On 05/27/2016 06:44 PM, Jacob W. Hiltz wrote:
> Still having problems with QoS.
> 
> 
> TCDEVICES
> eth0  -  20mbit
> 
> TCCLASSES
> eth0            1       10kbit     100kbit 1       
> eth0            2       10kbit     full        2 default
> 
> MANGLE
> MARK(1)         eth1.100   0.0.0.0/0       tcp  80   
> MARK(1)         eth1.100   0.0.0.0/0       tcp  -   80   
> MARK(2)         eth1.100   0.0.0.0/0       tcp   443    
> MARK(2)         eth1.100   0.0.0.0/0       tcp   -   443    
> SAVE              0.0.0.0/0   0.0.0.0/0       all        -             -      -         !0
> 
> I only ever see speeds of ~80kbps. I would expect that packets with mark=1 
> would be at most 100kbit (port 80 traffic) and packets with mark=2 (port 443) 
> would be full speed.
> 
> I must be missing something here. I’ve spent hours trying to do different 
> combinations and nothing seems to work for me.

You are probably marking in the PREROUTING chain
(MARK_IN_FORWARD_CHAIN=No in shorewall.conf) and have
FORWARD_CLEAR_MARK=Yes (again in shorewall.conf). Add the :F chain
designator to your MARK rules (e.g., MARK(1):F).

The MARK(2) and SAVE rules are also useless. 2 is the default mark and
you are not restoring the connection mark (or at least it is not shown
above).

> 
> Question: What would my tcclasses, tcdevices and mangle file look like if I 
> wanted to just limit traffic on port 443 to 1mbps and all other traffic full 
> speed?

TCDEVICES

eth0    -       20mbit

TCCLASSES

eth0    2       10kbit  full    2       default
eth0    1       10kbit  1mbit   1

MANGLE

MARK(1):F       eth1.100        0.0.0.0/0       tcp     443
MARK(1):F       eth1.100        0.0.0.0/0       tcp     -       443

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
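
An added example, not part of the original message and not Shorewall's own code: a small lint that reports MARK rules with no chain designator when shorewall.conf has the combination named in the reply (MARK_IN_FORWARD_CHAIN=No with FORWARD_CLEAR_MARK=Yes). The sample file contents and all function names are constructed for illustration, and defaults for unset options are not modelled.

```python
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONF = """\
# shorewall.conf (excerpt)
MARK_IN_FORWARD_CHAIN=No
FORWARD_CLEAR_MARK=Yes
"""
SAMPLE_MANGLE = """\
#ACTION      SOURCE     DEST        PROTO  DPORT  SPORT
MARK(1)      eth1.100   0.0.0.0/0   tcp    443
MARK(1):F    eth1.100   0.0.0.0/0   tcp    -      443
"""

# MARK(<value>) optionally followed by :<chain designator>, e.g. MARK(1):F
MARK_ACTION = re.compile(r"^MARK\([^)]*\)(?::(?P<chain>\w+))?$")

def parse_conf(text):
    """Return {OPTION: value} from KEY=value lines, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip("\"'")
    return opts

def needs_forward_designator(opts):
    """True only when both options are set explicitly as in the reply."""
    return (opts.get("MARK_IN_FORWARD_CHAIN", "").lower() == "no"
            and opts.get("FORWARD_CLEAR_MARK", "").lower() == "yes")

def unqualified_mark_rules(mangle_text):
    """Return (line_number, rule) for MARK rules lacking a chain designator."""
    hits = []
    for n, line in enumerate(mangle_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].startswith("?"):  # blank, comment, directive
            continue
        m = MARK_ACTION.match(fields[0])
        if m and m.group("chain") is None:
            hits.append((n, " ".join(fields)))
    return hits

def lint(conf_text, mangle_text):
    """List the MARK rules that should get :F under the reply's diagnosis."""
    if not needs_forward_designator(parse_conf(conf_text)):
        return []
    return unqualified_mark_rules(mangle_text)

if __name__ == "__main__":
    for n, rule in lint(SAMPLE_CONF, SAMPLE_MANGLE):
        print(f"mangle line {n}: no chain designator, consider :F -> {rule}")
```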
