  Then they throw
| errors saying things like max number of retransmissions reached, and
| Possible authentication failure: no acceptable response to our first
| encrypted message, etc.  The moment I 'stop' the WonderShaper, the VPN
| tunnels can be reestablished successfully.
|
| I was wondering if anyone else has experienced these kinds of problems
| with the WonderShaper and IPSec tunnels?
|
| Also, I'm attempting to prioritize RDP packets on the ipsec0 interface.
| ~ Is this as simple as copying every line in the script except changing
| $DEV to $DEV2 which is assigned to ipsec0 and adding a u32 match for
| sport 3389?  That's currently what I've done.
|
| I just can't get over the fact that it works (in almost the exact same
| scenario, except for the 2 DSL circuits) on our firewall, but not our
| client's.
|
| These are the changes that I made to match IPSec traffic and place it
| into the high priority class (where DEV = eth1 -- the Internet):
| --
| # IPSec traffic in 1:10
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
| ~  match ip protocol 0x32 0xff \
| ~  flowid 1:10
|
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
| ~  match ip protocol 0x33 0xff \
| ~  flowid 1:10
|
|
| These are the changes to match RDP on the IPSec interface (where DEV2 =
| ipsec0):
| --
| # RDP (Remote Desktop Protocol) in interactive class 1:10 on ipsecN
| interfaces
| tc filter add dev $DEV2 parent 1: protocol ip prio 10 u32 \
| ~   match ip sport 3389 0x \
| ~   flowid 1:10
|
|
| Are these even valid?
|
| Thank you for your time.
|
- --
Jason A. Pattie
[EMAIL PROTECTED]
Xperience, Inc. (http://www.xperienceinc.com)


Re: [LARTC] Wondershaper breaks IPSec tunnels

2004-03-11 Thread Damion de Soto
Hi Jason,

Am I silently being told that this is the wrong question to ask of this
list?  :)
Probably.  I'll reply but I think it'll only be of statistical interest.


| I now have a situation where I get to use traffic shaping for a client.
| We implemented the WonderShaper script on our own firewall and
| experienced no problems.  I made some modifications to it to add IPSec
| protocol packets into the 1:10 high priority class using the u32 filter.
| So far on our network, it's worked flawlessly, and we've received much
| benefit from it.  Interactive SSH and VNC sessions are now much, much
| smoother when, for example, we do an apt-get update/upgrade/install at
| the same time or any downloading, e-mailing, etc.
Yeah, I've done the same thing.


| However, yesterday, I installed it for a client using the same
| modifications we have been using, and at first, I only added the
| modifications to the client's external interface (eth1).  Within an
| hour, the FreeS/WAN VPN connections could no longer negotiate new
| tunnels when rekeying.  In his scenario, he has two DSL connections
| (eth1, eth2) coming into the firewall with a single internal interface
| (eth0).  It appears that something broke the VPN negotiation when I
| installed the WonderShaper.  As long as the tunnels are up when I start
| WonderShaper, they work fine, until they need to rekey.  Then they throw
| errors saying things like max number of retransmissions reached, and
| Possible authentication failure: no acceptable response to our first
| encrypted message, etc.  The moment I 'stop' the WonderShaper, the VPN
| tunnels can be reestablished successfully.
|
| I was wondering if anyone else has experienced these kinds of problems
| with the WonderShaper and IPSec tunnels?
Nope, never seen traffic shaping cause problems like that.

| Also, I'm attempting to prioritize RDP packets on the ipsec0 interface.
| Is this as simple as copying every line in the script except changing
| $DEV to $DEV2 which is assigned to ipsec0 and adding a u32 match for
| sport 3389?  That's currently what I've done.
I believe so.

| I just can't get over the fact that it works (in almost the exact same
| scenario, except for the 2 DSL circuits) on our firewall, but not our
| client's.

| These are the changes that I made to match IPSec traffic and place it
| into the high priority class (where DEV = eth1 -- the Internet):
I've put my IPSec traffic in the middle class.

The only thing I can think of is that the particular client has saturated one of the
lower priority leaf classes, and delayed the traffic in the high-priority class for
too long for a valid key exchange.

Unless you've changed it, the wondershaper doesn't specify ceil values, which means
they get set to the rate value, and unless you've changed the way it calculates its
percentage rate values, the sum of the leaf rates can exceed the parent,
which I believe can lead to weird and/or bad behaviour.



--
~~~
Damion de Soto - Software Engineer  email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company ---ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliancesweb: http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---
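
The concern raised in the reply above (leaf rates that sum past the parent, with ceil left at the rate) can be checked mechanically. This is an added example, not code from the thread or from wondershaper: it audits `tc class show` output for HTB parents whose children's guaranteed rates exceed the parent's rate. Both sample trees are constructed, the first from the 150/135/120 kbit leaf rates this archive shows for UPLINK=150, and the 4/3/3 split in `balanced_classes` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit an HTB class tree for parents
# whose children's guaranteed rates add up to more than the parent's rate.

# Reads `tc class show dev DEV` text on stdin. Prints one line per
# oversubscribed parent; returns 1 if any was found, 0 otherwise.
audit_htb() {
  awk '
    # Convert a tc rate token such as 150Kbit or 1.5Mbit to bits per second.
    function to_bits(s,   n) {
      n = s + 0                          # numeric prefix of the token
      if (s ~ /Gbit$/)    return n * 1000000000
      if (s ~ /Mbit$/)    return n * 1000000
      if (s ~ /[Kk]bit$/) return n * 1000
      return n                           # plain "bit"
    }
    $1 == "class" && $2 == "htb" {
      id = $3; parent = ""; rate = 0
      for (i = 4; i < NF; i++) {
        if ($i == "parent") parent = $(i + 1)
        if ($i == "rate")   rate = to_bits($(i + 1))
      }
      rate_of[id] = rate
      if (parent != "") sum[parent] += rate
    }
    END {
      bad = 0
      for (p in sum)
        if ((p in rate_of) && sum[p] > rate_of[p]) {
          printf "OVERSUBSCRIBED %s rate=%d children_sum=%d\n", p, rate_of[p], sum[p]
          bad = 1
        }
      exit bad
    }'
}

# Emit (do not run) tc commands for three leaves whose rates sum to at most
# UPLINK, each with an explicit ceil so borrowing is stated, not implied.
# The 4/10, 3/10, 3/10 split is an assumption chosen for illustration.
balanced_classes() {
  dev=$1
  uplink=$2
  r10=$((4 * uplink / 10))
  r20=$((3 * uplink / 10))
  r30=$((3 * uplink / 10))
  echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${r10}kbit ceil ${uplink}kbit burst 6k prio 1"
  echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${r20}kbit ceil ${uplink}kbit burst 6k prio 2"
  echo "tc class add dev $dev parent 1:1 classid 1:30 htb rate ${r30}kbit ceil ${uplink}kbit burst 6k prio 2"
}

# Constructed sample: 150/135/120 kbit leaves under a 150 kbit parent,
# with ceil equal to rate on every leaf.
SAMPLE_OVERSUBSCRIBED='class htb 1:1 root rate 150Kbit ceil 150Kbit burst 1618b cburst 1618b
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 150Kbit ceil 150Kbit burst 6Kb cburst 1618b
class htb 1:20 parent 1:1 leaf 20: prio 2 rate 135Kbit ceil 135Kbit burst 6Kb cburst 1616b
class htb 1:30 parent 1:1 leaf 30: prio 2 rate 120Kbit ceil 120Kbit burst 6Kb cburst 1614b'

# Constructed sample: the same tree after `balanced_classes eth1 150`.
SAMPLE_BALANCED='class htb 1:1 root rate 150Kbit ceil 150Kbit burst 1618b cburst 1618b
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 60Kbit ceil 150Kbit burst 6Kb cburst 1618b
class htb 1:20 parent 1:1 leaf 20: prio 2 rate 45Kbit ceil 150Kbit burst 6Kb cburst 1618b
class htb 1:30 parent 1:1 leaf 30: prio 2 rate 45Kbit ceil 150Kbit burst 6Kb cburst 1618b'

printf '%s\n' "$SAMPLE_OVERSUBSCRIBED" | audit_htb || true
printf '%s\n' "$SAMPLE_BALANCED" | audit_htb && echo "balanced tree: ok"
balanced_classes eth1 150
```

On a live box the input would come from `tc class show dev eth1 | audit_htb`.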


[LARTC] Wondershaper breaks IPSec tunnels

2004-03-05 Thread Jason A. Pattie
Hello, been awhile since I've written.

I now have a situation where I get to use traffic shaping for a client.
We implemented the WonderShaper script on our own firewall and
experienced no problems.  I made some modifications to it to add IPSec
protocol packets into the 1:10 high priority class using the u32 filter.
So far on our network, it's worked flawlessly, and we've received much
benefit from it.  Interactive SSH and VNC sessions are now much, much
smoother when, for example, we do an apt-get update/upgrade/install at
the same time or any downloading, e-mailing, etc.

However, yesterday, I installed it for a client using the same
modifications we have been using, and at first, I only added the
modifications to the client's external interface (eth1).  Within an
hour, the FreeS/WAN VPN connections could no longer negotiate new
tunnels when rekeying.  In his scenario, he has two DSL connections
(eth1, eth2) coming into the firewall with a single internal interface
(eth0).  It appears that something broke the VPN negotiation when I
installed the WonderShaper.  As long as the tunnels are up when I start
WonderShaper, they work fine, until they need to rekey.  Then they throw
errors saying things like max number of retransmissions reached, and
Possible authentication failure: no acceptable response to our first
encrypted message, etc.  The moment I 'stop' the WonderShaper, the VPN
tunnels can be reestablished successfully.

I was wondering if anyone else has experienced these kinds of problems
with the WonderShaper and IPSec tunnels?

Also, I'm attempting to prioritize RDP packets on the ipsec0 interface.
Is this as simple as copying every line in the script except changing
$DEV to $DEV2 which is assigned to ipsec0 and adding a u32 match for
sport 3389?  That's currently what I've done.

I just can't get over the fact that it works (in almost the exact same
scenario, except for the 2 DSL circuits) on our firewall, but not our
client's.

These are the changes that I made to match IPSec traffic and place it
into the high priority class (where DEV = eth1 -- the Internet):
- --
# IPSec traffic in 1:10
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
   match ip protocol 0x32 0xff \
   flowid 1:10

tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
   match ip protocol 0x33 0xff \
   flowid 1:10

These are the changes to match RDP on the IPSec interface (where DEV2 =
ipsec0):
- --
# RDP (Remote Desktop Protocol) in interactive class 1:10 on ipsecN interfaces
tc filter add dev $DEV2 parent 1: protocol ip prio 10 u32 \
   match ip sport 3389 0xffff \
   flowid 1:10

Are these even valid?

Thank you for your time.

- --
Jason A. Pattie
[EMAIL PROTECTED]
Xperience, Inc. (http://www.xperienceinc.com)


Re: [LARTC] wondershaper htb + multiple ports

2004-02-08 Thread Corey Hickey
mark ryan wrote:
 If i use the following tc command, where do i set the speed limit for
 the outbound ftp traffic?
  
 Mark
 
 On Sun, 2004-02-08 at 02:35, Corey Hickey wrote:
 
mark ryan wrote:

Is there a way to apply wondershaper w/ htb to a port range?

I have a ftp server on port 65432 and passive ports 5-6.
 
Is there a way to set a range?   or do they have to be individually
listed?
 
The following doesn't seem to work:

 # low priority source ports
NOPRIOPORTSRC=65432, 5:6

# low priority destination ports
NOPRIOPORTDST=

Mark


I don't know about wondershaper specifically, but you can use iptables.
I think this will work:

iptables -t mangle -A FORWARD -m tcp -p tcp -s your.ftp.server.ip \
  --sport 65432 -j MARK --set-mark 0x02
iptables -t mangle -A FORWARD -m tcp -p tcp -s your.ftp.server.ip \
  --sport 5:6 -j MARK --set-mark 0x02

Then, you need to add a tc filter:

tc filter add dev your-outgoing-interface parent 1: protocol ip \
  prio 1 handle 0x02 fw flowid 1:30


Try it out...

-Corey
 
 

[Sorry, I wasn't paying attention and sent my original reply to the
poster instead of the list]

The filter I sent ought to direct traffic into wondershaper's bulk
class, on line 71, which is:

tc class add dev $DEV parent 1:1 classid 1:30 htb rate $[8*$UPLINK/10]kbit \
   burst 6k prio 2

As you can see, the rate is eight tenths the speed of $UPLINK. Since
there is no ceiling specified, however, it is allowed to borrow
bandwidth up to the speed of its parent, which is $UPLINK. If you want
to change the behavior of this class, read how here:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

-Corey
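
The marking approach from the reply above, written as one reviewable script with a dedicated class that carries an explicit rate and ceil, which is where the speed limit for the marked traffic is set. This is an added example, not code from the thread or from wondershaper: class 1:40, the rate and ceil values and the validation helpers are assumptions, and the passive range 50000:60000 is the range quoted elsewhere in this archive.

```shell
#!/bin/sh
# Added example (not from the thread). It prints the commands instead of
# running them, so the rule set can be reviewed before it reaches a root shell.

DEV=${DEV:-eth1}                             # egress interface, as in the thread's config
FTP_HOST=${FTP_HOST:-192.168.1.101}          # FTP server address, as in the thread
FTP_PORTS=${FTP_PORTS:-"65432 50000:60000"}  # space-separated ports or lo:hi ranges
FTP_RATE=${FTP_RATE:-100}                    # kbit guaranteed to FTP (assumption)
FTP_CEIL=${FTP_CEIL:-200}                    # kbit hard cap for FTP (assumption)
MARK=0x02                                    # fwmark value used in the thread
CLASSID=1:40                                 # hypothetical class beside 1:10/1:20/1:30

# True if $1 is a decimal port number in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*|??????*) return 1 ;;         # empty, non-digit, or too long
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if $1 is a single port or an ascending lo:hi range, the two forms
# iptables --sport accepts. A comma-separated list such as "65432," is rejected.
valid_port_spec() {
  case "$1" in
    *:*)
      lo=${1%%:*}
      hi=${1#*:}
      valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ]
      ;;
    *)
      valid_port "$1"
      ;;
  esac
}

# Print the full rule set, or nothing and return 1 if any port spec is bad.
emit_rules() {
  for spec in $FTP_PORTS; do
    valid_port_spec "$spec" || { echo "invalid port spec: '$spec'" >&2; return 1; }
  done

  # Dedicated class: rate is the guarantee, ceil is the limit FTP cannot exceed.
  echo "tc class add dev $DEV parent 1:1 classid $CLASSID htb rate ${FTP_RATE}kbit ceil ${FTP_CEIL}kbit burst 6k prio 3"
  echo "tc qdisc add dev $DEV parent $CLASSID handle 40: sfq perturb 10"

  # Mark in mangle/FORWARD, where the pre-NAT source address is still visible.
  for spec in $FTP_PORTS; do
    echo "iptables -t mangle -A FORWARD -p tcp -s $FTP_HOST --sport $spec -j MARK --set-mark $MARK"
  done

  # Steer marked packets into the capped class ahead of the script's own filters.
  echo "tc filter add dev $DEV parent 1: protocol ip prio 1 handle $MARK fw flowid $CLASSID"
}

emit_rules
```

After review, the output can be applied with `sh ftp-shape.sh | sh` as root (the script name is hypothetical).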


[LARTC] wondershaper + htb limiting ftp sends

2004-02-08 Thread mark ryan
This is still not working correctly.  Wondershaper + htb by itself
limits everything to the speed specified in the config.
 
I only want to limit my ftp upload speed.
 
I tried the suggestion below, but either I am not doing it right or it
doesn't work correctly.
 
I only want to limit ports 5-6 since they are my passive ftp
port range.
 
Or, ideally, I would like to limit proftpd itself... however, there doesn't
seem to be a way to do that with linux.  Windows can but I guess Linux
can't.

Is there a way to limit just ftp sends and leave everything else alone?
 
Mark
mark ryan wrote:
 If i use the following tc command, where do i set the speed limit for
 the outbound ftp traffic?
  
 Mark
 
 On Sun, 2004-02-08 at 02:35, Corey Hickey wrote:
 
mark ryan wrote:

Is there a way to apply wondershaper w/ htb to a port range?

I have a ftp server on port 65432 and passive ports 5-6.
 
Is there a way to set a range?   or do they have to be individually
listed?
 
The following doesn't seem to work:

 # low priority source ports
NOPRIOPORTSRC=65432, 5:6

# low priority destination ports
NOPRIOPORTDST=

Mark


I don't know about wondershaper specifically, but you can use
iptables.
I think this will work:

iptables -t mangle -A FORWARD -m tcp -p tcp -s your.ftp.server.ip \
  --sport 65432 -j MARK --set-mark 0x02
iptables -t mangle -A FORWARD -m tcp -p tcp -s your.ftp.server.ip \
  --sport 5:6 -j MARK --set-mark 0x02

Then, you need to add a tc filter:

tc filter add dev your-outgoing-interface parent 1: protocol ip \
  prio 1 handle 0x02 fw flowid 1:30


Try it out...

-Corey
 
 

[Sorry, I wasn't paying attention and sent my original reply to the
poster instead of the list]

The filter I sent ought to direct traffic into wondershaper's bulk
class, on line 71, which is:

tc class add dev $DEV parent 1:1 classid 1:30 htb rate $[8*$UPLINK/10]kbit \
   burst 6k prio 2

As you can see, the rate is eight tenths the speed of $UPLINK. Since
there is no ceiling specified, however, it is allowed to borrow
bandwidth up to the speed of its parent, which is $UPLINK. If you want
to change the behavior of this class, read how here:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

-Corey



[LARTC] wondershaper htb + multiple ports

2004-02-07 Thread mark ryan
Is there a way to apply wondershaper w/ htb to a port range?

I have a ftp server on port 65432 and passive ports 5-6.
 
Is there a way to set a range?   or do they have to be individually
listed?
 
The following doesn't seem to work:

 # low priority source ports
NOPRIOPORTSRC=65432, 5:6

# low priority destination ports
NOPRIOPORTDST=

Mark




[LARTC] wondershaper

2004-02-04 Thread Mark Ryan
I am using wondershaper with htb to shape my network.  I want to limit only
outbound ftp traffic (me uploading) from 192.168.1.101.

I am using port 21 for ftp with passive ports 50,000-60,000.

What else do I need to put in the config to do this?  Here is my config.

DOWNLINK=3000
UPLINK=340
DEV=eth1

# low priority OUTGOING traffic - you can leave this blank if you want
# low priority source netmasks
NOPRIOHOSTSRC=192.168.1.101

# low priority destination netmasks
NOPRIOHOSTDST=

# low priority source ports
NOPRIOPORTSRC=

# low priority destination ports
NOPRIOPORTDST=

Thanks,
Mark



Re: [LARTC] wondershaper

2004-02-04 Thread Damion de Soto
Mark,
I am using wondershaper with htb to shape my network.  I want to limit only
outbound ftp traffic (me uploading) from 192.168.1.101.
I am using port 21 for ftp with passive ports 50,000-60,000.
That's a large range of ports to shape, and other programs might be using them
- that's a problem with passive ftp you can't easily avoid.
What else do I need to put in the config to do this?  Here is my config.
You can't match IP and port with the normal wondershaper script.
You also can't match NATed source IP addresses on your egress qdisc, which means any
rule you set up for ports 21, 5-6 will apply to all machines on your LAN.

What you should probably do is use iptables to mark all outbound traffic from
src 192.168.1.101 on port 21, 5-6 with TOS 0x08 (Maximum Throughput)
and then add another u32 filter into wondershaper:

tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \
   match ip tos 0x08 0xff \
   flowid 1:30

regards

--
~~~
Damion de Soto - Software Engineer  email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company ---ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliancesweb: http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


[LARTC] wondershaper

2004-02-03 Thread Mark Ryan
Hi,
I have wondershaper running on my firewall/router.  It has 2 ethernet cards
(eth0 and eth1).  Eth1 connects to a cablemodem (2mbit down, 384kbit up) and
eth0 connects to a switch.  I run a ftp server on a machine connected to the
switch.

I want to be able to keep my ftp server from affecting my browsing speed.

Problem:
I don't see any difference with wondershaper running.  I have tried all
different speeds and both eth0 and eth1 in wondershaper.

Am I doing something wrong?  I am testing by pinging yahoo.com.

Mark



[LARTC] wondershaper htb

2004-02-03 Thread Mark Ryan
I got wshaper.htb working... however I have 1 question.

How can i limit just ftp server traffic?

I have ftp server on port 21 with passive ports of 5-6.

I currently have wondershaper with htb working on my router... but I'm afraid
that it is also affecting all of my send traffic... not just the ftp server.

I want to be able to limit the ftp server traffic only.

Thanks,
Mark



Re: [LARTC] wondershaper

2004-02-03 Thread Damion de Soto
Hi Mark,
I have wondershaper running on my firewall/router.  It has 2 ethernet cards
(eth0 and eth1).  Eth1 connects to a cablemodem (2mbit down, 384kbit up) and
eth0 connects to a switch.  I run a ftp server on a machine connected to the
switch.
I want to be able to keep my ftp server from affecting my browsing speed.
Problem:
I don't see any difference with wondershaper running.  I have tried all
different speeds and both eth0 and eth1 in wondershaper.
You will want to run the wondershaper on eth1.
If you run it on eth0 it will be backwards.
You should be able to drop the speeds down to something like
DOWNLINK=1800
UPLINK=300
and see some difference.
Are you using the htb wondershaper or the old cbq one?

Am I doing something wrong?  I am testing by pinging yahoo.com.
That's probably not the best test, you should probably check with real
HTTP requests.
Are you trying to throttle people uploading TO your ftp server (same as your
downloads) or downloading FROM your ftp server? (you uploading)

Regards,

--
~~~
Damion de Soto - Software Engineer  email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company ---ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliancesweb: http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


[LARTC] wondershaper

2004-02-02 Thread Mark Ryan
Hi,

I just installed wondershaper 1.1a on my ipcop firewall box.  I have
roadrunner cable with a ftp server setup.  My download speed is 2mbit (I get
225 KBytes) and my upload is 384kbit (I send at 43 KBytes).

What should the settings in wshaper be?

I can ping yahoo.com at 90msec with little traffic... and at around 220msec
with full upload traffic.

Mark



[LARTC] WonderShaper and NNTP traffic.

2003-11-25 Thread Adrian Chung
Hi!

I'm testing out the wshaper script using both CBQ and HTB, with:

   DOWNLINK=1152
   UPLINK=312
   DEV=eth3

It works great for simultaneous uploads/downloads, and FTP traffic,
but when I enable wshaper and am doing an NNTP download, it slows NNTP
downloads to 50kB/s.  When I do a 'wshaper stop', NNTP downloads creep
back up to about 150kB/s.

FTP downloads, as mentioned go full speed at around ~130-140kB/s as
well.

Any ideas on why this might be happening, or what I can try to tweak?

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 5:10pm up 18 days, 1:17, 5 users



[LARTC] Wondershaper modifications

2003-10-09 Thread Thomas Kirk
Hep Dear Listmembers and Stef!

Setup

  Internet
eth0
  |
  |
 -
  ||||
eth1 eth2 eth3 eth4 --- Lan .10/24 .11/24 etc


All Lans are natted to eth0

Now I use wondershaper (1.1a) on eth0 to shape interactive traffic
(works already, thanks!). But I have a special requirement to
prioritise samba traffic from eth1 to internet. I've done this with the following
lines in iptables and wondershaper:

iptables :

$IPTABLES -A PREROUTING -t mangle -p tcp --dport 137:139 -i eth1 -j MARK --set-mark 2
$IPTABLES -A PREROUTING -t mangle -p udp --dport 137:139 -i eth1 -j MARK --set-mark 2

wondershaper :

tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 2 fw classid 1:10

This setup seems to work partly. When I browse the network on another
host over internet I get no lag and fast response (low latency).
But when I try to edit a file (3kb) it takes around 10 seconds to save
the file? Since my connection is 2048/512 and I've set my UPLINK=450 it
should take no more than 1-2 secs to update a file over internet? What
am I overlooking here?


-- 
Venlig hilsen/Kind regards
Thomas Kirk
ARKENA
tlf/phone +4570233456
thomas(at)arkena(dot)com
Http://www.arkena.com


It's naive to think you can change a person--except maybe that
boy who works in the library. -- Lisa Simpson


[LARTC] wondershaper 2.0, QoS gui, presentation

2003-09-04 Thread bert hubert
Hi Everybody,

Tomorrow the 5th of September I'll be presenting my new QoS gui which will
eventually include the wondershaper 2.0 as its configuration. Configuration
will also be loadable using a non-X tool, and the gui will be able to
configure remote machines as well using netlink-over-tcp.

If you are interested and live near Switzerland, visit
http://www.sucon.ch/sucon/03/register.html

Other presentations: http://www.sucon.ch/sucon/03/sessions.html

If you are there, I'll be happy to meet with you. I'll attempt to setup a
LARTC BOF or WIP or whatever.

Thanks!

-- 
http://www.PowerDNS.com  Open source, database driven DNS Software 
http://lartc.org   Linux Advanced Routing  Traffic Control HOWTO


Re: [LARTC] WonderShaper on spesific ports?

2003-07-28 Thread Stef Coene
On Thursday 24 July 2003 14:54, Wizzcat wrote:
 Hi!

 I've just tried out this program and it works amazingly, throttling uploads
 at whatever speed I like it to. It works great for what I want it for,
 throttling emule which has a tendency to hose the entire network and
 grinding everything to a halt, but it also limits all other uploads, so vnc
 is now impossible. This is of course very unfortunate, so I was wondering
 if there is a way to limit uploads speeds on only certain ports so I could
 limit only p2p programs from going overboard and let the rest of the
 computer continue uploading at full bandwidth.
Yes it can done.  But I don't know the WonderShaper configuration.  But it's 
not so difficult to adapt the wondershaper if you read the docs on lartc.org 
and docum.org.

Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net



Re: [LARTC] WonderShaper on spesific ports?

2003-07-25 Thread Damion de Soto
Wizzcat wrote:
--snip---
wondering if there is a way to limit uploads speeds on only certain 
ports so I could limit only p2p programs from going overboard and let 
the rest of the computer continue uploading at full bandwidth.
it should be fairly simple
the emule ports are listed here:
http://www.emule-project.net/faq/ports.htm
and in the top of the wondershaper script, it allows you to enter

# low priority source ports
NOPRIOPORTSRC=
# low priority destination ports
NOPRIOPORTDST=


--
~~~
Damion de Soto - Software Engineer  email: [EMAIL PROTECTED]
SnapGear ---   ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliancesweb: http://www.snapgear.com
~~~


[LARTC] Wondershaper only shaping one connection?

2003-07-15 Thread Michael Frotscher
Hello, LARTC-List

I still try to get my traffic-shaping done with Wondershaper 1.1a, but it does not work
as expected. When I run the script, the verbose output looks good (using a 
SuSE-8.2-SMP-box with iproute2-2.4.7-473):

+ DOWNLINK=1800
+ UPLINK=150
+ DEV=ppp0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' '' = status ']'
+ tc qdisc del dev ppp0 root
+ tc qdisc del dev ppp0 ingress
+ '[' '' = stop ']'
+ tc qdisc add dev ppp0 root handle 1: cbq avpkt 1000 bandwidth 10mbit
+ tc class add dev ppp0 parent 1: classid 1:1 cbq rate 150kbit allot 1500 prio 5 bounded isolated
+ tc class add dev ppp0 parent 1:1 classid 1:10 cbq rate 150kbit allot 1600 prio 1 avpkt 1000
+ tc class add dev ppp0 parent 1:1 classid 1:20 cbq rate 135kbit allot 1600 prio 2 avpkt 1000
+ tc class add dev ppp0 parent 1:1 classid 1:30 cbq rate 120kbit allot 1600 prio 2 avpkt 1000
+ tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 12 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev ppp0 handle ffff: ingress
+ tc filter add dev ppp0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1800kbit burst 10k drop flowid :1

My ADSL-Line performs 2MBit down and 192kbit upstream, so I guess the
values are all right. I then start an upload and am pleased to see that
the upload-rate stays at 150kBit, as set. Pings then are fine.

But that upload limit is somehow not really enforced. When starting a
second upload, the total rate (checked with iptraf) exceeds the set
150kBit and is only restricted by the line limit - pings of well over
3 seconds are the result.

What did I do wrong?

-- 
Sincerely,

Michael



Re: [LARTC] Wondershaper working, but not quite as expected

2003-07-13 Thread Michael Frotscher
Hallo, Trevor

  Maybe we can help you out much better if you could space out the
 sentences below. They seem to be a jigsaw puzzle.

Sorry, you are right - I think my word-wrapping is messing this up. I'll
post it again, disregarding line lengths.

This is the verbose output when the script starts:

+ DOWNLINK=1800
+ UPLINK=150
+ DEV=ppp0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' '' = status ']'
+ tc qdisc del dev ppp0 root
+ tc qdisc del dev ppp0 ingress
+ '[' '' = stop ']'
+ tc qdisc add dev ppp0 root handle 1: cbq avpkt 1000 bandwidth 10mbit
+ tc class add dev ppp0 parent 1: classid 1:1 cbq rate 150kbit allot 1500 prio 5 bounded isolated
+ tc class add dev ppp0 parent 1:1 classid 1:10 cbq rate 150kbit allot 1600 prio 1 avpkt 1000
+ tc class add dev ppp0 parent 1:1 classid 1:20 cbq rate 135kbit allot 1600 prio 2 avpkt 1000
+ tc class add dev ppp0 parent 1:1 classid 1:30 cbq rate 120kbit allot 1600 prio 2 avpkt 1000
+ tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 12 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev ppp0 handle ffff: ingress
+ tc filter add dev ppp0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1800kbit burst 10k drop flowid :1


This is the status information while running:

+ DOWNLINK=1800
+ UPLINK=150
+ DEV=ppp0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' status = status ']'
+ tc -s qdisc ls dev ppp0
qdisc ingress ffff:
 Sent 264605 bytes 1195 pkts (dropped 0, overlimits 0)
qdisc sfq 30: limit 128p quantum 1492b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: limit 128p quantum 1492b perturb 10sec
 Sent 390490 bytes 610 pkts (dropped 0, overlimits 0)
qdisc sfq 10: limit 128p quantum 1492b perturb 10sec
 Sent 47228 bytes 942 pkts (dropped 0, overlimits 0)
qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 437758 bytes 1553 pkts (dropped 0, overlimits 2037)
  borrowed 0 overactions 0 avgidle 624 undertime 0
+ tc -s class ls dev ppp0
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 40 bytes 1 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:10 parent 1:1 leaf 10: rate 150Kbit prio 1
 Sent 47288 bytes 943 pkts (dropped 0, overlimits 351)
  borrowed 0 overactions 94 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 150Kbit (bounded,isolated) prio 5
 Sent 437778 bytes 1553 pkts (dropped 0, overlimits 0)
  borrowed 161 overactions 0 avgidle 624 undertime 0
class cbq 1:20 parent 1:1 leaf 20: rate 135Kbit prio 2
 Sent 390490 bytes 610 pkts (dropped 0, overlimits 1868)
  borrowed 161 overactions 263 avgidle 624 undertime 0
class cbq 1:30 parent 1:1 leaf 30: rate 120Kbit prio 2
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
+ exit

I hope this helps.
-- 
Gruß,

Michael aka. Tron



Re: [LARTC] wondershaper htb P2P downloads

2003-05-28 Thread Stef Coene
On Wednesday 28 May 2003 04:07, Paul Suela wrote:
 Sir,

 Thanks for the wondershaper utility!

 It has improved the response time for my ssh connections to my home
 server whenever i need to access it from the Internet.

 However, is there a way to setup a bandwidth, say 10kbits/sec (i only
 have 128kbits/sec DSL), and assign it to a particular traffic type like
   kazaa and other P2P file-sharing?

 This way it will guarantee that my home users of kazaa will only eat up
 and share that total small amount amongst my family and nothing more.

 I don't want to restrict P2P usage in my home network but just put a
 configurable limit. Any help will be greatly appreciated. :)
You can limit some parts of the traffic to a lower bandwidth.  But the problem
is to match that traffic.  And kazaa is very hard to match.  It uses random
ports and even ACK packets for uploads.
As far as I know there is no way to perfectly match kazaa traffic.

Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net



Re: [LARTC] wondershaper htb P2P downloads

2003-05-28 Thread S. Mohan
Believe L7 filtering matches kazaa. http://l7.sourceforge.net.

Mohan
On Wednesday 28 May 2003 04:07, Paul Suela wrote:
 Sir,

 Thanks for the wondershaper utility!

 It has improved the response time for my ssh connections to my home
 server whenever i need to access it from the Internet.

 However, is there a way to setup a bandwidth, say 10kbits/sec (i only
 have 128kbits/sec DSL), and assign it to a particular traffic type like
   kazaa and other P2P file-sharing?

 This way it will guarantee that my home users of kazaa will only eat up
 and share that total small amount amongst my family and nothing more.

 I don't want to restrict P2P usage in my home network but just put a
 configurable limit. Any help will be greatly appreciated. :)
You can limit some parts of the traffic to a lower bandwidth.  But the problem
is to match that traffic.  And kazaa is very hard to match.  It uses random
ports and even ACK packets for uploads.
As far as I know there is no way to perfectly match kazaa traffic.

Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net


Re: [LARTC] wondershaper script making connection worst.

2003-04-12 Thread Linux RedHat
 I have the prob with my cable modem where the upload gets messed up with the
 download. So I downloaded and tried the wondershaper script, but it seems to make my
 connection worse. If I start a download, and I'll get 180+K/s, then with a upload
 going it'll go down to about 50-60K/s. When I run the wondershaper script it goes
 down about 5K/s.  :(

 I tried both CBQ and HTB versions and they both do the same thing.  I turned on all
 the QoS options, just in case.  Are there any issues with RedHat8?

 --
I use wondershaper on redhat 8 with no problem, but i did have to experiment quite a
bit with the values for UPLINK / DOWNLINK until i found ones that worked
well...which it now does :)





Re: [LARTC] Wondershaper updates.

2003-03-31 Thread Martin A. Brown
If you want a more general configuration interface to HTB, you can use
htb.init, which allows an arbitrary configuration of traffic control:

  http://sourceforge.net/projects/htbinit

Or, if you prefer a more fully featured language for describing traffic,
tcng:

  http://tcng.sourceforge.net/

See my article on tcng + htb:

  http://linux-ip.net/articles/htb-and-tcng.html

If you are feeling like contributing, you could write some tcng
configuration files which solve your problem and publish them.

-Martin

 : Wondershaper htb seems to work fine. It would be great if it had some
 : more features. I.E if people on this mailing list could contribute. I
 : use a fantastic contributed firewall script called monmotha that covers
 : lots of the features that you might want from a firewall.
 :
 : I'd find it useful if wondershaper could:-
 :
 : 1. Specify hi-priority ports, most specifically port 80 so people can
 : always browse on my shared connection.
 : 2. integrate this script to allow special game priorities to be setup
 : http://mailman.ds9a.nl/pipermail/lartc/2002q3/004827.html
 :
 : The extra features don't have to get in the way of the normal operation
 : surely.
 :
 : G.
 :
 : 
 : Giles Westwood
 : Web Developer
 : Mob: 07764611148
 : Tel:   01132781591
 : Web: http://www.gileswestwood.co.uk
 : 
 :
 :
 : ___
 : LARTC mailing list / [EMAIL PROTECTED]
 : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



RE: [LARTC] Wondershaper updates.

2003-03-31 Thread lartc
I think I'll use htbinit, seems the most understandable. Seems a waste
that people with lots of experience who are very into this stuff don't
compile all the findings into a generic script(s) with parameters that
any newbie can configure and benefit from.

G.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Martin A. Brown
 Sent: 31 March 2003 20:59
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [LARTC] Wondershaper updates.
 
 
 If you want a more general configuration interface to HTB, 
 you can use htb.init, which allows an arbitrary configuration 
 of traffic control:
 
   http://sourceforge.net/projects/htbinit
 
 Or, if you prefer a more fully featured language for 
 describing traffic,
 tcng:
 
   http://tcng.sourceforge.net/
 
 See my article on tcng + htb:
 
   http://linux-ip.net/articles/htb-and-tcng.html
 
 If you are feeling like contributing, you could write some 
 tcng configuration files which solve your problem and publish them.
 
 -Martin
 
  : Wondershaper htb seems to work fine. It would be great if 
 it had some
  : more features. I.E if people on this mailing list could 
 contribute. I
  : use a fantastic contributed firewall script called 
 monmotha that covers
  : lots of the features that you might want from a firewall.
  :
  : I'd find it useful if wondershaper could:-
  :
  : 1. Specify hi-priority ports, most specifically port 80 
 so people can
  : always browse on my shared connection.
  : 2. integrate this script to allow special game priorities 
 to be setup
  : http://mailman.ds9a.nl/pipermail/lartc/2002q3/004827.html
  :
  : The extra features don't have to get in the way of the 
 normal operation
  : surely.
  :
  : G.
  :
  : 
  : Giles Westwood
  : Web Developer
  : Mob: 07764611148
  : Tel:   01132781591
  : Web: http://www.gileswestwood.co.uk
  : 
  :
  :
  : ___
  : LARTC mailing list / [EMAIL PROTECTED]
  : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: 
http://lartc.org/
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



RE: [LARTC] Wondershaper updates.

2003-03-31 Thread Martin A. Brown
Giles,

 : I think I'll use htbinit, seems the most understandable. Seems a waste
 : that people with lots of experience who are very into this stuff don't
 : compile all the findings into a generic script(s) with parameters that
 : any newbie can configure and benefit from.

The problem is a complex one.  If you have thoughts or suggestions about
how a script can be flexibly adapted to solve the problem, your voice is
welcome.  Wondershaper is an excellent example of a traffic control
solution to a niche problem.  It doesn't however address a more complex
scenario.

Your reasoning is exactly why wondershaper, cbq.init, htb.init, and my own
lousy htb-script [1] exist.  I'm sure there are others.  People have
vastly different needs for subdividing their bandwidth, hence the varied
scripts for dividing bandwidth.

Frankly, I believe that tcng [2] will allow people to write and share
traffic control solutions in a much friendlier way than can be
accomplished directly with tc.  So, once again, I recommend that anybody
starting to use traffic control under linux today start with tcng.  It
provides a more intuitive system for describing traffic control structures
than raw tc commands.  And, not only is it more intuitive, but tcng
removes the repetitive and arcane from the configuration.

If you make a traffic control solution which solves a general problem or a
class of problem, document it and post it somewhere, so the world can
benefit from your experience.

Anyway, good luck with htb.init.  It should be able to meet most of your
needs.

-Martin

 [1]  http://linux-ip.net/htb-script
 [2]  http://tcng.sourceforge.net/

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



Re: [LARTC] wondershaper + htb prio + qdisc prio

2002-12-31 Thread sufcrusher
But you are not listening to what I and others have been saying. Forget
about the ICMP pings! They don't mean nothing!

Use the script I attached (change a few settings, like your own speeds,
interface and executables, speeds are in kbit!). Then use the following
iptables rules:

(eth0=my internet-interface, eth2=my LAN interface, change if needed !)

# ICMP packets have an even higher priority (so you can test it with ping,
# but this doesn't help CounterStrike at all!)
# Don't do massive pings/traceroutes because that would choke other traffic
# (including CS)!
iptables -I PREROUTING -t mangle -i eth2 -j MARK --set-mark 1 -p ICMP
iptables -I OUTPUT -t mangle -o eth0 -j MARK --set-mark 1 -p ICMP
# And here's Counter Strike:
# if you want you could add:  -m multiport --destination-port 27000:27050
iptables -I PREROUTING -t mangle -i eth2 -j MARK --set-mark 1 -p UDP --source-port 27005

# ACK Packets get higher priority than 'normal' packets
iptables -I PREROUTING -t mangle -i eth2 -j MARK --set-mark 2 -p TCP -m length --length 0:100
iptables -I OUTPUT -t mangle -o eth0 -j MARK --set-mark 2 -p TCP -m length --length 0:100

And add some more yourself, remember:
- All rules are tested for each packet: MARK does _not_ stop like ACCEPT and
RETURN do.
- Therefore the order in which you place these rules is important.
- Rules are inserted (-I) in the table, so eventually (use iptables -L -n)
the rules will be 'upside down' in the table.
- Thus higher priority rules (lower MARK numbers) should go first in your
script, otherwise they might be overruled by later rules.

Jannes Faber

- Original Message -
From: Ciprian Niculescu [EMAIL PROTECTED]
To: Tornado [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, December 31, 2002 12:23 AM
Subject: Re: [LARTC] wondershaper + htb prio + qdisc prio


 On Mon, 30 Dec 2002 22:22:28 +0100, Tornado
 [EMAIL PROTECTED] said:
   
   this is what i try, because i don't really play the game, i generate
   traffic to saturate the link, and ping from shell from an external host
 
  In which case, you should check if your downstream is not choking. Even
  if
  you shape outgoing packets, you can still get bad pings, if your
  downstream is running at max.

 no a 1Mbit traffic on a 5M no choking :

 C




tcstart.sh
Description: Binary data
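
The ordering rules listed in the message above, modelled as an added example (not part of the original post and not the attached tcstart.sh): a small shell model of a mangle chain in which MARK never stops traversal. The rule format and the catch-all UDP rule with mark 3 are constructed for illustration; marks 1 and 2 mirror the Counter-Strike and small-TCP-packet rules quoted in the message.

```shell
#!/bin/sh
# Model of a mangle chain, NOT real iptables (added example).
# Rule format (constructed): "<mark> <proto> <source-port> <max-length>",
# where "-" means "any".
CHAIN=""
NL='
'

# iptables -I puts the new rule on top of the chain.
chain_insert() { CHAIN="$1${CHAIN:+$NL$CHAIN}"; }
# iptables -A puts the new rule at the bottom of the chain.
chain_append() { CHAIN="${CHAIN:+$CHAIN$NL}$1"; }

# Walk the whole chain for one packet. MARK is non-terminating, so every
# matching rule overwrites the mark and the LAST match in the chain wins.
final_mark() {  # args: proto source-port length
    mark=0
    while read -r r_mark r_proto r_sport r_maxlen; do
        [ -n "$r_mark" ] || continue
        [ "$r_proto" = "$1" ] || continue
        [ "$r_sport" = "-" ] || [ "$r_sport" = "$2" ] || continue
        [ "$r_maxlen" = "-" ] || [ "$3" -le "$r_maxlen" ] || continue
        mark=$r_mark
    done <<EOF
$CHAIN
EOF
    echo "$mark"
}

# Load the same rules, in the same script order, with -I or -A semantics.
load_rules() {  # arg: insert|append
    CHAIN=""
    for rule in \
        "1 udp 27005 -" \
        "2 tcp - 100" \
        "3 udp - -"     # constructed catch-all: all other UDP is low priority
    do
        if [ "$1" = insert ]; then chain_insert "$rule"; else chain_append "$rule"; fi
    done
}

# Final mark of one packet after the rules were loaded in the given mode.
mark_for() {  # args: insert|append proto source-port length
    load_rules "$1"
    final_mark "$2" "$3" "$4"
}

for mode in insert append; do
    echo "$mode: UDP source port 27005 -> mark $(mark_for "$mode" udp 27005 60)"
done
```

With `insert`, the rule written first in the script sits at the bottom of the chain and has the last word, which is why the high-priority rules go first; with `append` the same script order lets the catch-all overrule them.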


Re: [LARTC] wondershaper + htb prio + qdisc prio

2002-12-30 Thread Tornado
Hey there,

 hello,

 a friend of mine have this configuration:

 10 x PC -- router/linux/rh8 -- ADSL Modem -- ISP

 let's say that the bandwidth is: 5M and 800K

 he does dc++ and counter-strike, so let's say the UP is full, and the
 ping from the counter server is 300ms, the server cut the connection, and
 no more game, the player is unhappy. The normal ping is 50ms.

 so he thinks to put some prio on the ping-echo packets to make the ping
 be extra small, he try the wondershaper from the lartc, don't work, make
 a simplified script just for icmp which is:

 $tc qdisc del $IF_EXT root
 $tc qdisc add $IF_EXT handle 1: root htb default 2
 $tc class add $IF_EXT parent 1: classid 1:9 htb rate 500kbit burst 6k
 $tc class add $IF_EXT parent 1:9 classid 1:1 htb rate 500kbit ceil
 500kbit burst 6k prio 1
 $tc class add $IF_EXT parent 1:9 classid 1:2 htb rate 64kbit ceil 500kbit
 burst 6k prio 2

 $tc filter add $IF_EXT protocol ip prio 2 parent 1: u32 \
 match ip protocol 1 0xff flowid 1:1

 first tried it with ceil 800kbit, after with a smaller value, the real
 bandwidth was somewhere around 700kbit, at that moment.

 didn't work

[ -- SNIP --]

 still with no result the ping from the counter server is always 300ms,
 what's wrong

Maybe I'm misunderstanding you, maybe not - but what exactly do you mean by
the ping from the server is always 300ms?

Is it the ICMP ping (generated by the 'ping' tool), or do you mean when you
play Counter-Strike, and you look at the players tab, that shows you're
lagged with 300ms?

Have you tried to ping the counter-strike server direct from the shell using
the 'ping' tool? If this results in very low ping replies, your tc setup is
correctly set up.

The only thing you're missing now, is to prioritize counter-strike specific
traffic. Usually the port numbers used by Counter-Strike servers are 27015 and
some numbers up, so this is what you have to prioritize.

An example (class id is from your first script, using htb) - this will put
the packets leaving your $IF_EXT to port 27015, 27016 and 27017 to any hosts
in the class 1:1:

for cs_p in 27015 27016 27017; do
  tc filter add dev $IF_EXT parent 1:0 protocol ip prio 10 u32 \
     match ip dport $cs_p 0xffff flowid 1:1
done

You may need to modify the above example to fit your script.


--
Theepan


PS: I'm sorry if you receive this mail twice. I forgot to CC it to the list the
first time.






Re: [LARTC] wondershaper + htb prio + qdisc prio

2002-12-30 Thread Tornado
 
  Is it the ICMP ping (generated by the 'ping' tool), or do you mean when
  you
  play Counter-Strike, and you look at the players tab, that shows you're
  lagged with 300ms?

 by ping i mean the real ping program with icmp, i see that i could not
 specify counterstrike to don't create confusion.

 and the idea is not to prioritize the counter game, but only the ping used
 by the counter game

 so another question is, the counter strike game use udp/270015 only for
 ping probing or also for game packets

The counter-strike server does not 'ping' you in a normal fashion. It's an
in-game feature, which doesn't use extra protocols to retrieve ping, hence
counter-strike server uses port 27015 to both game packets and
ping-in-game-packets.

And besides, it wouldn't make any difference to only prioritize the
ping-in-game-packets, even if you could - the game would still lag as
without traffic control.


 this is what i try, because i don't really play the game, i generate
 traffic to saturate the link, and ping from shell from an external host

In which case, you should check if your downstream is not choking. Even if
you shape outgoing packets, you can still get bad pings, if your
downstream is running at max.


--
Theepan





Re: [LARTC] wondershaper + htb prio + qdisc prio

2002-12-30 Thread Ciprian Niculescu
On Mon, 30 Dec 2002 22:22:28 +0100, Tornado
[EMAIL PROTECTED] said:
  
  this is what i try, because i don't really play the game, i generate
  traffic to saturate the link, and ping from shell from an external host
 
 In which case, you should check if your downstream is not choking. Even
 if
 you shape outgoing packets, you can still get bad pings, if your
 downstream is running at max.

no a 1Mbit traffic on a 5M no choking :

C



Re: [LARTC] wondershaper + htb prio + qdisc prio

2002-12-29 Thread AHM
Hi,

I think that icmp is not the solution. I've tested with mohaa
and that game uses an own sort of ping on a udp port (so via tcp and not
icmp)

Maybe u should check if counterstrike does that too.

Regards,
Andre


> hello,
>
> a friend of mine have this configuration:
>
> 10 x PC -- router/linux/rh8 -- ADSL Modem -- ISP
>
> let's say that the bandwidth is: 5M and 800K
>
> he does dc++ and counter-strike, so let's say the UP is full, and the
> ping from the counter server is 300ms, the server cut the connection,
> and no more game, the player is unhappy. The normal ping is 50ms.
>
> so he thinks to put some prio on the ping-echo packets to make the ping
> be extra small, he try the wondershaper from the lartc, don't work,
> make a simplified script just for icmp which is:
>
> $tc qdisc del $IF_EXT root
> $tc qdisc add $IF_EXT handle 1: root htb default 2
> $tc class add $IF_EXT parent 1: classid 1:9 htb rate 500kbit burst 6k
> $tc class add $IF_EXT parent 1:9 classid 1:1 htb rate 500kbit ceil
> 500kbit burst 6k prio 1
> $tc class add $IF_EXT parent 1:9 classid 1:2 htb rate 64kbit ceil
> 500kbit burst 6k prio 2
>
> $tc filter add $IF_EXT protocol ip prio 2 parent 1: u32 \
> match ip protocol 1 0xff flowid 1:1
>
> first tried it with ceil 800kbit, after with a smaller value, the real
> bandwidth was somewhere around 700kbit, at that moment.
>
> didn't work
>
> so he tried with just a prio qdisc and put the icmp packets in the 0
> band, the script:
>
> $iptables -t mangle -A POSTROUTING -p icmp -j TOS --set-tos 0x10
> $tc qdisc del $IF_EXT root
> $tc qdisc add $IF_EXT root handle 10: prio
>
> $tc qdisc add $IF_EXT parent 10:1 handle 20: est 1sec 8sec bfifo
> $tc qdisc add $IF_EXT parent 10:2 handle 30: est 1sec 8sec bfifo
> $tc qdisc add $IF_EXT parent 10:3 handle 40: est 1sec 8sec bfifo
>
> $tc filter add $IF_EXT parent 10: protocol ip prio 1 u32 match ip tos
> 0x10 0xff flowid 10:1
> $tc filter add $IF_EXT parent 10: protocol ip prio 1 u32 match ip tos
> 0x06 0xff flowid 10:2
> $tc filter add $IF_EXT parent 10: protocol ip prio 1 u32 match ip tos
> 0x0c 0xff flowid 10:3
>
>
> still with no result the ping from the counter server is always 300ms,
> what's wrong
>
> C
> --
> Ciprian Niculescu
>
> ___
> LARTC mailing list / [EMAIL PROTECTED]
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/




Re: [LARTC] wondershaper + htb prio + qdisc prio

2002-12-29 Thread Andre Meij
Hi,

(Sorry for the repost last post was screwed up by my emailclient)

I think that icmp is not the solution. I've tested
with mohaa and that game uses an own sort of ping on a udp port (so via
tcp and not icmp)

Maybe u should check if counterstrike does that too.

Regards,
Andre

 hello,

 a friend of mine have this configuration:

 10 x PC -- router/linux/rh8 -- ADSL Modem -- ISP

 let's say that the bandwidth is: 5M and 800K

 he does dc++ and counter-strike, so let's say the UP is full, and the
 ping from the counter server is 300ms, the server cut the connection,
 and no more game, the player is unhappy. The normal ping is 50ms.

 so he thinks to put some prio on the ping-echo packets to make the ping
 be extra small, he try the wondershaper from the lartc, don't work,
 make a simplified script just for icmp which is:

 $tc qdisc del $IF_EXT root
 $tc qdisc add $IF_EXT handle 1: root htb default 2
 $tc class add $IF_EXT parent 1: classid 1:9 htb rate 500kbit burst 6k
 $tc class add $IF_EXT parent 1:9 classid 1:1 htb rate 500kbit ceil
 500kbit burst 6k prio 1
 $tc class add $IF_EXT parent 1:9 classid 1:2 htb rate 64kbit ceil
 500kbit burst 6k prio 2

 $tc filter add $IF_EXT protocol ip prio 2 parent 1: u32 \
 match ip protocol 1 0xff flowid 1:1

 first tried it with ceil 800kbit, after with a smaller value, the "real"
 bandwidth was somewhere around 700kbit, at that moment.

 didn't work

 so he tried with just a prio qdisc and put the icmp packets in the 0
 band, the script:

 $iptables -t mangle -A POSTROUTING -p icmp -j TOS --set-tos 0x10
 $tc qdisc del $IF_EXT root
 $tc qdisc add $IF_EXT root handle 10: prio

 $tc qdisc add $IF_EXT parent 10:1 handle 20: est 1sec 8sec bfifo
 $tc qdisc add $IF_EXT parent 10:2 handle 30: est 1sec 8sec bfifo
 $tc qdisc add $IF_EXT parent 10:3 handle 40: est 1sec 8sec bfifo

 $tc filter add $IF_EXT parent 10: protocol ip prio 1 u32 match ip tos
 0x10 0xff flowid 10:1
 $tc filter add $IF_EXT parent 10: protocol ip prio 1 u32 match ip tos
 0x06 0xff flowid 10:2
 $tc filter add $IF_EXT parent 10: protocol ip prio 1 u32 match ip tos
 0x0c 0xff flowid 10:3


 still with no result the ping from the counter server is always 300ms,
 what's wrong

 C
 --
 Ciprian Niculescu

 ___
 LARTC mailing list / [EMAIL PROTECTED]
 http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/




Re: [LARTC] WonderShaper on LAN link kills to-host speed

2002-12-18 Thread Jose Luis Domingo Lopez
On Tuesday, 17 December 2002, at 14:15:39 -0800,
Kenneth Porter wrote:

 What about the ingress policer would do that?
 
As far as I know, inbound traffic (ingress) can only police packets,
that is, discard traffic on excess hoping the other end will notice it
and slow down a bit. If you want to classify incoming traffic, create
classes, attach queuing disciplines, and those nice things available in
the outgoing traffic, you must:
a) Patch your kernel with IMQ, redirect incoming traffic to it, and
treat this device as you would any outgoing traffic, or...
b) ...manage bandwidth in the outgoing direction on the other network
card attached to the router (if this is a router).

I'm sure somebody in this list can explain himself much better, and
provide links to information and example code, but hope it helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Woody (Linux 2.4.20-xfs)



[LARTC] wondershaper

2002-11-24 Thread Mario Ohnewald
Hello!
I want to give port 14567 a high priority/minimum delay because it's an online
game.
I took wondershaper cause it's fairly easy to understand. AND i read the
HowTo, especially Section 9!!

DOWNLINK=786
UPLINK=128
DEV=ppp0

# start filters
# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
  match ip tos 0x10 0xff  flowid 1:10


Then i added my ports:
-
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
  match ip dport 14567 0xffff flowid 1:10 flowid 1:10

tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
 match ip dport 14567 0xffff flowid 1:10 flowid 1:10
--

I started an upload to see if it worked, but i still had a ping 1000
It didn't really change anything.
The output of wondershaper was fine, no errors came up.

Can anyone give me a hint what i did wrong?

Cheers, Mario







Re: [LARTC] wondershaper

2002-11-24 Thread Kenneth Porter
--On Monday, November 25, 2002 12:16 AM +0100 Mario Ohnewald
[EMAIL PROTECTED] wrote:

 I started an upload to see if it worked, but i still had a ping 1000
 It didn't really change anything.
 The output of wondershaper was fine, no errors came up.

What did wshaper status say after the simultaneous game and upload? You
should see traffic going into the two desired queues.

What kind of upload, http or ftp? Which ports did it use? Did you put those
in the traffic we hate list?



[LARTC] wondershaper

2002-11-20 Thread K Sambaiah
Hi,
  I am newbie to the list. I am using the wondershaper on RH Linux
7.3 machine. wondershaper version is 1.1a. I set it up as
upload speed xkbps and download speed y kbps. I needed to setup
total speed as x+y kbps but dynamically adjust uplink and download
speeds. Is there any way to do it.
thanks,
Sam




Re: [LARTC] wondershaper

2002-11-20 Thread Stef Coene
On Wednesday 20 November 2002 19:46, K Sambaiah wrote:
 Hi,
   I am newbie to the list. I am using the wondershaper on RH Linux
 7.3 machine. wondershaper version is 1.1a. I set it up as
 upload speed xkbps and download speed y kbps. I needed to setup
 total speed as x+y kbps but dynamically adjust uplink and download
 speeds. Is there any way to do it.
You can do this with the imq device.  But why ??
The imq device is a virtual device and you can redirect traffic to it with 
iptables.  You can do it from any interface you want and for both directions.

Stef


-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] wondershaper

2002-11-20 Thread David Koski
On Wed, 20 Nov 2002 20:09:23 +0100
Stef Coene [EMAIL PROTECTED] wrote:

 On Wednesday 20 November 2002 19:46, K Sambaiah wrote:
  Hi,
I am newbie to the list. I am using the wondershaper on RH Linux
  7.3 machine. wondershaper version is 1.1a. I set it up as
  upload speed xkbps and download speed y kbps. I needed to setup
  total speed as x+y kbps but dynamically adjust uplink and download
  speeds. Is there any way to do it.

 You can do this with the imq device.  But why ??

Does it not make sense to allocate bandwidth without regard to direction?  If 
bandwidth in one direction is unused, why limit the other direction?

snip

Regards,
David



[LARTC] Wondershaper and favoring UDP traffic

2002-11-04 Thread Kenneth Porter
I'd like to put all UDP traffic from ports 28000-28099 into the
high-priority queue that WonderShaper creates. (This is game traffic, so
it's highly sensitive to latency and dropping. Alas, the game authors
didn't mark the packets for QoS.) What would be the best way to insure it
gets into the right queue? Right now it looks like it's going in the middle
(default) queue.



Re: [LARTC] Wondershaper and favoring UDP traffic

2002-11-04 Thread Stef Coene
On Monday 04 November 2002 11:11, Kenneth Porter wrote:
 I'd like to put all UDP traffic from ports 28000-28099 into the
 high-priority queue that WonderShaper creates. (This is game traffic, so
 it's highly sensitive to latency and dropping. Alas, the game authors
 didn't mark the packets for QoS.) What would be the best way to insure it
 gets into the right queue? Right now it looks like it's going in the middle
 (default) queue.
Add a u32 filter and put all traffic in band 2.  If you open the wondershaper 
script, you find some examples of the filter commands.


Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] wondershaper problem

2002-09-24 Thread Stef Coene

On Monday 23 September 2002 01:16, Kristoffer Ottosson wrote:
 Hi

 I have two lucent wlancards and one 3com ethernet card running on my box.
 I'm running routing tables with iproute2 in order to route all the packets
 correctly ... Now I wonder, I should be able to use wondershaper on top of
 this, right?
Are you sure you have all the needed options in the kernel?


Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net




[LARTC] wondershaper problem

2002-09-22 Thread Kristoffer Ottosson



Hi

I have two lucent wlancards and one 3com ethernet card running on my box.
I'm running routing tables with iproute2 in order to route all the packets
correctly ... Now I wonder, I should be able to use wondershaper on top of
this, right?

When I try to run wondershaper, it does nothing, and gives me lots of error
messages ...
The beginning of them are quoted here (output with -x activated in the
beginning of the script):

+ DOWNLINK=1024
+ UPLINK=1024
+ DEV=eth1
+ NOPRIOHOSTSRC=80
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' '' = status ']'
+ tc qdisc del dev eth1 root
+ tc qdisc del dev eth1 ingress
+ '[' '' = stop ']'
+ tc qdisc add dev eth1 root handle 1: cbq avpkt 1000 bandwidth 10mbit
RTNETLINK answers: Invalid argument
+ tc class add dev eth1 parent 1: classid 1:1 cbq rate 1024kbit allot 1500 prio 5 bounded isolated
RTNETLINK answers: Invalid argument
+ tc class add dev eth1 parent 1:1 classid 1:10 cbq rate 1024kbit allot 1600 prio 1 avpkt 1000
RTNETLINK answers: Invalid argument
+ tc class add dev eth1 parent 1:1 classid 1:20 cbq rate 921kbit allot 1600 prio 2 avpkt 1000
RTNETLINK answers: Invalid argument
+ tc class add dev eth1 parent 1:1 classid 1:30 cbq rate 819kbit allot 1600 prio 2 avpkt 1000
RTNETLINK answers: Invalid argument

and so it continues on every single command-line wondershaper tried to type in.
anybody have a clue, I would be grateful

/Snowi3


Re: [LARTC] Wondershaper

2002-09-18 Thread Adi Nugroho

On Wednesday 18 September 2002 12:42, Justin Morea wrote:
 How can I tell if wondershaper is running correctly

tc qdisc sh dev $dev
tc class sh dev $dev

tc -s -d qdisc show dev $dev
tc -s -d class show dev $dev


 Can anyone recommend a good program to log bandwidth
 usage?

I would recommend mrtg.

-- 
Salam,

Adi Nugroho



[LARTC] Wondershaper

2002-09-17 Thread Justin Morea

I think I've gotten everything up and running but I'm
not sure.

How can I tell if wondershaper is running correctly (I
just put the command /wondershaper/wshaper in my
/etc/rc.local)?

Can anyone recommend a good program to log bandwidth
usage?

Thanx
Snuffy2




Re: [LARTC] Wondershaper

2002-09-17 Thread Stef Coene

On Wednesday 18 September 2002 06:42, Justin Morea wrote:
 I think I've gotten everything up and running but I'm
 not sure.

 How can I tell if wondershaper is running correctly (I
 just put the command /wondershaper/wshaper in my
 /etc/rc.local)?

 Can anyone recommend a good program to log bandwidth
 usage?
iptraf, ethereal, ntop, a quick google search will show some more.


Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] Wondershaper

2002-09-06 Thread Stef Coene

On Friday 06 September 2002 10:52, Sebastian Bleikamp wrote:
 Hi !

 I've been using the wonderful wondershaper from chapter 15.8 of the
 LARTC Howto for some time. It's really wonderful.
That's exactly why it's called the wondershaper :)

 Actually, I use the version from
 http://freshmeat.net/projects/wshaper/?topic_id=87

 Now I tried to put some hosts to low priority, and it doesn't work. The
 traffic is split equally between the noprio and the other hosts.
 Is this because I use ip masquerading, and all the traffic seems (for
 the shaper) to come from one host ? The U32 filter and the other setup
 works correctly, because e.g. ssh traffic on port 23 always has highest
 priority.

 Has anybody an idea how to fix it ?
You can use another filter : fw.  This filter can use the iptables/ipchains 
mark.  And you can put this mark when the packet enters the LAN NIC so you 
can use the ip-address of the incoming packets from your lan, mark these 
packets and use the mark on the internet NIC.

 I think a nice sketch about the order of routing/postrouting and traffic
 shaping would help me.
I have one on docum.org, but it needs some updates.  It's the one posted some 
months ago on this list.  You can find it under KPTD.

Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
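
One way to write the fw-filter approach described in the reply above, as an added example that is not from the original thread: it prints the iptables and tc commands for review instead of running them. The interface names (eth2, ppp0), the mark value 30, the filter prio 5 and the host addresses are assumptions; class 1:30 is the lowest wondershaper class as it appears in the script output quoted elsewhere in this archive.

```shell
#!/bin/sh
# Added example: classify masqueraded LAN hosts by firewall mark.
# All defaults below are assumptions; override them from the environment.
LAN_IF=${LAN_IF:-eth2}        # NIC facing the LAN
WAN_IF=${WAN_IF:-ppp0}        # NIC that wondershaper shapes
LOW_MARK=${LOW_MARK:-30}      # firewall mark for low-priority hosts
LOW_CLASS=${LOW_CLASS:-1:30}  # wondershaper's lowest-priority class

# Accept only dotted-quad IPv4 addresses, so nothing else ends up in a
# generated command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Mark one host on the LAN side. In mangle/PREROUTING the packet still
# carries its private source address; masquerading rewrites the source
# later, in nat/POSTROUTING, but the mark stays attached to the packet.
mark_rule() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 1; }
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $1 -j MARK --set-mark $LOW_MARK"
}

# Steer marked packets into the low-priority class on the internet NIC.
# prio 5 is assumed to be unused and lower than the prio values of
# wondershaper's own u32 filters, so this filter is consulted first.
fw_filter_rule() {
    echo "tc filter add dev $WAN_IF parent 1:0 protocol ip prio 5 handle $LOW_MARK fw flowid $LOW_CLASS"
}

# Print the complete rule set for the given hosts; stop at the first bad one.
build_ruleset() {
    fw_filter_rule
    for host in "$@"; do
        mark_rule "$host" || return 1
    done
}

# Usage: sh fwmark.sh 192.168.1.20 192.168.1.21   (prints, does not apply)
if [ "$#" -gt 0 ]; then
    build_ruleset "$@"
fi
```

Run the printed commands as root after wondershaper has created its classes, then check with `tc -s class show dev ppp0` that the counters of class 1:30 grow while a marked host is uploading.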



Re: [LARTC] Wondershaper

2002-09-06 Thread Sebastian Bleikamp



Stef Coene wrote:
 Try efsq.  It's SFQ (so each flow gets an equal chance to send something).  
 But efsq uses only dst/src address and not dst/src address/port like sfq.  
 Ideal to kill download managers because all traffic from/to the same hosts is 
 considered as one stream.
 I have a link on docum.org under FAQ.

I will test it, thnx.


But another question:
I tried your solution via fwmark, and it works. At least when the router 
is forwarding. I can slow down hosts on my LAN this way. If i try to 
slow the gateway/router down, it fails.

I have added a mark to all outgoing traffic on ppp0, which comes from 
the router, to the OUTGOING/mangle table. But it doesn't work this way. 
But from the sketch on your homepage this should work. I already checked 
the IPs and devices and they are correct.

Any suggestions ? ;-)


Seb.



-= Sebastian Bleikamp
-= EMail: [EMAIL PROTECTED]
-= Phone: +49-172-6545394
