wqclatre

asked on

Reserve bandwidth for mail and www.


I have a Linux firewall with ipchains.

Looking like:

               internet
                  |
  Private------- FW----------DMZ

The connection is a bit too slow, so I would like to reserve some bandwidth for the mail and www traffic that goes to the DMZ.

(What I really want to do is to give traffic to my mail and www server the highest priority. As it is now, it is awfully slow to visit the www server and to read mail from outside if someone on the private net is downloading a lot from the internet.)

I don't want to switch to a 2.4 kernel, because it seems I cannot set the masquerading timeout there like I can with ipchains:
(ipchains -M -S 72000 10 60)


Can someone help me out how to implement this?

MFCRich

Traffic shaping. Kind of a heavy subject. Check out www.lartc.org
The--Captain
Indeed - I've done this a couple of times in 2.2, but it's been a while...  Grab the iproute2 tools and start playing around with tc - the docs out there are few, far between, and often conflicting - mostly you just have to play with 'tc' until you can get it to do what you want.

Also, don't forget ssh in your list of protocols to give guaranteed bandwidth - you think mail and http are slow when your pipe is full? Try using an interactive shell - not gonna happen.

Cheers,
-Jon

wqclatre (ASKER)

The-Captain.

Can't you give me a small example so I can get an idea of how it works?

Do I need anything more than iproute2 ?
OK, ok...  This should count as my good deed for the year - I found a script that I wrote and had thought was lost forever.  Hope you can make sense of it....

Cheers,
-Jon

#!/bin/bash

#
# tcstart (see also: tcstop, tcconf)
#
# A basic traffic shaping script - bandwidth parameters are entered via the
# environment variables listed below.  The basic idea is that connection A is
# a high-priority connection which is guaranteed a certain amount of bandwidth
# and can borrow bandwidth above and beyond that specification from the
# other source, connection B.  Connection B is a low-priority connection from
# which connection A may borrow bandwidth until B's bandwidth is exhausted
# (This should indicate a saturation of the line with traffic on connection A)
#
# Obviously, B may never borrow bandwidth from A
#
# For the whole thing to work properly, the administrator *must* mark *all*
# traffic with either a 1 or a 2 (fwmark).  Unmarked traffic will attempt to
# contend with the shaped traffic, and all bets are then off.  Mark traffic
# for connection A as 1, and traffic for connection B as 2.  If you're having
# problems determining what traffic needs to be included in which connection,
# might I suggest a liberal application of tcpdump?  In any case, every rule
# that does not end up in a DENY or REJECT final state should have an
# appropriate fwmark argument.  Also, rulesets that only consist of a default
# policy of ACCEPT should have a trivial rule that matches all traffic and
# assigns the appropriate fwmark.
#
# Also, since this only affects traffic that is *output* from each interface,
# the performance will suffer significantly if the box on which this script is
# run actually hosts services, rather than only routing traffic.  More work is
# needed here to work around this limitation - supposedly it *can* be worked
# around, according to anecdotal reports...



# These numbers may need tweaking - they are based upon rather limited testing.
# Further experimentation is clearly needed.
# BTW, if MAXBAND != ABAND+BBAND, there had better be a good reason...
MAXBAND=10Mbit
ABAND=9Mbit
BBAND=128Kbit
INDEV=eth0
OUTDEV=eth1
# (Be sure to use units that 'tc' can understand in the above)

# Root qdisc for the link; 30:1 is the whole link and may never exceed MAXBAND.
tc qdisc add dev $INDEV root handle 30: cbq bandwidth $MAXBAND avpkt 1000
tc class add dev $INDEV parent 30:0 classid 30:1 cbq bandwidth $MAXBAND rate $MAXBAND allot 1514 weight $MAXBAND prio 8 maxburst 20 avpkt 1000 bounded
# Connection A: guaranteed ABAND, may borrow from B, lends to nobody (isolated).
tc class add dev $INDEV parent 30:1 classid 30:100 cbq bandwidth $MAXBAND rate $ABAND allot 1514 weight $ABAND prio 5 maxburst 20 avpkt 1000 isolated
# Connection B: capped at BBAND, may not borrow (bounded).
tc class add dev $INDEV parent 30:1 classid 30:200 cbq bandwidth $MAXBAND rate $BBAND allot 1514 weight $BBAND prio 5 maxburst 20 avpkt 1000 bounded
# Fair queueing within each class, then fwmark 1 -> A and fwmark 2 -> B.
tc qdisc add dev $INDEV parent 30:100 sfq quantum 1514b perturb 15
tc qdisc add dev $INDEV parent 30:200 sfq quantum 1514b perturb 15
tc filter add dev $INDEV protocol ip parent 30:0 prio 1 handle 1 fw classid 30:100
tc filter add dev $INDEV protocol ip parent 30:0 prio 1 handle 2 fw classid 30:200

# That should handle the input traffic - now for the output traffic

# Same tree again for the other interface (handle 20: instead of 30:).
tc qdisc add dev $OUTDEV root handle 20: cbq bandwidth $MAXBAND avpkt 1000
tc class add dev $OUTDEV parent 20:0 classid 20:1 cbq bandwidth $MAXBAND rate $MAXBAND allot 1514 weight $MAXBAND prio 8 maxburst 20 avpkt 1000 bounded
# Connection A: guaranteed ABAND, may borrow from B, lends to nobody (isolated).
tc class add dev $OUTDEV parent 20:1 classid 20:100 cbq bandwidth $MAXBAND rate $ABAND allot 1514 weight $ABAND prio 5 maxburst 20 avpkt 1000 isolated
# Connection B: capped at BBAND, may not borrow (bounded).
tc class add dev $OUTDEV parent 20:1 classid 20:200 cbq bandwidth $MAXBAND rate $BBAND allot 1514 weight $BBAND prio 5 maxburst 20 avpkt 1000 bounded
# Fair queueing within each class, then fwmark 1 -> A and fwmark 2 -> B.
tc qdisc add dev $OUTDEV parent 20:100 sfq quantum 1514b perturb 15
tc qdisc add dev $OUTDEV parent 20:200 sfq quantum 1514b perturb 15
tc filter add dev $OUTDEV protocol ip parent 20:0 prio 1 handle 1 fw classid 20:100
tc filter add dev $OUTDEV protocol ip parent 20:0 prio 1 handle 2 fw classid 20:200

# Eyes bleeding yet?  Be thankful that RED support is not yet a part of the
# config...  In any case, please send the author of 'tc' to my house so I can
# strangle him (or at least smack him around with the 'frontend' clue-by-four).
arrggh - looks like I had some pasting problem up there - I think you can still get the general drift...

-Jon

So, did that script help at all?

I can possibly clarify some things if you need it...

Cheers,
-Jon

Well, I have not had time to look into this much, but after a short look at it, it seems I have problems understanding any of it (and more problems figuring out how to set this up in my case).
Had exactly this problem last month so I downloaded this.

http://info.iet.unipi.it/~luigi/ip_dummynet/

20 minutes later I had a full solution. Could not be easier

There are some errors in the descriptions of how to start the bridge, e.g. sysctl -w net.link.ether.bridge: 1 should read = 1, but this bootable floppy image works perfectly and allows weighted queues of all types of traffic.

I suggest the best method is to produce a queue of weight 5 and a pipe representing your bandwidth, then play until you get the results you want.  NB: it works with rtl 8029 or 8039 cards. I had a few problems with D-Link and Kingston.

I don't want to mess up my current firewall, which I still need, so I cannot boot some floppy.
Indeed - that would be the issue I would have as well...

What did you think of my script - how can I clarify it further?

Cheers,
-Jon

Sorry, The-Captain. I have been buried in a lot of work, so I have not had enough time to investigate it. Do you have any pointers to documentation about the commands that are used in this script?
The problem with the docs is that they are sparse, and mainly consist of less-than-clear examples (if I might pat myself on the back a bit, the above script does show a bit more, due to the abstraction of certain variables).  If you want a complete solution (all command lines directly illustrated), then I can probably come up with something in a few days (I'll squeeze it in between my real work)...  If that would help, please say so, and I will look into it.

Cheers,
-Jon
Sorry for my late comment. I have been on vacation.

It would be great if you could help me out with a complete solution, because I have problems understanding this.
(I will increase the points to 500.)

It is just the www traffic to one IP in the DMZ, ssh to one IP in the DMZ and https to one IP in the DMZ that I would like to give the highest priority.
ASKER CERTIFIED SOLUTION
The--Captain
Sigh - sometimes, when replying to such questions, I feel I am the only person using Linux who cares about QoS issues (although I guess the kernel developers must think it's cool to even provide it in the first place) - please, Jim and Vijay (M Rich and Jon Anderson - feel free as well), prove me wrong...

Cheers,
-Jon
Yes, I think that sounds like the way to proceed.
(This will mean that people behind the firewall who are surfing the web will not slow down my www and https server, right?)

As I said before, I use kernel 2.2 and ipchains. I hope that won't be a problem.
One more thing... I have a 256k line...
I'd recommend trying out the Wonder Shaper, http://lartc.org/wondershaper/
When the connection in one direction is saturated, ACKs don't get through, and so it slows everything down. This solves the problem, and I found it to be the simplest to use. It requires kernel >= 2.4. I don't know if there's a way to do it with 2.2.
>it requires kernel >= 2.4.

Why?  I know the author says so, but it's just a script, and from what I saw when I examined it, it requires nothing specific to 2.2 - I'm guessing if you compiled the most recent iproute2 tools under a 2.2 kernel then this script would work for you - it is somewhat less confusing than my own script (although only slightly hehe).

Cheers,
-Jon
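A worked layout for the setup described in this thread (www, https and ssh to three DMZ hosts, a 256k line, kernel 2.2 with ipchains), added here as an example. It is not the accepted solution above (which is not visible on this page) and not code posted by anyone in the thread. It follows the two-class cbq tree of tcstart but adds what the asker's case needs: the ipchains marking rules (the -m mark option, kept in a separate user chain so the existing ruleset is untouched), a third class so private-net to DMZ traffic is not throttled by the 256k cap, different prio values so the high-priority class is actually served first, cbq bandwidth set to the port speed rather than the line rate (which is what cbq wants for its idle-time calculation), and the Wonder Shaper trick mentioned above of lifting bare TCP ACKs into the priority class on the internet port. The interface names, the TEST-NET addresses, the private net, the 10Mbit port speed and the 192k/64k split are assumptions; adjust them before use. One caveat that applies to any of these scripts: a firewall can only shape what it sends, so downloads from the internet are controlled only indirectly, by capping what the firewall forwards onto the private net (class :200 on the private-side port) and letting TCP back off; the inbound half of the line can never be lent to the DMZ the way the outbound half can.

```shell
#!/bin/sh
#
# tcdmz - an added example (not from the thread) in the style of tcstart
# above, laid out for the setup described in the question: three DMZ
# services on a 256k line, kernel 2.2 with ipchains.
#
# fwmark 1: www/https/ssh to or from the three DMZ hosts (high priority)
# fwmark 2: everything else that crosses the line (low priority, hard cap)
# fwmark 3: private net <-> DMZ traffic (never touches the line, not capped)
#
# Assumed: interface names, the TEST-NET addresses, 10Mbit ethernet ports.

EXT=eth0; PRIV=eth1; DMZ=eth2           # internet / private net / DMZ
PRIVNET=192.168.1.0/24; DMZNET=192.0.2.0/24
WWW_IP=192.0.2.10; HTTPS_IP=192.0.2.11; SSH_IP=192.0.2.12

IFBW=10Mbit    # physical port speed (cbq needs it for its idle-time math)
LINE=256Kbit   # the internet line; ABAND + BBAND should add up to it
ABAND=192Kbit  # guaranteed to fwmark 1, which may borrow the rest of LINE
BBAND=64Kbit   # ceiling for fwmark 2, which may not borrow
LANBAND=9Mbit  # share of the port for fwmark 3

# DRYRUN=1 prints each command instead of executing it.
run() { if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Marking lives in its own chain hooked at the top of 'input', so the existing
# ACCEPT/DENY rules stay as they are. Rules without -j set the mark and fall
# through, so the last matching rule wins: default 2, the services 1, and
# LAN-to-LAN traffic 3 regardless of what it is.
mark_start() {
    run ipchains -N mark
    run ipchains -I input 1 -j mark
    run ipchains -A mark -m 2
    for svc in "$WWW_IP 80" "$HTTPS_IP 443" "$SSH_IP 22"; do
        set -- $svc
        run ipchains -A mark -i "$EXT" -p tcp -d "$1" "$2" -m 1   # requests in
        run ipchains -A mark -i "$DMZ" -p tcp -s "$1" "$2" -m 1   # replies out
    done
    run ipchains -A mark -i "$PRIV" -d "$DMZNET" -m 3
    run ipchains -A mark -i "$DMZ" -d "$PRIVNET" -m 3
}

mark_stop() {
    run ipchains -D input -j mark
    run ipchains -F mark
    run ipchains -X mark
}

# One cbq tree per egress port. h:10 is the part of the port that may reach
# the line (bounded at LINE); inside it :100 (fwmark 1) is served first and
# may borrow up to LINE, :200 (fwmark 2) is capped at BBAND. h:300 carries
# fwmark 3 outside that cap. On the internet port, bare TCP ACKs (no options,
# under 64 bytes, ACK flag only) are lifted into :100 as the Wonder Shaper
# does, so a full upload does not starve the ACKs that keep downloads going.
shape_start() {
    dev=$1; h=$2
    run tc qdisc add dev "$dev" root handle "$h:" cbq bandwidth "$IFBW" avpkt 1000
    run tc class add dev "$dev" parent "$h:0" classid "$h:1" cbq bandwidth "$IFBW" rate "$IFBW" allot 1514 weight "$IFBW" prio 8 maxburst 20 avpkt 1000 bounded
    run tc class add dev "$dev" parent "$h:1" classid "$h:10" cbq bandwidth "$IFBW" rate "$LINE" allot 1514 weight "$LINE" prio 8 maxburst 20 avpkt 1000 bounded
    run tc class add dev "$dev" parent "$h:10" classid "$h:100" cbq bandwidth "$IFBW" rate "$ABAND" allot 1514 weight "$ABAND" prio 1 maxburst 20 avpkt 1000 isolated
    run tc class add dev "$dev" parent "$h:10" classid "$h:200" cbq bandwidth "$IFBW" rate "$BBAND" allot 1514 weight "$BBAND" prio 7 maxburst 20 avpkt 1000 bounded
    run tc class add dev "$dev" parent "$h:1" classid "$h:300" cbq bandwidth "$IFBW" rate "$LANBAND" allot 1514 weight "$LANBAND" prio 4 maxburst 20 avpkt 1000
    if [ "$dev" = "$EXT" ]; then
        run tc filter add dev "$dev" protocol ip parent "$h:0" prio 1 u32 \
            match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
            match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid "$h:100"
    fi
    for m in 1 2 3; do
        run tc qdisc add dev "$dev" parent "$h:${m}00" sfq quantum 1514b perturb 15
        run tc filter add dev "$dev" protocol ip parent "$h:0" prio 2 handle "$m" fw classid "$h:${m}00"
    done
}

shape_stop() { run tc qdisc del dev "$1" root; }

case "$1" in
    start) mark_start
           shape_start "$EXT" 20; shape_start "$PRIV" 30; shape_start "$DMZ" 40 ;;
    stop)  for d in "$EXT" "$PRIV" "$DMZ"; do shape_stop "$d"; done; mark_stop ;;
esac
```

Run it as "tcdmz start" once the interfaces are up (it does not matter whether the firewall rules are loaded before or after, since the mark chain is inserted at the head of input), "DRYRUN=1 tcdmz start" to review every ipchains and tc command before touching the live box, and "tcdmz stop" to tear the qdiscs and the mark chain down again. The ACK classifier is matched at filter prio 1, ahead of the fw classifiers at prio 2, because tc tries filters in ascending prio order and the fwmark would otherwise put a private-net download's ACKs into the capped class.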


wqclatre:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: The--Captain {http:#7181695}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

paullamhkg
EE Cleanup Volunteer