On Mar 28, 2006, at 4:10 PM, Jon Simola wrote:

With the current ruleset, clients are properly assigned to the
"http_out" queue, but then the connection from the proxy is going to
duplicate their traffic in altq.  Even if I don't queue outbound
traffic from the proxy, the packets are going to be counted towards
the default queue, skewing my totals.  Has anyone come up with an
effective QoS design for dealing with proxies handling multiple
networks?

I'm not sure what the problem is here. Clients get thrown into an
http_out queue on the DMZ interface, and the squid proxy will be put
into a separate http_out interface on the public-facing interface. So
yes, client HTTP traffic will pass through your router twice (Client
<-> DMZ, DMZ <-> public) using different queues on different
interfaces as you've described.

Ok, let me try and give an example scenario. Each client VLAN has a bandwidth limit of 100Kbps cbq(borrow). The DMZ, which normally will not pass that much outbound traffic, is limited to 50Kbps cbq(borrow). Suppose we have three clients that start downloading various files and/or streams:

Client in VLAN 1 downloads an HTTP stream at 20Kbps
Client in VLAN 2 downloads an HTTP object at 50Kbps
Client in VLAN 3 downloads an HTTP object at 100Kbps

Even though the aggregate 170Kbps is coming from the DMZ, the bandwidth is allocated to the outbound queue for each VLAN interface. Combine that with the "real" 170Kbps coming into the DMZ proxy, and your firewall thinks it is pushing 340Kbps. Does this sound kosher, or am I having a brain fart?

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
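A per-interface queue layout of the kind Jon describes, written here as an added example rather than either poster's ruleset: the interface names, the proxy address and listen port, and the public-link bandwidth are assumptions, while the 100Kbps per VLAN and 50Kbps DMZ figures are the ones from the scenario above.

```pf
# Assumed names, not from the thread: interface names, the proxy's
# address (a constructed documentation address) and Squid's listen port.
ext_if     = "fxp0"        # public-facing interface
dmz_if     = "fxp1"        # DMZ holding the Squid proxy
proxy      = "192.0.2.10"
proxy_port = "3128"

# ALTQ shapes packets as they LEAVE an interface, so each leg of a
# download is counted once, by the queue on the interface it exits.

# Leg A: proxy -> client, leaves through the client's VLAN interface.
# 100Kbps per VLAN with borrowing, as in the scenario above.
altq on vlan1 cbq bandwidth 100Kb queue { http_vlan1, std_vlan1 }
queue http_vlan1 bandwidth 80% cbq(borrow)
queue std_vlan1  bandwidth 20% cbq(default borrow)
altq on vlan2 cbq bandwidth 100Kb queue { http_vlan2, std_vlan2 }
queue http_vlan2 bandwidth 80% cbq(borrow)
queue std_vlan2  bandwidth 20% cbq(default borrow)
altq on vlan3 cbq bandwidth 100Kb queue { http_vlan3, std_vlan3 }
queue http_vlan3 bandwidth 80% cbq(borrow)
queue std_vlan3  bandwidth 20% cbq(default borrow)

# Leg B: Internet -> proxy, leaves through the DMZ interface, 50Kbps.
# A state carries one queue name, and that name only exists on the
# interface it was defined for, so bytes leaving here land in this
# interface's default queue, which is what the first message describes.
altq on $dmz_if cbq bandwidth 50Kb queue { std_dmz }
queue std_dmz bandwidth 100% cbq(default)

# Leg C: proxy -> Internet (requests), leaves through the public
# interface.  The link bandwidth is assumed.
altq on $ext_if cbq bandwidth 1Mb queue { http_ext, std_ext }
queue http_ext bandwidth 40% cbq(borrow)
queue std_ext  bandwidth 60% cbq(default borrow)

# Assign the queue on the rule that creates the state; reply bytes
# leaving that same interface are then shaped by it.
pass in on vlan1 proto tcp from vlan1:network to $proxy port $proxy_port \
    keep state queue http_vlan1
pass in on vlan2 proto tcp from vlan2:network to $proxy port $proxy_port \
    keep state queue http_vlan2
pass in on vlan3 proto tcp from vlan3:network to $proxy port $proxy_port \
    keep state queue http_vlan3
pass in on $dmz_if proto tcp from $proxy to any port 80 \
    keep state queue http_ext
```

Checking `pfctl -vsq` on each interface shows the per-interface byte counters this layout produces, which is where the 340Kbps total in the scenario comes from: the same download bytes leave the firewall on two different interfaces.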
