Hello again!

  
Well, I forgot to mention background information about the company.
We host websites that are used for webmail and client access
and having enough bandwidth for those is the primary thing.
Most of the users don't have anything to do on the internet.
Even if the users go on the net, they shouldn't be able to eat
bandwidth.

Secondly, I have to deal with privately used laptops,
and there have been cases of infected hardware eating all the
bandwidth (botnet client), which is why I have to limit each user to a maximum
of bandwidth. (Closing all unnecessary ports is not an option, regretfully.)
    

Then Shorewall's traffic shaping does not offer you a workable solution.
  

Ok, I think I get what you are suggesting. But if I make one class per subnet (for example sales),
then it would work, no? (Saying I don't care about how the bandwidth gets divided in a subnet)

Browsing the website I found the following solution:
make classes for each IP and make rules for them

(I did the tables with TABs, I just couldn't get it to work with my webmail)

        
And I've deleted them in my response since my mailer made them totally
unreadable.
      
I will try to paste them again with one space between each word.

tcdevices
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps

    
Ok, I updated the tcclasses table
tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 10mbps full 1 default
eth2 1 10mbps full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2

tcrules
#MARK SOURCE DESTINATION PROTOCOL PORT(s)
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
...


    
Is this configuration correct?
        
No. The sum of the RATE column for each interface exceeds the
OUT-BANDWIDTH for the interface. The RATE column specifies what you
GUARANTEE each class, no matter how congested the link is, so the sum of
the numbers in that column cannot exceed the OUT-BANDWIDTH.
      
Do you mean that this works, but if more than 40 users use the 1 mbit, then
traffic shaping becomes useless, or do you mean that shorewall won't
even accept it?
    

No -- I mean this won't work at all. You are guaranteeing ALL OF THE
BANDWIDTH to the default class ('full' in the RATE column). So there is
none left over for the other classes. When HTB is configured like this,
it just plain doesn't work.
So if I keep the bandwidth of all the classes under 40Mbps (in my case)
then it would work.
If you know any other software that works besides Shorewall and is better suited,
please write a URL.
    

I know of no good solution on Linux that scales to 100s of internal systems.

-Tom

I am thinking about keeping about 30 classes for the local net,
(DHCP is configured to serve these addresses first and we have
like 15-20 clients today)
and one class for the sales net.

The rates would be:
30*100kbps=~ 3mbps for local net
10mbps for default
1mbps for sales

and I am still under 40mbps.

rule 1 for default
rule 2-31 for local
rule 32 for sales net
tcdevices
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps

tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 10mbps full 1 default
eth2 1 10mbps full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2
...
eth0 31 100kbps 1mbps 2
eth2 31 100kbps 1mbps 2
eth0 32 1mbps 5mbps 3
eth0 32 1mbps 5mbps 3

tcrules
#MARK SOURCE DESTINATION PROTOCOL PORT(s)
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
... 
31:F 192.168.101.40 eth0 all
31:F eth0 192.168.101.40 all
32:F 192.168.102.0/24 eth0 all
32:F eth0 192.168.102.0/24 all

 
So do I get it right this time?

Laszlo Balogh

P.S.: sorry for my thickheadedness, 
and thank you for your patience
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
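
The rule stated in the thread (the RATE column summed per interface must not exceed that interface's OUT-BANDWIDTH, with 'full' counting as the whole link) can be checked before the files are loaded. The script below is an added example, not part of the thread and not Shorewall code; `parse_rate`, `rows` and `check_rates` are hypothetical names, the unit multipliers are an assumption, and the sample tables are constructed from the plan described in the message.

```python
import re

# Assumption: decimal multipliers, everything converted to bytes per second.
# Only the ratio between units matters for this check.
UNITS = {"kbps": 1_000, "mbps": 1_000_000, "kbit": 125, "mbit": 125_000}

def parse_rate(text, full=None):
    """Convert '100kbps', '40mbps' or 'full' to a number."""
    if text == "full":
        if full is None:
            raise ValueError("'full' needs the interface OUT-BANDWIDTH")
        return full
    m = re.fullmatch(r"(\d+)(kbps|mbps|kbit|mbit)", text.lower())
    if not m:
        raise ValueError(f"unsupported rate: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def rows(table):
    """Yield whitespace-split columns, skipping blank lines and # comments."""
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check_rates(tcdevices, tcclasses):
    """Return {interface: (sum of RATE, OUT-BANDWIDTH, fits)}."""
    out_bw = {r[0]: parse_rate(r[2]) for r in rows(tcdevices)}
    total = dict.fromkeys(out_bw, 0)
    for iface, _mark, rate, *_ in rows(tcclasses):
        total[iface] += parse_rate(rate, full=out_bw[iface])
    return {i: (total[i], out_bw[i], total[i] <= out_bw[i]) for i in out_bw}

# Constructed sample input: one default class, 30 per-host classes (marks 2-31),
# and one class for the sales subnet, all on eth0.
TCDEVICES = "#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH\neth0 40mbps 40mbps\n"
PER_HOST = "".join(f"eth0 {m} 100kbps 1mbps 2\n" for m in range(2, 32))
# 'full' in RATE for the default class: nothing is left for the others.
BROKEN = "eth0 1 full full 1 default\n" + PER_HOST
# Default class guaranteed 10mbps only: 10 + 3 + 1 = 14mbps of 40mbps.
REVISED = "eth0 1 10mbps full 1 default\n" + PER_HOST + "eth0 32 1mbps 5mbps 3\n"

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("revised", REVISED)):
        for iface, (used, limit, ok) in check_rates(TCDEVICES, table).items():
            state = "ok" if ok else "OVERCOMMITTED"
            print(f"{name}: {iface} RATE sum {used} of {limit}: {state}")
```

The check covers only the RATE sum; it does not validate CEIL, PRIORITY or the tcrules entries.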
