[LARTC] Bandwidth limiting a MASQed network.

[LARTC] Bandwidth limiting a MASQed network.

[Kim]

<PRE>Hi!

I just recently entered the wonderful world of the so called &quot;advanced
routing&quot; and decided to try and limit the bandwidth of a MASQed network
here and ended up in trouble :(.

The setup is (as far as I can tell) pretty straightforward. eth0 is
connected to the &quot;real&quot; network with a proper IP, and eth2 is 192.168.10.x
(the MASQed network). All of it is basicly right out of the advanced
routing howto.

My problem is that it only shapes traffic going into the MASQed network
and not from it. I've been trying to figure out why, and the only reason I
can think of is that once the traffic passes through eth0 going out to the
public network the packets are no longer tagged with a 192.168.10.x ip,
but rather the public address. Is this the case?

(The MASQ-box I'm using actually has 6 NICs, but I'm only using two of
them right now, which explains why only eth0 and eth2 are in the example).

Here's the setup as of right now:

---

tc qdisc add dev eth0 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev eth2 root handle 20: cbq bandwidth 100Mbit avpkt 1000

tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100Mbit \
rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000

tc class add dev eth2 parent 20:0 classid 20:1 cbq bandwidth 100Mbit \
rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000

tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth \
100Mbit rate 2Mbit allot 1514 weight 200Kbit prio 5 maxburst 20 \
avpkt 1000 bounded

tc class add dev eth2 parent 20:1 classid 20:100 cbq bandwidth \
100Mbit rate 2Mbit allot 1514 weight 200Kbit prio 5 maxburst 20 \
avpkt 1000 bounded

tc qdisc add dev eth0 parent 10:100 sfq quantum 1514b perturb 15
tc qdisc add dev eth2 parent 20:100 sfq quantum 1514b perturb 15

tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip src \
192.168.10.0/24 flowid 10:100

tc filter add dev eth2 parent 20:0 protocol ip prio 100 u32 match ip dst \
192.168.10.0/24 flowid 20:100

---

I hope someone can help! :)

// Kim Lundgren



</PRE>

[LARTC] Bandwidth limiting a MASQed network.

[Christian]

<PRE>Hi,

&gt;<i> My problem is that it only shapes traffic going into the MASQed </I>network
&gt;<i> and not from it. I've been trying to figure out why, and the only </I>reason I
&gt;<i> can think of is that once the traffic passes through eth0 going out to </I>the
&gt;<i> public network the packets are no longer tagged with a 192.168.10.x </I>ip,
&gt;<i> but rather the public address. Is this the case?
</I>
Yes. But I guess you can use the firewall mark and let ipchains (and probably also netfilter in 2.4) mark masqgraded packets with some specific value and then use filters to match this specific mark. I have not tried this myself, though.


Christian



</PRE>

[LARTC] Bandwidth limiting a MASQed network.

[Kim]

<PRE>Quoting Christian Worm Mortensen &lt;<A HREF="mailto:worm@dkik.dk">worm@dkik.dk</A>&gt;:

&gt;<i> Yes. But I guess you can use the firewall mark and let ipchains (and
</I>&gt;<i> probably also netfilter in 2.4) mark masqgraded packets with some
</I>&gt;<i> specific value and then use filters to match this specific mark. I have
</I>&gt;<i> not tried this myself, though.
</I>
Ah :) I was hoping that might do the trick. I´m using ipchains to set up ipmasq 
right now and I have absolutely no idea of how to mark them. Is there anyone 
out there that could help me out?

// Kim Lundgren


</PRE>

[LARTC] Bandwidth limiting a MASQed network.

[David]

[-- Attachment #1: Type: text/plain, Size: 735 bytes --]

Kim Lundgren wrote:
&gt;<i> 
</I>&gt;<i> Ah :) I was hoping that might do the trick. I´m using ipchains to set up ipmasq
</I>&gt;<i> right now and I have absolutely no idea of how to mark them. Is there anyone
</I>&gt;<i> out there that could help me out?
</I>

You have to compile the netfilter modules (and load them) such as 

	ipt_MARK

then you also have to compile (and load) the necessary QoS/queueing
modules such as

	cls_fw
	sch_cbq
	sch_sfq

Then you have to configure this; either command line, or maybe you are
interested in a GUI.

I have screenshots of the configuration for doing this with a GUI at

	<A HREF="http://users.pandora.be/stes/ipmenu.html">http://users.pandora.be/stes/ipmenu.html</A>

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 1131 bytes --]

[LARTC] Bandwidth limiting a MASQed network.

[Christian]

<PRE>Hi,

&gt;<i> &gt; Yes. But I guess you can use the firewall mark and let ipchains (and
</I>&gt;<i> &gt; probably also netfilter in 2.4) mark masqgraded packets with some
</I>&gt;<i> &gt; specific value and then use filters to match this specific mark. I </I>have
&gt;<i> &gt; not tried this myself, though.
</I>&gt;<i> 
</I>&gt;<i> Ah :) I was hoping that might do the trick. I´m using ipchains to </I>set up ipmasq 
&gt;<i> right now and I have absolutely no idea of how to mark them. Is there </I>anyone 
&gt;<i> out there that could help me out?
</I>
I think you should use ipchains to set up masqgrading and add an &quot;-m 42&quot; option to the line you do it with (i.e. &quot;ipchains ... -m 42 - j MASQ) . Then you can probably use the u32 or the fwmark filter to match on packets which has the firewall mark set to the value 42.


Christian



</PRE>

[LARTC] Bandwidth limiting a MASQed network.

[Kim]

<PRE>Quoting David Stes &lt;<A HREF="mailto:stes@pandora.be">stes@pandora.be</A>&gt;:

&gt;<i> You have to compile the netfilter modules (and load them) such as 
</I>&gt;<i> 
</I>&gt;<i> 	ipt_MARK
</I>&gt;<i> 
</I>&gt;<i> then you also have to compile (and load) the necessary QoS/queueing
</I>&gt;<i> modules such as
</I>&gt;<i> 
</I>&gt;<i> 	cls_fw
</I>&gt;<i> 	sch_cbq
</I>&gt;<i> 	sch_sfq
</I>&gt;<i> 
</I>&gt;<i> Then you have to configure this; either command line, or maybe you are
</I>&gt;<i> interested in a GUI.
</I>&gt;<i> 
</I>&gt;<i> I have screenshots of the configuration for doing this with a GUI at
</I>&gt;<i> 
</I>&gt;<i> 	<A HREF="http://users.pandora.be/stes/ipmenu.html">http://users.pandora.be/stes/ipmenu.html</A>
</I>
Is this possible on the 2.2 kernel though? That´s what I´m using right now.. 
I´ll change if I have to, but I´d rather not as of yet. Thank you very much for 
pointing me to that excellent piece of software though :).

// Kim Lundgren


</PRE>