On Tue, Mar 28, 2006 at 04:23:51PM -0500, Jason Dixon wrote:
> On Mar 28, 2006, at 4:10 PM, Jon Simola wrote:
>
> >>With the current ruleset, clients are properly assigned to the
> >>"http_out" queue, but then the connection from the proxy is going to
> >>duplicate their traffic in altq. Even if I don't queue outbound
> >>traffic from the proxy, the packets are going to be counted towards
> >>the default queue, skewing my totals. Has anyone come up with an
> >>effective QoS design for dealing with proxies handling multiple
> >>networks?
> >
> >I'm not sure what the problem is here. Clients get thrown into an
> >http_out queue on the DMZ interface, and the squid proxy will be put
> >into a separate http_out interface on the public-facing interface. So
> >yes, client HTTP traffic will pass through your router twice (Client
> ><-> DMZ, DMZ <-> public) using different queues on different
> >interfaces as you've described.
>
> Ok, let me try and give an example scenario. Each client VLAN has a
> bandwidth limit of 100Kbps cbq(borrow). The DMZ, which normally will
> not pass that much outbound traffic, is limited to 50Kbps cbq
> (borrow). Suppose we have three clients that start downloading
> various files and/or streams:
>
> Client in VLAN 1 downloads an HTTP stream at 20Kbps
> Client in VLAN 2 downloads an HTTP object at 50Kbps
> Client in VLAN 3 downloads an HTTP object at 100Kbps
>
> Even though the aggregate 170Kbps is coming from the DMZ, the
> bandwidth is allocated to the outbound queue for each vlan
> interface. Combine that with the "real" 170Kbps coming into DMZ
> proxy, and your firewall thinks it is pushing 340Kbps. Does this
> sound kosher, or am I having a brain fart?
Well, the firewall *is* actually pushing 340Kbps - just in different
'directions' (networks, vlans, ...). Queue on that - for instance,
shape traffic from the proxy to the vlan.
As to the DMZ, the proxy can use lots of bandwidth, and the rest get,
say, 40Kbps.
Joachim
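As an added illustration of the design Joachim describes (this is not a config from the thread, and the interface names, addresses and bandwidth figures are assumptions chosen to match the 100Kbps-per-VLAN / 40Kbps-rest scenario discussed above), a pf.conf altq layout that shapes each leg of the proxied flow on the interface it actually leaves, so the 170Kbps towards the proxy and the 170Kbps from the proxy back to the VLANs are counted in separate queues on separate interfaces instead of being lumped into one default queue:

```pf
# Added example, not from the original thread. Assumed topology:
#   em0            public-facing interface
#   em1            DMZ, squid listening on 192.168.10.10:3128
#   vlan1..vlan3   client VLANs, each capped at 100Kbps towards its clients
ext_if = "em0"
dmz_if = "em1"
proxy  = "192.168.10.10"
proxy_port = "3128"

# Public side: only the proxy's own fetches leave here, so this is the
# one place the "real" upstream HTTP bandwidth is accounted for.
altq on $ext_if cbq bandwidth 2Mb queue { ext_std, ext_http }
queue ext_std  bandwidth 50% cbq(default borrow)
queue ext_http bandwidth 50% cbq(borrow)

# DMZ side: client requests towards the proxy leave the firewall on em1,
# so they are shaped on em1's queues. The proxy gets most of the link,
# "the rest" of the DMZ gets 40Kbps (both may borrow).
altq on $dmz_if cbq bandwidth 1Mb queue { dmz_std, dmz_proxy }
queue dmz_std   bandwidth 40Kb  cbq(default borrow)
queue dmz_proxy bandwidth 960Kb cbq(borrow)

# Client VLANs: the proxy's replies leave the firewall on the VLAN
# interface, so the per-VLAN 100Kbps cap is enforced there, not on em1.
altq on vlan1 cbq bandwidth 100Kb queue { v1_std, v1_http }
queue v1_std  bandwidth 20% cbq(default borrow)
queue v1_http bandwidth 80% cbq(borrow)

altq on vlan2 cbq bandwidth 100Kb queue { v2_std, v2_http }
queue v2_std  bandwidth 20% cbq(default borrow)
queue v2_http bandwidth 80% cbq(borrow)

altq on vlan3 cbq bandwidth 100Kb queue { v3_std, v3_http }
queue v3_std  bandwidth 20% cbq(default borrow)
queue v3_http bandwidth 80% cbq(borrow)

# Leg 1: clients -> proxy. The queue only takes effect on the interface
# the packet is sent out on (em1); a queue name that does not exist on
# the outgoing interface silently falls back to that interface's default.
pass out on $dmz_if proto tcp from { vlan1:network, vlan2:network, vlan3:network } \
    to $proxy port $proxy_port keep state queue dmz_proxy

# Leg 2: proxy -> clients, shaped per VLAN on the VLAN interface.
pass out on vlan1 proto tcp from $proxy port $proxy_port to vlan1:network \
    keep state queue v1_http
pass out on vlan2 proto tcp from $proxy port $proxy_port to vlan2:network \
    keep state queue v2_http
pass out on vlan3 proto tcp from $proxy port $proxy_port to vlan3:network \
    keep state queue v3_http

# Leg 3: proxy -> internet, the only traffic that should hit ext_http.
pass out on $ext_if proto tcp from $proxy to any port { 80, 443 } \
    keep state queue ext_http
```

With this split, `pfctl -vsq` shows the same flow three times, once per interface, which is the expected result rather than double counting: each figure is the bandwidth that interface really pushed. The clients' uploads towards the proxy (leg 1) are normally small, so dmz_proxy mostly idles; the 100Kbps figure in the scenario lands on v3_http, and the 170Kbps aggregate lands on ext_http.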