On 09/27/2012 10:24 AM, Bill Shirley wrote:
> I'm experiencing a problem with masquerade downloads saturating my
> internet connection. I've implemented an IFB and now am looking into
> flow keys. Although I've read the documentation, I'm not sure I have
> this right. Can someone help?
>
> /etc/shorewall/params:
> MID_IF=eth0
> MID_IF_TC=1
> INET1_IF=eth1
> INET1_IF_TC=2
> INET1_IFB_IF=ifb0
> INET1_IFB_TC=3
>
> Note: MID_IF is the LAN and INET1_IF is my internet connection.
>
> /etc/shorewall/tcdevices:
> #NUMBER:                     IN-BANDWITH  OUT-BANDWIDTH  OPTIONS   REDIRECTED
> #INTERFACE                                                         INTERFACES
>
> $MID_IF_TC:$MID_IF           0            1000mbit
>
> $INET1_IF_TC:$INET1_IF       -            2mbit          classify
> $INET1_IFB_TC:$INET1_IFB_IF  -            12mbit         -         $INET1_IF
>
> /etc/shorewall/tcclasses:
> #INTERFACE:CLASS    MARK  RATE:        CEIL         PRIORITY  OPTIONS
> #                         DMAX:UMAX
>
> $MID_IF:110         -     30*full/100  95*full/100  1 ...
> $INET1_IFB_IF:140   -     15*full/100  85*full/100  4         flow=dst
> $INET1_IFB_IF:150   -     10*full/100  85*full/100  5         flow=dst
>
> I'm looking at the flow=keys from here:
> http://www.shorewall.net/manpages/shorewall-tcclasses.html
>
> Is this right? Is it logical to put flow control on the IFB?

No. The problem with an IFB is that the packets passed through the IFB are "straight off the wire". So when you are masquerading, all incoming packets from masqueraded connections have DST=<external IP>. To get 'flow' to work correctly in that environment, you need to shape outgoing traffic on your LAN interface where the destination address has been re-written to that of a LAN host.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
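
An added illustration, not part of the original thread: a simplified Python model of the point made in the reply, showing how a `dst` flow key behaves at the IFB versus at LAN egress. The addresses, ports, burst pattern and the round-robin scheduler are constructed assumptions; this is not Shorewall or kernel code.

```python
from collections import Counter, deque

EXTERNAL_IP = "203.0.113.10"            # constructed masquerade address
CONNTRACK = {40001: "192.168.1.20",     # constructed: external port -> LAN host
             40002: "192.168.1.21",
             40003: "192.168.1.22"}

def arrivals():
    """Constructed download burst as seen on the wire: dst is always EXTERNAL_IP."""
    block = [40001] * 18 + [40002, 40003]   # one heavy host, two light ones
    return [{"src": "198.51.100.5", "dst": EXTERNAL_IP, "dport": p}
            for p in block * 5]

def at_ifb(packets):
    """Packets redirected to the IFB are straight off the wire: headers unchanged."""
    return [dict(p) for p in packets]

def at_lan_egress(packets):
    """On the way out of the LAN interface, dst has been rewritten to the LAN host."""
    return [dict(p, dst=CONNTRACK[p["dport"]]) for p in packets]

def serve(packets, budget, key="dst"):
    """Round-robin one packet per flow bucket (bucket = value of `key`),
    a simplified stand-in for flow-keyed fair queueing.
    Returns packets delivered per real LAN host."""
    buckets = {}
    for p in packets:
        buckets.setdefault(p[key], deque()).append(p)
    delivered = Counter()
    while budget > 0 and any(buckets.values()):
        for q in buckets.values():
            if q and budget > 0:
                delivered[CONNTRACK[q.popleft()["dport"]]] += 1
                budget -= 1
    return dict(delivered)

if __name__ == "__main__":
    pkts = arrivals()
    # One bucket at the IFB, so the heavy host crowds out the others.
    print("IFB, flow=dst:       ", serve(at_ifb(pkts), 30))
    # One bucket per LAN host at LAN egress, so the light hosts are served in full.
    print("LAN egress, flow=dst:", serve(at_lan_egress(pkts), 30))
```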
