###################################
I don't see anywhere that you are "giving full bandwidth to VPN traffic".
Hint: In IPSEC tunnel mode (and in most VPN situations), the actual VPN traffic is $FW-><remote gateway> and you have no marking rules with SOURCE = $FW.
####################

The tunnel is IPSEC. 70kbps is my "full" :-)

eth0 = wan
eth1 = lan
192.168.200.0/24 is LAN
192.168.100.0/24 is the "remote" LAN
201.89.170.2 is the remote GW

tcdevices:
###############
eth0 70kbps 70kbps
eth1 10000kbps 10000kbps
##################

tcrules
############
1 $FW 192.168.100.0/24 all
1 $FW 201.89.170.2 all
3 192.168.100.0/24 0.0.0.0/0 all
############

tcclasses:
########################################
eth0 1 10kbps 20kbps 1
eth0 2 30kbps 40kbps 2 default
eth1 3 10kbps 20kbps 1
eth1 4 30kbps 40kbps 2 default
########################################

The traffic floats between 10 and 20KB/s. OK, it seems normal, although only the forwarded traffic is being classified.

From the dump (FW.txt.bz2):
############################################
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
648 888K MARK all -- * * 192.168.100.0/24 0.0.0.0/0 MARK set 0x3

Chain tcout (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 192.168.100.0/24 MARK set 0x1
0 0 MARK all -- * * 0.0.0.0/0 201.89.170.2 MARK set 0x1
############################################

###################
Chain tcpost (1 references)
648 888K CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0x3/0xff CLASSIFY set 2:13
####################

####################
class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 1500 rate 80000bit ceil 160000bit
rate 88464bit
#####################

Around 11KB/s... OK. Then I change tcclasses to:
###################################
eth0 1 30kbps full 1
eth0 2 10kbps 20kbps 2 default
eth1 3 30kbps full 1
eth1 4 10kbps 20kbps 2 default
####################################

when "full" would be around 70kbps. The traffic rate goes up, but far from what it should be, never going over 23 KB/s.

Dump (FW2.txt.bz2):
######################################################################
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
2930 4126K MARK all -- * * 192.168.100.0/24 0.0.0.0/0 MARK set 0x3

Chain tcout (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 192.168.100.0/24 MARK set 0x1
0 0 MARK all -- * * 0.0.0.0/0 201.89.170.2 MARK set 0x1
#####################################################################

#################################
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
2930 4126K CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0x3/0xff CLASSIFY set 2:13
#################################

########################
class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 2880 rate 240000bit ceil 80000Kbit
rate 169344bit 14pps
#################################

And, when I disable every traffic shaping rule...
########################################################
[EMAIL PROTECTED] doctor]$ scp [EMAIL PROTECTED]:/home/doctor/marcia .
[EMAIL PROTECTED]'s password:
marcia 14% 1608KB 53.6KB/s 03:01 ETA
#########################################################

The moment I put some rule, no matter what rule, doing traffic shaping, the rate goes down between VPN station (the rest stays correct).

tcclasses looking like this and no tcrules applied.
#######################################
eth0 1 30kbps full 1 default
eth1 2 30kbps full 1 default
########################################

VPN traffic
######################
[EMAIL PROTECTED] doctor]$ scp [EMAIL PROTECTED]:/home/doctor/marcia .
[EMAIL PROTECTED]'s password:
marcia 18% 2076KB 19.7KB/s 07:49 ETA
#####################

Why? Traffic to the remote Gateway is normal:
###############################
[EMAIL PROTECTED] doctor]$ scp [EMAIL PROTECTED]:/home/doctor/teste.zip .
Password:
Password:
teste.zip 11% 3340KB 54.7KB/s 08:07 ETAA
############################

FW3.txt.bz2
##############################
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination

Chain tcout (1 references)
pkts bytes target prot opt in out source destination

Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x1/0xff CLASSIFY set 1:11
0 0 CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0x2/0xff CLASSIFY set 2:12
##############################

Again, what I wanna do is to give full bandwidth to VPN traffic and to limit the rest to 30kbps or so.

Sorry for the way-too-long post :-)

Thanks!
see ya,
Ismael

----- Original Message -----
From: "Tom Eastep" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Thursday, January 04, 2007 1:58 PM
Subject: Re: [Shorewall-users] TC again - now working on VPN traffic
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
FW.txt.bz2
Description: Binary data
FW2.txt.bz2
Description: Binary data
FW3.txt.bz2
Description: Binary data
