From: "Jerry Vonau"

>> For instance, ALL ssh (tcp/22) traffic should be going out over NET_IF1
>> (eth3, via 172.16.3.1) with mark of 10 or 20. But here's a tcp trace from
>> the LAN:
>
> That is only for traffic control, that is in the forward chain. The mark
> of 10 or 20 relates to routing and a provider how??

Thanks Jerry. I was of the understanding that, as the marks 10/20 are
associated with the interface for the required ISP, traffic so marked will
be routed out that ISP:

tcclasses:
#INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
$NET_IF1    10    full       full       1         tcp-ack,tos-minimize-delay
$NET_IF1    20    9*full/10  9*full/10  2
$NET_IF1    30    6*full/10  6*full/10  3         default
...etc

>> tcrules:
>> #MARK  SOURCE        DEST     PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
>> #                                    PORT(S)  PORT(S)
<snip>
>> 20     $LAN_NETWORK  $ANY_IP  tcp    ssh      -        -     -     513:
>> 10     $LAN_NETWORK  $ANY_IP  tcp    ssh      -        -     -     0:512
>
> the routing rules:
>
> 0:      from all lookup local
> 10001:  from all fwmark 0x1 lookup IINET
> 10002:  from all fwmark 0x2 lookup TELSTRA
> 10202:  from all fwmark 0xca lookup squid
> 20256:  from 172.16.3.2 lookup IINET
> 20512:  from 172.16.4.2 lookup TELSTRA
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> When using the tcrules file to override balancing to use only one ISP,
> you should be using the providers' mark here (in the tcpre chain, that
> is part of the prerouting chain) to direct traffic into the providers'
> routing table to pick your preferred ISP. You'll need to use something like:
>
> 1:P  $LAN_NETWORK  $ANY_IP  tcp  ssh
>
> 1 = mark of your "preferred" provider
> P = use mark in prerouting chain

Won't that bypass the traffic shaping? That's a show stopper for us. We rely
heavily on SSH and it can't really be delayed waiting for Joe User to finish
downloading a CD ISO :(

Maybe I should be using classes in the tcrules instead:

providers:
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS    COPY
$ISP1   1       1     main       $NET_IF1   $NET_IF1_GW  $PROVOPTS  $COPY
$ISP2   2       2     main       $NET_IF2   $NET_IF2_GW  $PROVOPTS  $COPY
squid   3       202   -          $LAN_IF    $PROXYSVR    loose      -

tcrules:
#MARK  SOURCE        DEST     PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
#                                    PORT(S)  PORT(S)
-- Snipped --
1:120  $LAN_NETWORK  $ANY_IP  tcp    ssh      -        -     -     513:
1:110  $LAN_NETWORK  $ANY_IP  tcp    ssh      -        -     -     0:512

Or is this a two-step process? One rule in the prerouting chain to force a
specific ISP, then another rule in the forward chain to mark the traffic for
shaping?

>> What is left to make this work....it feels close :-/
>
> Hope that is your fix..

Me too Jerry :) I'll give it a shot, but like I said, even if the routing
works we need the traffic shaping too.

Cheers,
James

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
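The point Jerry is making (a tc class mark is not a provider mark, so packets marked 10 or 20 never hit the fwmark rules that select IINET or TELSTRA) can be checked against the `ip rule` list James posted. The following is an added example, not code from either poster or from Shorewall: it parses that rule list (copied from the message) and walks it the way the kernel's policy-routing lookup does, returning the tables consulted for a packet with a given source address and fwmark. The LAN client address 192.168.1.10 is an assumption for the demonstration; the rule parser only handles the `from`/`fwmark`/`lookup` forms that appear in the thread.

```python
import ipaddress
import re

# Rule list as posted in the thread (constructed copy of James's `ip rule`
# output; nothing is added or reordered).
IP_RULES = """\
0:      from all lookup local
10001:  from all fwmark 0x1 lookup IINET
10002:  from all fwmark 0x2 lookup TELSTRA
10202:  from all fwmark 0xca lookup squid
20256:  from 172.16.3.2 lookup IINET
20512:  from 172.16.4.2 lookup TELSTRA
32766:  from all lookup main
32767:  from all lookup default
"""

# Only the rule forms present in the posted list are recognised; an
# optional /mask on the fwmark is accepted because `ip rule` prints one
# when a mask is in use.
RULE_RE = re.compile(
    r"^\s*(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup\s+(?P<table>\S+)\s*$"
)


def parse_rules(text):
    """Parse `ip rule` output into (priority, src_net, mark, mask, table)."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: %r" % line)
        src = None if m["src"] == "all" else ipaddress.ip_network(m["src"], strict=False)
        mark = int(m["mark"], 16) if m["mark"] else None
        mask = int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF
        rules.append((int(m["prio"]), src, mark, mask, m["table"]))
    # The kernel evaluates rules in ascending priority order.
    return sorted(rules, key=lambda r: r[0])


RULES = parse_rules(IP_RULES)


def lookup_order(rules, src_ip, fwmark=0):
    """Tables consulted, in order, for a packet with this source and fwmark.

    The kernel tries every rule whose selectors match and stops at the first
    table that has a route for the destination.  `local` is skipped here
    because it only ever matches the host's own addresses.
    """
    ip = ipaddress.ip_address(src_ip)
    order = []
    for _prio, src, mark, mask, table in rules:
        if src is not None and ip not in src:
            continue
        if mark is not None and (fwmark & mask) != mark:
            continue
        if table == "local":
            continue
        order.append(table)
    return order


def selected_table(rules, src_ip, fwmark=0):
    """First table consulted; for a provider table holding a default route
    this is the one that decides the egress interface."""
    return lookup_order(rules, src_ip, fwmark)[0]


if __name__ == "__main__":
    for mark in (10, 20, 1, 2, 0xCA):
        print("LAN client, fwmark 0x%x -> %s" % (mark, selected_table(RULES, "192.168.1.10", mark)))
    print("from 172.16.3.2, no mark  ->", selected_table(RULES, "172.16.3.2"))
```

Running it shows that the tc class marks 10 (0xa) and 20 (0x14) fall straight through to `main`, while the provider marks 1 and 2 land in IINET and TELSTRA; only a mark that equals a provider's MARK column ever influences the egress path.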
