netfiler & QoS

Jose Celestino japc@co.sapo.pt
Mon, 23 Jul 2001 13:24:14 +0100 

Howdy,

I'm facing the following problem.

Our current routing/nat architecture is:

              _________
            ( W O R L D )
              ---------
                  |^
           > > > >|^ 
         /-----------------\
        |^       (A)       |
     (B)|^                 |(C)
  /-----------\      /-----------\
  |           |      |           |
  | iptables  |      |  freeswan |
  |   GW/NAT  |      | IPSEC/VPN |
  |  & PROXY  |      |           |
  \___________       \___________/
         |^                 |
         |^                 |
         \_<_<_<_<__________/
                  |^
                  |^
              /--------\ < < < </---------\
              | Router |--------|  LAN 2  |
              \________/        \_________/
                  |^
                  |^
             /----------\
             |   LAN 1  |
             \__________/

We have our LAN divided into 3 class C segments and all trafic gets
routed throught our central LAN router.

All traffic gets routed to the GW/NAT box (were we have the transparent
proxy also) except traffic to 2 class C networks at our data center that
we route to the VPN for encryption/tunneling.

At our GW/NAT we do fascist-port-closure (tm), transparent proxying,
masquerading and source nating (for some IPs that we need to get pass a
foreign pix firewall).

Traffic that goes through our VPN is ssh sessions, http sessions, etc,
to servers at our data center.

Our bandwith is 2Mbps (at A).

Well, the problem is that for much that we do the traffic that goes
through (B) always ends up "eating" most of the available bandwidth at (A).

What we want to do is to limit all traffic going through (B) to 750Kbps
so that all the remaing traffic can be used by traffic from (C), that's
means legimit traffic, work stuff.

What I'm doing is marking the packets:

iptables -t mangle -A PREROUTING -j MARK --set-mark 2147581953 -m state --state RELATED,NEW,ESTABLISHED,INVALID

tc qdisc replace dev eth2 root cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth2 parent 8001:0 cbq bandwidth 100Mbit rate 1000Kbit allot 1514 weight 50Kbit prio 5 maxburst 20 avpkt 1000 bounded isolated
tc filter replace dev eth2 protocol ip parent 8001: prio 1 handle 0x80018001 fw classid 8001:8001
tc class replace dev eth2 classid 8001:8001 parent 8001:0 cbq bandwidth 750Kbit rate 1Kbit allot 1514b weight 50Kbit prio 5 maxburst 20 avpkt 1000b bounded isolated

This doesn't seem to work, I tried that same class but with bandwidth
1Kbit and I did't find it to work.

Am I doing something wrong (most certainly)? By the way, what can I do
to optimize/improve my masquerade script?

TIA.

Best regards

-- 
Jose Celestino <japc@co.sapo.pt>
---------------------------------
"In 3010, the potatoes triumphed."