Hello LEAFers,

We are experiencing issues with bandwidth usage. Currently we are using three T-1 lines for a total of 4.5 Mbit/s of bandwidth. We use Shorewall on our 4.3.1 Bering uClibc system to prioritize packets as follows:
#
# Shorewall version 4 - Tcdevices File
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#NUMBER:     IN-BANDWITH   OUT-BANDWIDTH   OPTIONS   REDIRECTED
#INTERFACE                                           INTERFACES
eth0         4400kbit      4200kbit

#
# Shorewall version 4 - Tcclasses File
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#INTERFACE:CLASS   MARK   RATE:         CEIL          PRIORITY   OPTIONS
#                         DMAX:UMAX
eth0               1      full*56/100   full*9/10     1          tos-maximize-throughput
eth0               2      full*34/100   full          2          tos=0x68/0xfc,tos=0xb8/0xfc
eth0               3      full*2/100    full*20/100   3          tcp-ack,tos-minimize-delay
eth0               4      full*2/100    full*10/100   4
eth0               5      full*4/100    full          5          tcp-ack,tos-minimize-delay
eth0               6      full*2/100    full*9/10     6          default

#
# Shorewall version 4 - Tcrules File
#
# For information about entries in this file, type "man shorewall-tcrules"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
###########################################################################################################
#MARK       SOURCE             DEST               PROTO   DEST                PORT(S)   USER   TEST   LENGTH   TOS   CONNB
#                                                         PORT(S)             SOURCE
# following are for Sorenson nTouchVP sessions
1:P         192.168.1.160/28   0.0.0.0/0          all
#1:P        192.168.1.160/28   0.0.0.0/0          tcp     1720
#1:P        0.0.0.0/0          192.168.1.160/28   tcp     1720
#1:P        192.168.1.160/28   0.0.0.0/0          tcp     5060,50060
#1:P        0.0.0.0/0          192.168.1.160/28   tcp     5060,50060
#1:P        192.168.1.160/28   0.0.0.0/0          tcp     15328:15348
#1:P        0.0.0.0/0          192.168.1.160/28   tcp     15328:15348
#1:P        192.168.1.160/28   0.0.0.0/0          udp     15328:15348
#1:P        0.0.0.0/0          192.168.1.160/28   udp     15328:15348
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark i
# standard ports used by Tandberg T-20 (Z-20) (HollyS + Doug)
1:P         192.168.1.64/30    0.0.0.0/0          tcp     1720,5060
1:P         0.0.0.0/0          192.168.1.64/30    tcp     1720,5060
1:P         192.168.1.64/30    0.0.0.0/0          udp     5060
1:P         0.0.0.0/0          192.168.1.64/30    udp     5060
1:P         192.168.1.64/30    0.0.0.0/0          udp     2326:2358
1:P         0.0.0.0/0          192.168.1.64/30    udp     2326:2358
1:P         192.168.1.64/30    0.0.0.0/0          tcp     32768:61000
1:P         0.0.0.0/0          192.168.1.64/30    tcp     32768:61000
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark i
# following 4 lines are for Apple FaceTime sessions
1:P         0.0.0.0/0          0.0.0.0/0          tcp     5223
1:P         0.0.0.0/0          0.0.0.0/0          udp     3478:3497
1:P         0.0.0.0/0          0.0.0.0/0          udp     16384:16387
1:P         0.0.0.0/0          0.0.0.0/0          udp     16393:16402
# following is for iChat sessions
1:P         0.0.0.0/0          0.0.0.0/0          tcp     5190,5220,5222,5223,5298
1:P         0.0.0.0/0          0.0.0.0/0          udp     5060,5190,5297,5298,5353,5678,16384:16403
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark i
# following is for VoIP connection to the 'net
2:P         192.168.1.40/32    0.0.0.0/0          udp     5060,5062,10000:20000,4000:4999,4569
2:P         192.168.1.97/27    0.0.0.0/0          udp     5060,5062,10000:20000,4000:4999,4569
2:P         192.168.1.128/27   0.0.0.0/0          udp     5060,5062,10000:20000,4000:4999,4569
2:P         0.0.0.0/0          192.168.1.40/32    udp     5060,5062,10000:20000,4000:4999,4569
2:P         192.168.1.40/32    0.0.0.0/0          tcp     5222,843,5269
2:P         192.168.1.97/27    0.0.0.0/0          tcp     5222,843,5269
2:P         192.168.1.128/27   0.0.0.0/0          tcp     5222,843,5269
2:P         0.0.0.0/0          192.168.1.40/32    tcp     5222,843,5269
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark i
# following 2 lines are for critical interactive sessions such as downloads
3:P         0.0.0.0/0          0.0.0.0/0          icmp    echo-request
3:P         0.0.0.0/0          0.0.0.0/0          icmp    echo-reply
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark is
# following 2 lines are for DNS queries/replies
4:P         0.0.0.0/0          0.0.0.0/0          tcp     53
4:P         0.0.0.0/0          0.0.0.0/0          tcp     -                   53
4:P         0.0.0.0/0          0.0.0.0/0          udp     53
4:P         0.0.0.0/0          0.0.0.0/0          udp     -                   53
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark i
# following 4 lines are for critical interactive sessions - FTP Data/FTP Control/SSH/Telnet
5:P         0.0.0.0/0          0.0.0.0/0          tcp     20,21,22,23
5:P         0.0.0.0/0          0.0.0.0/0          udp     20,21,22,23
5:P         0.0.0.0/0          0.0.0.0/0          tcp     -                   20,21,22,23
5:P         0.0.0.0/0          0.0.0.0/0          udp     -                   20,21,22,23
#RESTORE    0.0.0.0/0          0.0.0.0/0          all     -                   -         -      0      #moves the connection
#CONTINUE   0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0     #If the packet mark i
# following 1 line by default - ALL OTHER TRAFFIC
6:P         0.0.0.0/0          0.0.0.0/0          all
#SAVE       0.0.0.0/0          0.0.0.0/0          all     -                   -         -      !0

Our company uses video technology to communicate with our customers. In addition, we host a VoIP PBX system box within our LAN that connects via SIP to our SIP connection provider. Each Sorenson video connection consumes about 384 Kbps. iChat sessions consume 500 Kbps. I've been unable to find a way to rate-limit FaceTime connections. Voice connections are about 84 Kbps each.
We normally do not average more than 2 to 3 video connections simultaneously and two to three VoIP connections. The entire company of 2f employees does not have any restrictions on web-surfing, and it is not heavily used. We do have two contractors that are allowed to connect to our internal LAN, and it is observed that when they are connected to us, their traffic is not minimal. What we are seeing is that our video connections are freezing at times and voice connections are breaking up at times. When that happens, I've observed via iptraf that the inbound traffic consumes so much bandwidth that there isn't much bandwidth left for outbound traffic. Typically we are able to see/hear people on the other side of the video/voice connections but they are reporting problems seeing/hearing us. When inbound traffic is light, we do not experience such issues as much. Is there a way I can control traffic so that we can experience better bidirectional voice and video connections? I've tried prerouting as well as postrouting along with using the RESTORE/CONTINUE marks with little effect. I've read that FreeBSD uses 'polling device' as a method of rate-limiting but do not know any more than that. About three months ago we upgraded our firewall from 3.x to 4.3 and have experienced these kinds of issues since then. I basically used the same configuration from the older version with a few changes. Are there any changes that I may have overlooked within Shorewall that would help me control traffic more effectively? Suggestions/feedback will be cheerfully accepted.

~Doug

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb ------------------------------------------------------------------------ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
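Added example (not from Doug's post and not a Shorewall tool): a small Python checker for the tcdevices/tcclasses pair posted above. The two file excerpts inside it are constructed copies of those in the post, with the headers shortened. It resolves every `full*N/M` expression against the device OUT-BANDWIDTH, which is what `full` means in shorewall-tcclasses and the figure the HTB classes are built on (tcclasses shapes outbound traffic; IN-BANDWIDTH only installs an ingress policer), and then checks the invariants Shorewall/HTB require: guaranteed RATEs must not exceed the device, RATE <= CEIL <= device, and exactly one `default` class. It also works out how many sessions fit inside a class's guaranteed RATE, using the per-session figures quoted in the post (384 kbit video, 84 kbit voice) as assumptions.

```python
"""Sanity-check a Shorewall tcdevices/tcclasses pair (added example, not a
Shorewall tool). The excerpts are constructed copies of the post's files; 'full'
in a RATE/CEIL cell means the device OUT-BANDWIDTH (man shorewall-tcclasses)."""
import re

TCDEVICES = """
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
eth0         4400kbit       4200kbit
"""

TCCLASSES = """
#INTERFACE   MARK   RATE          CEIL          PRIORITY   OPTIONS
eth0         1      full*56/100   full*9/10     1          tos-maximize-throughput
eth0         2      full*34/100   full          2          tos=0x68/0xfc,tos=0xb8/0xfc
eth0         3      full*2/100    full*20/100   3          tcp-ack,tos-minimize-delay
eth0         4      full*2/100    full*10/100   4
eth0         5      full*4/100    full          5          tcp-ack,tos-minimize-delay
eth0         6      full*2/100    full*9/10     6          default
"""

UNITS = {"kbit": 1, "mbit": 1000, "kbps": 8, "mbps": 8000}  # tc units -> kbit/s
BANDWIDTH = re.compile(r"(\d+)(kbit|mbit|kbps|mbps)")

def parse_bandwidth(text):
    """'4200kbit' -> 4200 kbit/s (kbps/mbps are kilo/megaBYTES per second)."""
    m = BANDWIDTH.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised bandwidth {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def fields(config):
    """Whitespace-split fields of every non-blank, non-comment line."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def eval_rate(expr, full):
    """Resolve a RATE/CEIL cell ('512kbit', 'full', 'full*56/100') to kbit/s."""
    if BANDWIDTH.fullmatch(expr):
        return parse_bandwidth(expr)
    # Only '*' and '/' occur in these expressions: tokenize and fold left to
    # right instead of handing config text to eval().
    tokens = re.findall(r"full|\d+|[*/]", expr)
    if not tokens or "".join(tokens) != expr:
        raise ValueError(f"unrecognised rate expression {expr!r}")
    value = full if tokens[0] == "full" else int(tokens[0])
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        rhs = full if tok == "full" else int(tok)
        value = value * rhs if op == "*" else value / rhs
    return int(round(value))

def parse_tcdevices(config):
    """{iface: {'in': kbit, 'out': kbit}}; the first cell may be 'NUMBER:iface'."""
    return {f[0].split(":")[-1]: {"in": parse_bandwidth(f[1]),
                                  "out": parse_bandwidth(f[2])}
            for f in fields(config)}

def parse_tcclasses(config, devices):
    """One dict per class with RATE/CEIL already resolved to kbit/s."""
    classes = []
    for f in fields(config):
        iface = f[0].split(":")[0]        # first cell is 'iface' or 'iface:classnumber'
        full = devices[iface]["out"]
        classes.append({"iface": iface, "mark": int(f[1]),
                        "rate": eval_rate(f[2], full), "ceil": eval_rate(f[3], full),
                        "priority": int(f[4]),
                        "options": f[5].split(",") if len(f) > 5 else []})
    return classes

def check(devices, classes):
    """HTB invariants per device; an empty list means the pair is consistent."""
    problems = []
    for iface, dev in devices.items():
        cls = [c for c in classes if c["iface"] == iface]
        full = dev["out"]
        total = sum(c["rate"] for c in cls)
        if total > full:
            problems.append(f"{iface}: guaranteed RATEs sum to {total} > {full} kbit")
        for c in cls:
            if c["ceil"] > full or c["rate"] > c["ceil"]:
                problems.append(f"{iface} mark {c['mark']}: need RATE <= CEIL <= {full} kbit, "
                                f"got {c['rate']} / {c['ceil']}")
        if sum("default" in c["options"] for c in cls) != 1:
            problems.append(f"{iface}: exactly one class must carry the 'default' option")
    return problems

def sessions_guaranteed(classes, mark, per_session_kbit):
    """Concurrent sessions that fit inside one class's guaranteed RATE."""
    cls = next(c for c in classes if c["mark"] == mark)
    return cls["rate"] // per_session_kbit

if __name__ == "__main__":
    devs = parse_tcdevices(TCDEVICES)
    cls = parse_tcclasses(TCCLASSES, devs)
    for c in cls:
        print(f"mark {c['mark']}: rate {c['rate']:5d} kbit  ceil {c['ceil']:5d} kbit")
    print("problems:", check(devs, cls) or "none")
    print("video sessions inside class 1 RATE:", sessions_guaranteed(cls, 1, 384))
    print("voice sessions inside class 2 RATE:", sessions_guaranteed(cls, 2, 84))
```

Run as-is it reports no problems: the six RATEs come to 2352, 1428, 84, 84, 168 and 84 kbit, which sum to exactly the 4200 kbit OUT-BANDWIDTH, and class 1 guarantees room for 6 video sessions at 384 kbit while class 2 guarantees 17 voice calls at 84 kbit. Raising class 1 to `full*60/100` pushes the sum over the device rate and the checker flags it. Because these classes only govern what leaves eth0, a clean result here says nothing about inbound load; it only confirms the egress side is internally consistent.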