Re: [LARTC] Please help - totally confused (NAT + FWMARK + IMQ + HTB)

From: Andreas Klauer <Andreas.Klauer@metamorpher.de>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Please help - totally confused (NAT + FWMARK + IMQ + HTB)
Date: Tue, 28 Mar 2006 15:29:47 +0000	[thread overview]
Message-ID: <20060328152947.GA5566@EIS> (raw)
In-Reply-To: <F186866FA7EDDB4493515123931CC5A102659A@server.diademasw.inkubator.cz>

On Tue, Mar 28, 2006 at 10:07:36AM +0200, Jan Rovner wrote:
> 1. There is a router connected to the internet line via interface eth0

That's fine.

> 2. There are users connected to the router via two interfaces : eth1 and
> wlan0

Two possibilities come to mind:

a) If you can provide two completely separate bandwidth pools,
   you can use one HTB qdisc per device.
b) Otherwise you have to use a virtual device, for example IMQ.

> 3. All users are assigned private IP addresses (192.168.1.xxx on eth1,
> 192.168.2.xxx on wlan0)

That's fine.

> 4. The number of public IP addresses is limited, so the router does SNAT
> (and for some users having assigned a public IP address also DNAT)

More than one public IP address, but only one physical line, right?
That seems to be fine.

> 5. For the traffic classification I need to use iptables (and MARK
> target)
> 6. For the traffic shaping, I need to use HTB
> 7. Each user has only one IP address and should have allocated some
> upload and download bandwitdh
> 8. I need to get both UPLOAD and DOWNLOAD shaping, based on user's
> private address

Alright, judging from your description, it should be possible to do 
things that way.

> Please can someone post me some *really working* script for that? Or at
> least tell me, where is my fault? I think it could be in sequence of
> iptables calls, POSTROUTING/PREROUTING misunderstanding, etc...

I don't have a working script for exactly that; mine uses just one 
interface on the download side and only one public IP. But it distributes 
bandwidth on a per-user basis using HTB. I've also put some effort into 
documenting it, so maybe it can serve as an example:
http://www.metamorpher.de/fairnat/

> # setup IMQ
> ip link set imq0 up
> ip link set imq1 up

Since I'm not using IMQ myself, I'm not sure about this part, 
but why are you using two devices? imq0 seems fine, but imq1 
looks wrong to me. I would do the upload shaping on your 
internet device (eth0) directly.

About your script, depending on what is working and what is 
not, you can debug it by doing the following:

- verify that the iptables rules match the packets you want
  it to match. For example, iptables can list you the rules 
  it is using as well as counters for them. Or you could 
  add some logging rules. If the packets are not matched, 
  and thus not getting marked, your shaping can not work.

- verify that the packets go in the HTB classes you want
  them to go. This can probably be done by using HTB 
  statistics (tc -s -d qdisc/class show ...).

If you can describe in more detail what is (not) working 
about your script, maybe I can give you some better hints. 
Just by glancing at a script without knowing what is wrong 
it's hard to give recommendations.

Regards
Andreas Klauer
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc