Just to add to this mess :-) The upload traffic through the ipsec tunnel works as it should, the problem reported below only happens with incoming traffic 192.168.200.1 <--- 192.168.100.2.
see ya!
Ismael

----- Original Message -----
From: "Ismael Milach da Silveira" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Thursday, January 04, 2007 5:08 PM
Subject: Re: [Shorewall-users] TC again - now working on VPN traffic

> ###################################
> I don't see anywhere that you are "giving full bandwidth to VPN traffic".
>
> Hint: In IPSEC tunnel mode (and in most VPN situations), the actual VPN
> traffic is $FW-><remote gateway> and you have no marking rules with SOURCE =
> $FW.
> ####################
>
> the tunnel is IPSEC.
>
> 70kbps is my "full" :-)
>
> eth0= wan
> eth1 = lan
> 192.168.200.0/24 is LAN
> 192.168.100.0/24 is the "remote" LAN
> 201.89.170.2 is the remote GW
>
> tcdevices:
> ###############
> eth0 70kbps 70kbps
> eth1 10000kbps 10000kbps
> ##################
>
> tcrules
> ############
> 1 $FW 192.168.100.0/24 all
> 1 $FW 201.89.170.2 all
> 3 192.168.100.0/24 0.0.0.0/0 all
> ############
>
> tcclasses:
> ########################################
> eth0 1 10kbps 20kbps 1
> eth0 2 30kbps 40kbps 2 default
> eth1 3 10kbps 20kbps 1
> eth1 4 30kbps 40kbps 2 default
> ########################################
>
> the traffic floats between 10 and 20KB/s. ok, it seems normal, although only
> the forwarded traffic is being classified.
>
> from the dump (FW.txt.bz2):
> ############################################
> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   648  888K MARK       all  --  *      *       192.168.100.0/24     0.0.0.0/0            MARK set 0x3
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.100.0/24     MARK set 0x1
>     0     0 MARK       all  --  *      *       0.0.0.0/0            201.89.170.2         MARK set 0x1
> ############################################
>
> ###################
> Chain tcpost (1 references)
>   648  888K CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            MARK match 0x3/0xff CLASSIFY set 2:13
> ####################
>
> ####################
> class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 1500 rate 80000bit ceil 160000bit
>  rate 88464bit
> #####################
> around 11KB/s... ok.
>
> then I change tcclasses to:
> ###################################
> eth0 1 30kbps full 1
> eth0 2 10kbps 20kbps 2 default
> eth1 3 30kbps full 1
> eth1 4 10kbps 20kbps 2 default
> ####################################
> when "full" would be around 70kbps.
>
> The traffic rate goes up, but far from what it should be, never going over
> 23 KB/s.
>
> dump (FW2.txt.bz2)
> ######################################################################
> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  2930 4126K MARK       all  --  *      *       192.168.100.0/24     0.0.0.0/0            MARK set 0x3
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.100.0/24     MARK set 0x1
>     0     0 MARK       all  --  *      *       0.0.0.0/0            201.89.170.2         MARK set 0x1
> #####################################################################
>
> #################################
> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  2930 4126K CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            MARK match 0x3/0xff CLASSIFY set 2:13
> #########################################################################################
>
> ########################
> class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 2880 rate 240000bit ceil 80000Kbit
>  rate 169344bit 14pps
> #################################
>
> And, when I disable every traffic shaping rule...
> ########################################################
> [EMAIL PROTECTED] doctor]$ scp [EMAIL PROTECTED]:/home/doctor/marcia .
> [EMAIL PROTECTED]'s password:
> marcia 14% 1608KB 53.6KB/s 03:01 ETA
> #########################################################
>
> the moment I put some rule, no matter what rule, doing traffic shaping, the
> rate goes down between VPN station (the rest stays correct).
> tcclasses looking like this and no tcrules applied.
> #######################################
> eth0 1 30kbps full 1 default
> eth1 2 30kbps full 1 default
> ########################################
>
> VPN traffic
>
> ######################
> [EMAIL PROTECTED] doctor]$ scp [EMAIL PROTECTED]:/home/doctor/marcia .
> [EMAIL PROTECTED]'s password:
> marcia 18% 2076KB 19.7KB/s 07:49 ETA
> #####################
> why?
>
>
> Traffic to the remote Gateway is normal:
> ###############################
> [EMAIL PROTECTED] doctor]$ scp [EMAIL PROTECTED]:/home/doctor/teste.zip .
> Password:
> Password:
> teste.zip 11% 3340KB 54.7KB/s 08:07 ETAA
> ############################
>
> FW3.txt.bz2
> ##############################
> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            MARK match 0x1/0xff CLASSIFY set 1:11
>     0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            MARK match 0x2/0xff CLASSIFY set 2:12
> ##############################
>
> Again, what I wanna do is to give full bandwidth to VPN traffic and to limit
> the rest to 30kbps or so.
>
> Sorry for the way-too-long post :-)
>
> Thanks!
>
> see ya,
> Ismael
>
> ----- Original Message -----
> From: "Tom Eastep" <[EMAIL PROTECTED]>
> To: "Shorewall Users" <[email protected]>
> Sent: Thursday, January 04, 2007 1:58 PM
> Subject: Re: [Shorewall-users] TC again - now working on VPN traffic

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
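
Added example, not part of the original thread: a small parser that converts the `class htb` lines from the dumps quoted above into kilobytes per second, the unit the tcclasses entries use (`kbps`), so configured rate, ceiling and measured rate can be read side by side with the scp figures. The function names are hypothetical, and the sample text is constructed from the class lines in the message.

```python
import re

# Constructed sample: the two htb class stanzas quoted in the message
# (FW.txt and FW2.txt dumps), with the mail client's line wrapping undone.
SAMPLE = """\
class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 1500 rate 80000bit ceil 160000bit
 rate 88464bit
class htb 2:13 parent 2:1 leaf 13: prio 1 quantum 2880 rate 240000bit ceil 80000Kbit
 rate 169344bit 14pps
"""

# tc prints rates in bits per second with decimal prefixes.
UNIT_BITS = {"bit": 1, "Kbit": 1_000, "Mbit": 1_000_000, "Gbit": 1_000_000_000}
NUM = r"(\d+(?:\.\d+)?)([KMG]?bit)"
CONFIGURED = re.compile(r"\brate " + NUM + r"\s+ceil " + NUM)
MEASURED = re.compile(r"^\s*rate " + NUM, re.MULTILINE)


def kbytes_per_sec(value, unit):
    """Convert a tc rate to kilobytes/s (1000 bytes), Shorewall's 'kbps'."""
    return float(value) * UNIT_BITS[unit] / 8 / 1000


def parse_htb_classes(text):
    """Return one dict per 'class htb' stanza, all rates in kilobytes/s."""
    classes = []
    # Split at stanza starts so a class without a measured rate cannot
    # pick up the figure that belongs to the next class.
    for stanza in re.split(r"(?m)^(?=class htb )", text):
        head = re.match(r"class htb (\S+)", stanza)
        conf = CONFIGURED.search(stanza)
        if not head or not conf:
            continue
        # The measured rate sits on a continuation line, not the header line.
        body = stanza.partition("\n")[2]
        meas = MEASURED.search(body)
        classes.append({
            "classid": head.group(1),
            "rate": kbytes_per_sec(conf.group(1), conf.group(2)),
            "ceil": kbytes_per_sec(conf.group(3), conf.group(4)),
            "measured": kbytes_per_sec(*meas.groups()) if meas else None,
        })
    return classes


if __name__ == "__main__":
    for c in parse_htb_classes(SAMPLE):
        print(f"{c['classid']}: rate {c['rate']:g} ceil {c['ceil']:g} "
              f"measured {c['measured']} kB/s")
```
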
