Hi there,
I tried to set up a Linux bridge to prioritize some interactive (Citrix / https)
traffic to 1.2.3.4 on my ADSL link, but I think it does not work correctly.
Overview:
Router <-> [eth1] Linux Bridge [eth0] <-> internal Net
This is my script (with friendly support from the Linux Advanced Routing & Traffic
Control HOWTO):
#!/bin/sh
#
# ADSL 1500/160kbit Down/Upload
UPLOAD=140
#DOWNLOAD=1130
DOWNLOAD=1330
## IP addresses: TKH = internal, SAD = external
# internal host
TKH=1.2.3.4
# external partner
SAD=5.6.7.8
## create qdisc
tc qdisc add dev eth1 root handle 1: htb default 11
## create upload class
tc class add dev eth1 parent 1: classid 1:1 htb rate ${UPLOAD}kbit ceil ${UPLOAD}kbit
# upload interactive and "connection begin" class
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 30kbit ceil ${UPLOAD}kbit prio 0 burst 4k quantum 6000
# upload web class and default
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 70kbit ceil 100kbit prio 1 burst 2k quantum 1500
# upload SMTP class
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbit ceil 100kbit prio 2 quantum 1500
# handle mapping
tc qdisc add dev eth1 parent 1:11 handle 120: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 130: sfq perturb 10
#
## Set the priorities of the individual classes and for use with iptables
#
# mark mapping
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
# set marks on the right packets
# You can start marking packets by adding rules to the PREROUTING chain in the mangle table.
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
# A good idea is to prioritize packets that begin TCP connections, those with the SYN flag set:
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
# We have done a -j RETURN so packets don't traverse all rules. ICMP packets won't
# match other rules below RETURN. Keep that in mind. Now we can start adding more rules;
# let's do proper TOS handling:
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Cost -j MARK --set-mark 0x3
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Maximize-Throughput -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Maximize-Throughput -j RETURN
# high prio Citrix / https connections
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --dport 443 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --sport 443 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --sport 443 -j RETURN
# low prio SMTP connections
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x3
#
# Download limit
# extra qdisc
tc qdisc add dev eth1 handle ffff: ingress
# filter/throttle everything that arrives too fast
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNLOAD}kbit burst 10k drop flowid :1
So my problems are:
1) A big download never gets more than ~100kbit (most of the time it is much
lower). Why is that?
- Should it not reach the download rate set on the ingress qdisc?
- The ingress qdisc counter shows 0 packets sent. Why doesn't this work?
2) When the download runs, it breaks interactivity on the Citrix clients. Can anybody
explain to me why?
- Citrix clients should have the highest priority, and the counters of classes 1:10,
1:11 and 1:12 show different values,
so I think the mangling with iptables should work.
3) When big e-mails go out of our network, it breaks interactivity on the Citrix
clients. Can anybody explain to me why?
Here is some more info:
- Debian Woody backport kernel 2.6.2
- htb version 3.15
I think I am doing something wrong; can anybody please point me in the right direction?
Thank you
Thomas
_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
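Rule order decides which fwmark, and therefore which HTB class, a packet gets: iptables appends `-A` rules at the tail, while each `-I` without a rule number is inserted as rule 1, so the second `-I` line ends up in front of the first. The model below is an added example, not part of Thomas's post; it replays the script's mangle rules in the order they are issued and reports the mark and class per packet type (the `Pkt` fields and the 192.0.2.10 address are constructed).

```python
from dataclasses import dataclass

SAD = "5.6.7.8"                                      # external partner, from the post
CLASS_FOR_MARK = {1: "1:10", 2: "1:11", 3: "1:12"}   # the three "fw" filters
DEFAULT_CLASS = "1:11"                               # "htb default 11" on the root qdisc

@dataclass
class Pkt:
    proto: str = "tcp"
    dst: str = "192.0.2.10"   # constructed stand-in for any address other than SAD
    sport: int = 0
    dport: int = 0
    syn_only: bool = False    # what --tcp-flags SYN,RST,ACK SYN matches
    tos: str = ""             # what -m tos --tos <name> matches

chain = []   # mangle PREROUTING as an ordered list of (match, action, mark)
def rule(flag, match, action, mark=None):
    """-A appends at the tail; -I with no position inserts as rule 1."""
    pos = len(chain) if flag == "-A" else 0
    chain.insert(pos, (match, action, mark))

def tcp(**want):   # match TCP packets whose listed fields equal the given values
    return lambda p: p.proto == "tcp" and all(getattr(p, k) == v for k, v in want.items())
# The iptables lines of the script, issued in the same order.
rule("-A", lambda p: p.proto == "icmp", "MARK", 1)
rule("-A", lambda p: p.proto == "icmp", "RETURN")
rule("-I", tcp(syn_only=True), "MARK", 1)
rule("-I", tcp(syn_only=True), "RETURN")
for tos, mark in (("Minimize-Delay", 1), ("Minimize-Cost", 3), ("Maximize-Throughput", 2)):
    rule("-A", tcp(tos=tos), "MARK", mark)
    rule("-A", tcp(tos=tos), "RETURN")
rule("-A", tcp(dst=SAD, dport=443), "MARK", 1)
rule("-A", tcp(dst=SAD, sport=443), "MARK", 1)
rule("-A", tcp(dst=SAD, dport=443), "RETURN")
rule("-A", tcp(dst=SAD, sport=443), "RETURN")
rule("-A", tcp(dport=25), "MARK", 3)

def classify(p):
    """Walk the chain like netfilter: MARK sets the mark and continues, RETURN ends the walk."""
    mark = 0
    for match, action, m in chain:
        if not match(p):
            continue
        if action == "RETURN":
            break
        mark = m
    return mark, CLASS_FOR_MARK.get(mark, DEFAULT_CLASS)

if __name__ == "__main__":
    for p in (Pkt(syn_only=True, dst=SAD, dport=443), Pkt(dst=SAD, dport=443), Pkt(dport=25)):
        print(classify(p), p)
```

Running it shows that the SYN rule pair, as inserted, leaves connection-opening packets unmarked and in the default class, and that a Citrix packet carrying a TOS already matched earlier in the chain never reaches the port 443 rules.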