On 12/3/2013 2:03 PM, [email protected] wrote:
> Hello,
> 
> Thanks for the great Shorewall which has replaced my hard to maintain 
> home-made scripts.
> 
> First, what works.
> 
> Our local network is 10.48.X.X with multiple VLANs, each on a dedicated 
> interface. We use Shorewall 4.4.11 from Debian Squeeze.
> 
> We have 2 ISPs:
> - isp1 : an optical fiber provider with 10 Mbps.
> - isp2 : a DSL provider with 15Mbits/1Mbits.
> 
> We use isp2 as the default outgoing provider. The isp1 provider is used for 
> "critical" services (SSH...) and for incoming connections (VPN...).
> 
> Our interfaces file:
> ========================
> isp1    eth0          detect          logmartians,nosmurfs,routefilter=0,tcpflags
> isp2    eth1          detect          logmartians,nosmurfs,routefilter,tcpflags
> ========================
> 
> Here is our providers file:
> ========================
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
> isp1    1       0x100   -               eth1            37.X.X.X        track,loose     -
> isp2    2       0x200   -               eth2            217.X.X.X       track,balance   -
> ========================
> 
> Here is an extract of our tcrules file:
> ========================
> ######################################################################################################################
> #MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
> #                                               PORT(S) PORT(S)
> 
> # ISP1 DNS => ISP1
> 256     0.0.0.0/0       37.X.X.X
> 256     $FW             37.X.X.X
> 
> # ISP2 DNS => ISP2
> 512     0.0.0.0/0       127.X.X.X
> 512     $FW             127.X.X.X
> 
> # Google DNS => ISP1
> 256     0.0.0.0/0       8.8.8.8,8.8.4.4
> 256     $FW             8.8.8.8,8.8.4.4
> 
> # VPN IPsec (out) => ISP1
> 256     0.0.0.0/0       0.0.0.0/0       udp     500,4500
> 256     $FW             0.0.0.0/0       udp     500,4500
> 
> # Force one host to ISP1
> 256     10.48.1.10             0.0.0.0/0
> 
> # Force all SSH to ISP1
> 256     0.0.0.0/0             0.0.0.0/0       tcp     22
> 256     $FW             0.0.0.0/0       tcp     22
> ========================
> 
> Yesterday we added VoIP. To do so, we force traffic from our Asterisk server 
> to go through ISP1 with a dedicated public IP and force the traffic from this 
> dedicated public IP to go to the Asterisk server (with IP filtering for 
> security). This works too.
> 
> Now, my problem is to put QoS (using TC_ENABLED=Internal). I tried many 
> configurations but always have the same problem: once the isp1 interface is 
> listed in tcdevices, we have poor download speed. Even with/without other TC 
> configuration.
> 
> Here is our tcdevices file:
> ========================
> #NUMBER:      IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
> #INTERFACE                                                    INTERFACES
> 1:isp1                10240kbit       10240kbit
> ========================
> 
> We use an external server to test download speed with IP 5.X.X.X so we added 
> in tcrules:
> ========================
> 256   0.0.0.0/0       5.X.X.X
> $FW   0.0.0.0/0       5.X.X.X
> ========================
> 
> The results are:
> - without isp1 in tcdevices => more than 1MB/s (bytes measured with wget 
> command)
> -  with isp1 in tcdevices => less than 300 kB/s
> 
> If I change the bandwidth of isp1 to something more than 70000kbit, all goes 
> right... Other lower values have the same problem but with different download 
> speed (seems proportional to the interface speed).
> 
> Here is a result of the following command: tc -s -d class show dev isp1
> ========================
> class htb 1:1 root rate 10240Kbit ceil 10240Kbit burst 1598b/8 mpu 0b overhead 0b cburst 1598b/8 mpu 0b overhead 0b level 7
>       Sent 1111091 bytes 11680 pkt (dropped 0, overlimits 0 requeues 0) 
>       rate 83656bit 124pps backlog 0b 0p requeues 0 
>       lended: 0 borrowed: 0 giants: 0
>       tokens: 17781 ctokens: 17781
> ========================
> 
> Rates seem to be OK.
> 
> Does someone have the same problem?
> 

Sounds like Shorewall FAQ 97a.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
