Hello,
Thanks for the great Shorewall which has replaced my hard to maintain home-made
scripts.
First, what works.
Our local network is 10.48.X.X with multiple VLANs, each on a dedicated
interface. We use Shorewall 4.4.11 from Debian Squeeze.
We have 2 ISPs:
- isp1 : an optical fiber provider with 10 Mbps.
- isp2 : a DSL provider with 15Mbits/1Mbits.
We use isp2 as the default outgoing provider. The isp1 provider is used for
"critical" services (SSH...) and for incoming connections (VPN...).
Our interfaces file :
========================
isp1 eth0 detect logmartians,nosmurfs,routefilter=0,tcpflags
isp2 eth1 detect logmartians,nosmurfs,routefilter,tcpflags
========================
Here is our providers file:
========================
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
isp1 1 0x100 - eth1 37.X.X.X track,loose -
isp2 2 0x200 - eth2 217.X.X.X track,balance -
========================
Here is an extract of our tcrules file:
========================
######################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
# ISP1 DNS => ISP1
256 0.0.0.0/0 37.X.X.X
256 $FW 37.X.X.X
# ISP2 DNS => ISP2
512 0.0.0.0/0 127.X.X.X
512 $FW 127.X.X.X
# Google DNS => ISP1
256 0.0.0.0/0 8.8.8.8,8.8.4.4
256 $FW 8.8.8.8,8.8.4.4
# VPN IPsec (out) => ISP1
256 0.0.0.0/0 0.0.0.0/0 udp 500,4500
256 $FW 0.0.0.0/0 udp 500,4500
# Force one host to ISP1
256 10.48.1.10 0.0.0.0/0
# Force all SSH to ISP1
256 0.0.0.0/0 0.0.0.0/0 tcp 22
256 $FW 0.0.0.0/0 tcp 22
========================
Yesterday we added VoIP. To do so, we force traffic from our Asterisk server to
go through ISP1 with a dedicated public IP and force the traffic from this
dedicated public IP to go to the Asterisk server (with IP filtering for security).
This works too.
Now, my problem is setting up QoS (using TC_ENABLED=Internal). I tried many
configurations but always have the same problem: once the isp1 interface is
listed in tcdevices, we have poor download speed. This happens with or without
other TC configuration.
Here is our tcdevices file:
========================
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
#INTERFACE INTERFACES
1:isp1 10240kbit 10240kbit
========================
We use an external server to test download speed with IP 5.X.X.X so we added in
tcrules:
========================
256 0.0.0.0/0 5.X.X.X
$FW 0.0.0.0/0 5.X.X.X
========================
The results are:
- without isp1 in tcdevices => more than 1MB/s (bytes measured with wget
command)
- with isp1 in tcdevices => less than 300 kB/s
If I change the bandwidth of isp1 to something more than 70000kbit, all goes
right... Other lower values have the same problem but with different download
speeds (seems proportional to the interface speed).
Here is a result of the following command: tc -s -d class show dev isp1
========================
class htb 1:1 root rate 10240Kbit ceil 10240Kbit burst 1598b/8 mpu 0b overhead 0b cburst 1598b/8 mpu 0b overhead 0b level 7
Sent 1111091 bytes 11680 pkt (dropped 0, overlimits 0 requeues 0)
rate 83656bit 124pps backlog 0b 0p requeues 0
lended: 0 borrowed: 0 giants: 0
tokens: 17781 ctokens: 17781
========================
Rates seem to be OK.
Has anyone had the same problem?
Regards,
Olivier Monaco
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users