Re: [LARTC] bridge or vlan
On 10/22/07 15:50, Vaidas M wrote:
> Thanks for your answer, this would help.
You are welcome.
> I think I know how to block arp:
>     -p ARP -j DROP
> something like that, and the broadcasts:
>     --pkttype-type ...
Be careful blocking all ARP / broadcasts. Remember that equipment will need to ARP to find the router, at least from the two LANs that are not common with the router. You will probably want to allow ARPs to the router's IP address (and any other common equipment) and block all others.
Grant.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] bridge or vlan
Hello to everyone,
Here is the situation:

    [LAN1]---[eth3]/--------\
                   | LinuxBR |[eth2]---[LAN0]---[linuxGW]---[internet]
    [LAN2]---[eth4]\--------/

The whole LAN is in subnet 10.0.0.0/24. So I need:
- LAN0, LAN1, LAN2 must not be able to see each other.
- LAN0, LAN1, LAN2 are in the same subnet (10.0.0.0/24).
- All LANs have to get only internet.
How can I configure LinuxBR to do so? Do I have to do only bridge? Or only vlan? Or both?
Thanks.
--
Vaidas M. [Noxius]
Re: [LARTC] bridge or vlan
On Sat, 20 Oct 2007 14:23:12 +0300 Vaidas M [EMAIL PROTECTED] wrote:
> Hello to everyone,
> Here is the situation:
>
>     [LAN1]---[eth3]/--------\
>                    | LinuxBR |[eth2]---[LAN0]---[linuxGW]---[internet]
>     [LAN2]---[eth4]\--------/
>
> The whole LAN is in subnet 10.0.0.0/24. So I need:
> - LAN0, LAN1, LAN2 must not be able to see each other.
> - LAN0, LAN1, LAN2 are in the same subnet (10.0.0.0/24).
> - All LANs have to get only internet.
> How can I configure LinuxBR to do so? Do I have to do only bridge? Or only vlan? Or both?

On LinuxBR:

    iptables -A FORWARD -s 10.0.0.0/24 -d linuxGW_IP/32 -j ACCEPT
    iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -j DROP
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d linuxGW_IP/32 -j MASQUERADE

On linuxGW:

    iptables -t nat -A POSTROUTING -s LinuxBR_IP/32 -j MASQUERADE

--
With best regards,
Pan'ko Alexander.
Re: [LARTC] bridge and ipp2p question
This is not possible because ipp2p does not match every p2p packet but only some essential signaling packets. By filtering these packets, the p2p client cannot establish connections to transfer data, and that's how it filters it. Sometimes, ipp2p 'discovers' that this is a p2p related connection after the connection has been established, and then drops the signaling packets. And since you are not an AS and you have one different address per connection, you cannot route packets with a different source address than the one the connection has been established with.

I have a different approach on this; it is not a perfect solution, but it works quite well in some environments: I route all the traffic through one NIC (the garbage p2p connection) and then (with iptables or u32) direct the important traffic by port (HTTP, FTP, IRC, MSN, DNS, SMTP, POP, etc.) through the other NIC (the non-p2p connection). Then I filter (with ipp2p) the p2p traffic on the non-p2p NIC, because some p2p clients try to mask their connections as if they were these services. This works quite well, but you need to know every service your clients use.

I use this on a router; I never tested this with a bridge, but it may work too.

--
Marco

On 1/17/07, Roberto Pereyra [EMAIL PROTECTED] wrote:
> Hi all !!!
> I have a firewall bridge (not router) with two nics that filter p2p with ipp2p. All works fine, but now I need to add a third nic to route all p2p traffic through this nic. Is that possible with a bridge?
> Later (with another server) connected to this nic I do load balancing with two adsl lines to route all p2p traffic.
> Any hint? Any howto?
> Thanks in advance.
> roberto
> --
> Ing. Roberto Pereyra
> ContenidosOnline
[LARTC] bridge and ipp2p question
Hi all !!!
I have a firewall bridge (not router) with two nics that filter p2p with ipp2p. All works fine, but now I need to add a third nic to route all p2p traffic through this nic. Is that possible with a bridge?
Later (with another server) connected to this nic I do load balancing with two adsl lines to route all p2p traffic.
Any hint? Any howto?
Thanks in advance.
roberto
--
Ing. Roberto Pereyra
ContenidosOnline
Looking for Linux Virtual Private Servers? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426a_bid=56
[LARTC] Bridge HFSC QOS questions ...
Hello,
I've got some questions about Bridge and QOS ... I've got a server with 2 interfaces eth0, eth1 inside the br0 bridge ... nothing special ... If I understand it all, normally I should configure TC classes and qdiscs on each physical interface, or use ebtables to manage packets on output ... right?
I've attached my qos_script that uses hfsc and the layer7 module. I use only iptables in this script... maybe I should use ebtables too?
Can anyone take a look at this script and tell me if I've made any errors, because it seems that it does not work :(
Thanks for the help
Sébastien

    SPEED=30
    DEV=eth0
    # the CLASSIFY targets must be quoted, otherwise the shell only assigns "-j"
    CL1="-j CLASSIFY --set-class 1:10"
    CL2="-j CLASSIFY --set-class 1:11"
    CL3="-j CLASSIFY --set-class 1:12"
    CL4="-j CLASSIFY --set-class 1:13"
    CL5="-j CLASSIFY --set-class 1:14"
    RET="-j RETURN"

    echo -n "+ Create root queue discipline for ${DEV} cpe interface"
    tc qdisc add dev ${DEV} root handle 1: hfsc default 13
    echo "[done]"

    iptables -t mangle -A POSTROUTING -j LOG
    iptables -t mangle -N SHAPPER
    iptables -t mangle -A POSTROUTING -j SHAPPER

    # add main rate limit class
    echo -n "+ Create class for CPE SHAPPING"
    tc class add dev ${DEV} parent 1: classid 1:1 hfsc sc rate ${SPEED}mbit ul rate ${SPEED}mbit
    echo "[done]"

    # Interactive traffic: guarantee realtime full uplink for 50ms, then
    # 1/10 of the uplink
    echo -n "+ Append subclass for low delay"
    tc class add dev ${DEV} parent 1:1 classid 1:10 hfsc \
        rt m1 ${SPEED}mbit d 50ms m2 $((1*SPEED/10))mbit \
        ls m1 ${SPEED}mbit d 50ms m2 $((3*SPEED/10))mbit \
        ul rate ${SPEED}mbit

    # To speed up downloads while an upload is going on, put short ACK
    # packets in the interactive class:
    iptables -t mangle -A SHAPPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length :64 $CL1
    iptables -t mangle -A SHAPPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length :64 $RET

    # ICMP in the interactive class
    iptables -t mangle -A SHAPPER -p icmp $CL1
    iptables -t mangle -A SHAPPER -p icmp $RET

    # All traffic optimized for minimize monetary cost TOS 0x02
    iptables -t mangle -A SHAPPER -m tos --tos 0x02 $CL1
    iptables -t mangle -A SHAPPER -m tos --tos 0x02 $RET

    # All traffic optimized for minimize delay TOS 0x10
    iptables -t mangle -A SHAPPER -m tos --tos 0x10 $CL1
    iptables -t mangle -A SHAPPER -m tos --tos 0x10 $RET

    # Interactive port
    #iptables -t mangle -A SHAPPER -p tcp -m multiport --sports ftp,ftp $CL1
    #iptables -t mangle -A SHAPPER -p tcp -m multiport --sports ssh,ftp $RET

    # All udp dns traffic
    iptables -t mangle -A SHAPPER -p udp --dport 53 $CL1
    iptables -t mangle -A SHAPPER -p udp --dport 53 $RET
    echo "[done]"

    # VoIP: guarantee full uplink for 200ms, then 5/10
    echo -n "+ Append subclass for VoIP traffic"
    # ul rate was "${SPEED}kbit" as posted; every other class uses mbit
    tc class add dev ${DEV} parent 1:1 classid 1:11 hfsc \
        sc m1 ${SPEED}mbit d 200ms m2 $((5*SPEED/10))mbit \
        ul rate ${SPEED}mbit
    iptables -t mangle -A SHAPPER -p tcp -m multiport --sports sip $CL2
    iptables -t mangle -A SHAPPER -p tcp -m multiport --sports sip $RET
    iptables -t mangle -A SHAPPER -p tcp -m multiport --dport 1:2 $CL2
    iptables -t mangle -A SHAPPER -p tcp -m multiport --dport 1:2 $RET
    echo "[done]"

    # smtp traffic: don't guarantee anything for the first 10 seconds,
    # then guarantee 1/20
    echo -n "+ Append subclass for high reliability traffic"
    tc class add dev ${DEV} parent 1:1 classid 1:12 hfsc \
        sc m1 0 d 10s m2 $((1*SPEED/20))mbit \
        ul rate ${SPEED}mbit
    iptables -t mangle -A SHAPPER -p tcp -m multiport --sports smtp,ssmtp $CL3
    iptables -t mangle -A SHAPPER -p tcp -m multiport --sports smtp,ssmtp $RET
    iptables -t mangle -A SHAPPER -m tos --tos 0x04 $CL3
    iptables -t mangle -A SHAPPER -m tos --tos 0x04 $RET
    echo "[done]"

    # p2p traffic: don't guarantee anything for the first 20 seconds,
    # then guarantee 1/20
    echo -n "+ Append subclass for P2P"
    tc class add dev $DEV parent 1:1 classid 1:14 hfsc \
        sc m1 0 d 20s m2 $((1*SPEED/20))mbit \
        ul rate ${SPEED}mbit
    iptables -t mangle -A SHAPPER -m layer7 --l7proto edonkey $CL5
    iptables -t mangle -A SHAPPER -m layer7 --l7proto edonkey $RET
    iptables -t mangle -A SHAPPER -m layer7 --l7proto fasttrack $CL5
    iptables -t mangle -A SHAPPER -m layer7 --l7proto fasttrack $RET
    iptables -t mangle -A SHAPPER -m layer7 --l7proto bittorrent $CL5
    iptables -t mangle -A SHAPPER -m layer7 --l7proto bittorrent $RET
    echo "[done]"

    # Default traffic: don't guarantee anything for the first two seconds,
    echo -n "+ Append subclass for high bandwidth, low latency traffic (default)"
    tc class add dev $DEV parent 1:1 classid 1:13 hfsc \
        sc m1 0 d 2s m2 $((1*SPEED/20))mbit \
        ul rate ${SPEED}mbit
    iptables -t mangle -A SHAPPER -m tos --tos 0x08 $CL4
    iptables -t mangle -A SHAPPER -m tos --tos 0x08 $RET
    iptables -t mangle -A SHAPPER $CL4
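One thing worth checking in a script like the one above before blaming the bridge is whether the real-time guarantees can all be honoured at once: HFSC only keeps rt guarantees whose sum stays within the link rate, and an 'sc' curve counts as rt plus ls. The following is an added example (not part of the posted script) that models the leaf classes under 1:1 with SPEED=30 mbit, using integer division because bash arithmetic truncates (30/20 is 1), and finds the instant at which the summed rt demand is highest. The class ids and curve values are the ones in the script; nothing else is assumed.

```python
"""Real-time oversubscription check for the HFSC tree in the posted script.

Added example, not code from the post.  Curves are copied from the script
with SPEED=30 (mbit); m2 uses // because bash $[...] truncates.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

SPEED = 30  # mbit, as in the script


@dataclass(frozen=True)
class Curve:
    """Two-piece HFSC service curve: rate m1 for the first d seconds, then m2."""
    m1: int    # mbit/s during the burst phase
    d: float   # seconds
    m2: int    # mbit/s afterwards

    def rate_at(self, t: float) -> int:
        return self.m1 if t < self.d else self.m2

    def served_by(self, t: float) -> float:
        """Megabits the curve promises to have delivered by time t."""
        if t < self.d:
            return self.m1 * t
        return self.m1 * self.d + self.m2 * (t - self.d)


# Real-time part of every leaf: the rt curve of 1:10, the sc curve of the rest
# (ls-only curves are not guarantees and are left out).
RT_CURVES: Dict[str, Curve] = {
    "1:10": Curve(SPEED, 0.050, 1 * SPEED // 10),  # interactive: rt m1 30 d 50ms m2 3
    "1:11": Curve(SPEED, 0.200, 5 * SPEED // 10),  # VoIP:        sc m1 30 d 200ms m2 15
    "1:12": Curve(0, 10.0, 1 * SPEED // 20),       # smtp:        sc m1 0 d 10s m2 1
    "1:14": Curve(0, 20.0, 1 * SPEED // 20),       # p2p:         sc m1 0 d 20s m2 1
    "1:13": Curve(0, 2.0, 1 * SPEED // 20),        # default:     sc m1 0 d 2s m2 1
}


def aggregate_rt_rate(curves: Dict[str, Curve], t: float) -> int:
    """Summed rt rate the link is asked to guarantee at time t."""
    return sum(c.rate_at(t) for c in curves.values())


def peak_rt_demand(curves: Dict[str, Curve]) -> Tuple[int, float]:
    """Highest summed rt rate and the first time it is demanded.

    Each curve's rate only changes at its own d, so evaluating t=0 and every
    d is exhaustive for piecewise-constant rates."""
    times = sorted({0.0} | {c.d for c in curves.values()})
    t_peak = max(times, key=lambda t: aggregate_rt_rate(curves, t))
    return aggregate_rt_rate(curves, t_peak), t_peak


def oversubscribed(curves: Dict[str, Curve], link_mbit: int) -> bool:
    """True when the rt curves together demand more than the link can carry."""
    return peak_rt_demand(curves)[0] > link_mbit


def steady_state_rt(curves: Dict[str, Curve]) -> int:
    """Summed m2 guarantees once every burst phase has expired."""
    return sum(c.m2 for c in curves.values())


if __name__ == "__main__":
    peak, when = peak_rt_demand(RT_CURVES)
    print(f"peak rt demand {peak} mbit at t={when}s, link {SPEED} mbit, "
          f"oversubscribed={oversubscribed(RT_CURVES, SPEED)}")
    print(f"steady-state rt demand {steady_state_rt(RT_CURVES)} mbit")
```

With the script's numbers the steady-state guarantees add up to 21 mbit, which fits, but in the first 50 ms both 1:10 and 1:11 promise the full 30 mbit, so the link is asked for 60 mbit at t=0 and the burst-phase guarantees cannot both hold; lowering one of the two m1 rates removes the overlap.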
[LARTC] Bridge HFSC QOS ... strange TC values ...
Hello,
I've set up HFSC QOS using this script as a base: http://automatthias.wordpress.com/2006/06/30/hfsc-and-voip/
I have a bridge with eth0 and eth1 inside br0. I haven't used ebtables, just iptables. I need to have different values for upload and download; this is why I've set up QOS on 2 interfaces.
It is very strange, but the root (2:) and main parent (2:2) queues are still empty with HFSC. I've got another shaper running with HTB, and there these 2 queues do have a value?

    # tc -s -d class show dev eth1
    class hfsc 2: root
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
    class hfsc 2:22 parent 2:2 sc m1 0bit d 10.0s m2 1000Kbit ul m1 0bit d 0us m2 3Kbit
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
    class hfsc 2:23 parent 2:2 sc m1 0bit d 2.0s m2 1000Kbit ul m1 0bit d 0us m2 3Kbit
     Sent 3545998683 bytes 2796571 pkts (dropped 299, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
    class hfsc 2:2 parent 2: sc m1 0bit d 0us m2 3Kbit ul m1 0bit d 0us m2 3Kbit
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
    class hfsc 2:20 parent 2:2 rt m1 3Kbit d 50.0ms m2 3000Kbit ls m1 3Kbit d 50.0ms m2 9000Kbit ul m1 0bit d 0us m2 3Kbit
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
    class hfsc 2:21 parent 2:2 sc m1 3Kbit d 200.0ms m2 15000Kbit ul m1 0bit d 0us m2 3bit
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
    class hfsc 2:24 parent 2:2 sc m1 0bit d 20.0s m2 1000Kbit ul m1 0bit d 0us m2 3Kbit
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352

I hope that someone could give me a hand. I can send the script I use.
regards
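The output quoted above does carry useful information once it is parsed rather than read: only one leaf (2:23) ever saw packets, and every leaf's upper limit is far below its own m2 guarantee. The following is an added example (not code from the post) that parses `tc -s class show` output for an HFSC tree and reports both. SAMPLE is the posted output re-wrapped with one field group per line and the same numbers; the default leaf is assumed to be 2:23 by analogy with the `default 13` in the earlier script (the post does not say which class is the default).

```python
"""Parse 'tc -s class show dev DEV' for an HFSC tree and lint it.

Added example, not from the post.  SAMPLE is the posted output, re-wrapped
(constructed from the quoted numbers); nothing here needs a real interface.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
class hfsc 2: root
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
class hfsc 2:22 parent 2:2 sc m1 0bit d 10.0s m2 1000Kbit ul m1 0bit d 0us m2 3Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
class hfsc 2:23 parent 2:2 sc m1 0bit d 2.0s m2 1000Kbit ul m1 0bit d 0us m2 3Kbit
 Sent 3545998683 bytes 2796571 pkts (dropped 299, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
class hfsc 2:2 parent 2: sc m1 0bit d 0us m2 3Kbit ul m1 0bit d 0us m2 3Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
class hfsc 2:20 parent 2:2 rt m1 3Kbit d 50.0ms m2 3000Kbit ls m1 3Kbit d 50.0ms m2 9000Kbit ul m1 0bit d 0us m2 3Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
class hfsc 2:21 parent 2:2 sc m1 3Kbit d 200.0ms m2 15000Kbit ul m1 0bit d 0us m2 3bit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
class hfsc 2:24 parent 2:2 sc m1 0bit d 20.0s m2 1000Kbit ul m1 0bit d 0us m2 3Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 2067840 bytes level 3466779352
"""

HEADER = re.compile(r"^class hfsc (\S+) (?:root|parent (\S+))(.*)$")
CURVE = re.compile(r"\b(rt|ls|sc|ul) m1 (\S+) d (\S+) m2 (\S+)")
SENT = re.compile(r"Sent (\d+) bytes (\d+) pkts \(dropped (\d+), overlimits (\d+)\)")
RATE = re.compile(r"^(\d+)([KMG]?)bit$")
MULT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def rate_bps(text: str) -> int:
    """'1000Kbit' -> 1000000; tc prints decimal multiples for rates."""
    m = RATE.match(text)
    if not m:
        raise ValueError("unparsable rate: " + text)
    return int(m.group(1)) * MULT[m.group(2)]


@dataclass
class HfscClass:
    classid: str
    parent: Optional[str]
    m2: Dict[str, int] = field(default_factory=dict)  # curve name -> m2 in bit/s
    sent_bytes: int = 0
    sent_pkts: int = 0
    dropped: int = 0


def parse_classes(text: str) -> Dict[str, HfscClass]:
    """One HfscClass per 'class hfsc' record, keyed by classid."""
    classes: Dict[str, HfscClass] = {}
    current: Optional[HfscClass] = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = HfscClass(h.group(1), h.group(2))
            for name, _m1, _d, m2 in CURVE.findall(h.group(3)):
                current.m2[name] = rate_bps(m2)
            classes[current.classid] = current
            continue
        s = SENT.search(line)
        if s and current is not None:  # the 'period/work/level' line is ignored
            current.sent_bytes, current.sent_pkts, current.dropped = (
                int(s.group(i)) for i in (1, 2, 3))
    return classes


def leaves(classes: Dict[str, HfscClass]) -> List[str]:
    parents = {c.parent for c in classes.values() if c.parent}
    return [cid for cid in classes if cid not in parents]


def traffic_report(classes: Dict[str, HfscClass], default_leaf: str) -> dict:
    """Leaves that saw packets; only_default means no filter ever classified."""
    active = [cid for cid in leaves(classes) if classes[cid].sent_pkts > 0]
    return {"active": active, "only_default": active == [default_leaf]}


def ul_below_guarantee(classes: Dict[str, HfscClass]) -> List[str]:
    """Classes whose ul m2 is below their own rt/sc m2.  ul caps only the
    link-sharing part, so the guarantee itself survives, but a ceiling under
    the guarantee is almost always a unit slip (Kbit vs Mbit)."""
    out = []
    for cid, c in classes.items():
        guarantee = max(c.m2.get("rt", 0), c.m2.get("sc", 0))
        if "ul" in c.m2 and c.m2["ul"] < guarantee:
            out.append(cid)
    return sorted(out)
```

Run against SAMPLE, traffic_report(..., "2:23") says only the default leaf is active, which means none of the classifying rules matched anything on eth1, and ul_below_guarantee lists every leaf, consistent with the ul rate carrying a kbit suffix where an mbit one was intended.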
Re: [LARTC] Bridge and Router on the same device
On 11/13/06, Net Cerebrum [EMAIL PROTECTED] wrote:
> I want to configure a device with three network interfaces where two of them would bridge two segments of the LAN subnet and the third one would be connected to the WAN link.
> eth0 - 10.10.10.2/24 to be connected to the internet gateway having IP 10.10.10.1/24 (also the default gateway for the device)
> eth1 and eth2 bridged as br0 with IP address 172.16.100.1 connected to different segments of the subnet 172.16.100.0/24.
>
>              WAN (10.10.10.1)
>                     |
>                     |
>              eth0 (10.10.10.2)
>           -eth1            eth2--
>     LAN (172.16.100.0/24)    LAN (172.16.100.0/24)
>
> I plan to configure the Bridge IP (172.16.100.1) as the default gateway for the LAN and also regulate the traffic between the two bridged interfaces (eth1 and eth2) using a user space tool. Further, since the traffic meant for the internet would pass through eth0, there would be a need to regulate the traffic between eth1 and eth0 and also eth2 and eth0.
> Is the above arrangement feasible? Would it be possible to define static routes on this device itself involving hosts reachable through either of the interfaces?
> Thank you in advance.

I think it's possible, but what does regulating traffic between the two bridged interfaces mean? Remember that a bridge works at the data link layer, so I think it won't be possible to filter bridged traffic at higher layers (TCP/IP) on the bridge device. Maybe you can filter at the network and transport layers on the physical interfaces which are attached to the bridge (eth1, eth2) with iptables if you really need it. Don't know if you mean filtering by saying regulating.

Routing and bridging is possible. The default gateway for the hosts in 172.16.100.0/24 should be 172.16.100.1, and there's nothing wrong with using an IP which is bound to a bridge interface. For traffic that needs to be routed from the 172.16.100.0/24 network through the WAN interface you can treat the bridge as a physical interface. 10.10.10.1 should be the default gateway for this machine.

Regards.
[LARTC] bridge stops bridging
I recently upgraded my gateway to a pIII 600 with a zyxel 4 port nic (tulip) and bridge eth0 and eth1; eth0 is a crossover cable to my PC, eth1 a switch.

I don't have ifconfig on this box (LFS) and couldn't find any examples of bridging using ip - maybe this is relevant, maybe not - I've tried a few combinations of different orders of setting things up. Is there a magic one?

There is normally no traffic across the bridge - it is all to/from br0. (It's still needed though, for games that use ipx/same subnet, and I multicast out of br0 (don't know how to add a mcast route to more than one if).)

I expected things to just bridge, but this does not always happen (maybe timeout), eg pinging a box on the switch from a box on eth0 fails at ip level - arp passes eth0 both ways, but I can't see any ip with tcpdump on eth0; pinging from a box on the switch however doesn't get arp replies from eth0.

I can fix it by running a script on the bridge box to toggle eth0 down/up, which forces learning and all is then OK.

brctl showmacs br0 looks no different whether it's working or not - all macs are shown and traffic to/from br0 always works.

Kernel (tainted by dsl modem) is 2.6.17.11, iproute2-ss060323, bridge-utils 1.1. STP off (turning it on doesn't fix it).

Andy.
[LARTC] Bridge and Router on the same device
I want to configure a device with three network interfaces where two of them would bridge two segments of the LAN subnet and the third one would be connected to the WAN link.
eth0 - 10.10.10.2/24 to be connected to the internet gateway having IP 10.10.10.1/24 (also the default gateway for the device)
eth1 and eth2 bridged as br0 with IP address 172.16.100.1 connected to different segments of the subnet 172.16.100.0/24.

             WAN (10.10.10.1)
                    |
                    |
             eth0 (10.10.10.2)
          -eth1            eth2--
    LAN (172.16.100.0/24)    LAN (172.16.100.0/24)

I plan to configure the Bridge IP (172.16.100.1) as the default gateway for the LAN and also regulate the traffic between the two bridged interfaces (eth1 and eth2) using a user space tool. Further, since the traffic meant for the internet would pass through eth0, there would be a need to regulate the traffic between eth1 and eth0 and also eth2 and eth0.
Is the above arrangement feasible? Would it be possible to define static routes on this device itself involving hosts reachable through either of the interfaces?
Thank you in advance.
[LARTC] bridge QoS
hi everybody.
i have a bridge, and i want to apply QoS with htb and layer7 on both interfaces (eth0 and eth1). should i apply qdiscs and classes to each individual interface (eth0 and eth1, not br0)?
if someone is using layer7, which is the right place to put the iptables rules to assure that all packets (from internet to LAN and vice versa) get analyzed for layer7 patterns, including those that are for/from the bridge (it will have an ip address)?
(maybe iptables -A POSTROUTING -m layer7 --l7proto someproto -j MARK --set-mark 3 ?)
thanks in advance.
Roberto Scattini
[LARTC] bridge with packetrate limiter and absolute priority?
Hi.
I am trying to bend my brain around 'tc' and friends and am failing so far.
I need to set up a bridge which limits the packet rate to 2000 packets/s, but with the added twist that packets with a certain DSCP value must be given absolute priority in both directions.
The packet rate limit thing appears to be easy:

    brcfg addbr br0
    brcfg addif br0 eth0
    brcfg addif br0 eth1
    ifconfig eth0 promisc up
    ifconfig eth1 promisc up
    ifconfig br0 192.168.10.1 promisc up
    ebtables -P FORWARD DROP
    ebtables -A FORWARD --logical-out br0 --limit 2000/s -j ACCEPT

I think this bit works. (A bit difficult to measure. iptraf only reveals packet rates for physical ethernet interfaces. Are there better alternatives to monitor the packet rate on a live interface?)
But I need to make sure the packets are prioritized before they enter the bridge device. I was hoping the ingress qdisc could help me here. Something like this:

    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip tos 0xC0 0xff
    tc filter add dev eth0 parent ffff: protocol ip prio 2 u32 match ip dst 0/0
    tc qdisc add dev eth1 handle ffff: ingress
    tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 match ip tos 0xC0 0xff
    tc filter add dev eth1 parent ffff: protocol ip prio 2 u32 match ip dst 0/0

I would not be terribly surprised if the lines above make somebody cry. Or laugh. Or both.
The idea was to prioritize packets with the right DSCP value over all other packets, causing the other packets to be dropped first. This does not appear to work. Is what I am trying to do at all doable with the current tools?
And by the way: 'man tc' refers to the 'tc-filter' man-page, which I cannot find.
Regards,
Dag B
RE: [LARTC] Bridge + TC
> I posted out on this problem some time ago and could never get 2.4.25 or any 2.6 kernel to work with TC + Bridging. If anyone has this working and has actually tested it (I am actually just doing IP based iptables filtering from my bridge interface) please let us know what version of iproute you used and what patches you applied and with which version of the kernel.

- Vanilla kernel 2.6.3 from kernel.org - no patches applied, just ethernet bridging and "Bridged IP/ARP packets filtering" enabled in the kernel config.
- iptables snapshot v1.2.9-20040302
- as far as I remember tc is from the htb homepage http://luxik.cdi.cz/~devik/qos/htb/

Regards,
--
+++ NEW at GMX and for the first time in Germany: TÜV-certified virus protection +++
100% virus detection according to the Wildlist. Info: http://www.gmx.net/virenschutz
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
[LARTC] Bridge + TC
I'm hoping someone can provide a little input that might help me out a little...

I've recently tried to set up a 3-interface transparent bridge, where 2 internal interfaces (eth1, eth2) funnel into 1 outgoing interface (eth0). The idea was that eth1 gets priority over eth2 in all cases.

The bridge works flawlessly - it passes all layer2 traffic through properly. The traffic control however does not work at all. (The LARTC Howto says bridging + tc should work as advertised, but no examples or instructions are given...) The conclusion I came to was that bridging is done in layer2, and so traffic control code (typically layer3) never gets to touch it. Am I wrong?

Setup was: mark packets with ebtables, then filter into 2 qdiscs based on those marks.

Ebtables bit:

    ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1
    ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2

- This works, as ebtables' counters do count matching packets correctly (connecting a machine to an interface, and starting . (I assume that they set sk_buff->nfmark properly.) .

Classes:

    tc qdisc add dev eth0 root handle 1: htb default 10
    tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit
    tc class add dev eth0 parent 1:1 classid 1:10 htb rate 450kbit ceil 500kbit prio 0
    tc class add dev eth0 parent 1:1 classid 1:20 htb rate 50kbit ceil 500kbit prio 1
    tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
    tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20

As I understand it, the second last line should put packets with nfmark 1 into class 1:10 (450-500 kbit), and the last line should put packets with nfmark 2 into class 1:20 (50-500 kbit).

With an active host plugged into eth2, all I get is traffic going through the default class (1:10) according to 'tc -s show class dev eth0'.

If anyone could offer any suggestions, I'd be glad to hear 'em.

Cheers,
jon anderson
Re: [LARTC] Bridge + TC
Hi,

I've got an almost similar setup, which is working fine. Something I noticed: you say everything is going into class 1:10, which is both your default AND you got a filter for it -?? I also see that your default filter has handle 1; in my setup the handles of the filters are unique. For the rest, the only real difference is that I mark in the iptables mangle PREROUTING table, maybe an idea to test that.

So I would suggest testing:
1) no filter rule for 1:10 which is default
2) no filters with handle 1 (I start at 101 for the filters)
3) marking with iptables in mangle PREROUTING

should work, it's working fine here on 2.4.24+ebtables

Cheers,
Jeroen.

On Mon, 15 Mar 2004 11:15:48 + Jon Anderson [EMAIL PROTECTED] wrote:
> I'm hoping someone can provide a little input that might help me out a little...
>
> I've recently tried to set up a 3-interface transparent bridge, where 2 internal interfaces (eth1, eth2) funnel into 1 outgoing interface (eth0). The idea was that eth1 gets priority over eth2 in all cases.
>
> The bridge works flawlessly - it passes all layer2 traffic through properly. The traffic control however does not work at all. (The LARTC Howto says bridging + tc should work as advertised, but no examples or instructions are given...) The conclusion I came to was that bridging is done in layer2, and so traffic control code (typically layer3) never gets to touch it. Am I wrong?
>
> Setup was: mark packets with ebtables, then filter into 2 qdiscs based on those marks.
>
> Ebtables bit:
>
>     ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1
>     ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2
>
> - This works, as ebtables' counters do count matching packets correctly (connecting a machine to an interface, and starting . (I assume that they set sk_buff->nfmark properly.) .
>
> Classes:
>
>     tc qdisc add dev eth0 root handle 1: htb default 10
>     tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit
>     tc class add dev eth0 parent 1:1 classid 1:10 htb rate 450kbit ceil 500kbit prio 0
>     tc class add dev eth0 parent 1:1 classid 1:20 htb rate 50kbit ceil 500kbit prio 1
>     tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
>     tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20
>
> As I understand it, the second last line should put packets with nfmark 1 into class 1:10 (450-500 kbit), and the last line should put packets with nfmark 2 into class 1:20 (50-500 kbit).
>
> With an active host plugged into eth2, all I get is traffic going through the default class (1:10) according to 'tc -s show class dev eth0'.
>
> If anyone could offer any suggestions, I'd be glad to hear 'em.
>
> Cheers,
> jon anderson
Re: [LARTC] Bridge + TC
Hi,

> I have also tried that. I'm using 2.6.3-mm3 - packets don't seem to
> Perhaps the key here is 2.4. I might have to revert...

There was a change with kernel 2.6.0 for incoming and outgoing interfaces of a bridge device (at least for iptables - that's why I'm guessing it also affects ebtables):

>     ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1
>     ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2

Well, for iptables a similar rule would look like:

    iptables -A FORWARD -i eth1 -j MARK --set-mark 0x1

If eth1 is a port of a bridge you have to use this with 2.6.x:

    iptables -A FORWARD -m physdev --physdev-in eth1 -j MARK --set-mark 0x1

Having a closer look at this may help solving your problem?

Regards,
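The two rule styles in this reply, and the isolation rules from the 'bridge or vlan' thread further up, can be checked without a bridge at hand by replaying them through a small first-match evaluator. The following is an added example (not code from either thread). It understands only the options the posts use (-s, -d, -i, --physdev-in, -j, --set-mark) and assumes: linuxGW_IP is 10.0.0.1 (the post left it symbolic), the FORWARD policy is ACCEPT, 198.51.100.7 is a constructed "internet" destination, and that on the 2.6 bridge a frame entering port eth1 is seen by -i as br0 while --physdev-in still sees eth1, which is the change the reply describes. Bridged frames reach the iptables FORWARD chain at all only when bridge netfilter is enabled (the brnf patch on 2.4, net.bridge.bridge-nf-call-iptables later); the evaluator takes that as given.

```python
"""First-match evaluator for a subset of iptables FORWARD rules on a bridge.

Added example; not code from the list posts.  Replays the 10.0.0.0/24
isolation rules and the -i versus --physdev-in MARK rules against
constructed packets.  linuxGW_IP = 10.0.0.1 and policy ACCEPT are assumed.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    in_dev: str                       # what -i compares against (br0 on a 2.6 bridge)
    physdev_in: Optional[str] = None  # bridge port the frame arrived on
    mark: int = 0


@dataclass
class Rule:
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    in_dev: Optional[str] = None
    physdev_in: Optional[str] = None
    set_mark: int = 0

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.in_dev and p.in_dev != self.in_dev:
            return False
        if self.physdev_in and p.physdev_in != self.physdev_in:
            return False
        return True


def parse_rule(cmdline: str) -> Rule:
    """Parse the subset of 'iptables [-t mangle] -A FORWARD ...' used on the page."""
    argv = shlex.split(cmdline)
    rule = Rule(target="")
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in ("-s", "-d", "-i", "--physdev-in", "-j", "--set-mark"):
            val = argv[i + 1]
            if opt == "-s":
                rule.src = val
            elif opt == "-d":
                rule.dst = val
            elif opt == "-i":
                rule.in_dev = val
            elif opt == "--physdev-in":
                rule.physdev_in = val
            elif opt == "-j":
                rule.target = val
            else:
                rule.set_mark = int(val, 0)
            i += 2
        else:
            i += 1  # iptables, -A, FORWARD, -t, mangle, -m, physdev are skipped
    if not rule.target:
        raise ValueError("rule has no -j target: " + cmdline)
    return rule


def evaluate(chain: List[Rule], packet: Packet, policy: str = "ACCEPT") -> str:
    """First terminating match wins; MARK is non-terminating, as in iptables."""
    for rule in chain:
        if not rule.matches(packet):
            continue
        if rule.target == "MARK":
            packet.mark = rule.set_mark
            continue
        return rule.target
    return policy


GW_IP = "10.0.0.1"  # stands in for linuxGW_IP (assumed)
ISOLATION = [parse_rule(c) for c in (
    f"iptables -A FORWARD -s 10.0.0.0/24 -d {GW_IP}/32 -j ACCEPT",
    "iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -j DROP",
)]


def isolation_verdicts() -> Dict[str, str]:
    """Host-to-gateway, host-to-host and host-to-internet through ISOLATION."""
    def verdict(dst: str) -> str:
        return evaluate(ISOLATION, Packet("10.0.0.50", dst, "br0", "eth3"))
    return {"to_gateway": verdict(GW_IP),
            "lan_to_lan": verdict("10.0.0.60"),
            "to_internet": verdict("198.51.100.7")}   # constructed off-subnet address


MARK_OLD = [parse_rule("iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 0x1")]
MARK_NEW = [parse_rule("iptables -t mangle -A FORWARD -m physdev --physdev-in eth1 -j MARK --set-mark 0x1")]


def mark_seen_by(chain: List[Rule]) -> int:
    """Mark left on a frame that entered bridge port eth1 (so -i sees br0)."""
    p = Packet("10.0.0.50", "198.51.100.7", in_dev="br0", physdev_in="eth1")
    evaluate(chain, p)
    return p.mark
```

Two things fall out of running it: the `-i eth1` rule leaves the mark at 0 because the packet's input device is br0, while the `--physdev-in` rule sets it; and the isolation rules let LAN-to-internet traffic through only by falling off the end of the chain, so they hold exactly as long as the FORWARD policy stays ACCEPT. They also say nothing about ARP, which is what Grant's ebtables remark in the 'bridge or vlan' thread addresses.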
RE: [LARTC] Bridge + TC
I posted out on this problem some time ago and could never get 2.4.25 or any 2.6 kernel to work with TC + Bridging. If anyone has this working and has actually tested it (I am actually just doing IP based iptables filtering from my bridge interface) please let us know what version of iproute you used and what patches you applied and with which version of the kernel.

The older 2.4.2x kernels seem to work fine for this (I am currently running 2.4.22).

Roy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 15, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] Bridge + TC

Hi,

> I have also tried that. I'm using 2.6.3-mm3 - packets don't seem to
> Perhaps the key here is 2.4. I might have to revert...

There was a change with kernel 2.6.0 for incoming and outgoing interfaces of a bridge device (at least for iptables - that's why I'm guessing it also affects ebtables):

>     ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1
>     ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2

Well, for iptables a similar rule would look like:

    iptables -A FORWARD -i eth1 -j MARK --set-mark 0x1

If eth1 is a port of a bridge you have to use this with 2.6.x:

    iptables -A FORWARD -m physdev --physdev-in eth1 -j MARK --set-mark 0x1

Having a closer look at this may help solving your problem?

Regards,
Re: [LARTC] Bridge + TC
Roy Walker wrote:
> I posted out on this problem some time ago and could never get 2.4.25 or any 2.6 kernel to work with TC + Bridging. If anyone has this working and has actually tested it (I am actually just doing IP based iptables filtering from my bridge interface) please let us know what version of iproute you used and what patches you applied and with which version of the kernel.
>
> The older 2.4.2x kernels seem to work fine for this (I am currently running 2.4.22).

I just got this working under 2.4.25 on a different test rig (with only 2 interfaces) - installed Debian Testing, patched and compiled a kernel with the relevant stuff, started the bridge, applied tc rules, and *poof* packets get filtered/classified properly. All within 1.5 hrs. `tc -s class show dev eth0` shows the right stuff going through the right filters at the right rate.

Versions/patches:
- iproute-20010824-13, from Debian testing
- iptables-1.2.9, from Debian testing (Used: iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0x4 -- no ebtables needed)
- ebtables-brnf-5-vs-2.4.25 patch from ebtables.sourceforge.net
- kernel-2.4.25, with above ebtables patch

Hopefully it'll still work with 3 interfaces when I get 2.4.25 on the original test rig!

Cheers,
jon
Re: [LARTC] Bridge + leased line + tc
On Tuesday 13 January 2004 4:15 pm, Wouter Coppens wrote:
> Hi,
>
> I can't get traffic shaping working. This is my situation:
>
>     Net1 --- |router| --- leased line --- | TC | --- Net2
>                                        eth1     eth0
>
> We use the leased line for normal traffic but also for synchronisation between 2 servers. The leased line is 2mbit. The synchronisation generates too much traffic and uses completely the 2mbit capacity of the leased line. This is no problem during the night, but we want to limit the synchronisation traffic during the day (or in other words: the sync-traffic should get the lowest priority and the other traffic can use up to 2mbit).
>
> According to the documentation, you can only shape outgoing traffic. We took a PC (named TC) and put the network interfaces in bridge mode. The synchronisation happens from Net1 to Net2, so TC is after the leased line. Normally you would shape the outgoing traffic on eth0, but this doesn't work. We even tried to limit eth0 to 20kbit, but the sync-traffic completely fills the leased line and no other traffic gets through.
>
> We found a temporary fix by using IMQ with iptables:
>
>     /sbin/tc qdisc del root dev imq0
>     /sbin/tc qdisc add dev imq0 root handle 1: htb default 20
>     /sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 2Mbit burst 6k
>     /sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 64kbit ceil 787kbit
>     /sbin/tc class add dev imq0 parent 1:1 classid 1:20 htb rate 2Mbit
>     /sbin/tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
>     /sbin/tc qdisc add dev imq0 parent 1:20 handle 20: sfq perturb 10
>     /sbin/tc filter add dev imq0 parent 1: protocol ip prio 18 u32 match ip dst 10.10.10.10 flowid 1:10
>
> (10.10.10.10 is the ip of the server in Net2).
>
> Is there a better way to give the sync-traffic the lowest priority? If somebody starts a download it should get 2mbit and the sync-traffic should get the rest (if any).
>
> We would like to upgrade to 2.6, but imq is not maintained. Any help?

IMQ has been ported to 2.6
http://www.digriz.org.uk/jdg-qos-script/

Andy.
[LARTC] Bridge + leased line + tc
Hi,

I can't get traffic shaping working. This is my situation:

    Net1 --- |router| --- leased line --- | TC | --- Net2
                                       eth1     eth0

We use the leased line for normal traffic but also for synchronisation between 2 servers. The leased line is 2mbit. The synchronisation generates too much traffic and uses completely the 2mbit capacity of the leased line. This is no problem during the night, but we want to limit the synchronisation traffic during the day (or in other words: the sync-traffic should get the lowest priority and the other traffic can use up to 2mbit).

According to the documentation, you can only shape outgoing traffic. We took a PC (named TC) and put the network interfaces in bridge mode. The synchronisation happens from Net1 to Net2, so TC is after the leased line. Normally you would shape the outgoing traffic on eth0, but this doesn't work. We even tried to limit eth0 to 20kbit, but the sync-traffic completely fills the leased line and no other traffic gets through.

We found a temporary fix by using IMQ with iptables:

    /sbin/tc qdisc del root dev imq0
    /sbin/tc qdisc add dev imq0 root handle 1: htb default 20
    /sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 2Mbit burst 6k
    /sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 64kbit ceil 787kbit
    /sbin/tc class add dev imq0 parent 1:1 classid 1:20 htb rate 2Mbit
    /sbin/tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
    /sbin/tc qdisc add dev imq0 parent 1:20 handle 20: sfq perturb 10
    /sbin/tc filter add dev imq0 parent 1: protocol ip prio 18 u32 match ip dst 10.10.10.10 flowid 1:10

(10.10.10.10 is the ip of the server in Net2).

Is there a better way to give the sync-traffic the lowest priority? If somebody starts a download it should get 2mbit and the sync-traffic should get the rest (if any).

We would like to upgrade to 2.6, but imq is not maintained. Any help?

Thanks in advance,
Wouter
Re: [LARTC] Bridge + leased line + tc
On Tuesday 13 January 2004 17:15, Wouter Coppens wrote:
[...]

Your idea of using eth0 for shaping should work. What if you add a simple tbf qdisc to eth0?
This limits all traffic leaving eth0 and can be used to test tc. If the tbf works, you can try to replace it with htb or cbq to do more fancy shaping. I never used a bridge to shape the traffic, but I found this in my own FAQ: http://docum.org/stef.coene/qos/faq/cache/41.html

Stef
-- [EMAIL PROTECTED] Using Linux as bandwidth manager http://www.docum.org/ #lartc @ irc.openprojects.net
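What Wouter asks for ("lowest priority, but the rest of the line when it is free") is expressed in HTB by the per-class prio parameter, not by ceil: his IMQ tree gives both classes the same priority and caps the sync class at 787kbit even at night. The script below is an added example written for this thread, not code from Wouter or Stef. It shapes the egress of one bridge port (eth0 on the TC box, the side facing Net2), takes the port name, line rate and sync server address as parameters (10.10.10.10 is the address from Wouter's mail), and treats TC=echo as a dry run; the choice to shape to 95% of the line rate is this example's, not something from the thread.

```shell
#!/bin/sh
# Added example for this thread (not Wouter's or Stef's code): HTB on one
# bridge port where traffic to the sync server gets the lowest priority and
# everything else may use the whole line. Port name, line rate and sync
# server address are parameters; TC=echo prints the commands instead of
# running them (a dry-run convention assumed here).
TC="${TC:-tc}"

# shape_port DEV LINE_KBIT SYNC_HOST
#   DEV        bridge port whose egress is shaped (eth0 in Wouter's setup)
#   LINE_KBIT  leased line rate in kbit (2Mbit => 2000)
#   SYNC_HOST  address of the server receiving the sync traffic
shape_port() {
    dev="$1"; line_kbit="$2"; sync_host="$3"
    # Shape to 95% of the line so the queue builds here, under HTB's control,
    # and not in the router in front of the leased line.
    ceil_kbit=$(( line_kbit * 95 / 100 ))
    other_kbit=$(( ceil_kbit - 64 ))

    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${ceil_kbit}kbit" ceil "${ceil_kbit}kbit"
    # Everything else: prio 0, so it is served first whenever it has packets
    # and can borrow up to the full ceil.
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${other_kbit}kbit" ceil "${ceil_kbit}kbit" prio 0
    # Sync traffic: prio 1, only 64kbit guaranteed, but it may borrow the rest
    # of the line whenever class 1:20 is idle (the night-time case).
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 64kbit ceil "${ceil_kbit}kbit" prio 1
    $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    # Classify by destination: the sync server is the only host in 1:10.
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dst "${sync_host}/32" flowid 1:10
}

# Usage on the TC box: shape_port eth0 2000 10.10.10.10
```

One caveat that the thread only hints at: the TC box sits after the leased line, so it cannot stop bytes that have already crossed it; it can only delay and drop them so the sync TCP sessions back off. That is why the tree is limited to 95% of the line rather than 2Mbit: if the shaper ran at exactly line rate, the real queue would form at the router before the line, where HTB has no influence. Check with `tc -s class show dev eth0` that class 1:10 shows borrowed and dropped packets under load while 1:20 shows lended ones.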
[LARTC] bridge
I believe I missed something.

    test ftp --|eth0 [ br0 / tc ] eth1|-- network

If I ping a machine on the network from the test ftp it doesn't answer. If I skip the bridge and put the test ftp in the network, the ping is working. I have no firewall on the bridge, and the bridge is working. Traffic is shaped through this bridge.
Re: [LARTC] bridge
We'll need a lot more information to help you... Why do you say the bridge is working? What DOES work? What is the configuration of your bridge?

On Fri, 2002-09-06 at 03:35, Victor wrote:
[...]

-- Lawrence MacIntyre 865.574.8696 [EMAIL PROTECTED] Oak Ridge National Laboratory High Performance Information Infrastructure Technology Group
[LARTC] Bridge with load balancing
I have a question here; I am wondering about changing my setup. I have a Linux firewall doing QoS and load balancing with 3 ethernets. I have two DSL connections running at 2Mbit each. So, I was wondering, can I change this setup to set up two bridges on top of the ethernets connected to the DSL routers and still be capable of doing load balancing?
Re: [LARTC] Bridge+QOS
On Monday 17 March 2003 08:04, hare ram wrote:
> Hi all, I am setting up a bridge with QoS services. I would like you to have comments on the setup; does this work? I have set it up like this:
>
>     LAN--eth1(Bridge)eth0--router--Internet
>
> In the LAN I have 10 users. I would like to have QoS services for 5 people burstable, 5 people committed (bounded b/w what I have). Can I use TC+htb to make this setup?

Yes.

> Does tc+htb work with my transparent bridge?

Yes. You have to shape on eth0 and eth1. Just like you should do on a normal router.

Stef
-- [EMAIL PROTECTED] Using Linux as bandwidth manager http://www.docum.org/ #lartc @ irc.oftc.net
[LARTC] bridge advice
I'm about to set up a Linux bridge (kernel 2.4.18.x from Redhat 7.3) between a (future) cable modem and several machines in the house. Some of those machines are windows, mine is Linux (but dual boots to windows). Basically:

    CABLE_MODEM (DHCP issues to each machine)
        |
        | (eth0 -- outer)
    LINUX_BRIDGE (not proxy, but is firewall on some ports)
        | (eth1 -- inner)
        |
    8_PORT_SWITCH
        |-Machine1
        |-Machine2
        ...
        |-MachineN

Except for my machine, the other machines will be email and web browsing machines (I do cvs, ssh, remote web site editing, and write network game software in Linux, as well as play games under windows). My goal is similar to the cable modem wonder shaper, but I'm not positive if maybe I need to expand on that, and am currently not familiar with the more advanced QoS and shaping abilities (I know they are there, I now have some docs, and a machine I will be able to test on soon), especially with respect to bridges. I want my machine to have low latency, but the other machines do not care about latency; all machines care about having a fair bandwidth.

A problem I am thinking about (until I get my bridge done I can only think about it, can't test anything) is that each machine is assigned an address via DHCP, so perhaps the Linux bridge will have to find a way to know which DHCP address is assigned to which physical machine. If I were to simply assign qualities to the inside interface (eth1), then the same QoS and general characteristics would apply to all machines...which I do not want, so it seems I must deal on a per-IP-address basis, or a per-port basis. For port 80 web traffic, this seems just fine. I could even assign a quality for telnet and ssh ports. However, if I suddenly decide that one machine wants different characteristics for a port, or if it is an unknown port (such as some games work with...they may not always use the same port, or they can use more than one port at once), this breaks.

So I am wanting to deal with latency on a per-machine basis, and simply assign low latency to my machine in general, and fair bandwidth for all machines; perhaps after that, I could override for particular ports, and for example, make all machines use port 80 web traffic with higher latency, even on my machine (which is otherwise low latency). Is this reasonable with current 2.4.x kernels? Are there particular things to watch out for or look for, especially for a bridge?

Also, I have used ipchains in the past, but it seems iptables will be the future. What parts of this depend on iptables versus ipchains (if any)? The iproute2 package seems to provide most of the features I'm looking at, but it is conceivable that the use of ipchains or iptables will interact.

D. Stimits, stimits AT idcomm.com
Re: [LARTC] bridge advice
I have some remarks to make. You can't use iptables on a linux bridge. (I think there is a patch that you can, but I'm not sure). And try to patch the kernel for htb (it's a replacement for cbq). And maybe you can try to filter on mac-address so you don't need to know the ip-addresses.

Stef

On Thursday 01 August 2002 18:51, D. Stimits wrote:
[...]

-- [EMAIL PROTECTED] Using Linux as bandwidth manager http://www.docum.org/ #lartc @ irc.openprojects.net
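Stef's suggestion to filter on MAC address (so the DHCP-assigned IPs never need to be known), together with his answer in the Bridge+QOS thread above (shape on both bridge ports, just as on a router), can be turned into the script below. It is an added example for these two threads, not code from D. Stimits or Stef: interface names, rates and MAC addresses are invented, and TC=echo is a dry-run convention assumed here. The u32 matches read the Ethernet header at negative offsets from the IP header, the standard u32 trick on an Ethernet device's egress qdisc (destination MAC at -14, source MAC at -8, ethertype at -2). Uploads leave the bridge on eth0, so there the frame's source MAC identifies the machine; downloads leave on eth1, where the destination MAC does. HTB's prio gives the one low-latency machine first claim on spare bandwidth while every machine keeps a guaranteed rate, which is the per-machine policy the question asks for.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Stef's code): per-machine
# HTB classes on a two-port Linux bridge, selected by MAC address so the
# DHCP-assigned IPs never need to be known. Interface names, rates and MAC
# addresses below are assumptions. TC=echo prints the commands instead.
TC="${TC:-tc}"

# u32 predicates that match a MAC in the Ethernet header. On egress the
# classifier's offsets count from the IP header, so the link header sits at
# negative offsets: dst MAC -14..-9, src MAC -8..-3, ethertype -2..-1.
mac_match() {   # mac_match src|dst MAC
    side="$1"
    hex=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    if [ "$side" = src ]; then
        printf 'match u32 0x%s 0xffffffff at -8 match u16 0x%s 0xffff at -4' \
            "${hex%????}" "${hex#????????}"
    else
        printf 'match u16 0x%s 0xffff at -14 match u32 0x%s 0xffffffff at -12' \
            "${hex%????????}" "${hex#????}"
    fi
}

# HTB root on one bridge port, shaped to RATE_KBIT, with a lowest-priority
# catch-all class for machines that have no class of their own.
setup_port() {  # setup_port DEV RATE_KBIT
    $TC qdisc del dev "$1" root 2>/dev/null || true
    $TC qdisc add dev "$1" root handle 1: htb default 99
    $TC class add dev "$1" parent 1: classid 1:1 htb rate "$2kbit" ceil "$2kbit"
    $TC class add dev "$1" parent 1:1 classid 1:99 htb rate 8kbit ceil "$2kbit" prio 2
    $TC qdisc add dev "$1" parent 1:99 handle 99: sfq perturb 10
}

# One class per machine. HTB serves lower prio numbers first when classes
# compete for borrowed bandwidth, so prio 0 is the low-latency machine.
add_host() {    # add_host DEV src|dst CLASSID MAC RATE_KBIT CEIL_KBIT PRIO
    $TC class add dev "$1" parent 1:1 classid "1:$3" htb rate "$5kbit" ceil "$6kbit" prio "$7"
    $TC qdisc add dev "$1" parent "1:$3" handle "$3:" sfq perturb 10
    $TC filter add dev "$1" parent 1: protocol ip prio 10 u32 \
        $(mac_match "$2" "$4") flowid "1:$3"
}

# Constructed topology: 1000 kbit each way, three machines with invented MACs.
# Guaranteed rates (400 + 296 + 296 + 8 for the catch-all) add up to the
# parent's 1000 kbit; every class may borrow up to the full link.
example_setup() {
    mine=02:00:00:00:00:11     # the low-latency Linux box (assumed MAC)
    other1=02:00:00:00:00:21   # the other machines (assumed MACs)
    other2=02:00:00:00:00:22
    for port in "eth0 src" "eth1 dst"; do
        set -- $port           # $1 = device, $2 = which MAC identifies the host
        setup_port "$1" 1000
        add_host "$1" "$2" 10 "$mine"   400 1000 0
        add_host "$1" "$2" 20 "$other1" 296 1000 1
        add_host "$1" "$2" 30 "$other2" 296 1000 1
    done
}
```

Run `TC=echo sh script.sh` style dry runs first and compare the generated filters against `tc filter show dev eth0`; once applied, `tc -s class show dev eth1` should show the download bytes of each machine landing in its own class and only unknown machines in 1:99. Per-port overrides (the port 80 case in the question) can be added as extra u32 filters with a lower prio number that combine `match ip dport 80 0xffff` with the same MAC predicates.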
Re: [LARTC] Bridge with Traffic shaping
> I think I caused unnecessary alarm. There was actually a network cable connecting my router and hub behind the linux box that does the shaping, duh :-) I forgot to pull it out once I moved some servers around, causing very little traffic to go through the box doing the shaping. :) This seems to be working now. Are there tools that I can test this with? Traffic seems to go through all classes now and there is a good amount of borrowed and lended packets on all classes.

I have some scripts that generate graphs based on the output of tc. See www.docum.org under gui. There is a link to an example setup that monitors my internet connection at home.

Stef
-- [EMAIL PROTECTED] Using Linux as bandwidth manager http://www.docum.org/ #lartc @ irc.openprojects.net
RE: [LARTC] Bridge with Traffic shaping
> what kinda bridge are you using? bridge-nf? if you are it says it only supports iptables, you would have to mark the packets then use filter to put the marked packets into the correct queue for managing

Yes I'm using bridge-nf, but as far as I understand bridge-nf doesn't require iptables for shaping - you only need to patch your kernel if you _want_ to use iptables. I am in any case not using fw but using u32 which should match anything in a packet header.

-- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za
Re: [LARTC] Bridge with Traffic shaping
Does HTB not only shape outgoing traffic? Unless you start doing some ingress queues?

- Original Message - From: Stef Coene [EMAIL PROTECTED] To: Roché Compaan [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Monday, July 29, 2002 5:54 AM Subject: Re: [LARTC] Bridge with Traffic shaping

> > If I understand correctly I can shape incoming traffic by setting up a qdisc on eth0 and filters that match any of the ip addresses in my public subnet sitting behind the linux box that currently does the traffic shaping.
>
> But all traffic coming in on eth0 is leaving eth1 and vice versa. So shaping incoming traffic on eth0 is the same as shaping outgoing traffic on eth1.
>
> > No packets seem to match any of the other classes although tcpdump confirms that there is definitely traffic destined for the ip addresses mentioned in my filters.
>
> Mhh. It should work. I will think about it tonight.
>
> Stef
> -- [EMAIL PROTECTED] Using Linux as bandwidth manager http://www.docum.org/ #lartc @ irc.openprojects.net
RE: [LARTC] Bridge with Traffic shaping
> On Saturday 27 July 2002 19:56, Roché Compaan wrote:
> > Hi, I am fairly new to routing and traffic control but with the help of the lartc howto I managed to set up a bridge with htb traffic control. The traffic shaping does not seem to work as I expected and I would really appreciate it if somebody can tell me why this is the case.
> >
> > My setup: I have a DSL router connecting a /28 network to the internet. I put a linux box with 2 ethernet cards between my router and the rest of the subnet. I set up the linux box as an ethernet bridge where the 2 ethernet cards have no ip address and the bridge has an ip address. I patched the kernel with the IMQ patch so that I can shape incoming traffic. eth0 is connected to the router and eth1 is connected to the rest of the public subnet. I have an iptables rule that routes all traffic on eth1 to the imq device.
>
> If you put all incoming traffic on eth1 in the imq device, why don't you use the outgoing traffic on eth0 to do the same shaping? All traffic entering the box on eth1 leaves the box on eth0. That way you don't need the imq device.

If I understand correctly I can shape incoming traffic by setting up a qdisc on eth0 and filters that match any of the ip addresses in my public subnet sitting behind the linux box that currently does the traffic shaping. Ok, I tried this but all traffic still seems to match only the default htb class.

Here's my tc script:

    #!/bin/bash
    tc qdisc del dev eth0 root
    tc qdisc add dev eth0 root handle 1: htb default 12
    tc class add dev eth0 parent 1: classid 1:1 htb rate 128kbit ceil 128kbit
    tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
    tc class add dev eth0 parent 1:1 classid 1:11 htb rate 32kbit ceil 128kbit
    tc class add dev eth0 parent 1:1 classid 1:12 htb rate 32kbit ceil 128kbit
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
        match ip dst 196.xx.yy.53 flowid 1:10
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
        match ip dst 196.xx.yy.54 flowid 1:10
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
        match ip dst 196.xx.yy.55 flowid 1:10
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
        match ip dst 196.xx.yy.51 flowid 1:11
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
        match ip dst 196.xx.yy.52 flowid 1:11

And this is the output of tc -s -d class show dev eth0:

    class htb 1:1 root prio 0 rate 128Kbit ceil 128Kbit burst 1753b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 1638 level 3
     Sent 83954 bytes 576 pkts (dropped 0, overlimits 0)
     rate 30bps
     lended: 114 borrowed: 0 giants: 0 injects: 0
     tokens: 101 ctokens: 101

    class htb 1:10 parent 1:1 prio 0 rate 64Kbit ceil 128Kbit burst 1679b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 819 level 0
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
     lended: 0 borrowed: 0 giants: 0 injects: 0
     tokens: 205 ctokens: 107

    class htb 1:12 parent 1:1 prio 0 rate 32Kbit ceil 128Kbit burst 1638b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 409 level 0
     Sent 12864 bytes 215 pkts (dropped 0, overlimits 0)
     rate 30bps
     lended: 215 borrowed: 0 giants: 0 injects: 0
     tokens: 387 ctokens: 104

    class htb 1:11 parent 1:1 prio 0 rate 32Kbit ceil 128Kbit burst 1638b/8 mpu 0b cburst 1753b/8 mpu 0b quantum 409 level 0
     Sent 71090 bytes 361 pkts (dropped 0, overlimits 97)
     lended: 247 borrowed: 114 giants: 0 injects: 0
     tokens: 373 ctokens: 101

No packets seem to match any of the other classes although tcpdump confirms that there is definitely traffic destined for the ip addresses mentioned in my filters.

-- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za
Re: [LARTC] Bridge with Traffic shaping
what kinda bridge are you using? bridge-nf? if you are it says it only supports iptables, you would have to mark the packets then use filter to put the marked packets into the correct queue for managing

- Original Message - From: Roché Compaan [EMAIL PROTECTED] To: Stef Coene [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, July 28, 2002 10:27 PM Subject: RE: [LARTC] Bridge with Traffic shaping
[...]