On 09/27/2012 12:36 PM, Bill Shirley wrote:
>
> On 9/27/2012 2:03 PM, Tom Eastep wrote:
>> On 09/27/2012 10:24 AM, Bill Shirley wrote:
>>> I'm experiencing a problem with masquerade downloads saturating my
>>> internet connection. I've implemented an IFB and now am looking into
>>> flow keys. Although I've read the documentation, I'm not sure I have
>>> this right. Can someone help?
>>>
>>> /etc/shorewall/params:
>>> MID_IF=eth0
>>> MID_IF_TC=1
>>> INET1_IF=eth1
>>> INET1_IF_TC=2
>>> INET1_IFB_IF=ifb0
>>> INET1_IFB_TC=3
>>>
>>> Note: MID_IF is the LAN and INET1_IF is my internet connection.
>>>
>>> /etc/shorewall/tcdevices:
>>> #NUMBER: IN-BANDWITH OUT-BANDWIDTH
>>> OPTIONS REDIRECTED
>>> #INTERFACE INTERFACES
>>>
>>> $MID_IF_TC:$MID_IF 0 1000mbit
>>>
>>> $INET1_IF_TC:$INET1_IF - 2mbit
>>> classify
>>> $INET1_IFB_TC:$INET1_IFB_IF - 12mbit
>>> - $INET1_IF
>>>
>>> /etc/shorewall/tcclasses:
>>> #INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
>>> # DMAX:UMAX
>>>
>>> $MID_IF:110 - 30*full/100 95*full/100 1
>> ...
>>> $INET1_IFB_IF:140 - 15*full/100 85*full/100 4 flow=dst
>>> $INET1_IFB_IF:150 - 10*full/100 85*full/100 5 flow=dst
>>>
>>> I'm looking at the flow=keys from here:
>>> http://www.shorewall.net/manpages/shorewall-tcclasses.html
>>>
>>> Is this right? Is it logical to put flow control on the IFB?
>> No. The problem with an IFB is that the packets passed through the IFB
>> are "straight off the wire". So when you are masquerading, all incoming
>> packets from masqueraded connections have DST=<external IP>. To get
>> 'flow' to work correctly in that environment, you need to shape outgoing
>> traffic on your LAN interface where the destination address has been
>> re-written to that of a LAN host.
>>
>> -Tom
> I heard what you said but I'm not understanding. My problem is my
> incoming internet connection gets saturated sometimes with downloads and
> I want to shape that traffic according to which PC it's going to.
>
> The IFB is going to drop packets when the connection gets saturated. I
> just want it to be equally distributed. If one PC is downloading at 500
> KB on one connection and another PC has two connections at 500 KB, the
> 2nd PC will get twice as much thru-put.
> Because my LAN is 1 Gb I don't see how the incoming traffic on the
> internet is ever going to trigger traffic shaping on the LAN.
>
> Am I missing something?

Yes -- you are missing the fact that, at the IFB, tc filters can't
distinguish one internal PC from another.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
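
The point made in the replies above, sketched as a small model (an added example, not code from either poster or from Shorewall): download packets are queued by destination address, once as the IFB sees them (before the masquerade is reversed) and once as they leave on the LAN interface. The addresses, ports, and the one-queue-per-address round-robin model are constructed assumptions; the real flow classifier hashes its keys into buckets.

```python
from collections import Counter, deque

# Constructed sample values (documentation address range), not from the thread.
EXTERNAL_IP = "203.0.113.10"

# Simplified conntrack view: masqueraded port on the external IP -> LAN host.
# Host .10 has one download connection, host .20 has two.
CONNTRACK = {40001: "192.168.1.10", 40002: "192.168.1.20", 40003: "192.168.1.20"}


def inbound_packets(per_conn):
    """Download packets as they arrive off the wire: every dst is the external IP."""
    return [{"dst": EXTERNAL_IP, "dport": port}
            for _ in range(per_conn) for port in CONNTRACK]


def un_nat(pkt):
    """Reverse the masquerade, which happens before egress on the LAN interface."""
    return {"dst": CONNTRACK[pkt["dport"]], "dport": pkt["dport"]}


def shape(packets, capacity):
    """Queue packets per dst (the flow=dst idea), serve the queues round-robin
    until `capacity` packets are sent, and count deliveries per real LAN host."""
    queues = {}
    for pkt in packets:
        queues.setdefault(pkt["dst"], deque()).append(pkt)
    delivered = Counter()
    while capacity > 0 and any(queues.values()):
        for q in queues.values():
            if q and capacity > 0:
                pkt = q.popleft()
                delivered[CONNTRACK[pkt["dport"]]] += 1
                capacity -= 1
    return dict(delivered)


def at_ifb(per_conn=100, capacity=150):
    """Shaping at the IFB: one dst value, so one queue shared by every LAN host."""
    return shape(inbound_packets(per_conn), capacity)


def at_lan_egress(per_conn=100, capacity=150):
    """Shaping on the LAN interface: dst is the LAN host, so one queue per PC."""
    return shape([un_nat(p) for p in inbound_packets(per_conn)], capacity)


if __name__ == "__main__":
    print("IFB       :", at_ifb())
    print("LAN egress:", at_lan_egress())
```

With the constructed input, the IFB case gives the two-connection host twice the packets of the other, while the LAN-egress case splits the same capacity evenly between the two PCs.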
