I have a firewall that routes between seven separate zones, including two ISPs and two VPN tunnels. Everything was working flawlessly until I went to add traffic shaping. I would like to start prioritizing the outbound traffic on the two ISPs, and I have all the rules in place, but it doesn't seem to be working correctly.
Let me start with the layout of the firewall:

  eth0 - ISP#1
  eth1 - ISP#2
  eth2 - Internal network
  eth3 - DMZ
  eth4 - WiFi
  tun0 - VPN #1
  tun1 - VPN #2

ISP #1 happens to be very sticky about traffic, but it is where our servers need to be hosted off, so the DMZ is the only source of traffic that goes in/out on ISP #1 (unless ISP #2 breaks). Everything else uses ISP #2, including the traffic for both VPNs.

I would like to sort traffic into four classes:

  Highest priority - TCP/IP handshaking + other low latency
  High priority    - VPN traffic
  Normal priority  - Everything else
  Low priority     - P2P traffic

From various tests and watching the stats coming from tc, I know that the High/Low priority is hardly being used (I sent a 10M file over the VPN to another office, and barely 2k was recorded on that qdisc), and I have no idea why. Shorewall runs fine, and traffic is flowing with no problems, but the traffic just isn't being classified correctly.

The important info/configs:

  shorewall version 3.4.6
  iptables v1.3.8
  ip utility, iproute2-ss070710

providers:

  ########################################################################
  #NAME  NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY       OPTIONS        COPY
  ISPS   2       0x0200  main       eth1       68.144.64.1   track,balance  eth2,eth3,eth4
  ISPN   1       0x0100  main       eth0       66.18.203.65  track,balance  eth2,eth3,eth4
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

route_rules:

  ########################################################################
  #SOURCE  DEST             PROVIDER  PRIORITY
  ## For VPNs
  -        192.168.0.0/16   main      1000
  ## For firewall
  lo       68.144.64.0/22   ISPS      1000
  lo       66.18.203.64/27  ISPN      1000
  lo       -                ISPS      1000
  ## For local
  eth2     68.144.64.0/22   ISPS      1000
  eth2     66.18.203.64/27  ISPN      1000
  eth2     -                ISPS      1000
  ## For wifi
  eth3     68.144.64.0/22   ISPS      1000
  eth3     66.18.203.64/27  ISPN      1000
  eth3     -                ISPS      1000
  ## For DMZ
  eth4     -                ISPN      1000
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcdevices:

  ########################################################################
  #INTERFACE  IN-BANDWITH  OUT-BANDWIDTH
  eth0        4000kbit     512kbit
  eth1        4000kbit     512kbit
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcclasses:

  ########################################################################
  #INTERFACE  MARK  RATE    CEIL  PRIORITY  OPTIONS
  eth0        1     full/4  full  1         tcp-ack,tos-minimize-delay
  eth0        2     full/4  full  2
  eth0        3     full/4  full  3         default
  eth0        4     full/4  full  4
  eth1        1     full/4  full  1         tcp-ack,tos-minimize-delay
  eth1        2     full/4  full  2
  eth1        3     full/4  full  3         default
  eth1        4     full/4  full  4
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcrules:

  ########################################################################
  #MARK     SOURCE     DEST        PROTO  PORT(S)       CLIENT   USER  TEST  LENGTH  TOS
  #                                                     PORT(S)
  RESTORE   0.0.0.0/0  0.0.0.0/0   all    -             -        -     0
  CONTINUE  0.0.0.0/0  0.0.0.0/0   all    -             -        -     !0
  ## Mark Pings as highest priority
  1         0.0.0.0/0  0.0.0.0/0   icmp   echo-request
  1         0.0.0.0/0  0.0.0.0/0   icmp   echo-reply
  ## Mark SSH as highest priority
  1         0.0.0.0/0  0.0.0.0/0   tcp    ssh
  ## For the inter-office tunnel
  2         0.0.0.0/0  production  all
  2         0.0.0.0/0  downtown    all
  ## By default everything ends up in regular (3) class
  ## For torrents, cargo class
  4         0.0.0.0/0  0.0.0.0/0   ipp2p:all
  SAVE      0.0.0.0/0  0.0.0.0/0   all    -             -        -     !0
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

(As a note, production/downtown are names that can be resolved to an IP, and I have verified that they are correctly being used. They are to route the VPN traffic over class 2.)

The main one that I am concerned about is the traffic to "production" or "downtown", and why it isn't being classified into class 2. From there I'll worry about the P2P after.

If anyone needs more information, let me know, and I'll gladly post whatever is requested. At this point, any help is greatly appreciated, even if it is just a suggestion of where I might start to look.
--
James McTavish

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
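A way to reason about the tcrules file above is to walk a few packets through it in the order the rules are listed (RESTORE, CONTINUE if already marked, the explicit marks, SAVE) and see which tc class each one ends up in. The script below is an added example written for this page; it is not part of the post and not Shorewall code. The hosts "production" and "downtown" are mapped to made-up RFC 5737 addresses, the conntrack table is a plain dict that only tracks the originating direction, and the `encapsulate()` helper assumes a userspace tun daemon (OpenVPN-style) that emits a fresh UDP datagram to the peer's public address, carrying none of the inner packet's marks. The post does not say which VPN software is in use, so that last point is an assumption to check: the packet the eth1 qdisc actually queues is the outer one, and its destination is the tunnel peer, not "production".

```python
"""Walk constructed packets through the tcrules listed in the post, in order."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed address book for this example; not the poster's real hosts.
HOSTS = {"production": "10.20.0.10", "downtown": "10.30.0.10"}
DEFAULT_CLASS = 3  # the tcclasses line flagged "default"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, the PORT(S) column
    icmp_type: Optional[str] = None
    ipp2p: bool = False           # what an ipp2p:all match would report


ConnKey = Tuple[str, str, str, Optional[int]]


def conn_key(p: Packet) -> ConnKey:
    """Stand-in for the conntrack entry, originating direction only."""
    return (p.src, p.dst, p.proto, p.dport)


def tcrules(p: Packet, connmarks: Dict[ConnKey, int]) -> int:
    """Apply the posted tcrules top to bottom and return the packet mark (0 = unmarked)."""
    mark = connmarks.get(conn_key(p), 0)            # RESTORE ... all - - - 0
    if mark != 0:                                   # CONTINUE ... !0
        return mark
    if p.proto == "icmp" and p.icmp_type in ("echo-request", "echo-reply"):
        mark = 1                                    # pings -> highest priority
    elif p.proto == "tcp" and p.dport == 22:
        mark = 1                                    # ssh -> highest priority
    elif p.dst in (HOSTS["production"], HOSTS["downtown"]):
        mark = 2                                    # inter-office tunnel hosts
    elif p.ipp2p:
        mark = 4                                    # torrents -> cargo class
    if mark != 0:
        connmarks[conn_key(p)] = mark               # SAVE ... !0
    return mark


def tc_class(mark: int) -> int:
    """Shorewall builds class 1:<mark>; an unmarked packet lands in the default class."""
    return mark if mark else DEFAULT_CLASS


def encapsulate(inner: Packet, local_ip: str, peer_ip: str, port: int) -> Packet:
    """Outer packet a userspace tun daemon emits on the ISP link (assumption, see lead-in).

    The daemon writes a new UDP datagram addressed to the peer's public IP, so the
    mark and connmark of the inner packet are not carried over to this one.
    """
    return Packet(src=local_ip, dst=peer_ip, proto="udp", dport=port)


def demo() -> Dict[str, int]:
    """Classify a handful of constructed packets and return the resulting tc classes."""
    connmarks: Dict[ConnKey, int] = {}
    inner = Packet("192.168.1.5", HOSTS["production"], "tcp", 445)   # LAN host -> production
    outer = encapsulate(inner, "192.0.2.10", "203.0.113.5", 1194)     # what eth1 sees
    samples = {
        "inner_to_production": inner,
        "outer_tunnel_udp": outer,
        "ssh": Packet("192.168.1.5", "198.51.100.20", "tcp", 22),
        "ping": Packet("192.168.1.5", "198.51.100.20", "icmp", icmp_type="echo-request"),
        "p2p": Packet("192.168.1.5", "198.51.100.20", "tcp", 6881, ipp2p=True),
        "web": Packet("192.168.1.5", "198.51.100.20", "tcp", 443),
    }
    return {name: tc_class(tcrules(pkt, connmarks)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, cls in demo().items():
        print(f"{name:22s} -> class 1:{cls}")
```

The inner packet to "production" matches the class 2 rule, but the encapsulated datagram that actually leaves eth1 only matches the default class, which is consistent with a qdisc for class 2 that sees a few kilobytes while a multi-megabyte transfer goes through. For a kernel-mode tunnel such as IPsec the mark usually survives encapsulation, so this effect is specific to userspace tun/tap daemons; the practical check is `tc -s class show dev eth1` while sending through the tunnel, together with a tcrule that matches the tunnel's own endpoint or UDP port if the counters confirm it.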
