James Gray wrote:

> The NET_IFx_GW variables are the ADSL modems' IPs (again, defined in params)
> as follows:
> NET_IF1_GW=172.16.3.1
> NET_IF2_GW=172.16.4.1
> NET_IF3_GW=172.16.5.1
> 
> tcdevices:
> #INTERFACE      IN-BANDWIDTH    OUT-BANDWIDTH
> $NET_IF1        $NET_IF1_IN     $NET_IF1_OUT
> $NET_IF2        $NET_IF2_IN     $NET_IF2_OUT
> $NET_IF3        $NET_IF3_IN     $NET_IF3_OUT
> 
> tcclasses:
> #INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
> #
> # Primary Interface (ADSL2+ 24M/1.5M)
> $NET_IF1   10   full      full      1        tcp-ack,tos-minimize-delay
> $NET_IF1   20   9*full/10 9*full/10 2
> $NET_IF1   30   6*full/10 6*full/10 3        default
> #
> # Secondary Interface (ADSL1 1.5M/256K)
> $NET_IF2   40   full      full      4        tcp-ack,tos-minimize-delay
> $NET_IF2   50   6*full/10 6*full/10 5        default
> #
> # Tertiary Interface (ADSL1 512K/128K)
> $NET_IF3   60   full      full      6        default
> 
> tcrules:
> #MARK SOURCE       DEST    PROTO DEST SOURCE USER TEST LENGTH TOS
> #                                PORT PORT
> 10    $LAN_NETWORK $ANY_IP tcp   ssh  -      -    -    0:512
> 20    $LAN_NETWORK $ANY_IP tcp   ssh  -      -    -    513:
> 20    $LAN_NETWORK $ANY_IP tcp   $WWW
> 20    $LAN_NETWORK $ANY_IP tcp   $FTP
> 30    $LAN_NETWORK $ANY_IP tcp   nntp
> 40    $LAN_NETWORK $ANY_IP tcp   $STREAM
> 50    $LAN_NETWORK $ANY_IP tcp   $ALLMAIL
> 50    $LAN_NETWORK $ANY_IP tcp   $IM
> 50    $LAN_NETWORK $ANY_IP udp   $IM
> 50    $LAN_NETWORK $ANY_IP tcp   $P2P
> 50    $LAN_NETWORK $ANY_IP udp   $P2P
> 50    $LAN_NETWORK $ANY_IP tcp   $GAMES
> 50    $LAN_NETWORK $ANY_IP udp   $GAMES
> 50    $LAN_NETWORK $ANY_IP all
> 

In taking another look at your configuration this morning, I see a couple
more problems:

a)  You have MARK_IN_FORWARD_CHAIN=No in shorewall.conf so all of your
marking rules are going in the PREROUTING chain. With multi-ISP routing,
your traffic shaping marking must be done in the FORWARD chain.

b)  You have failed to grasp the notion that tcrules are 'last-match-wins',
not 'first-match-wins'. So all traffic through your router is being marked
with fwmark = 50.

These two blunders have an effect on your multi-ISP problem. After
PREROUTING, all packets have a mark value of 50. That doesn't match any of
the fwmark values given for your Providers so traffic is routed according to
the 'main' routing table.  Because you didn't specify 'balance' on your
providers, your main routing table has a single default route via eth3 so
all traffic is sent out of that interface.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
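
Point (b) above, as an added example that is not part of the original message and is not Shorewall code: a small Python model of the quoted tcrules that compares first-match evaluation with the last-match-wins evaluation Tom describes. Only a subset of the rules is modelled, and the port numbers standing in for `$WWW` and the sample packets are constructed, since the params file is not shown.

```python
# Constructed stand-ins for port lists; the post does not show what $WWW expands to.
PORTS = {"ssh": {22}, "$WWW": {80, 443}, "nntp": {119}}

# (mark, proto, dest-port token, (min_len, max_len)) in the order quoted above.
# SOURCE and DEST are omitted because every quoted rule uses the same pair.
RULES = [
    (10, "tcp", "ssh", (0, 512)),
    (20, "tcp", "ssh", (513, None)),
    (20, "tcp", "$WWW", None),
    (30, "tcp", "nntp", None),
    (50, "all", None, None),          # the trailing catch-all
]

# Constructed sample packets leaving the LAN.
PACKETS = [
    {"name": "ssh keystroke", "proto": "tcp", "dport": 22, "len": 100},
    {"name": "scp bulk", "proto": "tcp", "dport": 22, "len": 1400},
    {"name": "https", "proto": "tcp", "dport": 443, "len": 900},
    {"name": "nntp", "proto": "tcp", "dport": 119, "len": 700},
    {"name": "dns", "proto": "udp", "dport": 53, "len": 80},
]

def matches(rule, pkt):
    _, proto, port, length = rule
    if proto != "all" and proto != pkt["proto"]:
        return False
    if port is not None and pkt["dport"] not in PORTS[port]:
        return False
    if length is not None:
        lo, hi = length
        if pkt["len"] < lo or (hi is not None and pkt["len"] > hi):
            return False
    return True

def final_mark(rules, pkt, first_match=False):
    """Walk every rule; each match overwrites the mark unless first_match is set."""
    mark = 0
    for rule in rules:
        if matches(rule, pkt):
            mark = rule[0]
            if first_match:
                break
    return mark

def catch_all_first(rules):
    """Move unconditional rules to the top so specific rules get the last word."""
    is_catch_all = lambda r: r[1] == "all" and r[2] is None and r[3] is None
    return [r for r in rules if is_catch_all(r)] + [r for r in rules if not is_catch_all(r)]

if __name__ == "__main__":
    for p in PACKETS:
        print(p["name"], final_mark(RULES, p, first_match=True),
              final_mark(RULES, p), final_mark(catch_all_first(RULES), p))
```

With the rules in the quoted order, last-match-wins evaluation gives every sample packet mark 50; with the catch-all moved to the top, the same evaluation yields the marks the first-match reading would have suggested.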

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users