public inbox for lartc@vger.kernel.org
* reroute icmp traffic from one interface to another
@ 2016-05-31 14:13 Ηλια Χατζηστυλη
  2016-05-31 15:40 ` Andy Furniss
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ηλια Χατζηστυλη @ 2016-05-31 14:13 UTC (permalink / raw)
  To: lartc


Hello,
I have an openwrt firmware installed in my router and I want to
configure a Home and a Guest interface.
So I have two internal interfaces (home, guest) and the external (eth1).
First I have to send all traffic from the two internal
interfaces (wlan0, wlan0-1) to external (eth1). With my project I have to
measure latency so I use nping. However when I use the command
"sudo nping -c 3200 --data-length 1460  x.x.x.x" with network set to
upload bandwidth 2Mbps and with data length 1460 B (1460*8=11740) we
expect minimum delay 11740/2000000=5.8ms. Nonetheless, the avg ping
time is about 0.8-3 ms which means that my iptables commands don't
work properly for the ping traffic (icmp type). Do you know how I can
route this traffic with the tcp one? I'm pretty sure that icmp traffic
is enqueued because when the home user is uploading a file nping
command takes out the proper delay.

Thank you in advance,
Chatzistyli Ilia

My code is:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

echo "Starting bandwidth shaping"
IPT=/usr/sbin/iptables
IF=eth1
#interface home user
IFHU=wlan0
#interface guest user
IFGU=wlan0-1
IP="$(ifconfig eth1 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1)"    # IP eth1 Interface
IPHU=192.168.5.1
IPGU=192.168.3.1



$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t raw -F
$IPT -t raw -X
# Set default policies for the built-in chains:

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT

#----------send wlan0-1 & wlan0 to eth1
         echo "iptables interface traffic redirect"
         iptables -t nat -A POSTROUTING --out-interface $IF -j MASQUERADE
         iptables -A FORWARD --in-interface $IFHU -j CLASSIFY --set-class 2:1
         iptables -A FORWARD --in-interface $IFGU -j CLASSIFY --set-class 2:2
#here i tried to add -p icmp --icmp-type any etc or -p any but still
#had the same problem.
         echo "end of iptables"

#--------------------------------------



* Re: reroute icmp traffic from one interface to another
  2016-05-31 14:13 reroute icmp traffic from one interface to another Ηλια Χατζηστυλη
@ 2016-05-31 15:40 ` Andy Furniss
  2016-05-31 23:40 ` Ηλια Χατζηστυλη
  2016-06-01 16:45 ` Andy Furniss
  2 siblings, 0 replies; 4+ messages in thread
From: Andy Furniss @ 2016-05-31 15:40 UTC (permalink / raw)
  To: lartc

Ηλια Χατζηστυλη wrote:
>
> Hello, I have an openwrt firmware installed in my router and I want
> to configure a Home and a Guest interface. So I have two internal
> interfaces(home,guest) and the external(eth1). First I have to send
> all traffic from the two internal interfaces(wlan0,wlan0-1) to
> external(eth1). With my project I have to measure latency so I use
> nping. However when I use the command "sudo nping -c 3200
> --data-length 1460  x.x.x.x" with network set to upload bandwidth
> 2Mbps and with data length 1460 B (1460*8=11740) we expect minimum
> delay 11740/2000000=5.8ms. Nonetheless, the avg ping time is about
> 0.8-3 ms which means that my iptables commands don't work properly
> for the ping traffic (icmp type). Do you know how I can route this
> traffic with the tcp one? I'm pretty sure that icmp traffic is
> enqueued because when the home user is uploading a file nping command
>  takes out the proper delay.

Easier to look at iptables counters to see what's hitting rules.

You don't say how you limit to 2mbit. Linux QOS doesn't emulate bitrate
latency so your test is not valid for seeing where packets go.

netem rate option does try to limit according to packet size subject to
timer granularity (see man tc-netem).

FWIW your calculation for eth should probably be more like (1460+8+20+14)*8.


* reroute icmp traffic from one interface to another
  2016-05-31 14:13 reroute icmp traffic from one interface to another Ηλια Χατζηστυλη
  2016-05-31 15:40 ` Andy Furniss
@ 2016-05-31 23:40 ` Ηλια Χατζηστυλη
  2016-06-01 16:45 ` Andy Furniss
  2 siblings, 0 replies; 4+ messages in thread
From: Ηλια Χατζηστυλη @ 2016-05-31 23:40 UTC (permalink / raw)
  To: lartc

The code used to reroute traffic and limit bandwidth is:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

MODULES='sch_ingress sch_sfq sch_htb cls_u32 act_police'
echo "Starting bandwidth shaping with htb and Guest limitation"
IPT=/usr/sbin/iptables
IF=eth1
IFHU=wlan0
IFGU=wlan0-1
IP="$(ifconfig eth1 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1)"    # IP eth1 Interface
IPHU=192.168.5.1
IPGU=192.168.3.1
#U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"


$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t raw -F
$IPT -t raw -X

#############################################################################
# Set default policies for the built-in chains:

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT

#############################################################################

for i in $MODULES ; do
                 insmod $i
         done

#----------send wlan0-1 & wlan0 to eth1
         echo "iptables interface traffic redirect up traffic"
         iptables -t nat -A POSTROUTING --out-interface $IF -j MASQUERADE
	iptables -A FORWARD --in-interface $IFHU -j CLASSIFY --set-class 1:10
         iptables -A FORWARD --in-interface $IFGU -j CLASSIFY --set-class 1:20
	echo "end of iptables rules"
#--------------------------------------
#----------clean prev rules always-----
         echo "clearing old qdiscs"
         tc qdisc del dev $IF root
	tc qdisc del dev $IF ingress
         echo "end of cleaning"
#--------------------------------------
#----------------------u32 for up limit
         echo "tc-start"
#       tc qdisc add dev $IF root
         echo "qdisc"
         tc qdisc add dev $IF root handle 1:0 htb default 30
         echo "class 10(home) 20(guest)"
         tc class add dev $IF parent 1: classid 1:1 htb rate 2mbit
         tc class add dev $IF parent 1:1 classid 1:10 htb rate 2mbit    # home user bandwidth
         tc class add dev $IF parent 1:1 classid 1:20 htb rate 200kbit  # guest user bw
         tc class add dev $IF parent 1:1 classid 1:30 htb rate 2mbit
	tc qdisc add dev $IF parent 1:10 handle 100: bfifo limit 75000
	tc qdisc add dev $IF parent 1:20 handle 200: bfifo limit 75000

#----
#---QDISC for the download

	tc qdisc add dev $IF handle ffff: ingress
	tc filter add dev $IF parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 30mbit burst 30mbit drop flowid :1

I send this nping command with the --data-length extension so that the  
ping will not be treated as a single bit.



* Re: reroute icmp traffic from one interface to another
  2016-05-31 14:13 reroute icmp traffic from one interface to another Ηλια Χατζηστυλη
  2016-05-31 15:40 ` Andy Furniss
  2016-05-31 23:40 ` Ηλια Χατζηστυλη
@ 2016-06-01 16:45 ` Andy Furniss
  2 siblings, 0 replies; 4+ messages in thread
From: Andy Furniss @ 2016-06-01 16:45 UTC (permalink / raw)
  To: lartc

Ηλια Χατζηστυλη wrote:
> The code used to reroute traffic and limit bandwidth is:

>          tc qdisc add dev $IF root handle 1:0 htb default 30
>          echo "class 10(home) 20(guest)"
>          tc class add dev $IF parent 1: classid 1:1 htb rate 2mbit
>          tc class add dev $IF parent 1:1 classid 1:10 htb rate 2mbit
> --home user bandwidth
>      tc class add dev $IF parent 1:1 classid 1:20 htb rate
> 200kbit--guest user bw
>          tc class add dev $IF parent 1:1 classid 1:30 htb rate 2mbit
>      tc qdisc add dev $IF parent 1:10 handle 100: bfifo limit 75000
>      tc qdisc add dev $IF parent 1:20 handle 200: bfifo limit 75000
>
> #----
> #---QDISC for the download
>
>      tc qdisc add dev $IF handle ffff: ingress
>      tc filter add dev $IF parent ffff: protocol ip prio 50 u32 match ip
> src 0.0.0.0/0 police rate 30mbit burst 30mbit drop flowid :1

Policers are not very good in practice, consider using ifb.
Either way policing/shaping ingress traffic is not totally controllable
like it is on egress.

> I send this nping command with the --data-length extension so that the
> ping will not be treated as a single bit.

If htb/bfifo is not backlogged then the packet will get sent instantly
whatever length it is.
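
The behaviour described in the replies, as a simplified token-bucket model (an added illustration, not code from any poster in the thread): a lone ping into an idle 2mbit class leaves at once, and delay appears only when the class is backlogged. The 1600-byte burst, the full bucket at start and the 40-packet upload are assumptions; the rate and the packet size come from the thread.

```python
# Simplified model of one HTB leaf class: a token bucket in front of a FIFO.
# Assumptions (not from the thread): 1600-byte burst, bucket full when idle,
# no borrowing, and the wire itself is much faster than the shaped rate.

RATE_BPS = 2_000_000               # "htb rate 2mbit" from the posted script
BURST_BYTES = 1600                 # assumed burst; tc derives its own default
PING_BYTES = 1460 + 8 + 20 + 14    # payload + ICMP + IP + Ethernet, per the reply


def shaper_delays(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Return the shaper-induced delay in seconds for each packet.

    packets: list of (arrival_time_s, size_bytes), sorted by arrival time.
    """
    tokens = float(burst_bytes)    # class has been idle, so the bucket is full
    clock = 0.0                    # time at which `tokens` was last updated
    head_free_at = 0.0             # when the previous packet left the queue
    delays = []
    for arrival, size in packets:
        start = max(arrival, head_free_at)      # FIFO: wait for packets ahead
        tokens = min(burst_bytes, tokens + (start - clock) * rate_bps / 8)
        if tokens < size:                       # not enough credit: wait for refill
            start += (size - tokens) * 8 / rate_bps
            tokens = size
        tokens -= size
        clock = head_free_at = start
        delays.append(start - arrival)
    return delays


def lone_ping_delay():
    """One ping into an idle class: it fits in the burst and leaves at once."""
    return shaper_delays([(0.0, PING_BYTES)])[0]


def ping_behind_upload_delay(upload_packets=40, upload_size=1500):
    """The same ping queued behind a constructed burst of upload packets."""
    queue = [(0.0, upload_size)] * upload_packets + [(0.0, PING_BYTES)]
    return shaper_delays(queue)[-1]


if __name__ == "__main__":
    print(f"idle class:       {lone_ping_delay() * 1000:.3f} ms")
    print(f"backlogged class: {ping_behind_upload_delay() * 1000:.3f} ms")
```
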


